* [ 000/102] 3.9.3-stable review
@ 2013-05-17 21:35 Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 001/102] KVM: VMX: fix halt emulation while emulating invalid guest sate Greg Kroah-Hartman
                   ` (102 more replies)
  0 siblings, 103 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, torvalds, akpm, stable

This is the start of the stable review cycle for the 3.9.3 release.
There are 102 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun May 19 21:30:33 UTC 2013.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.9.3-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 3.9.3-rc1
Andy Grover <agrover@redhat.com>
    target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio
Eric W. Biederman <ebiederm@xmission.com>
    audit: Make testing for a valid loginuid explicit.
Helge Deller <deller@gmx.de>
    parisc: make default cross compiler search more robust (v3)
Mike Frysinger <vapier@gentoo.org>
    parisc: fix NATIVE set up in build
John David Anglin <dave.anglin@bell.net>
    parisc: use long branch in fork_like macro
John David Anglin <dave.anglin@bell.net>
    parisc: fix SMP races when updating PTE and TLB entries in entry.S
John David Anglin <dave.anglin@bell.net>
    parisc: only re-enable interrupts if we need to schedule or deliver signals when returning to userspace
Oleg Nesterov <oleg@redhat.com>
    usermodehelper: check subprocess_info->path != NULL
Dave Airlie <airlied@redhat.com>
    drm/radeon: restore nomodeset operation (v2)
Kees Cook <keescook@chromium.org>
    drm/radeon: check incoming cliprects pointer
Axel Lin <axel.lin@ingics.com>
    ASoC: da7213: Fix setting dmic_samplephase and dmic_clk_rate
Benjamin LaHaise <bcrl@kvack.org>
    ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
Chen Gang <gang.chen@asianux.com>
    drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
Lan Tianyu <tianyu.lan@intel.com>
    ACPI / EC: Restart transaction even when the IBF flag set
Nicholas Bellinger <nab@linux-iscsi.org>
    target/iblock: Fix WCE=1 + DPOFUA=1 backend WRITE regression
Joern Engel <joern@logfs.org>
    target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
Shlomo Pongratz <shlomop@mellanox.com>
    iscsi-target: Fix processing of OOO commands
Dirk Brandewie <dirk.j.brandewie@intel.com>
    cpufreq / intel_pstate: fix ffmpeg regression
Dirk Brandewie <dirk.j.brandewie@intel.com>
    cpufreq / intel_pstate: use lowest requested max performance
Dirk Brandewie <dirk.j.brandewie@intel.com>
    cpufreq / intel_pstate: remove idle time and duration from sample and calculations
Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe()
Inderpal Singh <inderpal.singh@linaro.org>
    ARM: EXYNOS5: Fix kernel dump in AFTR idle mode
Geert Uytterhoeven <geert@linux-m68k.org>
    VSOCK: Drop bogus __init annotation from vsock_init_tables()
Philipp Reisner <philipp.reisner@linbit.com>
    drbd: fix for deadlock when using automatic split-brain-recovery
Lars Ellenberg <lars.ellenberg@linbit.com>
    drbd: fix memory leak
Philipp Reisner <philipp.reisner@linbit.com>
    drbd: Fix build error when CONFIG_CRYPTO_HMAC is not set
Guenter Roeck <linux@roeck-us.net>
    watchdog: Fix race condition in registration code
Tomoya MORINAGA <tomoya.rohm@gmail.com>
    pch_dma: Use GFP_ATOMIC because called from interrupt context
Cong Wang <amwang@redhat.com>
    xfrm6: release dev before returning error
Amerigo Wang <amwang@redhat.com>
    ipv6,gre: do not leak info to user-space
Eric Dumazet <edumazet@google.com>
    ipv6: do not clear pinet6 field
Jiri Pirko <jiri@resnulli.us>
    macvlan: fix passthru mode race between dev removal and rx path
Josh Boyer <jwboyer@redhat.com>
    if_cablemodem.h: Add parenthesis around ioctl macros
Sergei Shtylyov <sshtylyov@ru.mvista.com>
    3c59x: fix PCI resource management
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    3c59x: fix freeing nonexistent resource on driver unload
Konstantin Khlebnikov <khlebnikov@openvz.org>
    net: frag, fix race conditions in LRU list maintenance
stephen hemminger <stephen@networkplumber.org>
    virtio: don't expose u16 in userspace api
Daniel Borkmann <dborkman@redhat.com>
    packet: tpacket_v3: do not trigger bug() on wrong header status
holger@eitzenberger.org <holger@eitzenberger.org>
    asix: fix BUG in receive path when lowering MTU
stephen hemminger <stephen@networkplumber.org>
    bridge: fix race with topology change timer
Bjørn Mork <bjorn@mork.no>
    net: vlan,ethtool: netdev_features_t is more than 32 bit
Patrick McHardy <kaber@trash.net>
    net: use netdev_features_t in skb_needs_linearize()
Jamal Hadi Salim <jhs@mojatatu.com>
    net_sched: act_ipt forward compat with xtables
Matthew Whitehead <tedheadster@gmail.com>
    3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA)
Yuchung Cheng <ycheng@google.com>
    tcp: reset timer after any SYNACK retransmit
Chen Gang <gang.chen@asianux.com>
    net: mac802154: comparision issue of type cast, finding by EXTRA_CFLAGS=-W
Gao feng <gaofeng@cn.fujitsu.com>
    net: tun: release the reference of tun device in tun_recvmsg
Ben Hutchings <bhutchings@solarflare.com>
    sfc: Fix naming of MTD partitions for FPGA bitfiles
Eric Dumazet <edumazet@google.com>
    tcp: force a dst refcount when prequeue packet
Jani Nikula <jani.nikula@intel.com>
    drm/i915: clear the stolen fb before resuming
Daniel Vetter <daniel.vetter@ffwll.ch>
    drm: don't check modeset locks in panic handler
Daniel Vetter <daniel.vetter@ffwll.ch>
    drm/mm: fix dump table BUG
Christopher Harvey <charvey@matrox.com>
    drm/mgag200: Fix framebuffer base address programming
Christopher Harvey <charvey@matrox.com>
    drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register
Stanislaw Gruszka <sgruszka@redhat.com>
    iwl4965: workaround connection regression on passive channel
Thommy Jakobsson <thommyj@gmail.com>
    B43: Handle DMA RX descriptor underrun
Chris Metcalf <cmetcalf@tilera.com>
    tile: support new Tilera hypervisor
Daniel Drake <dsd@laptop.org>
    mwifiex: fix setting of multicast filter
Amitkumar Karwar <akarwar@marvell.com>
    mwifiex: fix memory leak issue when driver unload
Bing Zhao <bzhao@marvell.com>
    mwifiex: clear is_suspended flag when interrupt is received early
Felix Fietkau <nbd@openwrt.org>
    ath9k: fix key allocation error handling for powersave keys
Anton Blanchard <anton@au1.ibm.com>
    powerpc/kexec: Fix kexec when using VMX optimised memcpy
Robert Jennings <rcj@linux.vnet.ibm.com>
    powerpc: Bring all threads online prior to migration/hibernation
Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
    ARM: 7720/1: ARM v6/v7 cmpxchg64 shouldn't clear upper 32 bits of the old/new value
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    x86/microcode: Add local mutex to fix physical CPU hot-add deadlock
Lachlan McIlroy <lmcilroy@redhat.com>
    ext4: limit group search loop for non-extent files
Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    tracing: Fix leaks of filter preds
Thomas Gleixner <tglx@linutronix.de>
    tick: Cleanup NOHZ per cpu data on cpu down
Tirupathi Reddy <tirupath@codeaurora.org>
    timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
John Stultz <john.stultz@linaro.org>
    time: Revert ALWAYS_USE_PERSISTENT_CLOCK compile time optimizaitons
Jeff Layton <jlayton@redhat.com>
    audit: vfs: fix audit_inode call in O_CREAT case of do_last
Anton Blanchard <anton@samba.org>
    audit: Syscall rules are not applied to existing processes on non-x86
James Bottomley <JBottomley@Parallels.com>
    SCSI: sd: fix array cache flushing bug causing performance problems
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    xen/vcpu/pvhvm: Fix vcpu hotplugging hanging.
Li Zefan <lizefan@huawei.com>
    shm: fix null pointer deref when userspace specifies invalid hugepage size
Alexander van Heukelum <heukelum@fastmail.fm>
    x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
Shuah Khan <shuah.khan@hp.com>
    hp_accel: Ignore the error from lis3lv02d_poweron() at resume
Jeff Layton <jlayton@redhat.com>
    nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error
J. Bruce Fields <bfields@redhat.com>
    nfsd4: don't allow owner override on 4.1 CLAIM_FH opens
Stanislaw Gruszka <sgruszka@redhat.com>
    sched: Avoid prev->stime underflow
Stanislaw Gruszka <sgruszka@redhat.com>
    Revert "math64: New div64_u64_rem helper"
Stanislaw Gruszka <sgruszka@redhat.com>
    sched: Do not account bogus utime
Stanislaw Gruszka <sgruszka@redhat.com>
    sched: Avoid cputime scaling overflow
Frederic Weisbecker <fweisbec@gmail.com>
    sched: Lower chances of cputime scaling overflow
Frederic Weisbecker <fweisbec@gmail.com>
    math64: New div64_u64_rem helper
Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    dm cache: fix error return code in cache_create
Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    dm snapshot: fix error return code in snapshot_ctr
Mikulas Patocka <mpatocka@redhat.com>
    dm bufio: avoid a possible __vmalloc deadlock
Mike Snitzer <snitzer@redhat.com>
    dm stripe: fix regression in stripe_width calculation
Mike Snitzer <snitzer@redhat.com>
    dm table: fix write same support
Viresh Kumar <viresh.kumar@linaro.org>
    DMA: OF: Check properties value before running be32_to_cpup() on it
Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix 3.9 regression of EAPD init on Conexant codecs
Wang YanQing <udknight@gmail.com>
    ALSA: HDA: Fix Oops caused by dereference NULL pointer
Takashi Iwai <tiwai@suse.de>
    Revert "ALSA: hda - Don't set up active streams twice"
Bob Moore <robert.moore@intel.com>
    ACPICA: Fix possible buffer overflow during a field unit read operation
Dan Carpenter <dan.carpenter@oracle.com>
    ASoC: wm8994: missing break in wm8994_aif3_hw_params()
Aaro Koskinen <aaro.koskinen@iki.fi>
    ARM: OMAP: RX-51: change probe order of touchscreen and panel SPI devices
Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
    HID: reintroduce fix-up for certain Sony RF receivers
Paolo Bonzini <pbonzini@redhat.com>
    KVM: emulator: emulate SALC
Paolo Bonzini <pbonzini@redhat.com>
    KVM: emulator: emulate XLAT
Paolo Bonzini <pbonzini@redhat.com>
    KVM: emulator: emulate AAM
Gleb Natapov <gleb@redhat.com>
    KVM: VMX: fix halt emulation while emulating invalid guest sate
-------------
Diffstat:
 Makefile                                     |   4 +-
 arch/arm/include/asm/cmpxchg.h               |   8 +-
 arch/arm/mach-exynos/include/mach/regs-pmu.h |   1 +
 arch/arm/mach-exynos/pmu.c                   |   5 +-
 arch/arm/mach-omap2/board-rx51-peripherals.c |   4 +-
 arch/parisc/Makefile                         |  23 ++--
 arch/parisc/kernel/entry.S                   | 172 +++++++++++++++------------
 arch/powerpc/include/asm/rtas.h              |   2 +
 arch/powerpc/kernel/machine_kexec_64.c       |   4 +
 arch/powerpc/kernel/rtas.c                   | 113 ++++++++++++++++++
 arch/powerpc/platforms/pseries/suspend.c     |  22 ++++
 arch/tile/Kconfig                            |  14 ++-
 arch/tile/include/hv/hypervisor.h            |  27 ++++-
 arch/tile/kernel/head_32.S                   |   2 +-
 arch/tile/kernel/head_64.S                   |  12 +-
 arch/x86/Kconfig                             |   1 -
 arch/x86/include/asm/syscalls.h              |   4 +-
 arch/x86/kernel/microcode_intel_early.c      |   5 +-
 arch/x86/kernel/vm86_32.c                    |  38 +++---
 arch/x86/kvm/emulate.c                       |  42 ++++++-
 arch/x86/kvm/vmx.c                           |   6 +
 arch/x86/xen/enlighten.c                     |  15 +++
 drivers/acpi/acpica/exfldio.c                |  14 ++-
 drivers/acpi/ec.c                            |   4 +-
 drivers/block/drbd/drbd_main.c               |   1 +
 drivers/block/drbd/drbd_receiver.c           |   5 +-
 drivers/char/ipmi/ipmi_bt_sm.c               |   4 +-
 drivers/char/ipmi/ipmi_devintf.c             |  14 ++-
 drivers/cpufreq/intel_pstate.c               |  67 +++--------
 drivers/dma/of-dma.c                         |   8 +-
 drivers/dma/pch_dma.c                        |   2 +-
 drivers/gpu/drm/drm_crtc.c                   |   4 +
 drivers/gpu/drm/drm_mm.c                     |  34 +++---
 drivers/gpu/drm/i915/intel_fb.c              |  16 ++-
 drivers/gpu/drm/mgag200/mgag200_mode.c       |  69 +++++++----
 drivers/gpu/drm/radeon/r300_cmdbuf.c         |   2 +-
 drivers/gpu/drm/radeon/radeon_drv.c          |  12 +-
 drivers/hid/hid-core.c                       |   1 +
 drivers/md/dm-bufio.c                        |  24 +++-
 drivers/md/dm-cache-target.c                 |   1 +
 drivers/md/dm-snap.c                         |   1 +
 drivers/md/dm-stripe.c                       |  11 +-
 drivers/md/dm-table.c                        |   2 +-
 drivers/net/ethernet/3com/3c509.c            |   2 +
 drivers/net/ethernet/3com/3c59x.c            |  27 +++--
 drivers/net/ethernet/sfc/mcdi.c              |   2 +-
 drivers/net/ethernet/tile/tilegx.c           |   2 +-
 drivers/net/macvlan.c                        |   7 +-
 drivers/net/tun.c                            |   7 +-
 drivers/net/usb/asix_common.c                |   3 +
 drivers/net/wireless/ath/ath9k/main.c        |   6 +-
 drivers/net/wireless/b43/dma.c               |  19 +++
 drivers/net/wireless/b43/dma.h               |   4 +-
 drivers/net/wireless/b43/main.c              |  43 +++----
 drivers/net/wireless/iwlegacy/4965-mac.c     |   3 +-
 drivers/net/wireless/mwifiex/cfg80211.c      |   3 -
 drivers/net/wireless/mwifiex/cmdevt.c        |   1 +
 drivers/net/wireless/mwifiex/main.c          |   1 +
 drivers/net/wireless/mwifiex/sta_ioctl.c     |  21 +---
 drivers/platform/x86/hp_accel.c              |   3 +-
 drivers/rtc/Kconfig                          |   2 -
 drivers/rtc/rtc-pcf2123.c                    |   1 +
 drivers/scsi/sd.c                            |  20 ++++
 drivers/scsi/sd.h                            |   1 +
 drivers/target/iscsi/iscsi_target_erl1.c     |   7 +-
 drivers/target/target_core_file.c            |  10 +-
 drivers/target/target_core_iblock.c          |   2 +
 drivers/target/target_core_transport.c       |  11 +-
 drivers/watchdog/watchdog_dev.c              |   3 +-
 fs/ext4/mballoc.c                            |   6 +-
 fs/namei.c                                   |   2 +-
 fs/nfsd/nfs4proc.c                           |  15 ++-
 fs/nfsd/nfs4recover.c                        |  12 +-
 include/linux/audit.h                        |   7 +-
 include/linux/kref.h                         |  33 +++++
 include/linux/time.h                         |   4 -
 include/net/inet_frag.h                      |   5 +-
 include/net/sock.h                           |  12 ++
 include/net/tcp.h                            |   1 +
 include/uapi/linux/audit.h                   |   1 +
 include/uapi/linux/if_cablemodem.h           |  12 +-
 include/uapi/linux/virtio_net.h              |   2 +-
 ipc/shm.c                                    |   8 +-
 kernel/auditfilter.c                         |  31 ++++-
 kernel/auditsc.c                             |   5 +-
 kernel/kmod.c                                |   5 +
 kernel/sched/cputime.c                       |  70 +++++++++--
 kernel/time/Kconfig                          |   5 -
 kernel/time/tick-sched.c                     |   2 +-
 kernel/timer.c                               |   2 +-
 kernel/trace/trace_events_filter.c           |   4 +
 mm/mmap.c                                    |   8 +-
 net/8021q/vlan_dev.c                         |   2 +-
 net/bridge/br_stp_timer.c                    |   2 +-
 net/core/dev.c                               |   2 +-
 net/core/ethtool.c                           |   2 +-
 net/core/sock.c                              |  12 --
 net/ipv4/inet_fragment.c                     |   1 +
 net/ipv4/tcp_minisocks.c                     |   7 +-
 net/ipv6/ip6_gre.c                           |   2 +
 net/ipv6/tcp_ipv6.c                          |  12 ++
 net/ipv6/udp.c                               |  13 +-
 net/ipv6/udp_impl.h                          |   2 +
 net/ipv6/udplite.c                           |   2 +-
 net/ipv6/xfrm6_policy.c                      |   4 +-
 net/mac802154/mac802154.h                    |   2 +-
 net/packet/af_packet.c                       |  53 ++++-----
 net/sched/act_ipt.c                          |  33 ++++-
 net/vmw_vsock/af_vsock.c                     |   2 +-
 sound/pci/hda/hda_codec.c                    |   7 +-
 sound/pci/hda/patch_conexant.c               |  17 ++-
 sound/soc/codecs/da7213.c                    |   8 +-
 sound/soc/codecs/wm8994.c                    |   1 +
 113 files changed, 1011 insertions(+), 458 deletions(-)
* [ 001/102] KVM: VMX: fix halt emulation while emulating invalid guest sate
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 002/102] KVM: emulator: emulate AAM Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tomas Papan, Paolo Bonzini,
	Gleb Natapov
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Gleb Natapov <gleb@redhat.com>
commit 8d76c49e9ffeee839bc0b7a3278a23f99101263e upstream.
The invalid guest state emulation loop does not check halt_request
which causes 100% cpu loop while guest is in halt and in invalid
state, but more serious issue is that this leaves halt_request set, so
random instruction emulated by vm86 #GP exit can be interpreted
as halt which causes guest hang. Fix both problems by handling
halt_request in emulation loop.
Reported-by: Tomas Papan <tomas.papan@gmail.com>
Tested-by: Tomas Papan <tomas.papan@gmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/vmx.c |    6 ++++++
 1 file changed, 6 insertions(+)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5197,6 +5197,12 @@ static int handle_invalid_guest_state(st
 			return 0;
 		}
 
+		if (vcpu->arch.halt_request) {
+			vcpu->arch.halt_request = 0;
+			ret = kvm_emulate_halt(vcpu);
+			goto out;
+		}
+
 		if (signal_pending(current))
 			goto out;
 		if (need_resched())
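Review bot: The new "if (vcpu->arch.halt_request)" block has no comment saying why the flag must be cleared inside the emulation loop. The commit message gives the reason (a stale halt_request lets a later, unrelated emulated instruction be treated as a halt), and a one-line comment to that effect above the block would keep the clear from being dropped in a later cleanup. It would also help to state that the check is deliberately placed ahead of the signal_pending() and need_resched() tests that follow it.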
* [ 002/102] KVM: emulator: emulate AAM
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 001/102] KVM: VMX: fix halt emulation while emulating invalid guest sate Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 003/102] KVM: emulator: emulate XLAT Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junichi Nomura, Paolo Bonzini,
	Gleb Natapov
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit a035d5c64d08a8ac12d81b596e7fa6d95a73c347 upstream.
This is used by SGABIOS, KVM breaks with emulate_invalid_guest_state=1.
AAM needs the source operand to be unsigned; do the same in AAD as well
for consistency, even though it does not affect the result.
Reported-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2986,6 +2986,28 @@ static int em_das(struct x86_emulate_ctx
 	return X86EMUL_CONTINUE;
 }
 
+static int em_aam(struct x86_emulate_ctxt *ctxt)
+{
+	u8 al, ah;
+
+	if (ctxt->src.val == 0)
+		return emulate_de(ctxt);
+
+	al = ctxt->dst.val & 0xff;
+	ah = al / ctxt->src.val;
+	al %= ctxt->src.val;
+
+	ctxt->dst.val = (ctxt->dst.val & 0xffff0000) | al | (ah << 8);
+
+	/* Set PF, ZF, SF */
+	ctxt->src.type = OP_IMM;
+	ctxt->src.val = 0;
+	ctxt->src.bytes = 1;
+	fastop(ctxt, em_or);
+
+	return X86EMUL_CONTINUE;
+}
+
 static int em_aad(struct x86_emulate_ctxt *ctxt)
 {
 	u8 al = ctxt->dst.val & 0xff;
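Review bot: In em_aam(), the flag update under "/* Set PF, ZF, SF */" sets ctxt->src.bytes = 1 but does not touch the destination width, and by that point ctxt->dst.val holds both AH and AL. The hunk does not show which operand width fastop(ctxt, em_or) uses, so please confirm the flags are derived from AL only, or extend the comment to say why the wider value is acceptable. Separately, the mask in "(ctxt->dst.val & 0xffff0000)" would drop any bits above 31 if dst.val is wider than 32 bits; a short note that the entry is No64 would make that assumption explicit.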
@@ -3926,7 +3948,8 @@ static const struct opcode opcode_table[
 	/* 0xD0 - 0xD7 */
 	G(Src2One | ByteOp, group2), G(Src2One, group2),
 	G(Src2CL | ByteOp, group2), G(Src2CL, group2),
-	N, I(DstAcc | SrcImmByte | No64, em_aad), N, N,
+	I(DstAcc | SrcImmUByte | No64, em_aam),
+	I(DstAcc | SrcImmUByte | No64, em_aad), N, N,
 	/* 0xD8 - 0xDF */
 	N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
 	/* 0xE0 - 0xE7 */
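Review bot: The 0xD0 - 0xD7 row now spans three lines, and the opcode each entry belongs to is implied only by its position in the row. A trailing comment on the two I(...) lines (0xD4 for em_aam, 0xD5 for em_aad) would make slot mistakes easier to spot, since the remaining "N, N" entries on the em_aad line are the last two slots of the row. The switch of em_aad from SrcImmByte to SrcImmUByte is covered by the commit message, so no further change is needed there.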
* [ 003/102] KVM: emulator: emulate XLAT
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 001/102] KVM: VMX: fix halt emulation while emulating invalid guest sate Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 002/102] KVM: emulator: emulate AAM Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 004/102] KVM: emulator: emulate SALC Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junichi Nomura, Paolo Bonzini,
	Gleb Natapov
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 7fa57952d70f5737513d8319395e471d107e4e0d upstream.
This is used by SGABIOS, KVM breaks with emulate_invalid_guest_state=1.
It is just a MOV in disguise, with a funny source address.
Reported-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -60,6 +60,7 @@
 #define OpGS              25ull  /* GS */
 #define OpMem8            26ull  /* 8-bit zero extended memory operand */
 #define OpImm64           27ull  /* Sign extended 16/32/64-bit immediate */
+#define OpXLat            28ull  /* memory at BX/EBX/RBX + zero-extended AL */
 
 #define OpBits             5  /* Width of operand field */
 #define OpMask             ((1ull << OpBits) - 1)
@@ -99,6 +100,7 @@
 #define SrcImmUByte (OpImmUByte << SrcShift)
 #define SrcImmU     (OpImmU << SrcShift)
 #define SrcSI       (OpSI << SrcShift)
+#define SrcXLat     (OpXLat << SrcShift)
 #define SrcImmFAddr (OpImmFAddr << SrcShift)
 #define SrcMemFAddr (OpMemFAddr << SrcShift)
 #define SrcAcc      (OpAcc << SrcShift)
@@ -3949,7 +3951,8 @@ static const struct opcode opcode_table[
 	G(Src2One | ByteOp, group2), G(Src2One, group2),
 	G(Src2CL | ByteOp, group2), G(Src2CL, group2),
 	I(DstAcc | SrcImmUByte | No64, em_aam),
-	I(DstAcc | SrcImmUByte | No64, em_aad), N, N,
+	I(DstAcc | SrcImmUByte | No64, em_aad), N,
+	I(DstAcc | SrcXLat | ByteOp, em_mov),
 	/* 0xD8 - 0xDF */
 	N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
 	/* 0xE0 - 0xE7 */
@@ -4211,6 +4214,16 @@ static int decode_operand(struct x86_emu
 		op->val = 0;
 		op->count = 1;
 		break;
+	case OpXLat:
+		op->type = OP_MEM;
+		op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;
+		op->addr.mem.ea =
+			register_address(ctxt,
+				reg_read(ctxt, VCPU_REGS_RBX) +
+				(reg_read(ctxt, VCPU_REGS_RAX) & 0xff));
+		op->addr.mem.seg = seg_override(ctxt);
+		op->val = 0;
+		break;
 	case OpImmFAddr:
 		op->type = OP_IMM;
 		op->addr.mem.ea = ctxt->_eip;
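Review bot: In the new "case OpXLat:" arm, "op->bytes = (ctxt->d & ByteOp) ? 1 : ctxt->op_bytes;" carries a non-byte branch that the only user in this patch never takes, since the opcode table entry sets ByteOp and the OpXLat definition describes a byte-indexed lookup via AL. Either set op->bytes to 1 unconditionally or add a comment saying the wider case is kept on purpose. It would also be worth a brief comment that the sum of RBX and AL is passed through register_address() so that it is truncated to the current address size.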
* [ 004/102] KVM: emulator: emulate SALC
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2013-05-17 21:35 ` [ 003/102] KVM: emulator: emulate XLAT Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 005/102] HID: reintroduce fix-up for certain Sony RF receivers Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junichi Nomura, Paolo Bonzini,
	Gleb Natapov
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 326f578f7e1443bac2333712dd130a261ec15288 upstream.
This is an almost-undocumented instruction available in 32-bit mode.
I say "almost" undocumented because AMD documents it in their opcode
maps just to say that it is unavailable in 64-bit mode (sections
"A.2.1 One-Byte Opcodes" and "B.3 Invalid and Reassigned Instructions
in 64-Bit Mode").

It is roughly equivalent to "sbb %al, %al" except it does not
set the flags.  Use fastop to emulate it, but do not use the opcode
directly because it would fail if the host is 64-bit!
Reported-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/emulate.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -534,6 +534,9 @@ FOP_SETCC(setle)
 FOP_SETCC(setnle)
 FOP_END;
 
+FOP_START(salc) "pushf; sbb %al, %al; popf \n\t" FOP_RET
+FOP_END;
+
 #define __emulate_1op_rax_rdx(ctxt, _op, _suffix, _ex)			\
 	do {								\
 		unsigned long _tmp;					\
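Review bot: The FOP_START(salc) body has no comment explaining the pushf/popf pair around "sbb %al, %al" or why the SALC opcode itself is not emitted. Both reasons are in the commit message only (SALC must not change the flags, and the opcode is unavailable on a 64-bit host), and the code reads as an odd sequence without them. A two-line comment above FOP_START(salc) stating both would be enough.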
@@ -3951,7 +3954,8 @@ static const struct opcode opcode_table[
 	G(Src2One | ByteOp, group2), G(Src2One, group2),
 	G(Src2CL | ByteOp, group2), G(Src2CL, group2),
 	I(DstAcc | SrcImmUByte | No64, em_aam),
-	I(DstAcc | SrcImmUByte | No64, em_aad), N,
+	I(DstAcc | SrcImmUByte | No64, em_aad),
+	F(DstAcc | ByteOp | No64, em_salc),
 	I(DstAcc | SrcXLat | ByteOp, em_mov),
 	/* 0xD8 - 0xDF */
 	N, E(0, &escape_d9), N, E(0, &escape_db), N, E(0, &escape_dd), N, N,
* [ 005/102] HID: reintroduce fix-up for certain Sony RF receivers
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2013-05-17 21:35 ` [ 004/102] KVM: emulator: emulate SALC Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 006/102] ARM: OMAP: RX-51: change probe order of touchscreen and panel SPI devices Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fernando Luis Vazquez Cao,
	Jiri Kosina
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
commit c1e0ac192b48b37f31801c17534ab3d2a9282d84 upstream.
It looks like the manual merge 0d69a3c731e120b05b7da9fb976830475a3fbc01 ("Merge
branches 'for-3.9/sony' and 'for-3.9/steelseries' into for-linus") accidentally
removed Sony RF receiver with USB product id 0x0374 from the "have special
driver" list, effectively nullifying a464918419f94a0043d2f549d6defb4c3f69f68a
("HID: add support for Sony RF receiver with USB product id 0x0374"). Add the
device back to the list.
Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-core.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1702,6 +1702,7 @@ static const struct hid_device_id hid_ha
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER) },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SUNPLUS, USB_DEVICE_ID_SUNPLUS_WDESKTOP) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_THINGM, USB_DEVICE_ID_BLINK1) },
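Review bot: The added entry uses USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE, while the commit message identifies the device only as "Sony RF receiver with USB product id 0x0374", and nothing in the hunk ties the macro to that product id. Naming the macro in the commit message, or adding a short trailing comment on the new line, would let a reader confirm that this is the entry lost in the merge without opening the ids header.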
* [ 006/102] ARM: OMAP: RX-51: change probe order of touchscreen and panel SPI devices
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2013-05-17 21:35 ` [ 005/102] HID: reintroduce fix-up for certain Sony RF receivers Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 007/102] ASoC: wm8994: missing break in wm8994_aif3_hw_params() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Reichel, Aaro Koskinen,
	Pali Rohár, Joni Lapilainen, Tomi Valkeinen, Felipe Balbi,
	Tony Lindgren
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
commit e65f131a14726e5f1b880a528271a52428e5b3a5 upstream.
Commit 9fdca9df (spi: omap2-mcspi: convert to module_platform_driver)
broke the SPI display/panel driver probe on RX-51/N900. The exact cause is
not fully understood, but it seems to be related to the probe order. SPI
communication to the panel driver (spi1.2) fails unless the touchscreen
(spi1.0) has been probed/initialized before. When the omap2-mcspi driver
was converted to a platform driver, it resulted in that the devices are
probed immediately after the board registers them in the order they are
listed in the board file.

Fix the issue by moving the touchscreen before the panel in the SPI
device list.

The patch fixes the following failure:

[    1.260955] acx565akm spi1.2: invalid display ID
[    1.265899] panel-acx565akm display0: acx_panel_probe panel detect error
[    1.273071] omapdss CORE error: driver probe failed: -19

Tested-by: Sebastian Reichel <sre@debian.org>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: Pali Rohár <pali.rohar@gmail.com>
Cc: Joni Lapilainen <joni.lapilainen@gmail.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Felipe Balbi <balbi@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-omap2/board-rx51-peripherals.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/mach-omap2/board-rx51-peripherals.c
+++ b/arch/arm/mach-omap2/board-rx51-peripherals.c
@@ -73,11 +73,11 @@
 #define LIS302_IRQ1_GPIO 181
 #define LIS302_IRQ2_GPIO 180  /* Not yet in use */
 
-/* list all spi devices here */
+/* List all SPI devices here. Note that the list/probe order seems to matter! */
 enum {
 	RX51_SPI_WL1251,
-	RX51_SPI_MIPID,		/* LCD panel */
 	RX51_SPI_TSC2005,	/* Touch Controller */
+	RX51_SPI_MIPID,		/* LCD panel */
 };
 
 static struct wl12xx_platform_data wl1251_pdata;
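Review bot: The new comment above the enum says the list/probe order "seems to matter" but does not say which order is required, so a later edit could move `RX51_SPI_MIPID` back ahead of `RX51_SPI_TSC2005` without anyone noticing. State the constraint next to the two entries (the touch controller entry must stay before the LCD panel entry) and mention the `invalid display ID` probe failure from the commit message, so the reason can be found from the file itself.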
* [ 007/102] ASoC: wm8994: missing break in wm8994_aif3_hw_params()
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2013-05-17 21:35 ` [ 006/102] ARM: OMAP: RX-51: change probe order of touchscreen and panel SPI devices Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 008/102] ACPICA: Fix possible buffer overflow during a field unit read operation Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Mark Brown
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 4495e46fe18f198366961bb2b324a694ef8a9b44 upstream.
The missing break here means that we always return early and the
function is a no-op.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/codecs/wm8994.c |    1 +
 1 file changed, 1 insertion(+)
--- a/sound/soc/codecs/wm8994.c
+++ b/sound/soc/codecs/wm8994.c
@@ -2841,6 +2841,7 @@ static int wm8994_aif3_hw_params(struct
 		default:
 			return 0;
 		}
+		break;
 	default:
 		return 0;
 	}
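Review bot: Both `default: return 0;` arms visible here, the inner one and the outer one, report success for values the function does not handle, and that is how the missing `break;` could turn the whole function into a no-op without any visible failure. If an unrecognised value at either switch indicates a caller error, return an error code from that arm; if silent success is intended, say so in a one-line comment. The rest of this function's switch arms are worth checking for the same missing `break;`.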
* [ 008/102] ACPICA: Fix possible buffer overflow during a field unit read operation
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2013-05-17 21:35 ` [ 007/102] ASoC: wm8994: missing break in wm8994_aif3_hw_params() Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 009/102] Revert "ALSA: hda - Dont set up active streams twice" Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bob Moore, Lv Zheng,
	Rafael J. Wysocki
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bob Moore <robert.moore@intel.com>
commit 61388f9e5d93053cf399a356414f31f9b4814c6d upstream.
Can only happen under these conditions: 1) The DSDT version is 1,
meaning integers are 32-bits.  2) The field is between 33 and 64
bits long.
It applies cleanly back to ACPICA 20100806+ (Linux v2.6.37+).
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpica/exfldio.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/acpi/acpica/exfldio.c
+++ b/drivers/acpi/acpica/exfldio.c
@@ -720,7 +720,19 @@ acpi_ex_extract_from_field(union acpi_op
 
 	if ((obj_desc->common_field.start_field_bit_offset == 0) &&
 	    (obj_desc->common_field.bit_length == access_bit_width)) {
-		status = acpi_ex_field_datum_io(obj_desc, 0, buffer, ACPI_READ);
+		if (buffer_length >= sizeof(u64)) {
+			status =
+			    acpi_ex_field_datum_io(obj_desc, 0, buffer,
+						   ACPI_READ);
+		} else {
+			/* Use raw_datum (u64) to handle buffers < 64 bits */
+
+			status =
+			    acpi_ex_field_datum_io(obj_desc, 0, &raw_datum,
+						   ACPI_READ);
+			ACPI_MEMCPY(buffer, &raw_datum, buffer_length);
+		}
+
 		return_ACPI_STATUS(status);
 	}
 
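Review bot: In the new `else` branch, `ACPI_MEMCPY(buffer, &raw_datum, buffer_length);` runs whether or not `acpi_ex_field_datum_io()` succeeded, so on failure the caller's buffer is filled from `raw_datum`, whose initialisation is not visible in this hunk. Copy only when `status` indicates success, or make sure `raw_datum` is zeroed before the read. The comment could also note that taking the first `buffer_length` bytes of a `u64` yields its low-order bytes only on a little-endian machine.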
* [ 009/102] Revert "ALSA: hda - Dont set up active streams twice"
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2013-05-17 21:35 ` [ 008/102] ACPICA: Fix possible buffer overflow during a field unit read operation Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 010/102] ALSA: HDA: Fix Oops caused by dereference NULL pointer Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 6c35ae3c327ef4b5f51d3428d2ba47ac2153e882 upstream.
This reverts commit affdb62b815b38261f09f9d4ec210a35c7ffb1f3.
The commit introduced a regression with AD codecs where the stream is
always cleaned up.  Since the patch is just a minor optimization and
reverting the commit fixes the issue, let's just revert it.
Reported-and-tested-by: Michael Burian <michael.burian@sbg.at>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/hda_codec.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -1577,7 +1577,7 @@ void snd_hda_codec_setup_stream(struct h
 		    "NID=0x%x, stream=0x%x, channel=%d, format=0x%x\n",
 		    nid, stream_tag, channel_id, format);
 	p = get_hda_cvt_setup(codec, nid);
-	if (!p || p->active)
+	if (!p)
 		return;
 
 	if (codec->pcm_format_first)
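Review bot: Dropping `p->active` from the early-return test, now `if (!p)`, means the stream setup below runs again for converters that are already active, which is exactly what the reverted commit tried to avoid. Since that optimisation caused the AD codec regression described in the commit message, add a short comment at this check saying why `p->active` must not be tested here, so the optimisation is not reintroduced later.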
@@ -1624,7 +1624,7 @@ void __snd_hda_codec_cleanup_stream(stru
 
 	snd_printdd("hda_codec_cleanup_stream: NID=0x%x\n", nid);
 	p = get_hda_cvt_setup(codec, nid);
-	if (p && p->active) {
+	if (p) {
 		/* here we just clear the active flag when do_now isn't set;
 		 * actual clean-ups will be done later in
 		 * purify_inactive_streams() called from snd_hda_codec_prpapre()
* [ 010/102] ALSA: HDA: Fix Oops caused by dereference NULL pointer
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2013-05-17 21:35 ` [ 009/102] Revert "ALSA: hda - Dont set up active streams twice" Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 011/102] ALSA: hda - Fix 3.9 regression of EAPD init on Conexant codecs Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wang YanQing, Takashi Iwai
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Wang YanQing <udknight@gmail.com>
commit 2195b063f6609e4c6268f291683902f25eaf9aa6 upstream.
The interrupt handler azx_interrupt will call azx_update_rirb,
which may call snd_hda_queue_unsol_event; snd_hda_queue_unsol_event
will dereference the chip->bus pointer.
The problem is that we allocate chip->bus in azx_codec_create,
which will be called after we enable the IRQ and enable unsolicited
events in azx_probe.
This will cause an Oops due to dereferencing a NULL pointer. I met it, good luck :)
[Rearranged the NULL check before the tracepoint and added another
 NULL check of bus->workq -- tiwai]
Signed-off-by: Wang YanQing <udknight@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/hda_codec.c |    3 +++
 1 file changed, 3 insertions(+)
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -681,6 +681,9 @@ int snd_hda_queue_unsol_event(struct hda
 	struct hda_bus_unsolicited *unsol;
 	unsigned int wp;
 
+	if (!bus || !bus->workq)
+		return 0;
+
 	trace_hda_unsol_event(bus, res, res_ex);
 	unsol = bus->unsol;
 	if (!unsol)
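Review bot: The new guard `if (!bus || !bus->workq) return 0;` drops the unsolicited event without any trace, and the ordering problem named in the commit message (IRQ and unsolicited events enabled in azx_probe before azx_codec_create allocates `chip->bus`) is still there. Add a comment at the guard naming that window, and check whether the enable can be moved after the allocation so that this test is only defence in depth. The check is also unsynchronised, so it depends on `bus` and `bus->workq` being fully set up before they become visible to the interrupt path.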
* [ 011/102] ALSA: hda - Fix 3.9 regression of EAPD init on Conexant codecs
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2013-05-17 21:35 ` [ 010/102] ALSA: HDA: Fix Oops caused by dereference NULL pointer Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 012/102] DMA: OF: Check properties value before running be32_to_cpup() on it Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit ff359b14919c379a365233aa2e1dd469efac8ce8 upstream.
The older Conexant codecs have up to two EAPDs and these are supposed
to be rather statically turned on.  The new generic parser code
assumes the dynamic on/off per path usage, thus it resulted in the
silent output on some machines.
This patch fixes the problem by simply assuming the static EAPD on for
such old Conexant codecs as we did until 3.8 kernel.
Reported-and-tested-by: Christopher K. <c.krooss@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_conexant.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -64,6 +64,7 @@ struct conexant_spec {
 	/* extra EAPD pins */
 	unsigned int num_eapds;
 	hda_nid_t eapds[4];
+	bool dynamic_eapd;
 
 #ifdef ENABLE_CXT_STATIC_QUIRKS
 	const struct snd_kcontrol_new *mixers[5];
@@ -3152,7 +3153,7 @@ static void cx_auto_parse_eapd(struct hd
 	 * thus it might control over all pins.
 	 */
 	if (spec->num_eapds > 2)
-		spec->gen.own_eapd_ctl = 1;
+		spec->dynamic_eapd = 1;
 }
 
 static void cx_auto_turn_eapd(struct hda_codec *codec, int num_pins,
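Review bot: `spec->dynamic_eapd` is declared `bool` in the struct but is assigned `1` at `spec->dynamic_eapd = 1;`. Use `true`, which also matches the `true` passed to `cx_auto_turn_eapd()` in the new init function.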
@@ -3191,6 +3192,15 @@ static int cx_auto_build_controls(struct
 	return 0;
 }
 
+static int cx_auto_init(struct hda_codec *codec)
+{
+	struct conexant_spec *spec = codec->spec;
+	snd_hda_gen_init(codec);
+	if (!spec->dynamic_eapd)
+		cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, true);
+	return 0;
+}
+
 static void cx_auto_free(struct hda_codec *codec)
 {
 	snd_hda_detach_beep_device(codec);
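Review bot: `cx_auto_init()` calls `snd_hda_gen_init(codec);` and then returns 0 unconditionally, discarding the result of the function that was previously installed directly as `.init`. Propagate that result so a failure in the generic init is not hidden by the wrapper. A blank line after the `spec` declaration would also match the surrounding style.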
@@ -3200,7 +3210,7 @@ static void cx_auto_free(struct hda_code
 static const struct hda_codec_ops cx_auto_patch_ops = {
 	.build_controls = cx_auto_build_controls,
 	.build_pcms = snd_hda_gen_build_pcms,
-	.init = snd_hda_gen_init,
+	.init = cx_auto_init,
 	.free = cx_auto_free,
 	.unsol_event = snd_hda_jack_unsol_event,
 #ifdef CONFIG_PM
@@ -3350,7 +3360,8 @@ static int patch_conexant_auto(struct hd
 
 	cx_auto_parse_beep(codec);
 	cx_auto_parse_eapd(codec);
-	if (spec->gen.own_eapd_ctl)
+	spec->gen.own_eapd_ctl = 1;
+	if (spec->dynamic_eapd)
 		spec->gen.vmaster_mute.hook = cx_auto_vmaster_hook;
 
 	switch (codec->vendor_id) {
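Review bot: `spec->gen.own_eapd_ctl = 1;` is now set unconditionally, while the static-versus-dynamic decision has moved to `spec->dynamic_eapd`, and nothing at this site explains the split. Add a comment saying that EAPD is always owned by this driver and that `dynamic_eapd` only selects whether the vmaster hook toggles it, since the two flags are easy to confuse.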
* [ 012/102] DMA: OF: Check properties value before running be32_to_cpup() on it
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2013-05-17 21:35 ` [ 011/102] ALSA: hda - Fix 3.9 regression of EAPD init on Conexant codecs Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 013/102] dm table: fix write same support Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Viresh Kumar, Vinod Koul,
	Robert Richter
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 9a188eb126aa7bf27077ee46fcb914898d6fc281 upstream.
In the of_dma_controller_register() routine we are calling of_get_property() as a
parameter to be32_to_cpup(). In case the property doesn't exist we will get a
crash.
This patch changes this code to check if we got a valid property first and then
runs be32_to_cpup() on it.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Robert Richter <robert.richter@calxeda.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/of-dma.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/dma/of-dma.c
+++ b/drivers/dma/of-dma.c
@@ -93,6 +93,7 @@ int of_dma_controller_register(struct de
 {
 	struct of_dma	*ofdma;
 	int		nbcells;
+	const __be32	*prop;
 
 	if (!np || !of_dma_xlate) {
 		pr_err("%s: not enough information provided\n", __func__);
@@ -103,8 +104,11 @@ int of_dma_controller_register(struct de
 	if (!ofdma)
 		return -ENOMEM;
 
-	nbcells = be32_to_cpup(of_get_property(np, "#dma-cells", NULL));
-	if (!nbcells) {
+	prop = of_get_property(np, "#dma-cells", NULL);
+	if (prop)
+		nbcells = be32_to_cpup(prop);
+
+	if (!prop || !nbcells) {
 		pr_err("%s: #dma-cells property is missing or invalid\n",
 		       __func__);
 		kfree(ofdma);
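Review bot: `of_get_property(np, "#dma-cells", NULL)` is still called with a NULL length pointer, so `be32_to_cpup(prop)` reads four bytes without checking that the property is at least that long; an empty or short `#dma-cells` property would be read past its end. Pass a length and require it to be at least `sizeof(*prop)`, or use `of_property_read_u32()`, which performs that check. `nbcells` is also left uninitialised when `prop` is NULL; the `!prop ||` short-circuit keeps it from being read, but initialising it to 0 would let the test stay `if (!nbcells)`.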
* [ 013/102] dm table: fix write same support
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2013-05-17 21:35 ` [ 012/102] DMA: OF: Check properties value before running be32_to_cpup() on it Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 014/102] dm stripe: fix regression in stripe_width calculation Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bharata B Rao, Mike Snitzer,
	Alasdair G Kergon
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit dc019b21fb92d620a3b52ccecc135ac968a7c7ec upstream.
If device_not_write_same_capable() returns true then the iterate_devices
loop in dm_table_supports_write_same() should return false.
Reported-by: Bharata B Rao <bharata.rao@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-table.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -1442,7 +1442,7 @@ static bool dm_table_supports_write_same
 			return false;
 
 		if (!ti->type->iterate_devices ||
-		    !ti->type->iterate_devices(ti, device_not_write_same_capable, NULL))
+		    ti->type->iterate_devices(ti, device_not_write_same_capable, NULL))
 			return false;
 	}
 
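Review bot: The test on `ti->type->iterate_devices(ti, device_not_write_same_capable, NULL)` relies on a double negative, which is what made the original inversion easy to write and hard to spot. Add a one-line comment above it stating that a non-zero result means at least one underlying device lacks WRITE SAME support, so the `return false;` can be checked at a glance.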
* [ 014/102] dm stripe: fix regression in stripe_width calculation
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2013-05-17 21:35 ` [ 013/102] dm table: fix write same support Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 015/102] dm bufio: avoid a possible __vmalloc deadlock Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Snitzer, Alasdair G Kergon
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit d793e684277124d55c5d2444007e224635821346 upstream.
Fix a regression in the calculation of the stripe_width in the
dm stripe target which led to incorrect processing of device limits.
The stripe_width is the stripe device length divided by the number of
stripes.  The group of commits in the range f14fa69 ("dm stripe: fix
size test") to eb850de ("dm stripe: support for non power of 2
chunksize") interfered with each other (a merging error) and led to the
stripe_width being set incorrectly to the stripe device length divided by
chunk_size * stripe_count.
For example, a stripe device's table with: 0 33553920 striped 3 512 ...
should result in a stripe_width of 11184640 (33553920 / 3), but due to
the bug it was getting set to 21845 (33553920 / (512 * 3)).
The impact of this bug is that device topologies that previously worked
fine with the stripe target are no longer considered valid.  In
particular, there is a higher risk of seeing this issue if one of the
stripe devices has a 4K logical block size, resulting in an error
message like this:
"device-mapper: table: 253:4: len=21845 not aligned to h/w logical block size 4096 of dm-1"
The fix is to swap the order of the divisions and to use a temporary
variable for the second one, so that width retains the intended
value.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-stripe.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -94,7 +94,7 @@ static int get_stripe(struct dm_target *
 static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
 {
 	struct stripe_c *sc;
-	sector_t width;
+	sector_t width, tmp_len;
 	uint32_t stripes;
 	uint32_t chunk_size;
 	int r;
@@ -116,15 +116,16 @@ static int stripe_ctr(struct dm_target *
 	}
 
 	width = ti->len;
-	if (sector_div(width, chunk_size)) {
+	if (sector_div(width, stripes)) {
 		ti->error = "Target length not divisible by "
-		    "chunk size";
+		    "number of stripes";
 		return -EINVAL;
 	}
 
-	if (sector_div(width, stripes)) {
+	tmp_len = width;
+	if (sector_div(tmp_len, chunk_size)) {
 		ti->error = "Target length not divisible by "
-		    "number of stripes";
+		    "chunk size";
 		return -EINVAL;
 	}
 
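Review bot: The reason for `tmp_len` is not stated in the code. `sector_div()` replaces its first argument with the quotient, so dividing `width` by `chunk_size` directly would shrink the stripe width again, which is the regression this patch fixes. Add a comment at `tmp_len = width;` saying the copy exists only to test divisibility by the chunk size and that `width` must keep the value `ti->len` divided by `stripes`.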
* [ 015/102] dm bufio: avoid a possible __vmalloc deadlock
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2013-05-17 21:35 ` [ 014/102] dm stripe: fix regression in stripe_width calculation Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 016/102] dm snapshot: fix error return code in snapshot_ctr Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Alasdair G Kergon
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 502624bdad3dba45dfaacaf36b7d83e39e74b2d2 upstream.
This patch uses memalloc_noio_save to avoid a possible deadlock in
dm-bufio.  (It could happen only with large block size, at most
PAGE_SIZE << MAX_ORDER (typically 8MiB).)
__vmalloc doesn't fully respect gfp flags. The specified gfp flags are
used for allocation of requested pages, structures vmap_area, vmap_block
and vm_struct and the radix tree nodes.
However, the kernel pagetables are allocated always with GFP_KERNEL.
Thus the allocation of pagetables can recurse back to the I/O layer and
cause a deadlock.
This patch uses the function memalloc_noio_save to set per-process
PF_MEMALLOC_NOIO flag and the function memalloc_noio_restore to restore
it. When this flag is set, all allocations in the process are done with
implied GFP_NOIO flag, thus the deadlock can't happen.
This should be backported to stable kernels, but they don't have the
PF_MEMALLOC_NOIO flag and memalloc_noio_save/memalloc_noio_restore
functions. So, PF_MEMALLOC should be set and restored instead.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-bufio.c |   24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -319,6 +319,9 @@ static void __cache_size_refresh(void)
 static void *alloc_buffer_data(struct dm_bufio_client *c, gfp_t gfp_mask,
 			       enum data_mode *data_mode)
 {
+	unsigned noio_flag;
+	void *ptr;
+
 	if (c->block_size <= DM_BUFIO_BLOCK_SIZE_SLAB_LIMIT) {
 		*data_mode = DATA_MODE_SLAB;
 		return kmem_cache_alloc(DM_BUFIO_CACHE(c), gfp_mask);
@@ -332,7 +335,26 @@ static void *alloc_buffer_data(struct dm
 	}
 
 	*data_mode = DATA_MODE_VMALLOC;
-	return __vmalloc(c->block_size, gfp_mask, PAGE_KERNEL);
+
+	/*
+	 * __vmalloc allocates the data pages and auxiliary structures with
+	 * gfp_flags that were specified, but pagetables are always allocated
+	 * with GFP_KERNEL, no matter what was specified as gfp_mask.
+	 *
+	 * Consequently, we must set per-process flag PF_MEMALLOC_NOIO so that
+	 * all allocations done by this process (including pagetables) are done
+	 * as if GFP_NOIO was specified.
+	 */
+
+	if (gfp_mask & __GFP_NORETRY)
+		noio_flag = memalloc_noio_save();
+
+	ptr = __vmalloc(c->block_size, gfp_mask, PAGE_KERNEL);
+
+	if (gfp_mask & __GFP_NORETRY)
+		memalloc_noio_restore(noio_flag);
+
+	return ptr;
 }
 
 /*
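Review bot: The comment says PF_MEMALLOC_NOIO must be set so that page-table allocations behave as if GFP_NOIO was given, but the code keys the save and restore on `gfp_mask & __GFP_NORETRY`, and nothing here explains why that bit identifies a caller that must not recurse into I/O. Either test the I/O bit of `gfp_mask` directly or document the convention that makes `__GFP_NORETRY` the right proxy. `noio_flag` is also assigned only inside the first conditional; that is safe because the restore uses the same test, but initialising it at the declaration avoids a maybe-uninitialised warning.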
* [ 016/102] dm snapshot: fix error return code in snapshot_ctr
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2013-05-17 21:35 ` [ 015/102] dm bufio: avoid a possible __vmalloc deadlock Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 017/102] dm cache: fix error return code in cache_create Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Alasdair G Kergon
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
commit 09e8b813897a0f85bb401435d009228644c81214 upstream.
Return -ENOMEM instead of success if unable to allocate pending
exception mempool in snapshot_ctr.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-snap.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -1121,6 +1121,7 @@ static int snapshot_ctr(struct dm_target
 	s->pending_pool = mempool_create_slab_pool(MIN_IOS, pending_cache);
 	if (!s->pending_pool) {
 		ti->error = "Could not allocate mempool for pending exceptions";
+		r = -ENOMEM;
 		goto bad_pending_pool;
 	}
 
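Review bot: Setting `r = -ENOMEM;` at this one failure site fixes the reported case, but the pattern of assigning `r` separately before each `goto bad_*` is what allowed the omission. Check the other allocation failure paths in snapshot_ctr for the same gap, and consider initialising `r` to an error value before the run of allocations so that a forgotten assignment cannot return success.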
* [ 017/102] dm cache: fix error return code in cache_create
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2013-05-17 21:35 ` [ 016/102] dm snapshot: fix error return code in snapshot_ctr Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 018/102] math64: New div64_u64_rem helper Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Alasdair G Kergon
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
commit fa4d683af3693863bec761e2761a07e4c1351f86 upstream.
Return -ENOMEM if memory allocation fails in cache_create
instead of 0 (to avoid NULL pointer dereference).
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-cache-target.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1971,6 +1971,7 @@ static int cache_create(struct cache_arg
 	atomic_set(&cache->nr_migrations, 0);
 	init_waitqueue_head(&cache->migration_wait);
 
+	r = -ENOMEM;
 	cache->nr_dirty = 0;
 	cache->dirty_bitset = alloc_bitset(from_cblock(cache->cache_size));
 	if (!cache->dirty_bitset) {
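Review bot: `r = -ENOMEM;` is placed once, ahead of `cache->nr_dirty = 0;`, and is meant to cover every allocation failure that follows, but nothing marks that dependency. Any later statement that stores a call's result in `r` before another allocation check would silently reset it to 0. Add a comment saying that `r` must stay `-ENOMEM` through the allocations below, or set it at each failure site.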
* [ 018/102] math64: New div64_u64_rem helper
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2013-05-17 21:35 ` [ 017/102] dm cache: fix error return code in cache_create Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 019/102] sched: Lower chances of cputime scaling overflow Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frederic Weisbecker,
	Stanislaw Gruszka, Steven Rostedt, Peter Zijlstra, Ingo Molnar,
	Andrew Morton
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <fweisbec@gmail.com>
commit f792685006274a850e6cc0ea9ade275ccdfc90bc upstream.
Provide an extended version of div64_u64() that
also returns the remainder of the division.
We are going to need this to refine the cputime
scaling code.
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/math64.h |   19 ++++++++++++++++++-
 lib/div64.c            |   19 +++++++++++++------
 2 files changed, 31 insertions(+), 7 deletions(-)
--- a/include/linux/math64.h
+++ b/include/linux/math64.h
@@ -30,6 +30,15 @@ static inline s64 div_s64_rem(s64 divide
 }
 
 /**
+ * div64_u64_rem - unsigned 64bit divide with 64bit divisor
+ */
+static inline u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
+{
+	*remainder = dividend % divisor;
+	return dividend / divisor;
+}
+
+/**
  * div64_u64 - unsigned 64bit divide with 64bit divisor
  */
 static inline u64 div64_u64(u64 dividend, u64 divisor)
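Review bot: The kerneldoc summary added for `div64_u64_rem` reads "unsigned 64bit divide with 64bit divisor", word for word the same as the one for `div64_u64` just below, and it does not mention the remainder or document any parameter. Use the wording from the lib/div64.c copy ("with 64bit divisor and 64bit remainder") and add the `@dividend`, `@divisor` and `@remainder` lines. Also note there that `remainder` must not be NULL, since it is written unconditionally.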
@@ -61,8 +70,16 @@ static inline u64 div_u64_rem(u64 divide
 extern s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder);
 #endif
 
+#ifndef div64_u64_rem
+extern u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder);
+#endif
+
 #ifndef div64_u64
-extern u64 div64_u64(u64 dividend, u64 divisor);
+static inline u64 div64_u64(u64 dividend, u64 divisor)
+{
+	u64 remainder;
+	return div64_u64_rem(dividend, divisor, &remainder);
+}
 #endif
 
 #ifndef div64_s64
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -79,9 +79,10 @@ EXPORT_SYMBOL(div_s64_rem);
 #endif
 
 /**
- * div64_u64 - unsigned 64bit divide with 64bit divisor
+ * div64_u64_rem - unsigned 64bit divide with 64bit divisor and 64bit remainder
  * @dividend:	64bit dividend
  * @divisor:	64bit divisor
+ * @remainder:  64bit remainder
  *
  * This implementation is a modified version of the algorithm proposed
  * by the book 'Hacker's Delight'.  The original source and full proof
@@ -89,27 +90,33 @@ EXPORT_SYMBOL(div_s64_rem);
  *
  * 'http://www.hackersdelight.org/HDcode/newCode/divDouble.c.txt'
  */
-#ifndef div64_u64
-u64 div64_u64(u64 dividend, u64 divisor)
+#ifndef div64_u64_rem
+u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
 {
 	u32 high = divisor >> 32;
 	u64 quot;
 
 	if (high == 0) {
-		quot = div_u64(dividend, divisor);
+		u32 rem32;
+		quot = div_u64_rem(dividend, divisor, &rem32);
+		*remainder = rem32;
 	} else {
 		int n = 1 + fls(high);
 		quot = div_u64(dividend >> n, divisor >> n);
 
 		if (quot != 0)
 			quot--;
-		if ((dividend - quot * divisor) >= divisor)
+
+		*remainder = dividend - quot * divisor;
+		if (*remainder >= divisor) {
 			quot++;
+			*remainder -= divisor;
+		}
 	}
 
 	return quot;
 }
-EXPORT_SYMBOL(div64_u64);
+EXPORT_SYMBOL(div64_u64_rem);
 #endif
 
 /**
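Review bot: In the `high == 0` branch the 64-bit `divisor` is passed to `div_u64_rem()` together with a `u32 rem32`, so the divisor is narrowed implicitly; that is safe only because the upper 32 bits were just tested to be zero. Add a short comment there, or an explicit cast, so the narrowing reads as intentional. `*remainder` is also written in both branches, so the kerneldoc should state that callers must pass a valid pointer.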
* [ 019/102] sched: Lower chances of cputime scaling overflow
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2013-05-17 21:35 ` [ 018/102] math64: New div64_u64_rem helper Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 020/102] sched: Avoid " Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frederic Weisbecker,
	Stanislaw Gruszka, Steven Rostedt, Peter Zijlstra, Ingo Molnar,
	Andrew Morton
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Frederic Weisbecker <fweisbec@gmail.com>
commit d9a3c9823a2e6a543eb7807fb3d15d8233817ec5 upstream.
Some users have reported that after running a process with
hundreds of threads on intensive CPU-bound loads, the cputime
of the group started to freeze after a few days.
This is due to how we scale the tick-based cputime against
the scheduler precise execution time value.
We add the values of all threads in the group and we multiply
that against the sum of the scheduler exec runtime of the whole
group.
This easily overflows after a few days/weeks of execution.
A proposed solution to solve this was to compute that multiplication
on stime instead of utime:
   62188451f0d63add7ad0cd2a1ae269d600c1663d
   ("cputime: Avoid multiplication overflow on utime scaling")
The rationale behind that was that it's easy for a thread to
spend most of its time in userspace under intensive CPU-bound workload
but it's much harder to do CPU-bound intensive long run in the kernel.
This postulate got defeated when a user recently reported he was still
seeing cputime freezes after the above patch. The workload that
triggers this issue relates to intensive networking workloads where
most of the cputime is consumed in the kernel.
To further reduce the opportunities for multiplication overflow,
let's reduce the multiplication factors to the remainders of the division
between sched exec runtime and cputime. Assuming the difference between
these shouldn't ever be that large, it could work in many situations.
This gets the same results as in the upstream scaling code except for
a small difference: the upstream code always rounds the results to
the nearest integer not greater than what would be the precise result.
The new code rounds to the nearest integer either greater or not
greater. In practice this difference probably shouldn't matter but
it's worth mentioning.
If this solution appears not to be enough in the end, we'll
need to partly revert back to the behaviour prior to commit
     0cf55e1ec08bb5a22e068309e2d8ba1180ab4239
     ("sched, cputime: Introduce thread_group_times()")
Back then, the scaling was done on exit() time before adding the cputime
of an exiting thread to the signal struct. And then we'll need to
scale one-by-one the live threads cputime in thread_group_cputime(). The
drawback may be a slightly slower code on exit time.
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/cputime.c |   46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -521,18 +521,36 @@ EXPORT_SYMBOL_GPL(vtime_account_irq_ente
 
 #else /* !CONFIG_VIRT_CPU_ACCOUNTING */
 
-static cputime_t scale_stime(cputime_t stime, cputime_t rtime, cputime_t total)
+/*
+ * Perform (stime * rtime) / total with reduced chances
+ * of multiplication overflows by using smaller factors
+ * like quotient and remainders of divisions between
+ * rtime and total.
+ */
+static cputime_t scale_stime(u64 stime, u64 rtime, u64 total)
 {
-	u64 temp = (__force u64) rtime;
-
-	temp *= (__force u64) stime;
+	u64 rem, res, scaled;
 
-	if (sizeof(cputime_t) == 4)
-		temp = div_u64(temp, (__force u32) total);
-	else
-		temp = div64_u64(temp, (__force u64) total);
+	if (rtime >= total) {
+		/*
+		 * Scale up to rtime / total then add
+		 * the remainder scaled to stime / total.
+		 */
+		res = div64_u64_rem(rtime, total, &rem);
+		scaled = stime * res;
+		scaled += div64_u64(stime * rem, total);
+	} else {
+		/*
+		 * Same in reverse: scale down to total / rtime
+		 * then substract that result scaled to
+		 * to the remaining part.
+		 */
+		res = div64_u64_rem(total, rtime, &rem);
+		scaled = div64_u64(stime, res);
+		scaled -= div64_u64(scaled * rem, total);
+	}
 
-	return (__force cputime_t) temp;
+	return (__force cputime_t) scaled;
 }
 
 /*
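Review bot: the rewritten scale_stime() still multiplies unchecked u64 values in both branches (stime * res and stime * rem when rtime >= total, scaled * rem otherwise), so the product can still wrap whenever the quotient or remainder is large. The header comment says "reduced chances"; it should state the input range for which the result is guaranteed not to wrap, so callers and later readers know what is and is not covered. Minor: "substract" and the doubled "to" in the second block comment.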
@@ -560,10 +578,14 @@ static void cputime_adjust(struct task_c
 	 */
 	rtime = nsecs_to_cputime(curr->sum_exec_runtime);
 
-	if (total)
-		stime = scale_stime(stime, rtime, total);
-	else
+	if (!rtime) {
+		stime = 0;
+	} else if (!total) {
 		stime = rtime;
+	} else {
+		stime = scale_stime((__force u64)stime,
+				    (__force u64)rtime, (__force u64)total);
+	}
 
 	/*
 	 * If the tick based count grows faster than the scheduler one,
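Review bot: the new !rtime branch in cputime_adjust() is what keeps scale_stime() from dividing by zero in its rtime < total path (div64_u64_rem(total, rtime, &rem)), and the !total branch does the same for the other path, but neither dependency is written down. Add a short comment here, or a note on scale_stime() that both rtime and total must be non-zero, so the guards are not dropped in a later cleanup.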
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 020/102] sched: Avoid cputime scaling overflow
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2013-05-17 21:35 ` [ 019/102] sched: Lower chances of cputime scaling overflow Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 021/102] sched: Do not account bogus utime Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka,
	Frederic Weisbecker, Dave Hansen, Peter Zijlstra, Ingo Molnar,
	rostedt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 55eaa7c1f511af5fb6ef808b5328804f4d4e5243 upstream.
Here is a patch which adds Linus's cputime scaling algorithm to the
kernel.
This is a follow up (well, fix) to commit
d9a3c9823a2e6a543eb7807fb3d15d8233817ec5 ("sched: Lower chances
of cputime scaling overflow"), which tried to avoid
multiplication overflow, but did not guarantee that the overflow
would not happen.
Linus created a different algorithm, which completely avoids the
multiplication overflow by dropping precision when numbers are
big.
It was tested by me and it gives good relative error of
scaled numbers. Testing method is described here:
http://marc.info/?l=linux-kernel&m=136733059505406&w=2
Originally-From: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: rostedt@goodmis.org
Cc: Dave Hansen <dave@sr71.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20130430151441.GC10465@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/cputime.c |   57 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 22 deletions(-)
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -522,34 +522,47 @@ EXPORT_SYMBOL_GPL(vtime_account_irq_ente
 #else /* !CONFIG_VIRT_CPU_ACCOUNTING */
 
 /*
- * Perform (stime * rtime) / total with reduced chances
- * of multiplication overflows by using smaller factors
- * like quotient and remainders of divisions between
- * rtime and total.
+ * Perform (stime * rtime) / total, but avoid multiplication overflow by
+ * loosing precision when the numbers are big.
  */
 static cputime_t scale_stime(u64 stime, u64 rtime, u64 total)
 {
-	u64 rem, res, scaled;
+	u64 scaled;
 
-	if (rtime >= total) {
-		/*
-		 * Scale up to rtime / total then add
-		 * the remainder scaled to stime / total.
-		 */
-		res = div64_u64_rem(rtime, total, &rem);
-		scaled = stime * res;
-		scaled += div64_u64(stime * rem, total);
-	} else {
-		/*
-		 * Same in reverse: scale down to total / rtime
-		 * then substract that result scaled to
-		 * to the remaining part.
-		 */
-		res = div64_u64_rem(total, rtime, &rem);
-		scaled = div64_u64(stime, res);
-		scaled -= div64_u64(scaled * rem, total);
+	for (;;) {
+		/* Make sure "rtime" is the bigger of stime/rtime */
+		if (stime > rtime) {
+			u64 tmp = rtime; rtime = stime; stime = tmp;
+		}
+
+		/* Make sure 'total' fits in 32 bits */
+		if (total >> 32)
+			goto drop_precision;
+
+		/* Does rtime (and thus stime) fit in 32 bits? */
+		if (!(rtime >> 32))
+			break;
+
+		/* Can we just balance rtime/stime rather than dropping bits? */
+		if (stime >> 31)
+			goto drop_precision;
+
+		/* We can grow stime and shrink rtime and try to make them both fit */
+		stime <<= 1;
+		rtime >>= 1;
+		continue;
+
+drop_precision:
+		/* We drop from rtime, it has more bits than stime */
+		rtime >>= 1;
+		total >>= 1;
 	}
 
+	/*
+	 * Make sure gcc understands that this is a 32x32->64 multiply,
+	 * followed by a 64/32->64 divide.
+	 */
+	scaled = div_u64((u64) (u32) stime * (u64) (u32) rtime, (u32)total);
 	return (__force cputime_t) scaled;
 }
 
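Review bot: the drop_precision path halves total with no lower bound. It is reached not only when total has more than 32 bits but also from the stime >> 31 test, where total already fits in 32 bits, so a large enough ratio of rtime to total shifts total down to 0 and the final div_u64() divides by zero. Either document the relationship between rtime and total that callers guarantee, or leave the loop before total reaches 0. Minor: "loosing" in the header comment should be "losing".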
^ permalink raw reply	[flat|nested] 113+ messages in thread
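The overflow that patches 019 and 020 deal with, as an added user-space example (not kernel code and not part of the posted series). `scale_drop_precision()` is a port of the loop in the 020 hunk above; `scale_naive()`, `scale_exact()`, `abs_diff()` and the sample values are constructed for this example, and `unsigned __int128` is assumed to be available (GCC/Clang on a 64-bit target).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix form: the 64-bit product wraps modulo 2^64 before the divide. */
static uint64_t scale_naive(uint64_t stime, uint64_t rtime, uint64_t total)
{
	return (stime * rtime) / total;
}

/* Reference value computed with a 128-bit intermediate product. */
static uint64_t scale_exact(uint64_t stime, uint64_t rtime, uint64_t total)
{
	return (uint64_t)(((unsigned __int128)stime * rtime) / total);
}

/*
 * Port of the loop from the 020 hunk: shrink the operands until the
 * multiply is 32x32->64 and the divisor fits in 32 bits.  Like the
 * kernel function it expects non-zero inputs of comparable magnitude.
 */
static uint64_t scale_drop_precision(uint64_t stime, uint64_t rtime,
				     uint64_t total)
{
	for (;;) {
		/* Keep the larger factor in rtime; the product is symmetric. */
		if (stime > rtime) {
			uint64_t tmp = rtime; rtime = stime; stime = tmp;
		}
		/* The divisor must fit in 32 bits. */
		if (total >> 32)
			goto drop_precision;
		/* Both factors fit in 32 bits: the product cannot wrap. */
		if (!(rtime >> 32))
			break;
		/* No headroom left in stime to rebalance: drop bits instead. */
		if (stime >> 31)
			goto drop_precision;
		/* Move one bit from rtime to stime; product is (nearly) kept. */
		stime <<= 1;
		rtime >>= 1;
		continue;
drop_precision:
		/* Halve numerator and denominator together. */
		rtime >>= 1;
		total >>= 1;
	}
	return ((uint64_t)(uint32_t)stime * (uint64_t)(uint32_t)rtime)
		/ (uint32_t)total;
}

static uint64_t abs_diff(uint64_t a, uint64_t b)
{
	return a > b ? a - b : b - a;
}

int main(void)
{
	/* Constructed samples: { stime, rtime, total } in cputime units. */
	static const uint64_t samples[][3] = {
		{ 4000000000ULL, 6100000000ULL, 6000000000ULL },
		{ 123456789012ULL, 987654321098ULL, 1000000000000ULL },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t s = samples[i][0], r = samples[i][1], t = samples[i][2];
		uint64_t exact = scale_exact(s, r, t);
		uint64_t drop = scale_drop_precision(s, r, t);

		printf("exact=%" PRIu64 " naive=%" PRIu64 " drop=%" PRIu64
		       " abs_err=%" PRIu64 "\n",
		       exact, scale_naive(s, r, t), drop, abs_diff(exact, drop));
	}
	return 0;
}
```

In the first sample the naive product exceeds 2^64 and the scaled stime collapses to a fraction of the true value, which is the kind of frozen or bogus cputime the commit messages describe; the precision-dropping loop stays within a tiny relative error of the 128-bit reference.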
* [ 021/102] sched: Do not account bogus utime
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2013-05-17 21:35 ` [ 020/102] sched: Avoid " Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 022/102] Revert "math64: New div64_u64_rem helper" Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka,
	Frederic Weisbecker, Linus Torvalds, Dave Hansen, Peter Zijlstra,
	Ingo Molnar, rostedt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 772c808a252594692972773f6ee41c289b8e0b2a upstream.
Due to rounding in scale_stime(), for big numbers, scaled stime
values will grow in chunks. Since rtime grows in jiffies and we
calculate utime like below:
	prev->stime = max(prev->stime, stime);
	prev->utime = max(prev->utime, rtime - prev->stime);
we could erroneously account stime values as utime. To prevent
that, only update prev->{u,s}time values when they are smaller
than current rtime.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: rostedt@goodmis.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dave Hansen <dave@sr71.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1367314507-9728-2-git-send-email-sgruszka@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/cputime.c |    9 +++++++++
 1 file changed, 9 insertions(+)
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -591,6 +591,14 @@ static void cputime_adjust(struct task_c
 	 */
 	rtime = nsecs_to_cputime(curr->sum_exec_runtime);
 
+	/*
+	 * Update userspace visible utime/stime values only if actual execution
+	 * time is bigger than already exported. Note that can happen, that we
+	 * provided bigger values due to scaling inaccuracy on big numbers.
+	 */
+	if (prev->stime + prev->utime >= rtime)
+		goto out;
+
 	if (!rtime) {
 		stime = 0;
 	} else if (!total) {
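Review bot: the early exit on prev->stime + prev->utime >= rtime makes the !rtime branch just below it unreachable, assuming cputime_t is unsigned: when rtime is 0 the sum is always >= rtime and control jumps to out. Drop the dead branch in the same patch or note that it is now redundant. The new comment's second sentence ("Note that can happen, that we provided bigger values") would also read better as "Note that we may already have exported bigger values because of scaling inaccuracy on big numbers."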
@@ -608,6 +616,7 @@ static void cputime_adjust(struct task_c
 	prev->stime = max(prev->stime, stime);
 	prev->utime = max(prev->utime, rtime - prev->stime);
 
+out:
 	*ut = prev->utime;
 	*st = prev->stime;
 }
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 022/102] Revert "math64: New div64_u64_rem helper"
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2013-05-17 21:35 ` [ 021/102] sched: Do not account bogus utime Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 023/102] sched: Avoid prev->stime underflow Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka,
	Frederic Weisbecker, Linus Torvalds, Dave Hansen, Peter Zijlstra,
	Ingo Molnar, rostedt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit f3002134158092178be81339ec5a22ff80e6c308 upstream.
This reverts commit f792685006274a850e6cc0ea9ade275ccdfc90bc.
The cputime scaling code was changed/fixed and does not need the
div64_u64_rem() primitive anymore. It has no other users, so let's
remove them.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: rostedt@goodmis.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dave Hansen <dave@sr71.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1367314507-9728-4-git-send-email-sgruszka@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/math64.h |   19 +------------------
 lib/div64.c            |   19 ++++++-------------
 2 files changed, 7 insertions(+), 31 deletions(-)
--- a/include/linux/math64.h
+++ b/include/linux/math64.h
@@ -30,15 +30,6 @@ static inline s64 div_s64_rem(s64 divide
 }
 
 /**
- * div64_u64_rem - unsigned 64bit divide with 64bit divisor
- */
-static inline u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
-{
-	*remainder = dividend % divisor;
-	return dividend / divisor;
-}
-
-/**
  * div64_u64 - unsigned 64bit divide with 64bit divisor
  */
 static inline u64 div64_u64(u64 dividend, u64 divisor)
@@ -70,16 +61,8 @@ static inline u64 div_u64_rem(u64 divide
 extern s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder);
 #endif
 
-#ifndef div64_u64_rem
-extern u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder);
-#endif
-
 #ifndef div64_u64
-static inline u64 div64_u64(u64 dividend, u64 divisor)
-{
-	u64 remainder;
-	return div64_u64_rem(dividend, divisor, &remainder);
-}
+extern u64 div64_u64(u64 dividend, u64 divisor);
 #endif
 
 #ifndef div64_s64
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -79,10 +79,9 @@ EXPORT_SYMBOL(div_s64_rem);
 #endif
 
 /**
- * div64_u64_rem - unsigned 64bit divide with 64bit divisor and 64bit remainder
+ * div64_u64 - unsigned 64bit divide with 64bit divisor
  * @dividend:	64bit dividend
  * @divisor:	64bit divisor
- * @remainder:  64bit remainder
  *
  * This implementation is a modified version of the algorithm proposed
  * by the book 'Hacker's Delight'.  The original source and full proof
@@ -90,33 +89,27 @@ EXPORT_SYMBOL(div_s64_rem);
  *
  * 'http://www.hackersdelight.org/HDcode/newCode/divDouble.c.txt'
  */
-#ifndef div64_u64_rem
-u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
+#ifndef div64_u64
+u64 div64_u64(u64 dividend, u64 divisor)
 {
 	u32 high = divisor >> 32;
 	u64 quot;
 
 	if (high == 0) {
-		u32 rem32;
-		quot = div_u64_rem(dividend, divisor, &rem32);
-		*remainder = rem32;
+		quot = div_u64(dividend, divisor);
 	} else {
 		int n = 1 + fls(high);
 		quot = div_u64(dividend >> n, divisor >> n);
 
 		if (quot != 0)
 			quot--;
-
-		*remainder = dividend - quot * divisor;
-		if (*remainder >= divisor) {
+		if ((dividend - quot * divisor) >= divisor)
 			quot++;
-			*remainder -= divisor;
-		}
 	}
 
 	return quot;
 }
-EXPORT_SYMBOL(div64_u64_rem);
+EXPORT_SYMBOL(div64_u64);
 #endif
 
 /**
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 023/102] sched: Avoid prev->stime underflow
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2013-05-17 21:35 ` [ 022/102] Revert "math64: New div64_u64_rem helper" Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 024/102] nfsd4: dont allow owner override on 4.1 CLAIM_FH opens Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka,
	Frederic Weisbecker, Linus Torvalds, Dave Hansen, Peter Zijlstra,
	Ingo Molnar, rostedt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 68aa8efcd1ab961e4684ef5af32f72a6ec1911de upstream.
Dave Hansen reported strange utime/stime values on his system:
https://lkml.org/lkml/2013/4/4/435
This happens because prev->stime value is bigger than rtime
value. Root of the problem are non-monotonic rtime values (i.e.
current rtime is smaller than previous rtime) and that should be
debugged and fixed.
But since the problem did not manifest itself before commit
62188451f0d63add7ad0cd2a1ae269d600c1663d "cputime: Avoid
multiplication overflow on utime scaling", it should be treated
as a regression, which we can easily fix in the cputime_adjust()
function.
For now, let's apply this fix, but further work is needed to fix
root of the problem.
Reported-and-tested-by: Dave Hansen <dave@sr71.net>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: rostedt@goodmis.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dave Hansen <dave@sr71.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1367314507-9728-3-git-send-email-sgruszka@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/cputime.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -574,7 +574,7 @@ static void cputime_adjust(struct task_c
 			   struct cputime *prev,
 			   cputime_t *ut, cputime_t *st)
 {
-	cputime_t rtime, stime, total;
+	cputime_t rtime, stime, utime, total;
 
 	stime = curr->stime;
 	total = stime + curr->utime;
@@ -599,13 +599,13 @@ static void cputime_adjust(struct task_c
 	if (prev->stime + prev->utime >= rtime)
 		goto out;
 
-	if (!rtime) {
-		stime = 0;
-	} else if (!total) {
-		stime = rtime;
-	} else {
+	if (total) {
 		stime = scale_stime((__force u64)stime,
 				    (__force u64)rtime, (__force u64)total);
+		utime = rtime - stime;
+	} else {
+		stime = rtime;
+		utime = 0;
 	}
 
 	/*
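Review bot: utime = rtime - stime in the total != 0 branch assumes scale_stime() never returns more than rtime. That holds for the exact quotient when stime <= total, but scale_stime() now rounds its operands, and an unsigned subtraction would wrap to a huge utime if the scaled value ever came out above rtime. Clamp stime to rtime before the subtraction, or add a comment stating why the scaled value cannot exceed rtime.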
@@ -614,7 +614,7 @@ static void cputime_adjust(struct task_c
 	 * Let's enforce monotonicity.
 	 */
 	prev->stime = max(prev->stime, stime);
-	prev->utime = max(prev->utime, rtime - prev->stime);
+	prev->utime = max(prev->utime, utime);
 
 out:
 	*ut = prev->utime;
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 024/102] nfsd4: dont allow owner override on 4.1 CLAIM_FH opens
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2013-05-17 21:35 ` [ 023/102] sched: Avoid prev->stime underflow Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 025/102] nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bryan Schumaker, J. Bruce Fields
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: "J. Bruce Fields" <bfields@redhat.com>
commit 9f415eb25574db4b73a9a712a4438e41dc284922 upstream.
The Linux client is using CLAIM_FH to implement regular opens, not just
recovery cases, so it depends on the server to check permissions
correctly.
Therefore the owner override, which may make sense in the delegation
recovery case, isn't right in the CLAIM_FH case.
Symptoms: on a client with 49f9a0fafd844c32f2abada047c0b9a5ba0d6255
"NFSv4.1: Enable open-by-filehandle", Bryan noticed this:
	touch test.txt
	chmod 000 test.txt
	echo test > test.txt
succeeding.
Reported-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/nfs4proc.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -271,6 +271,7 @@ static __be32
 do_open_fhandle(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_open *open)
 {
 	__be32 status;
+	int accmode = 0;
 
 	/* We don't know the target directory, and therefore can not
 	* set the change info
@@ -284,9 +285,19 @@ do_open_fhandle(struct svc_rqst *rqstp,
 
 	open->op_truncate = (open->op_iattr.ia_valid & ATTR_SIZE) &&
 		(open->op_iattr.ia_size == 0);
+	/*
+	 * In the delegation case, the client is telling us about an
+	 * open that it *already* performed locally, some time ago.  We
+	 * should let it succeed now if possible.
+	 *
+	 * In the case of a CLAIM_FH open, on the other hand, the client
+	 * may be counting on us to enforce permissions (the Linux 4.1
+	 * client uses this for normal opens, for example).
+	 */
+	if (open->op_claim_type == NFS4_OPEN_CLAIM_DELEG_CUR_FH)
+		accmode = NFSD_MAY_OWNER_OVERRIDE;
 
-	status = do_open_permission(rqstp, current_fh, open,
-				    NFSD_MAY_OWNER_OVERRIDE);
+	status = do_open_permission(rqstp, current_fh, open, accmode);
 
 	return status;
 }
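Review bot: the new comment in do_open_fhandle() explains why the two claim types differ but not what NFSD_MAY_OWNER_OVERRIDE actually bypasses; say that it lets the owner open the file regardless of the mode bits, which is the behaviour the chmod 000 reproducer in the commit message shows. It is also worth stating that accmode = 0 is the intended default, so any claim type other than NFS4_OPEN_CLAIM_DELEG_CUR_FH that reaches this function gets the full permission check.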
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 025/102] nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2013-05-17 21:35 ` [ 024/102] nfsd4: dont allow owner override on 4.1 CLAIM_FH opens Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 026/102] hp_accel: Ignore the error from lis3lv02d_poweron() at resume Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislav Kinsbursky, Jeff Layton,
	J. Bruce Fields
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@redhat.com>
commit 7255e716b1757dc10fa5e3a4d2eaab303ff9f7b6 upstream.
Toralf reported the following oops to the linux-nfs mailing list:
    -----------------[snip]------------------
    NFSD: unable to generate recoverydir name (-2).
    NFSD: disabling legacy clientid tracking. Reboot recovery will not function correctly!
    BUG: unable to handle kernel NULL pointer dereference at 000003c8
    IP: [<f90a3d91>] nfsd4_client_tracking_exit+0x11/0x50 [nfsd]
    *pdpt = 000000002ba33001 *pde = 0000000000000000
    Oops: 0000 [#1] SMP
    Modules linked in: loop nfsd auth_rpcgss ipt_MASQUERADE xt_owner xt_multiport ipt_REJECT xt_tcpudp xt_recent xt_conntrack nf_conntrack_ftp xt_limit xt_LOG iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables af_packet pppoe pppox ppp_generic slhc bridge stp llc tun arc4 iwldvm mac80211 coretemp kvm_intel uvcvideo sdhci_pci sdhci mmc_core videobuf2_vmalloc videobuf2_memops usblp videobuf2_core i915 iwlwifi psmouse videodev cfg80211 kvm fbcon bitblit cfbfillrect acpi_cpufreq mperf evdev softcursor font cfbimgblt i2c_algo_bit cfbcopyarea intel_agp intel_gtt drm_kms_helper snd_hda_codec_conexant drm agpgart fb fbdev tpm_tis thinkpad_acpi tpm nvram e1000e rfkill thermal ptp wmi pps_core tpm_bios 8250_pci processor 8250 ac snd_hda_intel snd_hda_codec snd_pcm battery video i2c_i801 snd_page_alloc snd_timer button serial_core i2c_core snd soundcore thermal_sys hwmon aesni_intel ablk_helper cryp
td lrw aes_i586 xts gf128mul cbc fuse nfs lockd sunrpc dm_crypt dm_mod hid_monterey hid_microsoft hid_logitech hid_ezkey hid_cypress hid_chicony hid_cherry hid_belkin hid_apple hid_a4tech hid_generic usbhid hid sr_mod cdrom sg [last unloaded: microcode]
    Pid: 6374, comm: nfsd Not tainted 3.9.1 #6 LENOVO 4180F65/4180F65
    EIP: 0060:[<f90a3d91>] EFLAGS: 00010202 CPU: 0
    EIP is at nfsd4_client_tracking_exit+0x11/0x50 [nfsd]
    EAX: 00000000 EBX: fffffffe ECX: 00000007 EDX: 00000007
    ESI: eb9dcb00 EDI: eb2991c0 EBP: eb2bde38 ESP: eb2bde34
    DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    CR0: 80050033 CR2: 000003c8 CR3: 2ba80000 CR4: 000407f0
    DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    DR6: ffff0ff0 DR7: 00000400
    Process nfsd (pid: 6374, ti=eb2bc000 task=eb2711c0 task.ti=eb2bc000)
    Stack:
    fffffffe eb2bde4c f90a3e0c f90a7754 fffffffe eb0a9c00 eb2bdea0 f90a41ed
    eb2991c0 1b270000 eb2991c0 eb2bde7c f9099ce9 eb2bde98 0129a020 eb29a020
    eb2bdecc eb2991c0 eb2bdea8 f9099da5 00000000 eb9dcb00 00000001 67822f08
    Call Trace:
    [<f90a3e0c>] legacy_recdir_name_error+0x3c/0x40 [nfsd]
    [<f90a41ed>] nfsd4_create_clid_dir+0x15d/0x1c0 [nfsd]
    [<f9099ce9>] ? nfsd4_lookup_stateid+0x99/0xd0 [nfsd]
    [<f9099da5>] ? nfs4_preprocess_seqid_op+0x85/0x100 [nfsd]
    [<f90a4287>] nfsd4_client_record_create+0x37/0x50 [nfsd]
    [<f909d6ce>] nfsd4_open_confirm+0xfe/0x130 [nfsd]
    [<f90980b1>] ? nfsd4_encode_operation+0x61/0x90 [nfsd]
    [<f909d5d0>] ? nfsd4_free_stateid+0xc0/0xc0 [nfsd]
    [<f908fd0b>] nfsd4_proc_compound+0x41b/0x530 [nfsd]
    [<f9081b7b>] nfsd_dispatch+0x8b/0x1a0 [nfsd]
    [<f857b85d>] svc_process+0x3dd/0x640 [sunrpc]
    [<f908165d>] nfsd+0xad/0x110 [nfsd]
    [<f90815b0>] ? nfsd_destroy+0x70/0x70 [nfsd]
    [<c1054824>] kthread+0x94/0xa0
    [<c1486937>] ret_from_kernel_thread+0x1b/0x28
    [<c1054790>] ? flush_kthread_work+0xd0/0xd0
    Code: 86 b0 00 00 00 90 c5 0a f9 c7 04 24 70 76 0a f9 e8 74 a9 3d c8 eb ba 8d 76 00 55 89 e5 53 66 66 66 66 90 8b 15 68 c7 0a f9 85 d2 <8b> 88 c8 03 00 00 74 2c 3b 11 77 28 8b 5c 91 08 85 db 74 22 8b
    EIP: [<f90a3d91>] nfsd4_client_tracking_exit+0x11/0x50 [nfsd] SS:ESP 0068:eb2bde34
    CR2: 00000000000003c8
    ---[ end trace 09e54015d145c9c6 ]---
The problem appears to be a regression that was introduced in commit
9a9c6478 "nfsd: make NFSv4 recovery client tracking options per net".
Prior to that commit, it was safe to pass a NULL net pointer to
nfsd4_client_tracking_exit in the legacy recdir case, and
legacy_recdir_name_error did so. After that commit, the net pointer must
be valid.
This patch just fixes legacy_recdir_name_error to pass in a valid net
pointer to that function.
Reported-and-tested-by: Toralf Förster <toralf.foerster@gmx.de>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfsd/nfs4recover.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -146,7 +146,7 @@ out_no_tfm:
  * then disable recovery tracking.
  */
 static void
-legacy_recdir_name_error(int error)
+legacy_recdir_name_error(struct nfs4_client *clp, int error)
 {
 	printk(KERN_ERR "NFSD: unable to generate recoverydir "
 			"name (%d).\n", error);
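Review bot: the new clp parameter of legacy_recdir_name_error() is dereferenced in the -ENOENT branch (clp->net), but the function's header comment does not say that clp and clp->net must be valid. The three callers changed in this patch all use &clp->cl_name before the call, so clp is non-NULL there; state the requirement in the comment anyway, since the removed "the argument is ignored" comment is the kind of unstated assumption that led to this oops.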
@@ -159,9 +159,7 @@ legacy_recdir_name_error(int error)
 	if (error == -ENOENT) {
 		printk(KERN_ERR "NFSD: disabling legacy clientid tracking. "
 			"Reboot recovery will not function correctly!\n");
-
-		/* the argument is ignored by the legacy exit function */
-		nfsd4_client_tracking_exit(NULL);
+		nfsd4_client_tracking_exit(clp->net);
 	}
 }
 
@@ -184,7 +182,7 @@ nfsd4_create_clid_dir(struct nfs4_client
 
 	status = nfs4_make_rec_clidname(dname, &clp->cl_name);
 	if (status)
-		return legacy_recdir_name_error(status);
+		return legacy_recdir_name_error(clp, status);
 
 	status = nfs4_save_creds(&original_cred);
 	if (status < 0)
@@ -341,7 +339,7 @@ nfsd4_remove_clid_dir(struct nfs4_client
 
 	status = nfs4_make_rec_clidname(dname, &clp->cl_name);
 	if (status)
-		return legacy_recdir_name_error(status);
+		return legacy_recdir_name_error(clp, status);
 
 	status = mnt_want_write_file(nn->rec_file);
 	if (status)
@@ -601,7 +599,7 @@ nfsd4_check_legacy_client(struct nfs4_cl
 
 	status = nfs4_make_rec_clidname(dname, &clp->cl_name);
 	if (status) {
-		legacy_recdir_name_error(status);
+		legacy_recdir_name_error(clp, status);
 		return status;
 	}
 
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 026/102] hp_accel: Ignore the error from lis3lv02d_poweron() at resume
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2013-05-17 21:35 ` [ 025/102] nfsd: fix oops when legacy_recdir_name_error is passed a -ENOENT error Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...) Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Shuah Khan,
	Matthew Garrett
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Shuah Khan <shuah.khan@hp.com>
commit 7783819920ca52fc582a2782f654fe6ed373f465 upstream.
The error in lis3lv02d_poweron() is harmless in the resume path, so
we should ignore it. It is in line with the other usages of lis3lv02d_poweron()
and matches the 3.0 code for this routine. This patch is in suse git and
might have missed making it into the mainline.
opensuse - commit id: 66ccdac87c322cf7af12bddba8c805af640b1cff
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Shuah Khan <shuah.khan@hp.com>
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/hp_accel.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/platform/x86/hp_accel.c
+++ b/drivers/platform/x86/hp_accel.c
@@ -362,7 +362,8 @@ static int lis3lv02d_suspend(struct devi
 
 static int lis3lv02d_resume(struct device *dev)
 {
-	return lis3lv02d_poweron(&lis3_dev);
+	lis3lv02d_poweron(&lis3_dev);
+	return 0;
 }
 
 static SIMPLE_DEV_PM_OPS(hp_accel_pm, lis3lv02d_suspend, lis3lv02d_resume);
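Review bot: lis3lv02d_resume() now discards the return value of lis3lv02d_poweron() without a comment, so a reader cannot tell a deliberate choice from an oversight. Add a one-line comment giving the reason from the commit message (the error is harmless in the resume path), and consider logging the failure at debug level so it remains visible when diagnosing a device that does not come back after resume.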
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2013-05-17 21:35 ` [ 026/102] hp_accel: Ignore the error from lis3lv02d_poweron() at resume Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 22:49   ` Al Viro
  2013-05-17 21:35 ` [ 028/102] shm: fix null pointer deref when userspace specifies invalid hugepage size Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  102 siblings, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander van Heukelum, Al Viro
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Alexander van Heukelum <heukelum@fastmail.fm>
commit 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada upstream.
Commit 49cb25e9290 x86: 'get rid of pt_regs argument in vm86/vm86old'
got rid of the pt_regs stub for sys_vm86old and sys_vm86. The functions
were, however, not changed to use the calling convention for syscalls.
[AV: killed asmlinkage_protect() - it's done automatically now]
Reported-and-tested-by: Hans de Bruin <jmdebruin@xmsnet.nl>
Signed-off-by: Alexander van Heukelum <heukelum@fastmail.fm>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/syscalls.h |    4 ++--
 arch/x86/kernel/vm86_32.c       |   38 ++++++++++++++------------------------
 2 files changed, 16 insertions(+), 26 deletions(-)
--- a/arch/x86/include/asm/syscalls.h
+++ b/arch/x86/include/asm/syscalls.h
@@ -37,8 +37,8 @@ asmlinkage int sys_get_thread_area(struc
 unsigned long sys_sigreturn(void);
 
 /* kernel/vm86_32.c */
-int sys_vm86old(struct vm86_struct __user *);
-int sys_vm86(unsigned long, unsigned long);
+asmlinkage long sys_vm86old(struct vm86_struct __user *);
+asmlinkage long sys_vm86(unsigned long, unsigned long);
 
 #else /* CONFIG_X86_32 */
 
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -33,6 +33,7 @@
 #include <linux/capability.h>
 #include <linux/errno.h>
 #include <linux/interrupt.h>
+#include <linux/syscalls.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
 #include <linux/signal.h>
@@ -48,7 +49,6 @@
 #include <asm/io.h>
 #include <asm/tlbflush.h>
 #include <asm/irq.h>
-#include <asm/syscalls.h>
 
 /*
  * Known problems:
@@ -202,36 +202,32 @@ out:
 static int do_vm86_irq_handling(int subfunction, int irqnumber);
 static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk);
 
-int sys_vm86old(struct vm86_struct __user *v86)
+SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
 {
 	struct kernel_vm86_struct info; /* declare this _on top_,
 					 * this avoids wasting of stack space.
 					 * This remains on the stack until we
 					 * return to 32 bit user space.
 					 */
-	struct task_struct *tsk;
-	int tmp, ret = -EPERM;
+	struct task_struct *tsk = current;
+	int tmp;
 
-	tsk = current;
 	if (tsk->thread.saved_sp0)
-		goto out;
+		return -EPERM;
 	tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
 				       offsetof(struct kernel_vm86_struct, vm86plus) -
 				       sizeof(info.regs));
-	ret = -EFAULT;
 	if (tmp)
-		goto out;
+		return -EFAULT;
 	memset(&info.vm86plus, 0, (int)&info.regs32 - (int)&info.vm86plus);
 	info.regs32 = current_pt_regs();
 	tsk->thread.vm86_info = v86;
 	do_sys_vm86(&info, tsk);
-	ret = 0;	/* we never return here */
-out:
-	return ret;
+	return 0;	/* we never return here */
 }
 
 
-int sys_vm86(unsigned long cmd, unsigned long arg)
+SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
 {
 	struct kernel_vm86_struct info; /* declare this _on top_,
 					 * this avoids wasting of stack space.
@@ -239,7 +235,7 @@ int sys_vm86(unsigned long cmd, unsigned
 					 * return to 32 bit user space.
 					 */
 	struct task_struct *tsk;
-	int tmp, ret;
+	int tmp;
 	struct vm86plus_struct __user *v86;
 
 	tsk = current;
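Review bot: `tsk` in sys_vm86 is still declared bare and then set by the separate `tsk = current;` at the end of this hunk, while the vm86old conversion in the previous hunk folds both into `struct task_struct *tsk = current;`. Doing the same here would keep the two entry points consistent, since the rest of the patch already touches this declaration block.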
@@ -248,8 +244,7 @@ int sys_vm86(unsigned long cmd, unsigned
 	case VM86_FREE_IRQ:
 	case VM86_GET_IRQ_BITS:
 	case VM86_GET_AND_RESET_IRQ:
-		ret = do_vm86_irq_handling(cmd, (int)arg);
-		goto out;
+		return do_vm86_irq_handling(cmd, (int)arg);
 	case VM86_PLUS_INSTALL_CHECK:
 		/*
 		 * NOTE: on old vm86 stuff this will return the error
@@ -257,28 +252,23 @@ int sys_vm86(unsigned long cmd, unsigned
 		 *  interpreted as (invalid) address to vm86_struct.
 		 *  So the installation check works.
 		 */
-		ret = 0;
-		goto out;
+		return 0;
 	}
 
 	/* we come here only for functions VM86_ENTER, VM86_ENTER_NO_BYPASS */
-	ret = -EPERM;
 	if (tsk->thread.saved_sp0)
-		goto out;
+		return -EPERM;
 	v86 = (struct vm86plus_struct __user *)arg;
 	tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
 				       offsetof(struct kernel_vm86_struct, regs32) -
 				       sizeof(info.regs));
-	ret = -EFAULT;
 	if (tmp)
-		goto out;
+		return -EFAULT;
 	info.regs32 = current_pt_regs();
 	info.vm86plus.is_vm86pus = 1;
 	tsk->thread.vm86_info = (struct vm86_struct __user *)v86;
 	do_sys_vm86(&info, tsk);
-	ret = 0;	/* we never return here */
-out:
-	return ret;
+	return 0;	/* we never return here */
 }
 
 
* [ 028/102] shm: fix null pointer deref when userspace specifies invalid hugepage size
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2013-05-17 21:35 ` [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...) Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 029/102] xen/vcpu/pvhvm: Fix vcpu hotplugging hanging Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jones, Li Zefan, Naoya Horiguchi,
	Rik van Riel, Linus Torvalds
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Li Zefan <lizefan@huawei.com>
commit 091d0d55b286c9340201b4ed4470be87fc568228 upstream.
Dave reported an oops triggered by trinity:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: newseg+0x10d/0x390
  PGD cf8c1067 PUD cf8c2067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
  CPU: 2 PID: 7636 Comm: trinity-child2 Not tainted 3.9.0+#67
  ...
  Call Trace:
    ipcget+0x182/0x380
    SyS_shmget+0x5a/0x60
    tracesys+0xdd/0xe2
This bug was introduced by commit af73e4d9506d ("hugetlbfs: fix mmap
failure in unaligned size request").
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Li Zefan <lizfan@huawei.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/shm.c |    8 +++++++-
 mm/mmap.c |    8 ++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -493,7 +493,13 @@ static int newseg(struct ipc_namespace *
 	if (shmflg & SHM_HUGETLB) {
 		struct hstate *hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT)
 						& SHM_HUGE_MASK);
-		size_t hugesize = ALIGN(size, huge_page_size(hs));
+		size_t hugesize;
+
+		if (!hs) {
+			error = -EINVAL;
+			goto no_file;
+		}
+		hugesize = ALIGN(size, huge_page_size(hs));
 
 		/* hugetlb_file_setup applies strict accounting */
 		if (shmflg & SHM_NORESERVE)
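Review bot: the new `if (!hs)` check has no comment saying when hstate_sizelog() can return NULL, so it reads like a defensive check rather than validation of user input. A one-line comment that the size is decoded from the SHM_HUGE_SHIFT bits of the caller's shmflg, and that an unsupported value yields no hstate, would make it clear why -EINVAL is the right error and why the ALIGN() had to move below the check.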
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1331,9 +1331,13 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned lon
 			len = ALIGN(len, huge_page_size(hstate_file(file)));
 	} else if (flags & MAP_HUGETLB) {
 		struct user_struct *user = NULL;
+		struct hstate *hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) &
+						   SHM_HUGE_MASK);
 
-		len = ALIGN(len, huge_page_size(hstate_sizelog(
-			(flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK)));
+		if (!hs)
+			return -EINVAL;
+
+		len = ALIGN(len, huge_page_size(hs));
 		/*
 		 * VM_NORESERVE is used because the reservations will be
 		 * taken when vm_ops->mmap() is called
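Review bot: the added hstate_sizelog() call masks with SHM_HUGE_MASK, while the two lines it replaces used MAP_HUGE_MASK together with the same MAP_HUGE_SHIFT. Even if the two masks happen to have the same value, mixing the shm and mmap constants in one expression looks like a copy from the ipc/shm.c hunk; use MAP_HUGE_MASK here so the shift and mask stay a matched pair.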
* [ 029/102] xen/vcpu/pvhvm: Fix vcpu hotplugging hanging.
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2013-05-17 21:35 ` [ 028/102] shm: fix null pointer deref when userspace specifies invalid hugepage size Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 030/102] SCSI: sd: fix array cache flushing bug causing performance problems Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefano Stabellini,
	Konrad Rzeszutek Wilk
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
commit 7f1fc268c47491fd5e63548f6415fc8604e13003 upstream.
If a user did:
	echo 0 > /sys/devices/system/cpu/cpu1/online
	echo 1 > /sys/devices/system/cpu/cpu1/online
we would (this is a build with DEBUG enabled) get to:
smpboot: ++++++++++++++++++++=_---CPU UP  1
.. snip..
smpboot: Stack at about ffff880074c0ff44
smpboot: CPU1: has booted.
and hang. The RCU mechanism would kick in and try to IPI the CPU1
but the IPIs (and all other interrupts) would never arrive at the
CPU1. At first glance at least. A bit of digging in the hypervisor
trace shows that (using xenanalyze):
[vla] d4v1 vec 243 injecting
   0.043163027 --|x d4v1 intr_window vec 243 src 5(vector) intr f3
]  0.043163639 --|x d4v1 vmentry cycles 1468
]  0.043164913 --|x d4v1 vmexit exit_reason PENDING_INTERRUPT eip ffffffff81673254
   0.043164913 --|x d4v1 inj_virq vec 243  real
  [vla] d4v1 vec 243 injecting
   0.043164913 --|x d4v1 intr_window vec 243 src 5(vector) intr f3
]  0.043165526 --|x d4v1 vmentry cycles 1472
]  0.043166800 --|x d4v1 vmexit exit_reason PENDING_INTERRUPT eip ffffffff81673254
   0.043166800 --|x d4v1 inj_virq vec 243  real
  [vla] d4v1 vec 243 injecting
there is a pending event (subsequent debugging shows it is the IPI
from the VCPU0 when smpboot.c on VCPU1 has done
"set_cpu_online(smp_processor_id(), true)") and the guest VCPU1 is
interrupted with the callback IPI (0xf3 aka 243) which ends up calling
__xen_evtchn_do_upcall.
The __xen_evtchn_do_upcall seems to do *something* but not acknowledge
the pending events. And the moment the guest does a 'cli' (that is the
ffffffff81673254 in the log above) the hypervisor is invoked again to
inject the IPI (0xf3) to tell the guest it has pending interrupts.
This repeats itself forever.
The culprit was the per_cpu(xen_vcpu, cpu) pointer. At the bootup
we set each per_cpu(xen_vcpu, cpu) to point to the
shared_info->vcpu_info[vcpu] but later on use the VCPUOP_register_vcpu_info
to register per-CPU structures (xen_vcpu_setup).
This is used to allow events for more than 32 VCPUs and for performance
optimization reasons.
When the user performs the VCPU hotplug we end up calling
the xen_vcpu_setup once more. We make the hypercall which returns
-EINVAL as it does not allow multiple registration calls (and
already has re-assigned where the events are being set). We pick
the fallback case and set per_cpu(xen_vcpu, cpu) to point to the
shared_info->vcpu_info[vcpu] (which is a good fallback during bootup).
However the hypervisor is still setting events in the registered
per-cpu structure (per_cpu(xen_vcpu_info, cpu)).
As such when the events are set by the hypervisor (such as timer one),
and when we iterate in __xen_evtchn_do_upcall we end up reading stale
events from the shared_info->vcpu_info[vcpu] instead of the
per_cpu(xen_vcpu_info, cpu) structures. Hence we never acknowledge the
events that the hypervisor has set and the hypervisor keeps on reminding
us to ack the events which we never do.
The fix is simple. Don't on the second time when xen_vcpu_setup is
called over-write the per_cpu(xen_vcpu, cpu) if it points to
per_cpu(xen_vcpu_info).
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/xen/enlighten.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -156,6 +156,21 @@ static void xen_vcpu_setup(int cpu)
 
 	BUG_ON(HYPERVISOR_shared_info == &xen_dummy_shared_info);
 
+	/*
+	 * This path is called twice on PVHVM - first during bootup via
+	 * smp_init -> xen_hvm_cpu_notify, and then if the VCPU is being
+	 * hotplugged: cpu_up -> xen_hvm_cpu_notify.
+	 * As we can only do the VCPUOP_register_vcpu_info once lets
+	 * not over-write its result.
+	 *
+	 * For PV it is called during restore (xen_vcpu_restore) and bootup
+	 * (xen_setup_vcpu_info_placement). The hotplug mechanism does not
+	 * use this function.
+	 */
+	if (xen_hvm_domain()) {
+		if (per_cpu(xen_vcpu, cpu) == &per_cpu(xen_vcpu_info, cpu))
+			return;
+	}
 	if (cpu < MAX_VIRT_CPUS)
 		per_cpu(xen_vcpu,cpu) = &HYPERVISOR_shared_info->vcpu_info[cpu];
 
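Review bot: the early return is written as two nested `if` statements with braces around a single inner statement, and it runs straight into the following `if (cpu < MAX_VIRT_CPUS)` with no blank line. A single condition, `if (xen_hvm_domain() && per_cpu(xen_vcpu, cpu) == &per_cpu(xen_vcpu_info, cpu)) return;`, followed by a blank line, says the same thing and keeps the fallback assignment below visually separate from the guard that protects it.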
* [ 030/102] SCSI: sd: fix array cache flushing bug causing performance problems
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2013-05-17 21:35 ` [ 029/102] xen/vcpu/pvhvm: Fix vcpu hotplugging hanging Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 031/102] audit: Syscall rules are not applied to existing processes on non-x86 Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ric Wheeler, James Bottomley
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: James Bottomley <JBottomley@Parallels.com>
commit 39c60a0948cc06139e2fbfe084f83cb7e7deae3b upstream.
Some arrays synchronize their full non volatile cache when the sd driver sends
a SYNCHRONIZE CACHE command.  Unfortunately, they can have Terabytes of this
and we send a SYNCHRONIZE CACHE for every barrier if an array reports it has a
writeback cache.  This leads to massive slowdowns on journalled filesystems.
The fix is to allow userspace to turn off the writeback cache setting as a
temporary measure (i.e. without doing the MODE SELECT to write it back to the
device), so even though the device reported it has a writeback cache, the
user, knowing that the cache is non volatile and all they care about is
filesystem correctness, can turn that bit off in the kernel and avoid the
performance ruinous (and safety irrelevant) SYNCHRONIZE CACHE commands.
The way you do this is to add a 'temporary' prefix when performing the usual
cache setting operations, so
echo temporary write through > /sys/class/scsi_disk/<disk>/cache_type
Reported-by: Ric Wheeler <rwheeler@redhat.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/sd.c |   20 ++++++++++++++++++++
 drivers/scsi/sd.h |    1 +
 2 files changed, 21 insertions(+)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -142,6 +142,7 @@ sd_store_cache_type(struct device *dev,
 	char *buffer_data;
 	struct scsi_mode_data data;
 	struct scsi_sense_hdr sshdr;
+	const char *temp = "temporary ";
 	int len;
 
 	if (sdp->type != TYPE_DISK)
@@ -150,6 +151,13 @@ sd_store_cache_type(struct device *dev,
 		 * it's not worth the risk */
 		return -EINVAL;
 
+	if (strncmp(buf, temp, sizeof(temp) - 1) == 0) {
+		buf += sizeof(temp) - 1;
+		sdkp->cache_override = 1;
+	} else {
+		sdkp->cache_override = 0;
+	}
+
 	for (i = 0; i < ARRAY_SIZE(sd_cache_types); i++) {
 		len = strlen(sd_cache_types[i]);
 		if (strncmp(sd_cache_types[i], buf, len) == 0 &&
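Review bot: `sizeof(temp) - 1` in the strncmp() and in `buf += sizeof(temp) - 1` is the size of a pointer minus one, not the length of "temporary ", because `temp` is declared as `const char *temp` in the previous hunk. On a 64-bit build that compares and skips 7 bytes, so the prefix test matches on "tempora" and the loop that follows is handed the leftover "ry ..." text, which cannot match any sd_cache_types entry. Declare it as `static const char temp[] = "temporary ";` so sizeof yields the array size, or use strlen().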
@@ -162,6 +170,13 @@ sd_store_cache_type(struct device *dev,
 		return -EINVAL;
 	rcd = ct & 0x01 ? 1 : 0;
 	wce = ct & 0x02 ? 1 : 0;
+
+	if (sdkp->cache_override) {
+		sdkp->WCE = wce;
+		sdkp->RCD = rcd;
+		return count;
+	}
+
 	if (scsi_mode_sense(sdp, 0x08, 8, buffer, sizeof(buffer), SD_TIMEOUT,
 			    SD_MAX_RETRIES, &data, NULL))
 		return -EINVAL;
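Review bot: `sdkp->cache_override` is consumed here, but the previous hunk writes it before the cache type string has been validated, so a write that ends at the `return -EINVAL` at the top of this hunk still leaves the flag changed. A rejected write without the prefix therefore clears an override that was in effect. Parse the prefix into a local variable and assign `sdkp->cache_override` only after `ct` is known to be valid.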
@@ -2319,6 +2334,10 @@ sd_read_cache_type(struct scsi_disk *sdk
 	int old_rcd = sdkp->RCD;
 	int old_dpofua = sdkp->DPOFUA;
 
+
+	if (sdkp->cache_override)
+		return;
+
 	first_len = 4;
 	if (sdp->skip_ms_page_8) {
 		if (sdp->type == TYPE_RBC)
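Review bot: the early `return` on `sdkp->cache_override` skips the whole of sd_read_cache_type(), so DPOFUA (saved just above as `old_dpofua`) is no longer refreshed while the override is set, although the new field in sd.h is commented as overriding only WCE and RCD. Either note in the comment that DPOFUA is frozen as well, or restrict the skip to the WCE/RCD assignment. The hunk also adds a second consecutive blank line before the check; one is enough.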
@@ -2812,6 +2831,7 @@ static void sd_probe_async(void *data, a
 	sdkp->capacity = 0;
 	sdkp->media_present = 1;
 	sdkp->write_prot = 0;
+	sdkp->cache_override = 0;
 	sdkp->WCE = 0;
 	sdkp->RCD = 0;
 	sdkp->ATO = 0;
--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -73,6 +73,7 @@ struct scsi_disk {
 	u8		protection_type;/* Data Integrity Field */
 	u8		provisioning_mode;
 	unsigned	ATO : 1;	/* state of disk ATO bit */
+	unsigned	cache_override : 1; /* temp override of WCE,RCD */
 	unsigned	WCE : 1;	/* state of disk WCE bit */
 	unsigned	RCD : 1;	/* state of disk RCD bit, unused */
 	unsigned	DPOFUA : 1;	/* state of disk DPOFUA bit */
* [ 031/102] audit: Syscall rules are not applied to existing processes on non-x86
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2013-05-17 21:35 ` [ 030/102] SCSI: sd: fix array cache flushing bug causing performance problems Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 032/102] audit: vfs: fix audit_inode call in O_CREAT case of do_last Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anton Blanchard, Eric Paris
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Anton Blanchard <anton@samba.org>
commit cdee3904b4ce7c03d1013ed6dd704b43ae7fc2e9 upstream.
Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce
burden on archs) changed audit_syscall_entry to check for a dummy
context before calling __audit_syscall_entry. Unfortunately the dummy
context state is maintained in __audit_syscall_entry so once set it
never gets cleared, even if the audit rules change.
As a result, if there are no auditing rules when a process starts
then it will never be subject to any rules added later. x86 doesn't
see this because it has an assembly fast path that calls directly into
__audit_syscall_entry.
I noticed this issue when working on audit performance optimisations.
I wrote a set of simple test cases available at:
http://ozlabs.org/~anton/junkcode/audit_tests.tar.gz
02_new_rule.py fails without the patch and passes with it. The
test case clears all rules, starts a process, adds a rule then
verifies the process produces a syscall audit record.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/audit.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -120,7 +120,7 @@ static inline void audit_syscall_entry(i
 				       unsigned long a1, unsigned long a2,
 				       unsigned long a3)
 {
-	if (unlikely(!audit_dummy_context()))
+	if (unlikely(current->audit_context))
 		__audit_syscall_entry(arch, major, a0, a1, a2, a3);
 }
 static inline void audit_syscall_exit(void *pt_regs)
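Review bot: the new test `unlikely(current->audit_context)` carries no comment explaining why audit_dummy_context() must not be used at this call site, which makes it easy for a later cleanup to switch it back. A short comment above the `if`, saying that the dummy state is maintained inside __audit_syscall_entry() and so cannot gate the call to it, would record the reasoning from the changelog where the next reader will look.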
* [ 032/102] audit: vfs: fix audit_inode call in O_CREAT case of do_last
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2013-05-17 21:35 ` [ 031/102] audit: Syscall rules are not applied to existing processes on non-x86 Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 033/102] time: Revert ALWAYS_USE_PERSISTENT_CLOCK compile time optimizaitons Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Jaburek, Jeff Layton, Eric Paris
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@redhat.com>
commit 33e2208acfc15ce00d3dd13e839bf6434faa2b04 upstream.
Jiri reported a regression in auditing of open(..., O_CREAT) syscalls.
In older kernels, creating a file with open(..., O_CREAT) created
audit_name records that looked like this:
type=PATH msg=audit(1360255720.628:64): item=1 name="/abc/foo" inode=138810 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
type=PATH msg=audit(1360255720.628:64): item=0 name="/abc/" inode=138635 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
...in recent kernels though, they look like this:
type=PATH msg=audit(1360255402.886:12574): item=2 name=(null) inode=264599 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
type=PATH msg=audit(1360255402.886:12574): item=1 name=(null) inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
type=PATH msg=audit(1360255402.886:12574): item=0 name="/abc/foo" inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
Richard bisected to determine that the problems started with commit
bfcec708, but the log messages have changed with some later
audit-related patches.
The problem is that this audit_inode call is passing in the parent of
the dentry being opened, but audit_inode is being called with the parent
flag false. This causes later audit_inode and audit_inode_child calls to
match the wrong entry in the audit_names list.
This patch simply sets the flag to properly indicate that this inode
represents the parent. With this, the audit_names entries are back to
looking like they did before.
Reported-by: Jiri Jaburek <jjaburek@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Test By: Richard Guy Briggs <rbriggs@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/namei.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2740,7 +2740,7 @@ static int do_last(struct nameidata *nd,
 		if (error)
 			return error;
 
-		audit_inode(name, dir, 0);
+		audit_inode(name, dir, LOOKUP_PARENT);
 		error = -EISDIR;
 		/* trailing slashes? */
 		if (nd->last.name[nd->last.len])
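Review bot: the third argument of the audit_inode() call changes from 0 to LOOKUP_PARENT, a path-lookup flag, where the changelog describes a plain parent flag. If audit_inode() only tests that argument for non-zero, the borrowed constant hides the intent; a short comment at the call that `dir` is the parent of the file being created, not the file itself, would make the fix self-explanatory.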
* [ 033/102] time: Revert ALWAYS_USE_PERSISTENT_CLOCK compile time optimizaitons
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2013-05-17 21:35 ` [ 032/102] audit: vfs: fix audit_inode call in O_CREAT case of do_last Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 034/102] timer: Dont reinitialize the cpu base lock during CPU_UP_PREPARE Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kay Sievers, John Stultz, Feng Tang,
	Jason Gunthorpe, Thomas Gleixner
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: John Stultz <john.stultz@linaro.org>
commit b4f711ee03d28f776fd2324fd0bd999cc428e4d2 upstream.
Kay Sievers noted that the ALWAYS_USE_PERSISTENT_CLOCK config,
which enables some minor compile time optimization to avoid
unnecessary code in mostly the suspend/resume path could cause
problems for userland.
In particular, the dependency for RTC_HCTOSYS on
!ALWAYS_USE_PERSISTENT_CLOCK, which avoids setting the time
twice and simplifies suspend/resume, has the side effect
of causing the /sys/class/rtc/rtcN/hctosys flag to always be
zero, and this flag is commonly used by udev to setup the
/dev/rtc symlink to /dev/rtcN, which can cause pain for
older applications.
While the udev rules could use some work to be less fragile,
breaking userland should strongly be avoided. Additionally
the compile time optimizations are fairly minor, and the code
being optimized is likely to be reworked in the future, so
let's revert this change.
Reported-by: Kay Sievers <kay@vrfy.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Link: http://lkml.kernel.org/r/1366828376-18124-1-git-send-email-john.stultz@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/Kconfig     |    1 -
 drivers/rtc/Kconfig  |    2 --
 include/linux/time.h |    4 ----
 kernel/time/Kconfig  |    5 -----
 4 files changed, 12 deletions(-)
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -107,7 +107,6 @@ config X86
 	select GENERIC_CLOCKEVENTS_BROADCAST if X86_64 || (X86_32 && X86_LOCAL_APIC)
 	select GENERIC_TIME_VSYSCALL if X86_64
 	select KTIME_SCALAR if X86_32
-	select ALWAYS_USE_PERSISTENT_CLOCK
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HAVE_CONTEXT_TRACKING if X86_64
--- a/drivers/rtc/Kconfig
+++ b/drivers/rtc/Kconfig
@@ -20,7 +20,6 @@ if RTC_CLASS
 config RTC_HCTOSYS
 	bool "Set system time from RTC on startup and resume"
 	default y
-	depends on !ALWAYS_USE_PERSISTENT_CLOCK
 	help
 	  If you say yes here, the system time (wall clock) will be set using
 	  the value read from a specified RTC device. This is useful to avoid
@@ -29,7 +28,6 @@ config RTC_HCTOSYS
 config RTC_SYSTOHC
 	bool "Set the RTC time based on NTP synchronization"
 	default y
-	depends on !ALWAYS_USE_PERSISTENT_CLOCK
 	help
 	  If you say yes here, the system time (wall clock) will be stored
 	  in the RTC specified by RTC_HCTOSYS_DEVICE approximately every 11
--- a/include/linux/time.h
+++ b/include/linux/time.h
@@ -117,14 +117,10 @@ static inline bool timespec_valid_strict
 
 extern bool persistent_clock_exist;
 
-#ifdef ALWAYS_USE_PERSISTENT_CLOCK
-#define has_persistent_clock()	true
-#else
 static inline bool has_persistent_clock(void)
 {
 	return persistent_clock_exist;
 }
-#endif
 
 extern void read_persistent_clock(struct timespec *ts);
 extern void read_boot_clock(struct timespec *ts);
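Review bot: the removed `#ifdef ALWAYS_USE_PERSISTENT_CLOCK` tests the bare symbol name rather than CONFIG_ALWAYS_USE_PERSISTENT_CLOCK, so unless something else defined that macro, the `has_persistent_clock()` shortcut was never compiled in and only the Kconfig dependency had any effect. That is worth a sentence in the changelog, because it means this hunk changes no generated code and the userland-visible fix comes entirely from the drivers/rtc/Kconfig hunk.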
--- a/kernel/time/Kconfig
+++ b/kernel/time/Kconfig
@@ -12,11 +12,6 @@ config CLOCKSOURCE_WATCHDOG
 config ARCH_CLOCKSOURCE_DATA
 	bool
 
-# Platforms has a persistent clock
-config ALWAYS_USE_PERSISTENT_CLOCK
-	bool
-	default n
-
 # Timekeeping vsyscall support
 config GENERIC_TIME_VSYSCALL
 	bool
* [ 034/102] timer: Dont reinitialize the cpu base lock during CPU_UP_PREPARE
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2013-05-17 21:35 ` [ 033/102] time: Revert ALWAYS_USE_PERSISTENT_CLOCK compile time optimizaitons Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 035/102] tick: Cleanup NOHZ per cpu data on cpu down Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tirupathi Reddy, Thomas Gleixner
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Tirupathi Reddy <tirupath@codeaurora.org>
commit 42a5cf46cd56f46267d2a9fcf2655f4078cd3042 upstream.
An inactive timer's base can refer to an offline cpu's base.
In the current code, cpu_base's lock is blindly reinitialized each
time a CPU is brought up. If a CPU is brought online during the period
that another thread is trying to modify an inactive timer on that CPU
while holding its timer base lock, then the lock will be reinitialized
under its feet. This leads to the following SPIN_BUG().
<0> BUG: spinlock already unlocked on CPU#3, kworker/u:3/1466
<0> lock: 0xe3ebe000, .magic: dead4ead, .owner: kworker/u:3/1466, .owner_cpu: 1
<4> [<c0013dc4>] (unwind_backtrace+0x0/0x11c) from [<c026e794>] (do_raw_spin_unlock+0x40/0xcc)
<4> [<c026e794>] (do_raw_spin_unlock+0x40/0xcc) from [<c076c160>] (_raw_spin_unlock+0x8/0x30)
<4> [<c076c160>] (_raw_spin_unlock+0x8/0x30) from [<c009b858>] (mod_timer+0x294/0x310)
<4> [<c009b858>] (mod_timer+0x294/0x310) from [<c00a5e04>] (queue_delayed_work_on+0x104/0x120)
<4> [<c00a5e04>] (queue_delayed_work_on+0x104/0x120) from [<c04eae00>] (sdhci_msm_bus_voting+0x88/0x9c)
<4> [<c04eae00>] (sdhci_msm_bus_voting+0x88/0x9c) from [<c04d8780>] (sdhci_disable+0x40/0x48)
<4> [<c04d8780>] (sdhci_disable+0x40/0x48) from [<c04bf300>] (mmc_release_host+0x4c/0xb0)
<4> [<c04bf300>] (mmc_release_host+0x4c/0xb0) from [<c04c7aac>] (mmc_sd_detect+0x90/0xfc)
<4> [<c04c7aac>] (mmc_sd_detect+0x90/0xfc) from [<c04c2504>] (mmc_rescan+0x7c/0x2c4)
<4> [<c04c2504>] (mmc_rescan+0x7c/0x2c4) from [<c00a6a7c>] (process_one_work+0x27c/0x484)
<4> [<c00a6a7c>] (process_one_work+0x27c/0x484) from [<c00a6e94>] (worker_thread+0x210/0x3b0)
<4> [<c00a6e94>] (worker_thread+0x210/0x3b0) from [<c00aad9c>] (kthread+0x80/0x8c)
<4> [<c00aad9c>] (kthread+0x80/0x8c) from [<c000ea80>] (kernel_thread_exit+0x0/0x8)
As an example, this particular crash occurred when CPU #3 is executing
mod_timer() on an inactive timer whose base is referred to offlined CPU
#2.  The code locked the timer_base corresponding to CPU #2. Before it
could proceed, CPU #2 came online and reinitialized the spinlock
corresponding to its base. Thus now CPU #3 held a lock which was
reinitialized. When CPU #3 finally ended up unlocking the old cpu_base
corresponding to CPU #2, we hit the above SPIN_BUG().
CPU #0		CPU #3				       CPU #2
------		-------				       -------
.....		 ......				      <Offline>
		mod_timer()
		 lock_timer_base
		   spin_lock_irqsave(&base->lock)
cpu_up(2)	 .....				        ......
							init_timers_cpu()
....		 .....				    	spin_lock_init(&base->lock)
.....		   spin_unlock_irqrestore(&base->lock)  ......
		   <spin_bug>
Allocation of per_cpu timer vector bases is done only once under
"tvec_base_done[]" check. In the current code, spinlock_initialization
of base->lock isn't under this check. When a CPU is up each time the
base lock is reinitialized. Move base spinlock initialization under
the check.
Signed-off-by: Tirupathi Reddy <tirupath@codeaurora.org>
Link: http://lkml.kernel.org/r/1368520142-4136-1-git-send-email-tirupath@codeaurora.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1678,12 +1678,12 @@ static int __cpuinit init_timers_cpu(int
 			boot_done = 1;
 			base = &boot_tvec_bases;
 		}
+		spin_lock_init(&base->lock);
 		tvec_base_done[cpu] = 1;
 	} else {
 		base = per_cpu(tvec_bases, cpu);
 	}
 
-	spin_lock_init(&base->lock);
 
 	for (j = 0; j < TVN_SIZE; j++) {
 		INIT_LIST_HEAD(base->tv5.vec + j);
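Review bot: the moved `spin_lock_init(&base->lock)` now sits inside the `tvec_base_done[cpu]` branch with no comment saying it must run only once per base, and deleting the old call leaves two consecutive blank lines before the `for` loop. Add a one-line comment at the new location that the lock may be held by another CPU when this CPU comes back online, so it must not be reinitialized, and drop one of the blank lines.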
* [ 035/102] tick: Cleanup NOHZ per cpu data on cpu down
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2013-05-17 21:35 ` [ 034/102] timer: Dont reinitialize the cpu base lock during CPU_UP_PREPARE Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 036/102] tracing: Fix leaks of filter preds Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Prarit Bhargava, Mike Galbraith,
	Thomas Gleixner
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 4b0c0f294f60abcdd20994a8341a95c8ac5eeb96 upstream.
Prarit reported a crash on CPU offline/online. The reason is that on
CPU down the NOHZ related per cpu data of the dead cpu is not cleaned
up. If at cpu online an interrupt happens before the per cpu tick
device is registered the irq_enter() check potentially sees stale data
and dereferences a NULL pointer.
Cleanup the data after the cpu is dead.
Reported-by: Prarit Bhargava <prarit@redhat.com>
Cc: Mike Galbraith <bitbucket@online.de>
Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1305031451561.2886@ionos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/time/tick-sched.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -904,7 +904,7 @@ void tick_cancel_sched_timer(int cpu)
 		hrtimer_cancel(&ts->sched_timer);
 # endif
 
-	ts->nohz_mode = NOHZ_MODE_INACTIVE;
+	memset(ts, 0, sizeof(*ts));
 }
 #endif
 
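Review bot: replacing `ts->nohz_mode = NOHZ_MODE_INACTIVE;` with `memset(ts, 0, sizeof(*ts));` relies on NOHZ_MODE_INACTIVE being zero, which this hunk does not show, and it also wipes `ts->sched_timer` right after the hrtimer_cancel() call above it. Both are probably intended, but a comment stating that the whole per-cpu structure is reset so a later online sees no stale state, and that the zeroed value is the inactive mode, would keep the next reader from restoring the explicit assignment.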
* [ 036/102] tracing: Fix leaks of filter preds
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2013-05-17 21:35 ` [ 035/102] tick: Cleanup NOHZ per cpu data on cpu down Greg Kroah-Hartman
@ 2013-05-17 21:35 ` Greg Kroah-Hartman
  2013-05-17 21:35 ` [ 037/102] ext4: limit group search loop for non-extent files Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt, Tom Zanussi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
commit 60705c89460fdc7227f2d153b68b3f34814738a4 upstream.
Special preds are created when folding a series of preds that
can be done in serial. These are allocated in an ops field of
the pred structure. But they were never freed, causing memory
leaks.
This was discovered using the kmemleak checker:
unreferenced object 0xffff8800797fd5e0 (size 32):
  comm "swapper/0", pid 1, jiffies 4294690605 (age 104.608s)
  hex dump (first 32 bytes):
    00 00 01 00 03 00 05 00 07 00 09 00 0b 00 0d 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff814b52af>] kmemleak_alloc+0x73/0x98
    [<ffffffff8111ff84>] kmemleak_alloc_recursive.constprop.42+0x16/0x18
    [<ffffffff81120e68>] __kmalloc+0xd7/0x125
    [<ffffffff810d47eb>] kcalloc.constprop.24+0x2d/0x2f
    [<ffffffff810d4896>] fold_pred_tree_cb+0xa9/0xf4
    [<ffffffff810d3781>] walk_pred_tree+0x47/0xcc
    [<ffffffff810d5030>] replace_preds.isra.20+0x6f8/0x72f
    [<ffffffff810d50b5>] create_filter+0x4e/0x8b
    [<ffffffff81b1c30d>] ftrace_test_event_filter+0x5a/0x155
    [<ffffffff8100028d>] do_one_initcall+0xa0/0x137
    [<ffffffff81afbedf>] kernel_init_freeable+0x14d/0x1dc
    [<ffffffff814b24b7>] kernel_init+0xe/0xdb
    [<ffffffff814d539c>] ret_from_fork+0x7c/0xb0
    [<ffffffffffffffff>] 0xffffffffffffffff
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Tom Zanussi <tzanussi@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_events_filter.c |    4 ++++
 1 file changed, 4 insertions(+)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -777,7 +777,11 @@ static int filter_set_pred(struct event_
 
 static void __free_preds(struct event_filter *filter)
 {
+	int i;
+
 	if (filter->preds) {
+		for (i = 0; i < filter->n_preds; i++)
+			kfree(filter->preds[i].ops);
 		kfree(filter->preds);
 		filter->preds = NULL;
 	}
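Review bot: the new loop in __free_preds() is bounded by `filter->n_preds`, so it is only correct if n_preds never exceeds the number of entries allocated for `filter->preds` and every `preds[i].ops` is either NULL or memory owned by this filter. kfree(NULL) is a no-op, so preds that were never folded are fine as long as the array is zero-initialised when allocated; please add a comment stating that assumption. If a pred is ever copied by value, two entries would carry the same ops pointer and this loop would free it twice, so the copy paths should be checked for that.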
* [ 037/102] ext4: limit group search loop for non-extent files
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lachlan McIlroy, Eric Sandeen,
	Theodore Tso
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lachlan McIlroy <lmcilroy@redhat.com>
commit e6155736ad76b2070652745f9e54cdea3f0d8567 upstream.
In the case where we are allocating for a non-extent file,
we must limit the groups we allocate from to those below
2^32 blocks, and ext4_mb_regular_allocator() attempts to
do this initially by putting a cap on ngroups for the
subsequent search loop.
However, the initial target group comes in from the
allocation context (ac), and it may already be beyond
the artificially limited ngroups.  In this case,
the limit
	if (group == ngroups)
		group = 0;
at the top of the loop is never true, and the loop will
run away.
Catch this case inside the loop and reset the search to
start at group 0.
[sandeen@redhat.com: add commit msg & comments]
Signed-off-by: Lachlan McIlroy <lmcilroy@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/mballoc.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1994,7 +1994,11 @@ repeat:
 		group = ac->ac_g_ex.fe_group;
 
 		for (i = 0; i < ngroups; group++, i++) {
-			if (group == ngroups)
+			/*
+			 * Artificially restricted ngroups for non-extent
+			 * files makes group > ngroups possible on first loop.
+			 */
+			if (group >= ngroups)
 				group = 0;
 
 			/* This now checks without needing the buddy page */
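Review bot: the `group >= ngroups` test runs on every iteration although, per the added comment, the out-of-range value can only arrive on the first pass from `ac->ac_g_ex.fe_group`. Clamping once right after `group = ac->ac_g_ex.fe_group;` would state the invariant where it is established and leave the in-loop check as the plain wrap-around. The comment also says "group > ngroups" while the code tests `>=`; wording the comment as "group >= ngroups" removes the mismatch.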
^ permalink raw reply	[flat|nested] 113+ messages in thread
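The wrap-around failure described in the commit message above, as an added example that is not part of the original patch or of ext4: a user-space model of the search loop in which `scan_groups()`, `struct scan_result` and the sample data are hypothetical. It counts how many iterations run with a group index outside the capped range under the old `==` test and under the new `>=` test.

```c
#include <stdio.h>

struct scan_result {
    unsigned visited;       /* loop iterations executed */
    unsigned out_of_range;  /* iterations whose group index was >= ngroups */
    long found;             /* first permitted group with free blocks, or -1 */
};

/*
 * Model of the search loop. free_blocks[] has ngroups entries (the capped
 * range); start_group plays the role of ac->ac_g_ex.fe_group and may lie
 * beyond the cap. fixed == 0 uses the old test, fixed != 0 the new one.
 */
static struct scan_result scan_groups(const unsigned *free_blocks,
                                      unsigned ngroups, unsigned start_group,
                                      int fixed)
{
    struct scan_result r = { 0, 0, -1 };
    unsigned group = start_group;
    unsigned i;

    for (i = 0; i < ngroups; group++, i++) {
        if (fixed ? (group >= ngroups) : (group == ngroups))
            group = 0;

        r.visited++;
        if (group >= ngroups) {
            /* The model only counts this; it never indexes past the array. */
            r.out_of_range++;
            continue;
        }
        if (free_blocks[group] > 0) {
            r.found = (long)group;
            break;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed sample: 4 permitted groups, only group 1 has free blocks. */
    const unsigned free_blocks[4] = { 0, 3, 0, 0 };
    struct scan_result before = scan_groups(free_blocks, 4, 10, 0);
    struct scan_result after = scan_groups(free_blocks, 4, 10, 1);

    printf("old test: visited=%u out_of_range=%u found=%ld\n",
           before.visited, before.out_of_range, before.found);
    printf("new test: visited=%u out_of_range=%u found=%ld\n",
           after.visited, after.out_of_range, after.found);
    return 0;
}
```

With a start group of exactly `ngroups` both tests behave the same, which is why the old code worked until the cap was lowered below the allocation context's target group.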
* [ 038/102] x86/microcode: Add local mutex to fix physical CPU hot-add deadlock
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konrad Rzeszutek Wilk, Ingo Molnar,
	fenghua.yu, xen-devel
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
commit 074d72ff57f65de779e2f70d5906964c0ba1c123 upstream.
This can easily be triggered if a new CPU is added (via
ACPI hotplug mechanism) and from user-space you do:
   echo 1 > /sys/devices/system/cpu/cpu3/online
(or wait for UDEV to do it) on a newly appeared physical CPU.
The deadlock is that the "store_online" in drivers/base/cpu.c
takes the cpu_hotplug_driver_lock() lock, then calls "cpu_up".
"cpu_up" eventually ends up calling "save_mc_for_early"
which also takes the cpu_hotplug_driver_lock() lock.
And here is what lockdep thinks of it:
 smpboot: Stack at about ffff880075c39f44
 smpboot: CPU3: has booted.
 microcode: CPU3 sig=0x206a7, pf=0x2, revision=0x25
 =============================================
 [ INFO: possible recursive locking detected ]
 3.9.0upstream-10129-g167af0e #1 Not tainted
 ---------------------------------------------
 sh/2487 is trying to acquire lock:
  (x86_cpu_hotplug_driver_mutex){+.+.+.}, at: [<ffffffff81075512>] cpu_hotplug_driver_lock+0x12/0x20
 but task is already holding lock:
  (x86_cpu_hotplug_driver_mutex){+.+.+.}, at: [<ffffffff81075512>] cpu_hotplug_driver_lock+0x12/0x20
 other info that might help us debug this:
  Possible unsafe locking scenario:
        CPU0
        ----
   lock(x86_cpu_hotplug_driver_mutex);
   lock(x86_cpu_hotplug_driver_mutex);
  *** DEADLOCK ***
  May be due to missing lock nesting notation
 6 locks held by sh/2487:
  #0:  (sb_writers#5){.+.+.+}, at: [<ffffffff811ca48d>] vfs_write+0x17d/0x190
  #1:  (&buffer->mutex){+.+.+.}, at: [<ffffffff812464ef>] sysfs_write_file+0x3f/0x160
  #2:  (s_active#20){.+.+.+}, at: [<ffffffff81246578>] sysfs_write_file+0xc8/0x160
  #3:  (x86_cpu_hotplug_driver_mutex){+.+.+.}, at: [<ffffffff81075512>] cpu_hotplug_driver_lock+0x12/0x20
  #4:  (cpu_add_remove_lock){+.+.+.}, at: [<ffffffff810961c2>] cpu_maps_update_begin+0x12/0x20
  #5:  (cpu_hotplug.lock){+.+.+.}, at: [<ffffffff810962a7>] cpu_hotplug_begin+0x27/0x60
Suggested-and-Acked-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: fenghua.yu@intel.com
Cc: xen-devel@lists.xensource.com
Link: http://lkml.kernel.org/r/1368029583-23337-1-git-send-email-konrad.wilk@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/microcode_intel_early.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/microcode_intel_early.c
+++ b/arch/x86/kernel/microcode_intel_early.c
@@ -487,6 +487,7 @@ static inline void show_saved_mc(void)
 #endif
 
 #if defined(CONFIG_MICROCODE_INTEL_EARLY) && defined(CONFIG_HOTPLUG_CPU)
+static DEFINE_MUTEX(x86_cpu_microcode_mutex);
 /*
  * Save this mc into mc_saved_data. So it will be loaded early when a CPU is
  * hot added or resumes.
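Review bot: `x86_cpu_microcode_mutex` is declared with no comment saying what it protects, and the patch adds no `#include <linux/mutex.h>`, so unless the file already has it DEFINE_MUTEX depends on a transitive include. A one-line comment that the mutex serialises updates of mc_saved_data in save_mc_for_early(), plus the explicit include, would make the declaration self-contained.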
@@ -507,7 +508,7 @@ int save_mc_for_early(u8 *mc)
 	 * Hold hotplug lock so mc_saved_data is not accessed by a CPU in
 	 * hotplug.
 	 */
-	cpu_hotplug_driver_lock();
+	mutex_lock(&x86_cpu_microcode_mutex);
 
 	mc_saved_count_init = mc_saved_data.mc_saved_count;
 	mc_saved_count = mc_saved_data.mc_saved_count;
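Review bot: the comment directly above the new `mutex_lock(&x86_cpu_microcode_mutex);` still reads "Hold hotplug lock so mc_saved_data is not accessed by a CPU in hotplug", which no longer matches the code. This is more than wording: the local mutex only excludes other callers of save_mc_for_early(), so exclusion against a hotplugging CPU that reads mc_saved_data now has to come from somewhere else. Please update the comment to name the lock that gives that guarantee on each call path, or take the new mutex on the reader side as well.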
@@ -544,7 +545,7 @@ int save_mc_for_early(u8 *mc)
 	}
 
 out:
-	cpu_hotplug_driver_unlock();
+	mutex_unlock(&x86_cpu_microcode_mutex);
 
 	return ret;
 }
* [ 039/102] ARM: 7720/1: ARM v6/v7 cmpxchg64 shouldnt clear upper 32 bits of the old/new value
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Will Deacon, Jaccon Bastiaansen,
	Russell King
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
commit 6eabb3301b1facee669d9938f7c5a0295c21d71d upstream.
The implementation of cmpxchg64() for the ARM v6 and v7 architecture
casts parameter 2 and 3 (the old and new 64bit values) to an unsigned
long before calling the atomic_cmpxchg64() function. This clears
the top 32 bits of the old and new values, resulting in the wrong
values being compare-exchanged. Luckily, this only appears to be used
for 64-bit sched_clock, which we don't (yet) have on ARM.
This bug was introduced by commit 3e0f5a15f500 ("ARM: 7404/1: cmpxchg64:
use atomic64 and local64 routines for cmpxchg64").
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/cmpxchg.h |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm/include/asm/cmpxchg.h
+++ b/arch/arm/include/asm/cmpxchg.h
@@ -233,15 +233,15 @@ static inline unsigned long __cmpxchg_lo
 	((__typeof__(*(ptr)))atomic64_cmpxchg(container_of((ptr),	\
 						atomic64_t,		\
 						counter),		\
-					      (unsigned long)(o),	\
-					      (unsigned long)(n)))
+					      (unsigned long long)(o),	\
+					      (unsigned long long)(n)))
 
 #define cmpxchg64_local(ptr, o, n)					\
 	((__typeof__(*(ptr)))local64_cmpxchg(container_of((ptr),	\
 						local64_t,		\
 						a),			\
-					     (unsigned long)(o),	\
-					     (unsigned long)(n)))
+					     (unsigned long long)(o),	\
+					     (unsigned long long)(n)))
 
 #endif	/* __LINUX_ARM_ARCH__ >= 6 */
 
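Review bot: both macros still force the operands through an explicit integer cast and the result through `__typeof__(*(ptr))`, so a caller that passes a pointer to an object narrower than 64 bits, or operands of the wrong type, compiles without a diagnostic; that is how the original truncation went unnoticed. Unless the macros already carry one outside this hunk, a `BUILD_BUG_ON(sizeof(*(ptr)) != 8)` in cmpxchg64() and cmpxchg64_local() would turn that misuse into a build failure. The four replaced casts are identical, so `u64` would be the shorter spelling if the header already uses the kernel integer types.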
^ permalink raw reply	[flat|nested] 113+ messages in thread
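The truncation described in the commit message above, as an added example that is not part of the original patch or of the kernel source: a single-threaded user-space model in which `arm_ulong`, `model_atomic64_cmpxchg()`, `run_case()` and the sample values are hypothetical, and `uint32_t` stands in for the 32-bit `unsigned long` of ARM v6/v7. It shows both failure modes: an update that is skipped while the caller sees success, and a truncated value that is stored while the caller sees failure.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for ARM v6/v7 `unsigned long`, which is 32 bits wide.
 * Pinning the width keeps the model valid on a 64-bit build host. */
typedef uint32_t arm_ulong;

/* Single-threaded model of atomic64_cmpxchg(): store new_val only when the
 * current value equals old_val, and always return the value found. */
static uint64_t model_atomic64_cmpxchg(uint64_t *ptr, uint64_t old_val,
                                       uint64_t new_val)
{
    uint64_t found = *ptr;

    if (found == old_val)
        *ptr = new_val;
    return found;
}

/* Shape of the macro before the fix: operands pass through a 32-bit cast. */
static uint64_t cmpxchg64_truncating(uint64_t *ptr, uint64_t o, uint64_t n)
{
    return model_atomic64_cmpxchg(ptr, (arm_ulong)o, (arm_ulong)n);
}

/* Shape of the macro after the fix: operands keep all 64 bits. */
static uint64_t cmpxchg64_fixed(uint64_t *ptr, uint64_t o, uint64_t n)
{
    return model_atomic64_cmpxchg(ptr, (unsigned long long)o,
                                  (unsigned long long)n);
}

struct cas_outcome {
    uint64_t returned;        /* value handed back to the caller */
    uint64_t stored;          /* memory contents after the call */
    int caller_sees_success;  /* callers test: returned == expected old */
};

static struct cas_outcome run_case(int fixed, uint64_t initial,
                                   uint64_t o, uint64_t n)
{
    uint64_t word = initial;
    struct cas_outcome out;

    out.returned = fixed ? cmpxchg64_fixed(&word, o, n)
                         : cmpxchg64_truncating(&word, o, n);
    out.stored = word;
    out.caller_sees_success = (out.returned == o);
    return out;
}

int main(void)
{
    /* Constructed sample values with a non-zero upper half. */
    const uint64_t cur = 0x0000000100000005ULL;
    const uint64_t next = 0x0000000100000006ULL;
    const uint64_t other = 0x0000000200000009ULL;

    struct cas_outcome skipped = run_case(0, cur, cur, next);
    struct cas_outcome clobbered = run_case(0, 5, cur, other);
    struct cas_outcome correct = run_case(1, cur, cur, next);

    printf("truncating, matching old: stored=0x%" PRIx64 " success=%d\n",
           skipped.stored, skipped.caller_sees_success);
    printf("truncating, stale old:    stored=0x%" PRIx64 " success=%d\n",
           clobbered.stored, clobbered.caller_sees_success);
    printf("fixed, matching old:      stored=0x%" PRIx64 " success=%d\n",
           correct.stored, correct.caller_sees_success);
    return 0;
}
```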
* [ 040/102] powerpc: Bring all threads online prior to migration/hibernation
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Jennings,
	Benjamin Herrenschmidt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Robert Jennings <rcj@linux.vnet.ibm.com>
commit 120496ac2d2d60aee68d3123a68169502a85f4b5 upstream.
This patch brings online all threads which are present but not online
prior to migration/hibernation.  After migration/hibernation those
threads are taken back offline.
During migration/hibernation all online CPUs must call H_JOIN, this is
required by the hypervisor.  Without this patch, threads that are offline
(H_CEDE'd) will not be woken to make the H_JOIN call and the OS will be
deadlocked (all threads either JOIN'd or CEDE'd).
Signed-off-by: Robert Jennings <rcj@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/rtas.h          |    2 
 arch/powerpc/kernel/rtas.c               |  113 +++++++++++++++++++++++++++++++
 arch/powerpc/platforms/pseries/suspend.c |   22 ++++++
 3 files changed, 137 insertions(+)
--- a/arch/powerpc/include/asm/rtas.h
+++ b/arch/powerpc/include/asm/rtas.h
@@ -262,6 +262,8 @@ extern void rtas_progress(char *s, unsig
 extern void rtas_initialize(void);
 extern int rtas_suspend_cpu(struct rtas_suspend_me_data *data);
 extern int rtas_suspend_last_cpu(struct rtas_suspend_me_data *data);
+extern int rtas_online_cpus_mask(cpumask_var_t cpus);
+extern int rtas_offline_cpus_mask(cpumask_var_t cpus);
 extern int rtas_ibm_suspend_me(struct rtas_args *);
 
 struct rtc_time;
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -19,6 +19,7 @@
 #include <linux/init.h>
 #include <linux/capability.h>
 #include <linux/delay.h>
+#include <linux/cpu.h>
 #include <linux/smp.h>
 #include <linux/completion.h>
 #include <linux/cpumask.h>
@@ -807,6 +808,95 @@ static void rtas_percpu_suspend_me(void
 	__rtas_suspend_cpu((struct rtas_suspend_me_data *)info, 1);
 }
 
+enum rtas_cpu_state {
+	DOWN,
+	UP,
+};
+
+#ifndef CONFIG_SMP
+static int rtas_cpu_state_change_mask(enum rtas_cpu_state state,
+				cpumask_var_t cpus)
+{
+	if (!cpumask_empty(cpus)) {
+		cpumask_clear(cpus);
+		return -EINVAL;
+	} else
+		return 0;
+}
+#else
+/* On return cpumask will be altered to indicate CPUs changed.
+ * CPUs with states changed will be set in the mask,
+ * CPUs with status unchanged will be unset in the mask. */
+static int rtas_cpu_state_change_mask(enum rtas_cpu_state state,
+				cpumask_var_t cpus)
+{
+	int cpu;
+	int cpuret = 0;
+	int ret = 0;
+
+	if (cpumask_empty(cpus))
+		return 0;
+
+	for_each_cpu(cpu, cpus) {
+		switch (state) {
+		case DOWN:
+			cpuret = cpu_down(cpu);
+			break;
+		case UP:
+			cpuret = cpu_up(cpu);
+			break;
+		}
+		if (cpuret) {
+			pr_debug("%s: cpu_%s for cpu#%d returned %d.\n",
+					__func__,
+					((state == UP) ? "up" : "down"),
+					cpu, cpuret);
+			if (!ret)
+				ret = cpuret;
+			if (state == UP) {
+				/* clear bits for unchanged cpus, return */
+				cpumask_shift_right(cpus, cpus, cpu);
+				cpumask_shift_left(cpus, cpus, cpu);
+				break;
+			} else {
+				/* clear bit for unchanged cpu, continue */
+				cpumask_clear_cpu(cpu, cpus);
+			}
+		}
+	}
+
+	return ret;
+}
+#endif
+
+int rtas_online_cpus_mask(cpumask_var_t cpus)
+{
+	int ret;
+
+	ret = rtas_cpu_state_change_mask(UP, cpus);
+
+	if (ret) {
+		cpumask_var_t tmp_mask;
+
+		if (!alloc_cpumask_var(&tmp_mask, GFP_TEMPORARY))
+			return ret;
+
+		/* Use tmp_mask to preserve cpus mask from first failure */
+		cpumask_copy(tmp_mask, cpus);
+		rtas_offline_cpus_mask(tmp_mask);
+		free_cpumask_var(tmp_mask);
+	}
+
+	return ret;
+}
+EXPORT_SYMBOL(rtas_online_cpus_mask);
+
+int rtas_offline_cpus_mask(cpumask_var_t cpus)
+{
+	return rtas_cpu_state_change_mask(DOWN, cpus);
+}
+EXPORT_SYMBOL(rtas_offline_cpus_mask);
+
 int rtas_ibm_suspend_me(struct rtas_args *args)
 {
 	long state;
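Review bot: in the `state == UP` failure branch of rtas_cpu_state_change_mask(), the pair `cpumask_shift_right(cpus, cpus, cpu);` then `cpumask_shift_left(cpus, cpus, cpu);` clears the bits below `cpu` and keeps the bits from `cpu` upward, which is the opposite of what the comment and the function header promise. The CPUs that were actually brought online are the ones iterated before the failure, so the mask returned should keep the low bits and drop `cpu` and everything above it. As written, the rollback in rtas_online_cpus_mask() copies that mask into tmp_mask and asks rtas_offline_cpus_mask() to take down CPUs that were never onlined, while the newly onlined ones stay up. Clearing every bit from `cpu` upward with cpumask_clear_cpu() in a loop would give the documented result.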
@@ -814,6 +904,8 @@ int rtas_ibm_suspend_me(struct rtas_args
 	unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
 	struct rtas_suspend_me_data data;
 	DECLARE_COMPLETION_ONSTACK(done);
+	cpumask_var_t offline_mask;
+	int cpuret;
 
 	if (!rtas_service_present("ibm,suspend-me"))
 		return -ENOSYS;
@@ -837,11 +929,24 @@ int rtas_ibm_suspend_me(struct rtas_args
 		return 0;
 	}
 
+	if (!alloc_cpumask_var(&offline_mask, GFP_TEMPORARY))
+		return -ENOMEM;
+
 	atomic_set(&data.working, 0);
 	atomic_set(&data.done, 0);
 	atomic_set(&data.error, 0);
 	data.token = rtas_token("ibm,suspend-me");
 	data.complete = &done;
+
+	/* All present CPUs must be online */
+	cpumask_andnot(offline_mask, cpu_present_mask, cpu_online_mask);
+	cpuret = rtas_online_cpus_mask(offline_mask);
+	if (cpuret) {
+		pr_err("%s: Could not bring present CPUs online.\n", __func__);
+		atomic_set(&data.error, cpuret);
+		goto out;
+	}
+
 	stop_topology_update();
 
 	/* Call function on all CPUs.  One of us will make the
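Review bot: `cpumask_andnot(offline_mask, cpu_present_mask, cpu_online_mask);` snapshots the offline set with no hotplug lock visible around it, so a CPU can change state between the snapshot and the cpu_up() calls made by rtas_online_cpus_mask(), and again before the H_JOIN phase that the commit message says needs every online CPU. Please say in a comment what prevents concurrent hotplug here, or hold the hotplug lock across snapshot, online and suspend.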
@@ -857,6 +962,14 @@ int rtas_ibm_suspend_me(struct rtas_args
 
 	start_topology_update();
 
+	/* Take down CPUs not online prior to suspend */
+	cpuret = rtas_offline_cpus_mask(offline_mask);
+	if (cpuret)
+		pr_warn("%s: Could not restore CPUs to offline state.\n",
+				__func__);
+
+out:
+	free_cpumask_var(offline_mask);
 	return atomic_read(&data.error);
 }
 #else /* CONFIG_PPC_PSERIES */
--- a/arch/powerpc/platforms/pseries/suspend.c
+++ b/arch/powerpc/platforms/pseries/suspend.c
@@ -16,6 +16,7 @@
   * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
   */
 
+#include <linux/cpu.h>
 #include <linux/delay.h>
 #include <linux/suspend.h>
 #include <linux/stat.h>
@@ -126,11 +127,15 @@ static ssize_t store_hibernate(struct de
 			       struct device_attribute *attr,
 			       const char *buf, size_t count)
 {
+	cpumask_var_t offline_mask;
 	int rc;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
+	if (!alloc_cpumask_var(&offline_mask, GFP_TEMPORARY))
+		return -ENOMEM;
+
 	stream_id = simple_strtoul(buf, NULL, 16);
 
 	do {
@@ -140,15 +145,32 @@ static ssize_t store_hibernate(struct de
 	} while (rc == -EAGAIN);
 
 	if (!rc) {
+		/* All present CPUs must be online */
+		cpumask_andnot(offline_mask, cpu_present_mask,
+				cpu_online_mask);
+		rc = rtas_online_cpus_mask(offline_mask);
+		if (rc) {
+			pr_err("%s: Could not bring present CPUs online.\n",
+					__func__);
+			goto out;
+		}
+
 		stop_topology_update();
 		rc = pm_suspend(PM_SUSPEND_MEM);
 		start_topology_update();
+
+		/* Take down CPUs not online prior to suspend */
+		if (!rtas_offline_cpus_mask(offline_mask))
+			pr_warn("%s: Could not restore CPUs to offline "
+					"state.\n", __func__);
 	}
 
 	stream_id = 0;
 
 	if (!rc)
 		rc = count;
+out:
+	free_cpumask_var(offline_mask);
 	return rc;
 }
 
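Review bot: the check `if (!rtas_offline_cpus_mask(offline_mask))` in store_hibernate() is inverted. rtas_offline_cpus_mask() returns 0 on success (the rtas.c caller in this same patch warns on `if (cpuret)`), so this prints "Could not restore CPUs to offline state" when the restore worked and stays silent when it failed; drop the `!`. Separately, the new `goto out` skips `stream_id = 0;`, which leaves the stream id set after a failed online attempt; placing the label above that assignment would keep the reset on every path.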
* [ 041/102] powerpc/kexec: Fix kexec when using VMX optimised memcpy
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anton Blanchard,
	Benjamin Herrenschmidt
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Anton Blanchard <anton@au1.ibm.com>
commit 79c66ce8f6448a3295a32efeac88c9debd7f7094 upstream.
commit b3f271e86e5a (powerpc: POWER7 optimised memcpy using VMX and
enhanced prefetch) uses VMX when it is safe to do so (ie not in
interrupt). It also looks at the task struct to decide if we have to
save the current tasks' VMX state.
kexec calls memcpy() at a point where the task struct may have been
overwritten by the new kexec segments. If it has been overwritten
then when memcpy -> enable_altivec looks up current->thread.regs->msr
we get a cryptic oops or lockup.
I also notice we aren't initialising thread_info->cpu, which means
smp_processor_id is broken. Fix that too.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/machine_kexec_64.c |    4 ++++
 1 file changed, 4 insertions(+)
--- a/arch/powerpc/kernel/machine_kexec_64.c
+++ b/arch/powerpc/kernel/machine_kexec_64.c
@@ -17,6 +17,7 @@
 #include <linux/errno.h>
 #include <linux/kernel.h>
 #include <linux/cpu.h>
+#include <linux/hardirq.h>
 
 #include <asm/page.h>
 #include <asm/current.h>
@@ -335,10 +336,13 @@ void default_machine_kexec(struct kimage
 	pr_debug("kexec: Starting switchover sequence.\n");
 
 	/* switch to a staticly allocated stack.  Based on irq stack code.
+	 * We setup preempt_count to avoid using VMX in memcpy.
 	 * XXX: the task struct will likely be invalid once we do the copy!
 	 */
 	kexec_stack.thread_info.task = current_thread_info()->task;
 	kexec_stack.thread_info.flags = 0;
+	kexec_stack.thread_info.preempt_count = HARDIRQ_OFFSET;
+	kexec_stack.thread_info.cpu = current_thread_info()->cpu;
 
 	/* We need a static PACA, too; copy this CPU's PACA over and switch to
 	 * it.  Also poison per_cpu_offset to catch anyone using non-static
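Review bot: `kexec_stack.thread_info.preempt_count = HARDIRQ_OFFSET;` works only because the VMX memcpy path refuses to run in interrupt context, and the added comment line does not say so. Please spell out the dependency, for example that HARDIRQ_OFFSET makes the interrupt-context check true so memcpy() never reaches the task struct lookup, so that a later change to the memcpy guard does not silently bring the oops back. The `cpu` assignment fixes a different problem (smp_processor_id()) and deserves its own comment line.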
* [ 042/102] ath9k: fix key allocation error handling for powersave keys
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit 4ef69d0394cba8caa9f75d3f2e53429bfb8b3045 upstream.
If no keycache slots are available, ath_key_config can return -ENOSPC.
If the key index is not checked for errors, it can lead to logspam that
looks like this: "ath: wiphy0: keyreset: keycache entry 228 out of range"
This can cause follow-up errors if the invalid keycache index gets
used for tx.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/ath/ath9k/main.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -1308,6 +1308,7 @@ static int ath9k_sta_add(struct ieee8021
 	struct ath_common *common = ath9k_hw_common(sc->sc_ah);
 	struct ath_node *an = (struct ath_node *) sta->drv_priv;
 	struct ieee80211_key_conf ps_key = { };
+	int key;
 
 	ath_node_attach(sc, sta, vif);
 
@@ -1315,7 +1316,9 @@ static int ath9k_sta_add(struct ieee8021
 	    vif->type != NL80211_IFTYPE_AP_VLAN)
 		return 0;
 
-	an->ps_key = ath_key_config(common, vif, sta, &ps_key);
+	key = ath_key_config(common, vif, sta, &ps_key);
+	if (key > 0)
+		an->ps_key = key;
 
 	return 0;
 }
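Review bot: in ath9k_sta_add() the error from ath_key_config() is now dropped silently: when it returns -ENOSPC, `key > 0` is false, `an->ps_key` keeps whatever value it had, and the function still returns 0. That is only safe if `an->ps_key` is guaranteed to be 0 on entry, which these lines do not show. An explicit `else an->ps_key = 0;` or a debug message on failure would make the no-key state deliberate and visible.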
@@ -1332,6 +1335,7 @@ static void ath9k_del_ps_key(struct ath_
 	    return;
 
 	ath_key_delete(common, &ps_key);
+	an->ps_key = 0;
 }
 
 static int ath9k_sta_remove(struct ieee80211_hw *hw,
* [ 043/102] mwifiex: clear is_suspended flag when interrupt is received early
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Drake, Bing Zhao,
	John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bing Zhao <bzhao@marvell.com>
commit 48795424acff7215d5eac0b52793a2c1eb3a6283 upstream.
When the XO-4 with 8787 wireless is woken up due to wake-on-WLAN
mwifiex is often flooded with "not allowed while suspended" messages
and the interface is unusable.
[  202.171609] int: sdio_ireg = 0x1
[  202.180700] info: mwifiex_process_hs_config: auto cancelling host
               sleep since there is interrupt from the firmware
[  202.201880] event: wakeup device...
[  202.211452] event: hs_deactivated
[  202.514638] info: --- Rx: Data packet ---
[  202.514753] data: 4294957544 BSS(0-0): Data <= kernel
[  202.514825] PREP_CMD: device in suspended state
[  202.514839] data: dequeuing the packet ec7248c0 ec4869c0
[  202.514886] mwifiex_write_data_sync: not allowed while suspended
[  202.514886] host_to_card, write iomem (1) failed: -1
[  202.514917] mwifiex_write_data_sync: not allowed while suspended
[  202.514936] host_to_card, write iomem (2) failed: -1
[  202.514949] mwifiex_write_data_sync: not allowed while suspended
[  202.514965] host_to_card, write iomem (3) failed: -1
[  202.514976] mwifiex_write_data_async failed: 0xFFFFFFFF
This can be readily reproduced when putting the XO-4 in a loop where
it goes to sleep due to inactivity, but then wakes up due to an
incoming ping. The error is hit within an hour or two.
This issue happens when an interrupt comes in early while host sleep
is still activated. Driver handles this case by auto cancelling host
sleep. However is_suspended flag is still set which prevents any cmd
or data from being sent to firmware. Fix it by clearing is_suspended
flag in this path.
Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mwifiex/cmdevt.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/mwifiex/cmdevt.c
+++ b/drivers/net/wireless/mwifiex/cmdevt.c
@@ -1176,6 +1176,7 @@ mwifiex_process_hs_config(struct mwifiex
 	adapter->if_ops.wakeup(adapter);
 	adapter->hs_activated = false;
 	adapter->is_hs_configured = false;
+	adapter->is_suspended = false;
 	mwifiex_hs_activated_event(mwifiex_get_priv(adapter,
 						    MWIFIEX_BSS_ROLE_ANY),
 				   false);
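Review bot: `adapter->is_suspended = false;` is added to mwifiex_process_hs_config() as a plain store with no comment, although the flag is presumably set by the suspend handler and cleared again on resume. Please add a comment that this is the early-interrupt path where host sleep is auto-cancelled, and check that the later resume handler tolerates finding the flag already clear instead of treating it as "already resumed" and skipping its own work.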
* [ 044/102] mwifiex: fix memory leak issue when driver unload
From: Greg Kroah-Hartman @ 2013-05-17 21:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Drake, Amitkumar Karwar,
	Bing Zhao, John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Amitkumar Karwar <akarwar@marvell.com>
commit f16fdc9d2dc1e5b270e9a08377587e831e0d36ac upstream.
After unregister_netdevice() call the request is queued and
reg_state is changed to NETREG_UNREGISTERING.
As we check for NETREG_UNREGISTERED state, free_netdev() never
gets executed causing memory leak.
Initialize "dev->destructor" to free_netdev() to free device
data after unregistration.
Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mwifiex/cfg80211.c |    3 ---
 drivers/net/wireless/mwifiex/main.c     |    1 +
 2 files changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -2280,9 +2280,6 @@ int mwifiex_del_virtual_intf(struct wiph
 	if (wdev->netdev->reg_state == NETREG_REGISTERED)
 		unregister_netdevice(wdev->netdev);
 
-	if (wdev->netdev->reg_state == NETREG_UNREGISTERED)
-		free_netdev(wdev->netdev);
-
 	/* Clear the priv in adapter */
 	priv->netdev = NULL;
 
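Review bot: with the explicit free_netdev() removed, mwifiex_del_virtual_intf() frees nothing when reg_state is anything other than NETREG_REGISTERED, because the only remaining action is `unregister_netdevice(wdev->netdev)` under that condition. A device that was allocated but never registered would leak on this path. Once unregistration completes the destructor frees the device, so nothing after this point may dereference `wdev->netdev`; a comment to that effect next to `priv->netdev = NULL;` would help.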
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -646,6 +646,7 @@ void mwifiex_init_priv_params(struct mwi
 						struct net_device *dev)
 {
 	dev->netdev_ops = &mwifiex_netdev_ops;
+	dev->destructor = free_netdev;
 	/* Initialize private structure */
 	priv->current_key_index = 0;
 	priv->media_connected = false;
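Review bot: setting `dev->destructor = free_netdev;` in mwifiex_init_priv_params() hands the free to the networking core, so any remaining explicit free_netdev() on a device that has been through unregister_netdevice() becomes a double free. The patch removes one such call in cfg80211.c; please confirm the driver's unload and error paths have no others.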
* [ 045/102] mwifiex: fix setting of multicast filter
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Drake, Bing Zhao,
	John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Daniel Drake <dsd@laptop.org>
commit ccd384b10420ac81ba3fb9b0a7d18272c7173552 upstream.
A small bug in this code was causing the ALLMULTI filter to be set
when in fact we were just wanting to program a selective multicast list
to the hardware.
Fix that bug and remove a redundant if condition in the code that
follows.
This fixes wakeup behaviour when multicast WOL is enabled. Previously,
all multicast packets would wake up the system. Now, only those that the
host intended to receive trigger wakeups.
Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mwifiex/sta_ioctl.c |   21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -99,7 +99,7 @@ int mwifiex_request_set_multicast_list(s
 	} else {
 		/* Multicast */
 		priv->curr_pkt_filter &= ~HostCmd_ACT_MAC_PROMISCUOUS_ENABLE;
-		if (mcast_list->mode == MWIFIEX_MULTICAST_MODE) {
+		if (mcast_list->mode == MWIFIEX_ALL_MULTI_MODE) {
 			dev_dbg(priv->adapter->dev,
 				"info: Enabling All Multicast!\n");
 			priv->curr_pkt_filter |=
@@ -111,20 +111,11 @@ int mwifiex_request_set_multicast_list(s
 				dev_dbg(priv->adapter->dev,
 					"info: Set multicast list=%d\n",
 				       mcast_list->num_multicast_addr);
-				/* Set multicast addresses to firmware */
-				if (old_pkt_filter == priv->curr_pkt_filter) {
-					/* Send request to firmware */
-					ret = mwifiex_send_cmd_async(priv,
-						HostCmd_CMD_MAC_MULTICAST_ADR,
-						HostCmd_ACT_GEN_SET, 0,
-						mcast_list);
-				} else {
-					/* Send request to firmware */
-					ret = mwifiex_send_cmd_async(priv,
-						HostCmd_CMD_MAC_MULTICAST_ADR,
-						HostCmd_ACT_GEN_SET, 0,
-						mcast_list);
-				}
+				/* Send multicast addresses to firmware */
+				ret = mwifiex_send_cmd_async(priv,
+					HostCmd_CMD_MAC_MULTICAST_ADR,
+					HostCmd_ACT_GEN_SET, 0,
+					mcast_list);
 			}
 		}
 	}
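Review bot: the removed `if (old_pkt_filter == priv->curr_pkt_filter)` was the only use of old_pkt_filter visible in this hunk; if nothing later in mwifiex_request_set_multicast_list() reads it, the variable and its assignment should go as well. With the two branches merged, it is also worth checking that `ret` from this mwifiex_send_cmd_async() call is not overwritten by a later command in the function before it is returned, since a failed multicast-list update would then go unreported.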
* [ 046/102] tile: support new Tilera hypervisor
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chris Metcalf
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Chris Metcalf <cmetcalf@tilera.com>
commit c539914dcd9a68c63305e055b14115a6a19578a8 upstream.
The Tilera hypervisor shipped in releases up through MDE 4.1 launches
the client operating system (i.e. Linux) at privilege level 1 (PL1).
Starting with MDE 4.2, as part of the work to enable KVM, the
Tilera hypervisor launches Linux at PL2 instead.
This commit makes the KERNEL_PL option default to 2 for tilegx, while
still staying at 1 for tilepro, which doesn't have an updated hypervisor.
It also explains how and when you might want to choose another value.
In addition, we change a small buglet in the on-chip Ethernet driver,
where we were failing to use the KERNEL_PL constant in an API call.
To make the transition cleaner, this change also provides the updated
hv_init() API for the new hypervisor that supports announcing Linux's
compiled-in PL, so the hypervisor can generate a suitable error in the
case of a mismatched hypervisor and Linux binary.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/tile/Kconfig                  |   14 ++++++++++----
 arch/tile/include/hv/hypervisor.h  |   27 ++++++++++++++++++++++++---
 arch/tile/kernel/head_32.S         |    2 +-
 arch/tile/kernel/head_64.S         |   12 +++++++++---
 drivers/net/ethernet/tile/tilegx.c |    2 +-
 5 files changed, 45 insertions(+), 12 deletions(-)
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
@@ -368,11 +368,17 @@ config HARDWALL
 config KERNEL_PL
 	int "Processor protection level for kernel"
 	range 1 2
-	default "1"
+	default 2 if TILEGX
+	default 1 if !TILEGX
 	---help---
-	  This setting determines the processor protection level the
-	  kernel will be built to run at.  Generally you should use
-	  the default value here.
+	  Since MDE 4.2, the Tilera hypervisor runs the kernel
+	  at PL2 by default.  If running under an older hypervisor,
+	  or as a KVM guest, you must run at PL1.  (The current
+	  hypervisor may also be recompiled with "make HV_PL=2" to
+	  allow it to run a kernel at PL1, but clients running at PL1
+	  are not expected to be supported indefinitely.)
+
+	  If you're not sure, don't change the default.
 
 source "arch/tile/gxio/Kconfig"
 
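Review bot: The new KERNEL_PL help text mentions "make HV_PL=2" without saying that HV_PL is the hypervisor's own level, right after stating that the kernel default is PL2, so the two levels are easy to confuse. Suggest spelling out which level each number refers to, and adding that a kernel/hypervisor PL mismatch is reported as an error by the hypervisor, so someone choosing a non-default value knows what failure to expect.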
--- a/arch/tile/include/hv/hypervisor.h
+++ b/arch/tile/include/hv/hypervisor.h
@@ -107,7 +107,22 @@
 #define HV_DISPATCH_ENTRY_SIZE 32
 
 /** Version of the hypervisor interface defined by this file */
-#define _HV_VERSION 11
+#define _HV_VERSION 13
+
+/** Last version of the hypervisor interface with old hv_init() ABI.
+ *
+ * The change from version 12 to version 13 corresponds to launching
+ * the client by default at PL2 instead of PL1 (corresponding to the
+ * hv itself running at PL3 instead of PL2).  To make this explicit,
+ * the hv_init() API was also extended so the client can report its
+ * desired PL, resulting in a more helpful failure diagnostic.  If you
+ * call hv_init() with _HV_VERSION_OLD_HV_INIT and omit the client_pl
+ * argument, the hypervisor will assume client_pl = 1.
+ *
+ * Note that this is a deprecated solution and we do not expect to
+ * support clients of the Tilera hypervisor running at PL1 indefinitely.
+ */
+#define _HV_VERSION_OLD_HV_INIT 12
 
 /* Index into hypervisor interface dispatch code blocks.
  *
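Review bot: The comment on _HV_VERSION_OLD_HV_INIT documents only the 12 to 13 transition, while the define above it moves _HV_VERSION from 11 straight to 13. Please add a sentence on what version 12 changed relative to 11, since a PL1 kernel built from this tree now requests 12 and the header does not say whether a hypervisor that implemented 11 will accept that.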
@@ -377,7 +392,11 @@ typedef int HV_Errno;
 #ifndef __ASSEMBLER__
 
 /** Pass HV_VERSION to hv_init to request this version of the interface. */
-typedef enum { HV_VERSION = _HV_VERSION } HV_VersionNumber;
+typedef enum {
+  HV_VERSION = _HV_VERSION,
+  HV_VERSION_OLD_HV_INIT = _HV_VERSION_OLD_HV_INIT,
+
+} HV_VersionNumber;
 
 /** Initializes the hypervisor.
  *
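Review bot: Style nit in the HV_VersionNumber enum: there is a stray blank line between HV_VERSION_OLD_HV_INIT and the closing brace; drop it.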
@@ -385,9 +404,11 @@ typedef enum { HV_VERSION = _HV_VERSION
  * that this program expects, typically HV_VERSION.
  * @param chip_num Architecture number of the chip the client was built for.
  * @param chip_rev_num Revision number of the chip the client was built for.
+ * @param client_pl Privilege level the client is built for
+ *   (not required if interface_version_number == HV_VERSION_OLD_HV_INIT).
  */
 void hv_init(HV_VersionNumber interface_version_number,
-             int chip_num, int chip_rev_num);
+             int chip_num, int chip_rev_num, int client_pl);
 
 
 /** Queries we can make for hv_sysconf().
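Review bot: The documentation for client_pl says it is "not required" with HV_VERSION_OLD_HV_INIT, but the C prototype now takes four fixed arguments, so a C caller cannot omit it; only the assembly callers can leave r3 unset. Suggest wording it as "ignored when interface_version_number == HV_VERSION_OLD_HV_INIT" and stating the accepted values for client_pl.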
--- a/arch/tile/kernel/head_32.S
+++ b/arch/tile/kernel/head_32.S
@@ -38,7 +38,7 @@ ENTRY(_start)
 	  movei r2, TILE_CHIP_REV
 	}
 	{
-	  moveli r0, _HV_VERSION
+	  moveli r0, _HV_VERSION_OLD_HV_INIT
 	  jal hv_init
 	}
 	/* Get a reasonable default ASID in r0 */
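Review bot: Missing guard: this path always requests _HV_VERSION_OLD_HV_INIT, for which the header says the hypervisor assumes client_pl = 1, yet the Kconfig entry keeps "range 1 2" for every configuration, so a tilepro build can still select KERNEL_PL=2. Suggest limiting the range to 1 when !TILEGX, or adding a build-time check here that KERNEL_PL == 1, so the mismatch is caught at build time instead of at boot.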
--- a/arch/tile/kernel/head_64.S
+++ b/arch/tile/kernel/head_64.S
@@ -34,13 +34,19 @@
 ENTRY(_start)
 	/* Notify the hypervisor of what version of the API we want */
 	{
+#if KERNEL_PL == 1 && _HV_VERSION == 13
+	  /* Support older hypervisors by asking for API version 12. */
+	  movei r0, _HV_VERSION_OLD_HV_INIT
+#else
+	  movei r0, _HV_VERSION
+#endif
 	  movei r1, TILE_CHIP
-	  movei r2, TILE_CHIP_REV
 	}
 	{
-	  moveli r0, _HV_VERSION
-	  jal hv_init
+	  movei r2, TILE_CHIP_REV
+	  movei r3, KERNEL_PL
 	}
+	jal hv_init
 	/* Get a reasonable default ASID in r0 */
 	{
 	  move r0, zero
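Review bot: The condition "#if KERNEL_PL == 1 && _HV_VERSION == 13" hard-codes the current interface number, so the next bump of _HV_VERSION silently turns off the fallback and PL1 builds start requesting the new ABI. Comparing against _HV_VERSION_OLD_HV_INIT (for example _HV_VERSION > _HV_VERSION_OLD_HV_INIT), or adding a comment next to the _HV_VERSION define that this test must be revisited, would make the dependency explicit.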
--- a/drivers/net/ethernet/tile/tilegx.c
+++ b/drivers/net/ethernet/tile/tilegx.c
@@ -930,7 +930,7 @@ static int tile_net_setup_interrupts(str
 		if (info->has_iqueue) {
 			gxio_mpipe_request_notif_ring_interrupt(
 				&context, cpu_x(cpu), cpu_y(cpu),
-				1, ingress_irq, info->iqueue.ring);
+				KERNEL_PL, ingress_irq, info->iqueue.ring);
 		}
 	}
 
* [ 047/102] B43: Handle DMA RX descriptor underrun
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2013-05-17 21:36 ` [ 046/102] tile: support new Tilera hypervisor Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 048/102] iwl4965: workaround connection regression on passive channel Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Buesch, Thommy Jakobsson,
	John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Thommy Jakobsson <thommyj@gmail.com>
commit 73b82bf0bfbf58e6ff328d3726934370585f6e78 upstream.
Add handling of rx descriptor underflow. This fixes a fault that could
happen on slow machines, where data is received faster than the CPU can
handle. In such a case the device will use up all rx descriptors and
refuse to send any more data before confirming that it is ok. This
patch enables the necessary interrupt to discover such a situation and
handles it by dropping everything in the ring buffer.
Reviewed-by: Michael Buesch <m@bues.ch>
Signed-off-by: Thommy Jakobsson <thommyj@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/b43/dma.c  |   19 +++++++++++++++++
 drivers/net/wireless/b43/dma.h  |    4 ++-
 drivers/net/wireless/b43/main.c |   43 ++++++++++++++++------------------------
 3 files changed, 40 insertions(+), 26 deletions(-)
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -1733,6 +1733,25 @@ drop_recycle_buffer:
 	sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize);
 }
 
+void b43_dma_handle_rx_overflow(struct b43_dmaring *ring)
+{
+	int current_slot, previous_slot;
+
+	B43_WARN_ON(ring->tx);
+
+	/* Device has filled all buffers, drop all packets and let TCP
+	 * decrease speed.
+	 * Decrement RX index by one will let the device to see all slots
+	 * as free again
+	 */
+	/*
+	*TODO: How to increase rx_drop in mac80211?
+	*/
+	current_slot = ring->ops->get_current_rxslot(ring);
+	previous_slot = prev_slot(ring, current_slot);
+	ring->ops->set_current_rxslot(ring, previous_slot);
+}
+
 void b43_dma_rx(struct b43_dmaring *ring)
 {
 	const struct b43_dma_ops *ops = ring->ops;
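Review bot: Frames discarded by b43_dma_handle_rx_overflow() are not accounted anywhere; the TODO about rx_drop is left open, and the only trace of the event is the b43warn() that main.c emits under B43_DEBUG. Please either resolve the TODO or count the event in a driver statistic. Two smaller points: the function is named rx_overflow while the interrupt bit (B43_DMAIRQ_RDESC_UFLOW) and the log message call the condition a descriptor underflow/underrun, and the TODO block does not follow the kernel multi-line comment style.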
--- a/drivers/net/wireless/b43/dma.h
+++ b/drivers/net/wireless/b43/dma.h
@@ -9,7 +9,7 @@
 /* DMA-Interrupt reasons. */
 #define B43_DMAIRQ_FATALMASK	((1 << 10) | (1 << 11) | (1 << 12) \
 					 | (1 << 14) | (1 << 15))
-#define B43_DMAIRQ_NONFATALMASK	(1 << 13)
+#define B43_DMAIRQ_RDESC_UFLOW		(1 << 13)
 #define B43_DMAIRQ_RX_DONE		(1 << 16)
 
 /*** 32-bit DMA Engine. ***/
@@ -295,6 +295,8 @@ int b43_dma_tx(struct b43_wldev *dev,
 void b43_dma_handle_txstatus(struct b43_wldev *dev,
 			     const struct b43_txstatus *status);
 
+void b43_dma_handle_rx_overflow(struct b43_dmaring *ring);
+
 void b43_dma_rx(struct b43_dmaring *ring);
 
 void b43_dma_direct_fifo_rx(struct b43_wldev *dev,
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -1895,30 +1895,18 @@ static void b43_do_interrupt_thread(stru
 		}
 	}
 
-	if (unlikely(merged_dma_reason & (B43_DMAIRQ_FATALMASK |
-					  B43_DMAIRQ_NONFATALMASK))) {
-		if (merged_dma_reason & B43_DMAIRQ_FATALMASK) {
-			b43err(dev->wl, "Fatal DMA error: "
-			       "0x%08X, 0x%08X, 0x%08X, "
-			       "0x%08X, 0x%08X, 0x%08X\n",
-			       dma_reason[0], dma_reason[1],
-			       dma_reason[2], dma_reason[3],
-			       dma_reason[4], dma_reason[5]);
-			b43err(dev->wl, "This device does not support DMA "
+	if (unlikely(merged_dma_reason & (B43_DMAIRQ_FATALMASK))) {
+		b43err(dev->wl,
+			"Fatal DMA error: 0x%08X, 0x%08X, 0x%08X, 0x%08X, 0x%08X, 0x%08X\n",
+			dma_reason[0], dma_reason[1],
+			dma_reason[2], dma_reason[3],
+			dma_reason[4], dma_reason[5]);
+		b43err(dev->wl, "This device does not support DMA "
 			       "on your system. It will now be switched to PIO.\n");
-			/* Fall back to PIO transfers if we get fatal DMA errors! */
-			dev->use_pio = true;
-			b43_controller_restart(dev, "DMA error");
-			return;
-		}
-		if (merged_dma_reason & B43_DMAIRQ_NONFATALMASK) {
-			b43err(dev->wl, "DMA error: "
-			       "0x%08X, 0x%08X, 0x%08X, "
-			       "0x%08X, 0x%08X, 0x%08X\n",
-			       dma_reason[0], dma_reason[1],
-			       dma_reason[2], dma_reason[3],
-			       dma_reason[4], dma_reason[5]);
-		}
+		/* Fall back to PIO transfers if we get fatal DMA errors! */
+		dev->use_pio = true;
+		b43_controller_restart(dev, "DMA error");
+		return;
 	}
 
 	if (unlikely(reason & B43_IRQ_UCODE_DEBUG))
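Review bot: Style: the first b43err() format string was joined onto one line, but the second message is still split across two string literals ("This device does not support DMA " followed by "on your system. ...") and its continuation line keeps the old, deeper indentation. Join it the same way so the message can be grepped, and drop the redundant parentheses around B43_DMAIRQ_FATALMASK in the if condition.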
@@ -1937,6 +1925,11 @@ static void b43_do_interrupt_thread(stru
 		handle_irq_noise(dev);
 
 	/* Check the DMA reason registers for received data. */
+	if (dma_reason[0] & B43_DMAIRQ_RDESC_UFLOW) {
+		if (B43_DEBUG)
+			b43warn(dev->wl, "RX descriptor underrun\n");
+		b43_dma_handle_rx_overflow(dev->dma.rx_ring);
+	}
 	if (dma_reason[0] & B43_DMAIRQ_RX_DONE) {
 		if (b43_using_pio_transfers(dev))
 			b43_pio_rx(dev->pio.rx_queue);
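Review bot: The new underrun branch passes dev->dma.rx_ring to b43_dma_handle_rx_overflow() unconditionally, while the RX_DONE branch directly below first checks b43_using_pio_transfers(dev). Please add the same check, or explain in a comment why bit 13 can never be raised in PIO mode. Since this branch runs before the RX_DONE handling and the commit message says everything in the ring is dropped, it would also help to state whether frames that were already completed are meant to be discarded.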
@@ -1994,7 +1987,7 @@ static irqreturn_t b43_do_interrupt(stru
 		return IRQ_NONE;
 
 	dev->dma_reason[0] = b43_read32(dev, B43_MMIO_DMA0_REASON)
-	    & 0x0001DC00;
+	    & 0x0001FC00;
 	dev->dma_reason[1] = b43_read32(dev, B43_MMIO_DMA1_REASON)
 	    & 0x0000DC00;
 	dev->dma_reason[2] = b43_read32(dev, B43_MMIO_DMA2_REASON)
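Review bot: The DMA0 mask is a bare literal (0x0001FC00) that has to stay identical to the value written to B43_MMIO_DMA0_IRQ_MASK in b43_chip_init(). Building both from the named bits in dma.h (B43_DMAIRQ_FATALMASK | B43_DMAIRQ_RDESC_UFLOW | B43_DMAIRQ_RX_DONE) would keep them in sync and show which bit this patch adds.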
@@ -3126,7 +3119,7 @@ static int b43_chip_init(struct b43_wlde
 		b43_write32(dev, 0x018C, 0x02000000);
 	}
 	b43_write32(dev, B43_MMIO_GEN_IRQ_REASON, 0x00004000);
-	b43_write32(dev, B43_MMIO_DMA0_IRQ_MASK, 0x0001DC00);
+	b43_write32(dev, B43_MMIO_DMA0_IRQ_MASK, 0x0001FC00);
 	b43_write32(dev, B43_MMIO_DMA1_IRQ_MASK, 0x0000DC00);
 	b43_write32(dev, B43_MMIO_DMA2_IRQ_MASK, 0x0000DC00);
 	b43_write32(dev, B43_MMIO_DMA3_IRQ_MASK, 0x0001DC00);
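Review bot: Only DMA0 gets bit 13 enabled; B43_MMIO_DMA3_IRQ_MASK stays at 0x0001DC00, which also has the RX_DONE bit (1 << 16) set but not B43_DMAIRQ_RDESC_UFLOW. If DMA3 can carry an RX ring, it can hit the same underrun with no interrupt to recover from it; please confirm that is not the case, or handle it here too.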
* [ 048/102] iwl4965: workaround connection regression on passive channel
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2013-05-17 21:36 ` [ 047/102] B43: Handle DMA RX descriptor underrun Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 049/102] drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka, John W. Linville
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit dd9c46408fdc07098333655ff27edf8cac8d9fcf upstream.
Jake reported that since commit 1672c0e31917f49d31d30d79067103432bc20cc7
"mac80211: start auth/assoc timeout on frame status", he is unable to
connect to his AP, which is configured to use a passive channel.
After switching to a passive channel, the 4965 firmware drops any TX
packet until it receives a beacon. Before commit 1672c0e3 we waited on
the channel and retransmitted the packet after 200ms, which let us
receive a beacon in the meantime, so the association process succeeded.
The new mac80211 behaviour causes any ASSOC frame to fail immediately on
iwl4965, and we cannot associate.
This patch restores the old mac80211 behaviour for iwl4965 by removing
the IEEE80211_HW_REPORTS_TX_ACK_STATUS feature. This feature will be
added to the iwl4965 driver again when a different, more complex
workaround for this firmware issue is added to the driver.
Bisected-by: Jake Edge <jake@lwn.net>
Reported-and-tested-by: Jake Edge <jake@lwn.net>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/iwlegacy/4965-mac.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -5740,8 +5740,7 @@ il4965_mac_setup_register(struct il_priv
 	hw->flags =
 	    IEEE80211_HW_SIGNAL_DBM | IEEE80211_HW_AMPDU_AGGREGATION |
 	    IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC | IEEE80211_HW_SPECTRUM_MGMT |
-	    IEEE80211_HW_REPORTS_TX_ACK_STATUS | IEEE80211_HW_SUPPORTS_PS |
-	    IEEE80211_HW_SUPPORTS_DYNAMIC_PS;
+	    IEEE80211_HW_SUPPORTS_PS | IEEE80211_HW_SUPPORTS_DYNAMIC_PS;
 	if (il->cfg->sku & IL_SKU_N)
 		hw->flags |=
 		    IEEE80211_HW_SUPPORTS_DYNAMIC_SMPS |
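Review bot: Nothing in the code records why IEEE80211_HW_REPORTS_TX_ACK_STATUS is absent from hw->flags. Since the commit message says the flag will come back once a firmware workaround exists, add a short comment above this assignment pointing at the passive-channel regression, so the flag is not re-added by a later cleanup.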
* [ 049/102] drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2013-05-17 21:36 ` [ 048/102] iwl4965: workaround connection regression on passive channel Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 050/102] drm/mgag200: Fix framebuffer base address programming Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christopher Harvey, Julia Lemire,
	Mathieu Larouche, Dave Airlie
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Christopher Harvey <charvey@matrox.com>
commit fb70a6690875315a3a1454e52fa339441ee7612b upstream.
The original line,
  WREG_DAC(MGA1064_PIX_CLK_CTL_CLK_DIS, tmp);
wrote tmp into MGA1064_PIX_CLK_CTL_CLK_DIS, where
MGA1064_PIX_CLK_CTL_CLK_DIS is an offset into
MGA1064_PIX_CLK_CTL. Change the line to write properly into
MGA1064_PIX_CLK_CTL. There were other chunks of code nearby that use
the same pattern (but work correctly), so this patch updates them all
to use this new (slightly more efficient) write pattern. The WREG_DAC
macro was causing the DAC_INDEX register to be set to the same value
twice. WREG8(DAC_DATA, foo) takes advantage of the fact that DAC_INDEX
is already at the value we want.
Signed-off-by: Christopher Harvey <charvey@matrox.com>
Acked-by: Julia Lemire <jlemire@matrox.com>
Tested-by: Julia Lemire <jlemire@matrox.com>
Acked-by: Mathieu Larouche <mathieu.larouche@matrox.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/mgag200/mgag200_mode.c |   42 ++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 21 deletions(-)
--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -189,12 +189,12 @@ static int mga_g200wb_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
-		WREG_DAC(MGA1064_PIX_CLK_CTL_CLK_DIS, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		WREG8(DAC_INDEX, MGA1064_REMHEADCTL);
 		tmp = RREG8(DAC_DATA);
 		tmp |= MGA1064_REMHEADCTL_CLKDIS;
-		WREG_DAC(MGA1064_REMHEADCTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		/* select PLL Set C */
 		tmp = RREG8(MGAREG_MEM_MISC_READ);
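Review bot: Each WREG8(DAC_DATA, tmp) now depends on DAC_INDEX still holding the value written two or three lines earlier, and nothing in these sequences shows what keeps another DAC access from changing the index in between. A small read-modify-write helper that takes the register index (select, read, modify, write) would make the pairing explicit, and would have prevented the original mistake of passing MGA1064_PIX_CLK_CTL_CLK_DIS as the register.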
@@ -204,7 +204,7 @@ static int mga_g200wb_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp |= MGA1064_PIX_CLK_CTL_CLK_POW_DOWN | 0x80;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		udelay(500);
 
@@ -212,7 +212,7 @@ static int mga_g200wb_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_VREF_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~0x04;
-		WREG_DAC(MGA1064_VREF_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		udelay(50);
 
@@ -236,13 +236,13 @@ static int mga_g200wb_set_plls(struct mg
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~MGA1064_PIX_CLK_CTL_SEL_MSK;
 		tmp |= MGA1064_PIX_CLK_CTL_SEL_PLL;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		WREG8(DAC_INDEX, MGA1064_REMHEADCTL);
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~MGA1064_REMHEADCTL_CLKSL_MSK;
 		tmp |= MGA1064_REMHEADCTL_CLKSL_PLL;
-		WREG_DAC(MGA1064_REMHEADCTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		/* reset dotclock rate bit */
 		WREG8(MGAREG_SEQ_INDEX, 1);
@@ -253,7 +253,7 @@ static int mga_g200wb_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~MGA1064_PIX_CLK_CTL_CLK_DIS;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		vcount = RREG8(MGAREG_VCOUNT);
 
@@ -318,7 +318,7 @@ static int mga_g200ev_set_plls(struct mg
 	WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 	tmp = RREG8(DAC_DATA);
 	tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
-	WREG_DAC(MGA1064_PIX_CLK_CTL_CLK_DIS, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	tmp = RREG8(MGAREG_MEM_MISC_READ);
 	tmp |= 0x3 << 2;
@@ -326,12 +326,12 @@ static int mga_g200ev_set_plls(struct mg
 
 	WREG8(DAC_INDEX, MGA1064_PIX_PLL_STAT);
 	tmp = RREG8(DAC_DATA);
-	WREG_DAC(MGA1064_PIX_PLL_STAT, tmp & ~0x40);
+	WREG8(DAC_DATA, tmp & ~0x40);
 
 	WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 	tmp = RREG8(DAC_DATA);
 	tmp |= MGA1064_PIX_CLK_CTL_CLK_POW_DOWN;
-	WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	WREG_DAC(MGA1064_EV_PIX_PLLC_M, m);
 	WREG_DAC(MGA1064_EV_PIX_PLLC_N, n);
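Review bot: The MGA1064_PIX_PLL_STAT writes in this function use a bare 0x40 (tmp & ~0x40 here, tmp | 0x40 further down). A named constant for that bit, like the MGA1064_PIX_CLK_CTL_* ones used on the neighbouring lines, would say what is being toggled.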
@@ -342,7 +342,7 @@ static int mga_g200ev_set_plls(struct mg
 	WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 	tmp = RREG8(DAC_DATA);
 	tmp &= ~MGA1064_PIX_CLK_CTL_CLK_POW_DOWN;
-	WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	udelay(500);
 
@@ -350,11 +350,11 @@ static int mga_g200ev_set_plls(struct mg
 	tmp = RREG8(DAC_DATA);
 	tmp &= ~MGA1064_PIX_CLK_CTL_SEL_MSK;
 	tmp |= MGA1064_PIX_CLK_CTL_SEL_PLL;
-	WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	WREG8(DAC_INDEX, MGA1064_PIX_PLL_STAT);
 	tmp = RREG8(DAC_DATA);
-	WREG_DAC(MGA1064_PIX_PLL_STAT, tmp | 0x40);
+	WREG8(DAC_DATA, tmp | 0x40);
 
 	tmp = RREG8(MGAREG_MEM_MISC_READ);
 	tmp |= (0x3 << 2);
@@ -363,7 +363,7 @@ static int mga_g200ev_set_plls(struct mg
 	WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 	tmp = RREG8(DAC_DATA);
 	tmp &= ~MGA1064_PIX_CLK_CTL_CLK_DIS;
-	WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	return 0;
 }
@@ -416,7 +416,7 @@ static int mga_g200eh_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
-		WREG_DAC(MGA1064_PIX_CLK_CTL_CLK_DIS, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		tmp = RREG8(MGAREG_MEM_MISC_READ);
 		tmp |= 0x3 << 2;
@@ -425,7 +425,7 @@ static int mga_g200eh_set_plls(struct mg
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp |= MGA1064_PIX_CLK_CTL_CLK_POW_DOWN;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		udelay(500);
 
@@ -439,13 +439,13 @@ static int mga_g200eh_set_plls(struct mg
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~MGA1064_PIX_CLK_CTL_SEL_MSK;
 		tmp |= MGA1064_PIX_CLK_CTL_SEL_PLL;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 		tmp = RREG8(DAC_DATA);
 		tmp &= ~MGA1064_PIX_CLK_CTL_CLK_DIS;
 		tmp &= ~MGA1064_PIX_CLK_CTL_CLK_POW_DOWN;
-		WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+		WREG8(DAC_DATA, tmp);
 
 		vcount = RREG8(MGAREG_VCOUNT);
 
@@ -515,12 +515,12 @@ static int mga_g200er_set_plls(struct mg
 	WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
 	tmp = RREG8(DAC_DATA);
 	tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
-	WREG_DAC(MGA1064_PIX_CLK_CTL_CLK_DIS, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	WREG8(DAC_INDEX, MGA1064_REMHEADCTL);
 	tmp = RREG8(DAC_DATA);
 	tmp |= MGA1064_REMHEADCTL_CLKDIS;
-	WREG_DAC(MGA1064_REMHEADCTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	tmp = RREG8(MGAREG_MEM_MISC_READ);
 	tmp |= (0x3<<2) | 0xc0;
@@ -530,7 +530,7 @@ static int mga_g200er_set_plls(struct mg
 	tmp = RREG8(DAC_DATA);
 	tmp &= ~MGA1064_PIX_CLK_CTL_CLK_DIS;
 	tmp |= MGA1064_PIX_CLK_CTL_CLK_POW_DOWN;
-	WREG_DAC(MGA1064_PIX_CLK_CTL, tmp);
+	WREG8(DAC_DATA, tmp);
 
 	udelay(500);
 
* [ 050/102] drm/mgag200: Fix framebuffer base address programming
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2013-05-17 21:36 ` [ 049/102] drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 051/102] drm/mm: fix dump table BUG Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christopher Harvey, Mathieu Larouche,
	Julia Lemire, Dave Airlie
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Christopher Harvey <charvey@matrox.com>
commit 9f1d036648c1c5ed81b0e98d7a06d55df972701e upstream.
Higher bits of the base address of framebuffers weren't being
programmed properly. This caused framebuffers that didn't happen to be
allocated at a low enough address to not be displayed properly.
Signed-off-by: Christopher Harvey <charvey@matrox.com>
Signed-off-by: Mathieu Larouche <mathieu.larouche@matrox.com>
Acked-by: Julia Lemire <jlemire@matrox.com>
Tested-by: Julia Lemire <jlemire@matrox.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/mgag200/mgag200_mode.c |   27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -657,12 +657,26 @@ static void mga_g200wb_commit(struct drm
 	WREG_DAC(MGA1064_GEN_IO_DATA, tmp);
 }
 
-
+/*
+   This is how the framebuffer base address is stored in g200 cards:
+   * Assume @offset is the gpu_addr variable of the framebuffer object
+   * Then addr is the number of _pixels_ (not bytes) from the start of
+     VRAM to the first pixel we want to display. (divided by 2 for 32bit
+     framebuffers)
+   * addr is stored in the CRTCEXT0, CRTCC and CRTCD registers
+   addr<20> -> CRTCEXT0<6>
+   addr<19-16> -> CRTCEXT0<3-0>
+   addr<15-8> -> CRTCC<7-0>
+   addr<7-0> -> CRTCD<7-0>
+   CRTCEXT0 has to be programmed last to trigger an update and make the
+   new addr variable take effect.
+ */
 void mga_set_start_address(struct drm_crtc *crtc, unsigned offset)
 {
 	struct mga_device *mdev = crtc->dev->dev_private;
 	u32 addr;
 	int count;
+	u8 crtcext0;
 
 	while (RREG8(0x1fda) & 0x08);
 	while (!(RREG8(0x1fda) & 0x08));
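Review bot: The new comment describes addr as a pixel count "divided by 2 for 32bit framebuffers", but the code in the next hunk computes addr = offset / 8 regardless of depth, and the comment never says where the 8 comes from. Please state the unit of addr in terms of bytes of VRAM so the comment and the division agree. The block also does not follow the kernel multi-line comment style.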
@@ -670,10 +684,17 @@ void mga_set_start_address(struct drm_cr
 	count = RREG8(MGAREG_VCOUNT) + 2;
 	while (RREG8(MGAREG_VCOUNT) < count);
 
-	addr = offset >> 2;
+	WREG8(MGAREG_CRTCEXT_INDEX, 0);
+	crtcext0 = RREG8(MGAREG_CRTCEXT_DATA);
+	crtcext0 &= 0xB0;
+	addr = offset / 8;
+	/* Can't store addresses any higher than that...
+	   but we also don't have more than 16MB of memory, so it should be fine. */
+	WARN_ON(addr > 0x1fffff);
+	crtcext0 |= (!!(addr & (1<<20)))<<6;
 	WREG_CRT(0x0d, (u8)(addr & 0xff));
 	WREG_CRT(0x0c, (u8)(addr >> 8) & 0xff);
-	WREG_CRT(0xaf, (u8)(addr >> 16) & 0xf);
+	WREG_ECRT(0x0, ((u8)(addr >> 16) & 0xf) | crtcext0);
 }
 
 
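Review bot: WARN_ON(addr > 0x1fffff) only reports the problem; the function then programs the truncated value, so scanout starts at a different VRAM offset than the caller asked for. Consider returning early (or clamping) when the check fires. The crtcext0 &= 0xB0 line would also benefit from a comment saying which CRTCEXT0 bits are preserved, since the header comment only documents bits 6 and 3-0.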
* [ 051/102] drm/mm: fix dump table BUG
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2013-05-17 21:36 ` [ 050/102] drm/mgag200: Fix framebuffer base address programming Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 052/102] drm: dont check modeset locks in panic handler Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christopher Harvey, Dave Airlie,
	Chris Wilson, Daniel Vetter
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Daniel Vetter <daniel.vetter@ffwll.ch>
commit 3a359f0b21ab218c1bf7a6a1b638b6fd143d0b99 upstream.
In
commit 9e8944ab564f2e3dde90a518cd32048c58918608
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Nov 15 11:32:17 2012 +0000
    drm: Introduce an iterator over holes in the drm_mm range manager
helpers and iterators for hole handling have been introduced with some
debug BUG_ONs sprinkled over. Unfortunately this broke the mm dumper
which unconditionally tried to compute the size of the very first
hole.
While at it unify the code a bit with the hole dumping in the loop.
v2: Extract a hole dump helper.
Reported-by: Christopher Harvey <charvey@matrox.com>
Cc: Christopher Harvey <charvey@matrox.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Acked-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_mm.c |   34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)
--- a/drivers/gpu/drm/drm_mm.c
+++ b/drivers/gpu/drm/drm_mm.c
@@ -755,33 +755,35 @@ void drm_mm_debug_table(struct drm_mm *m
 EXPORT_SYMBOL(drm_mm_debug_table);
 
 #if defined(CONFIG_DEBUG_FS)
-int drm_mm_dump_table(struct seq_file *m, struct drm_mm *mm)
+static unsigned long drm_mm_dump_hole(struct seq_file *m, struct drm_mm_node *entry)
 {
-	struct drm_mm_node *entry;
-	unsigned long total_used = 0, total_free = 0, total = 0;
 	unsigned long hole_start, hole_end, hole_size;
 
-	hole_start = drm_mm_hole_node_start(&mm->head_node);
-	hole_end = drm_mm_hole_node_end(&mm->head_node);
-	hole_size = hole_end - hole_start;
-	if (hole_size)
+	if (entry->hole_follows) {
+		hole_start = drm_mm_hole_node_start(entry);
+		hole_end = drm_mm_hole_node_end(entry);
+		hole_size = hole_end - hole_start;
 		seq_printf(m, "0x%08lx-0x%08lx: 0x%08lx: free\n",
 				hole_start, hole_end, hole_size);
-	total_free += hole_size;
+		return hole_size;
+	}
+
+	return 0;
+}
+
+int drm_mm_dump_table(struct seq_file *m, struct drm_mm *mm)
+{
+	struct drm_mm_node *entry;
+	unsigned long total_used = 0, total_free = 0, total = 0;
+
+	total_free += drm_mm_dump_hole(m, &mm->head_node);
 
 	drm_mm_for_each_node(entry, mm) {
 		seq_printf(m, "0x%08lx-0x%08lx: 0x%08lx: used\n",
 				entry->start, entry->start + entry->size,
 				entry->size);
 		total_used += entry->size;
-		if (entry->hole_follows) {
-			hole_start = drm_mm_hole_node_start(entry);
-			hole_end = drm_mm_hole_node_end(entry);
-			hole_size = hole_end - hole_start;
-			seq_printf(m, "0x%08lx-0x%08lx: 0x%08lx: free\n",
-					hole_start, hole_end, hole_size);
-			total_free += hole_size;
-		}
+		total_free += drm_mm_dump_hole(m, entry);
 	}
 	total = total_free + total_used;
 
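Review bot: The old head_node path printed the "free" line only when hole_size was nonzero; drm_mm_dump_hole() prints whenever entry->hole_follows is set. Please confirm hole_follows implies a nonzero hole, otherwise the dump can gain zero-length free entries. Nit: the drm_mm_dump_hole() declaration line runs past 80 columns.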
* [ 052/102] drm: dont check modeset locks in panic handler
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2013-05-17 21:36 ` [ 051/102] drm/mm: fix dump table BUG Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 053/102] drm/i915: clear the stolen fb before resuming Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Airlie, Borislav Petkov,
	Daniel Vetter
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Daniel Vetter <daniel.vetter@ffwll.ch>
commit a9b054e8ab06504c2afa0e307ee78d3778993a1d upstream.
Since we know that locking is broken in that case and it's more
important to not flood the dmesg with random gunk.
Reported-and-tested-by: Borislav Petkov <bp@suse.de>
References: http://lkml.kernel.org/r/20130502000206.GH15623@pd.tnic
Cc: Dave Airlie <airlied@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_crtc.c |    4 ++++
 1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -78,6 +78,10 @@ void drm_warn_on_modeset_not_all_locked(
 {
 	struct drm_crtc *crtc;
 
+	/* Locking is currently fubar in the panic handler. */
+	if (oops_in_progress)
+		return;
+
 	list_for_each_entry(crtc, &dev->mode_config.crtc_list, head)
 		WARN_ON(!mutex_is_locked(&crtc->mutex));
 
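Review bot: oops_in_progress is a global flag, so this early return disables the lock assertions for every caller while any oops is being handled, not only for the panic handler's own path. If that is acceptable, say so in the comment; "currently fubar" does not tell a later reader what is broken or when the check can be restored.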
* [ 053/102] drm/i915: clear the stolen fb before resuming
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2013-05-17 21:36 ` [ 052/102] drm: dont check modeset locks in panic handler Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 054/102] tcp: force a dst refcount when prequeue packet Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jani Nikula, Chris Wilson,
	Daniel Vetter
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 1ffc5289bfcf7f4c4e4213240bb4be68c48ce603 upstream.
Similar to
commit 88afe715dd5469bc24ca7a19ac62dd3c241cab48
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sun Dec 16 12:15:41 2012 +0000
    drm/i915: Clear the stolen fb before enabling
but on the resume path.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=57191
Reported-and-tested-by: Nikolay Amiantov <nikoamia@gmail.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/intel_fb.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/intel_fb.c
+++ b/drivers/gpu/drm/i915/intel_fb.c
@@ -261,10 +261,22 @@ void intel_fbdev_fini(struct drm_device
 void intel_fbdev_set_suspend(struct drm_device *dev, int state)
 {
 	drm_i915_private_t *dev_priv = dev->dev_private;
-	if (!dev_priv->fbdev)
+	struct intel_fbdev *ifbdev = dev_priv->fbdev;
+	struct fb_info *info;
+
+	if (!ifbdev)
 		return;
 
-	fb_set_suspend(dev_priv->fbdev->helper.fbdev, state);
+	info = ifbdev->helper.fbdev;
+
+	/* On resume from hibernation: If the object is shmemfs backed, it has
+	 * been restored from swap. If the object is stolen however, it will be
+	 * full of whatever garbage was left in there.
+	 */
+	if (!state && ifbdev->ifb.obj->stolen)
+		memset_io(info->screen_base, 0, info->screen_size);
+
+	fb_set_suspend(info, state);
 }
 
 MODULE_LICENSE("GPL and additional rights");
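Review bot: in intel_fbdev_set_suspend() the new test reads ifbdev->ifb.obj->stolen and info->screen_base after checking only ifbdev for NULL; if the fbdev can exist on this path without a backing object or a mapped screen_base, resume will oops, so either check them or say in the comment why they are always set here. The comment also talks about resume from hibernation, while the condition is just !state and does not distinguish hibernation from any other resume; if clearing a stolen framebuffer on every resume is intended, the comment should say so.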
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 054/102] tcp: force a dst refcount when prequeue packet
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Galbraith, Eric Dumazet,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 093162553c33e9479283e107b4431378271c735d ]
Before escaping RCU protected section and adding packet into
prequeue, make sure the dst is refcounted.
Reported-by: Mike Galbraith <bitbucket@online.de>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tcp.h |    1 +
 1 file changed, 1 insertion(+)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1049,6 +1049,7 @@ static inline bool tcp_prequeue(struct s
 	    skb_queue_len(&tp->ucopy.prequeue) == 0)
 		return false;
 
+	skb_dst_force(skb);
 	__skb_queue_tail(&tp->ucopy.prequeue, skb);
 	tp->ucopy.memory += skb->truesize;
 	if (tp->ucopy.memory > sk->sk_rcvbuf) {
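Review bot: the new skb_dst_force(skb) call in tcp_prequeue() carries no comment, and the reason for it (the skb leaves the RCU protected section once it sits on the prequeue, so the dst must hold a real reference) is only in the changelog. A one-line comment above the call would keep it from being removed later as redundant.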
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 055/102] sfc: Fix naming of MTD partitions for FPGA bitfiles
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Hutchings, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <bhutchings@solarflare.com>
[ Upstream commit 89cc80a44b7c320e08599cb86f6aef0ead8986a1 ]
efx_mcdi_get_board_cfg() uses a buffer for the firmware response that
is only large enough to hold subtypes for the originally defined set
of NVRAM partitions.  Longer responses are truncated, and we may read
off the end of the buffer when copying out subtypes for additional
partitions.  In particular, this can result in the MTD partition for
an FPGA bitfile being named e.g. 'eth5 sfc_fpga:00' when it should be
'eth5 sfc_fpga:01'.  This means the firmware update tool (sfupdate)
can't tell which bitfile should be written to the partition.
Correct the response buffer size.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/sfc/mcdi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/sfc/mcdi.c
+++ b/drivers/net/ethernet/sfc/mcdi.c
@@ -667,7 +667,7 @@ fail:
 int efx_mcdi_get_board_cfg(struct efx_nic *efx, u8 *mac_address,
 			   u16 *fw_subtype_list, u32 *capabilities)
 {
-	uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMIN];
+	uint8_t outbuf[MC_CMD_GET_BOARD_CFG_OUT_LENMAX];
 	size_t outlen, offset, i;
 	int port_num = efx_port_num(efx);
 	int rc;
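Review bot: outbuf in efx_mcdi_get_board_cfg() stays on the stack while growing from MC_CMD_GET_BOARD_CFG_OUT_LENMIN to MC_CMD_GET_BOARD_CFG_OUT_LENMAX; the changelog should state the new size so the stack cost can be judged. The changelog describes a read off the end of the buffer when copying subtypes, but the copy itself is outside this hunk: please confirm it is bounded by the returned outlen and not only by the larger array, otherwise a short firmware response still ends up copying uninitialised stack bytes into fw_subtype_list.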
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 056/102] net: tun: release the reference of tun device in tun_recvmsg
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gao feng, Jason Wang, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Gao feng <gaofeng@cn.fujitsu.com>
[ Upstream commit 3811ae76bc84e5dc1a670ae10695f046b310bee1 ]
We forget to release the reference of tun device in tun_recvmsg.
bug introduced in commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990
(tuntap: move socket to tun_file)
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1471,14 +1471,17 @@ static int tun_recvmsg(struct kiocb *ioc
 	if (!tun)
 		return -EBADFD;
 
-	if (flags & ~(MSG_DONTWAIT|MSG_TRUNC))
-		return -EINVAL;
+	if (flags & ~(MSG_DONTWAIT|MSG_TRUNC)) {
+		ret = -EINVAL;
+		goto out;
+	}
 	ret = tun_do_read(tun, tfile, iocb, m->msg_iov, total_len,
 			  flags & MSG_DONTWAIT);
 	if (ret > total_len) {
 		m->msg_flags |= MSG_TRUNC;
 		ret = flags & MSG_TRUNC ? ret : total_len;
 	}
+out:
 	tun_put(tun);
 	return ret;
 }
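Review bot: the flags test in tun_recvmsg() depends only on flags, so it could be moved ahead of the point where the tun reference is taken instead of adding the out: label; that removes the leak without a get/put pair on a call that is going to fail with -EINVAL anyway. If the goto form is kept, a short comment at out: saying that every exit after the !tun check must pass through tun_put() would help the next person adding an early return.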
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 057/102] net: mac802154: comparision issue of type cast, finding by EXTRA_CFLAGS=-W
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen Gang, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Chen Gang <gang.chen@asianux.com>
[ Upstream commit 2c1bbbffa0b644fab4f91878cde0c2e8f52e2dcc ]
Change MAC802154_CHAN_NONE from ~(u8)0 to 0xff, or the comparison in
mac802154_wpan_xmit() for ``chan == MAC802154_CHAN_NONE'' will not
succeed.
This bug can be boiled down to ``u8 foo = 0xff; if (foo == ~(u8)0)
[...] else [...]'' where the condition will always take the else
branch.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac802154/mac802154.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac802154/mac802154.h
+++ b/net/mac802154/mac802154.h
@@ -90,7 +90,7 @@ struct mac802154_sub_if_data {
 
 #define MAC802154_MAX_XMIT_ATTEMPTS	3
 
-#define MAC802154_CHAN_NONE		(~(u8)0) /* No channel is assigned */
+#define MAC802154_CHAN_NONE		0xff /* No channel is assigned */
 
 extern struct ieee802154_reduced_mlme_ops mac802154_mlme_reduced;
 extern struct ieee802154_mlme_ops mac802154_mlme_wpan;
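Review bot: the comment on the new MAC802154_CHAN_NONE still says only "No channel is assigned", so nothing at the definition warns against going back to the ~(u8)0 form. Please extend it to say that the value is compared against a u8 and that ~(u8)0 is promoted to int before the complement, which is the whole reason for the literal 0xff.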
^ permalink raw reply	[flat|nested] 113+ messages in thread
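The integer promotion described in the changelog above, as an added example that is not part of the patch or of the kernel source. The names CHAN_NONE_OLD, CHAN_NONE_NEW, CHAN_NONE_CAST and the helper functions are hypothetical; the cast form is an alternative shown for comparison, not what the patch does.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;	/* stand-in for the kernel's u8 */

/* Both sides of the hunk, renamed (hypothetical names) so they can coexist. */
#define CHAN_NONE_OLD	(~(u8)0)	/* (u8)0 promotes to int 0, ~ gives -1 */
#define CHAN_NONE_NEW	0xff		/* int constant 255 */
/* Assumption: an alternative spelling, not the one the patch chose. */
#define CHAN_NONE_CAST	((u8)~0)	/* -1 converted to u8, i.e. 255 */

enum chan_def { DEF_OLD, DEF_NEW, DEF_CAST };

/* The sentinel as an int: the value the == operator really compares with. */
static int sentinel_value(enum chan_def def)
{
	switch (def) {
	case DEF_OLD:
		return CHAN_NONE_OLD;
	case DEF_NEW:
		return CHAN_NONE_NEW;
	default:
		return CHAN_NONE_CAST;
	}
}

/*
 * Returns 1 when chan equals the sentinel. chan is promoted to int
 * (range 0..255) before the comparison, so it can never equal -1.
 * Compilers flag the DEF_OLD case as always false with extra warnings on,
 * which is how the changelog says the bug was found.
 */
static int chan_is_none(u8 chan, enum chan_def def)
{
	switch (def) {
	case DEF_OLD:
		return chan == CHAN_NONE_OLD;
	case DEF_NEW:
		return chan == CHAN_NONE_NEW;
	default:
		return chan == CHAN_NONE_CAST;
	}
}

/* How many of the 256 possible u8 values match the sentinel. */
static int count_matches(enum chan_def def)
{
	int n = 0;

	for (int v = 0; v <= 0xff; v++)
		n += chan_is_none((u8)v, def);
	return n;
}

int main(void)
{
	static const char *const names[] = { "~(u8)0", "0xff", "(u8)~0" };

	for (int d = DEF_OLD; d <= DEF_CAST; d++)
		printf("%-8s as int = %4d, u8 values that match: %d\n",
		       names[d], sentinel_value((enum chan_def)d),
		       count_matches((enum chan_def)d));
	return 0;
}
```
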
* [ 058/102] tcp: reset timer after any SYNACK retransmit
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Yuchung Cheng <ycheng@google.com>
[ Upstream commit cd75eff64dae8856afbf6ef0f0ca3c145465d8e0 ]
Linux immediately returns SYNACK on (spurious) SYN retransmits, but
keeps the SYNACK timer running independently. Thus the timer may
fire right after the SYNACK retransmit and causes a SYN-SYNACK
cross-fire burst.
Adopt the fast retransmit/recovery idea in established state by
re-arming the SYNACK timer after the fast (SYNACK) retransmit. The
timer may fire late up to 500ms due to the current SYNACK timer wheel,
but it's OK to be conservative when network is congested. Eric's new
listener design should address this issue.
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_minisocks.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -583,8 +583,13 @@ struct sock *tcp_check_req(struct sock *
 		 *
 		 * Note that even if there is new data in the SYN packet
 		 * they will be thrown away too.
+		 *
+		 * Reset timer after retransmitting SYNACK, similar to
+		 * the idea of fast retransmit in recovery.
 		 */
-		inet_rtx_syn_ack(sk, req);
+		if (!inet_rtx_syn_ack(sk, req))
+			req->expires = min(TCP_TIMEOUT_INIT << req->num_timeout,
+					   TCP_RTO_MAX) + jiffies;
 		return NULL;
 	}
 
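Review bot: the new req->expires assignment in tcp_check_req() open-codes the SYNACK timeout as min(TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX) + jiffies; if the regular SYNACK timer computes its expiry the same way, a shared helper would keep the two from drifting apart. The added comment should also mention that the timer is re-armed only when inet_rtx_syn_ack() returns 0, so a failed retransmit deliberately leaves the old expiry in place.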
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 059/102] 3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA)
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Whitehead, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Matthew Whitehead <tedheadster@gmail.com>
[ Upstream commit 3b54912f9cd167641b91d4a697bd742f70e534fe ]
The venerable 3c509 driver only sets its device parent in one case, the ISAPnP one.
It does this with the SET_NETDEV_DEV function. It should register with the device
hierarchy in two additional cases: standard (non-PnP) ISA and EISA.
- Currently they appear here:
/sys/devices/virtual/net/eth0 (standard ISA)
/sys/devices/virtual/net/eth1 (EISA)
- Rather, they should instead be here:
/sys/devices/isa/3c509.0/net/eth0 (standard ISA)
/sys/devices/pci0000:00/0000:00:07.0/00:04/net/eth1 (EISA)
Tested on ISA and EISA boards.
Signed-off-by: Matthew Whitehead <tedheadster@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/3com/3c509.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/3com/3c509.c
+++ b/drivers/net/ethernet/3com/3c509.c
@@ -306,6 +306,7 @@ static int el3_isa_match(struct device *
 	if (!dev)
 		return -ENOMEM;
 
+	SET_NETDEV_DEV(dev, pdev);
 	netdev_boot_setup_check(dev);
 
 	if (!request_region(ioaddr, EL3_IO_EXTENT, "3c509-isa")) {
@@ -595,6 +596,7 @@ static int __init el3_eisa_probe (struct
 		return -ENOMEM;
 	}
 
+	SET_NETDEV_DEV(dev, device);
 	netdev_boot_setup_check(dev);
 
 	el3_dev_fill(dev, phys_addr, ioaddr, irq, if_port, EL3_EISA);
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 060/102] net_sched: act_ipt forward compat with xtables
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit 0dcffd09641f3abb21ac5cabc61542ab289d1a3c ]
Deal with changes in newer xtables while maintaining backward
compatibility. Thanks to Jan Engelhardt for suggestions.
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_ipt.c |   33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -8,7 +8,7 @@
  *		as published by the Free Software Foundation; either version
  *		2 of the License, or (at your option) any later version.
  *
- * Copyright:	Jamal Hadi Salim (2002-4)
+ * Copyright:	Jamal Hadi Salim (2002-13)
  */
 
 #include <linux/types.h>
@@ -303,17 +303,44 @@ static struct tc_action_ops act_ipt_ops
 	.walk		=	tcf_generic_walker
 };
 
-MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
+static struct tc_action_ops act_xt_ops = {
+	.kind		=	"xt",
+	.hinfo		=	&ipt_hash_info,
+	.type		=	TCA_ACT_IPT,
+	.capab		=	TCA_CAP_NONE,
+	.owner		=	THIS_MODULE,
+	.act		=	tcf_ipt,
+	.dump		=	tcf_ipt_dump,
+	.cleanup	=	tcf_ipt_cleanup,
+	.lookup		=	tcf_hash_search,
+	.init		=	tcf_ipt_init,
+	.walk		=	tcf_generic_walker
+};
+
+MODULE_AUTHOR("Jamal Hadi Salim(2002-13)");
 MODULE_DESCRIPTION("Iptables target actions");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("act_xt");
 
 static int __init ipt_init_module(void)
 {
-	return tcf_register_action(&act_ipt_ops);
+	int ret1, ret2;
+	ret1 = tcf_register_action(&act_xt_ops);
+	if (ret1 < 0)
+		printk("Failed to load xt action\n");
+	ret2 = tcf_register_action(&act_ipt_ops);
+	if (ret2 < 0)
+		printk("Failed to load ipt action\n");
+
+	if (ret1 < 0 && ret2 < 0)
+		return ret1;
+	else
+		return 0;
 }
 
 static void __exit ipt_cleanup_module(void)
 {
+	tcf_unregister_action(&act_xt_ops);
 	tcf_unregister_action(&act_ipt_ops);
 }
 
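Review bot: ipt_init_module() now returns 0 when only one of the two tcf_register_action() calls succeeds, but ipt_cleanup_module() unregisters both act_xt_ops and act_ipt_ops unconditionally, so the module can end up unregistering an action that was never registered. Remember which registrations succeeded (or fail the load and unwind when either one fails), and give the two printk() calls a log level, e.g. pr_err(), since as written they have none.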
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 061/102] net: use netdev_features_t in skb_needs_linearize()
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Patrick McHardy, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Patrick McHardy <kaber@trash.net>
[ Upstream commit 6708c9e5cc9bfc7c9a00ce9c0fdd0b1d4952b3d1 ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2458,7 +2458,7 @@ EXPORT_SYMBOL(netif_skb_features);
  *	2. skb is fragmented and the device does not support SG.
  */
 static inline int skb_needs_linearize(struct sk_buff *skb,
-				      int features)
+				      netdev_features_t features)
 {
 	return skb_is_nonlinear(skb) &&
 			((skb_has_frag_list(skb) &&
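Review bot: the changelog for this change to skb_needs_linearize() has no body, so a stable reviewer cannot tell what goes wrong when the features argument is narrowed to int. Please state which callers pass a netdev_features_t here and which feature bits were being dropped or misread, so the user-visible effect of the bug is on record.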
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 062/102] net: vlan,ethtool: netdev_features_t is more than 32 bit
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjørn Mork, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Bjørn Mork <bjorn@mork.no>
[ Upstream commit b29d3145183da4e07d4b570fa8acdd3ac4a5c572 ]
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/8021q/vlan_dev.c |    2 +-
 net/core/ethtool.c   |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -627,7 +627,7 @@ static netdev_features_t vlan_dev_fix_fe
 	netdev_features_t features)
 {
 	struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
-	u32 old_features = features;
+	netdev_features_t old_features = features;
 
 	features &= real_dev->vlan_features;
 	features |= NETIF_F_RXCSUM;
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1416,7 +1416,7 @@ int dev_ethtool(struct net *net, struct
 	void __user *useraddr = ifr->ifr_data;
 	u32 ethcmd;
 	int rc;
-	u32 old_features;
+	netdev_features_t old_features;
 
 	if (!dev || !netif_device_present(dev))
 		return -ENODEV;
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 063/102] bridge: fix race with topology change timer
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, JerryKang, Stephen Hemminger,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: stephen hemminger <stephen@networkplumber.org>
[ Upstream commit 83401eb4990ff6af55aeed8f49681558544192e6 ]
A bridge should only send topology change notice if it is not
the root bridge. It is possible for message age timer to elect itself
as a new root bridge, and still have a topology change timer running
but waiting for bridge lock on other CPU.
Solve the race by checking if we are root bridge before continuing.
This was the root cause of the cases where br_send_tcn_bpdu would OOPS.
Reported-by: JerryKang <jerry.kang@samsung.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_stp_timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -107,7 +107,7 @@ static void br_tcn_timer_expired(unsigne
 
 	br_debug(br, "tcn timer expired\n");
 	spin_lock(&br->lock);
-	if (br->dev->flags & IFF_UP) {
+	if (!br_is_root_bridge(br) && (br->dev->flags & IFF_UP)) {
 		br_transmit_tcn(br);
 
 		mod_timer(&br->tcn_timer,jiffies + br->bridge_hello_time);
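Review bot: the new !br_is_root_bridge(br) test in br_tcn_timer_expired() has no comment, and the race it closes (the message age timer electing this bridge as root while this handler was waiting for br->lock) is explained only in the changelog. A short comment above the if would document why the state has to be rechecked under the lock, and that the timer is intentionally not re-armed once the bridge is root.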
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 064/102] asix: fix BUG in receive path when lowering MTU
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Holger Eitzenberger, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: "holger@eitzenberger.org" <holger@eitzenberger.org>
[ Upstream commit c5060cec6ba27ad3f0e7facfdf05d2f18e3e3010 ]
There is a bug in the receive path of the asix driver at the time a
packet is received larger than MTU size and DF bit set:
 BUG: unable to handle kernel paging request at 0000004000000001
 IP: [<ffffffff8126f65b>] skb_release_head_state+0x2d/0xd2
 ...
 Call Trace:
  <IRQ>
  [<ffffffff8126f86d>] ? skb_release_all+0x9/0x1e
  [<ffffffff8126f8ad>] ? __kfree_skb+0x9/0x6f
  [<ffffffffa00b4200>] ? asix_rx_fixup_internal+0xff/0x1ae [asix]
  [<ffffffffa00fb3dc>] ? usbnet_bh+0x4f/0x226 [usbnet]
  ...
It is easily reproducible by setting an MTU of 512, e.g., and sending
something like
  ping -s 1472 -c 1 -M do $SELF
from another box.
And this is because the rx->ax_skb is freed on error, but rx->ax_skb
is not reset, and the size is not reset to zero in this case.
And since the skb is added again to the usbnet->done skb queue it is
accessing already freed memory, resulting in the BUG when freeing a
2nd time.  I therefore think the value 0x0000004000000001 shown in the
trace is more or less random data.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/asix_common.c |    3 +++
 1 file changed, 3 insertions(+)
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -100,6 +100,9 @@ int asix_rx_fixup_internal(struct usbnet
 			netdev_err(dev->net, "asix_rx_fixup() Bad RX Length %d\n",
 				   rx->size);
 			kfree_skb(rx->ax_skb);
+			rx->ax_skb = NULL;
+			rx->size = 0U;
+
 			return 0;
 		}
 
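Review bot: the reset of rx->ax_skb and rx->size is added to this one "Bad RX Length" path of asix_rx_fixup_internal() only; any other place in the function that frees rx->ax_skb needs the same two assignments or the stale pointer comes back. A small helper that frees the skb and clears both fields together would make that hard to miss, and a comment here should say that the rx state outlives this call, which is why a plain kfree_skb() is not enough.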
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 065/102] packet: tpacket_v3: do not trigger bug() on wrong header status
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Zawadzki, Daniel Borkmann,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit 8da3056c04bfc5f69f840ab038a38389e2de8189 ]
Jakub reported that it is fairly easy to trigger the BUG() macro
from user space with TPACKET_V3's RX_RING by just giving a wrong
header status flag. We already had a similar situation in commit
7f5c3e3a80e6654 (``af_packet: remove BUG statement in
tpacket_destruct_skb'') where this was the case in the TX_RING
side that could be triggered from user space. So really, don't use
BUG() or BUG_ON() unless there's really no way out, and i.e.
don't use it for consistency checking when there's user space
involved, no excuses, especially not if you're slapping the user
with WARN + dump_stack + BUG all at once. The two functions are
of concern:
  prb_retire_current_block() [when block status != TP_STATUS_KERNEL]
  prb_open_block() [when block_status != TP_STATUS_KERNEL]
Calls to prb_open_block() are guarded by earlier checks if block_status
is really TP_STATUS_KERNEL (racy!), but the first one BUG() is easily
triggerable from user space. System behaves still stable after they are
removed. Also remove that yoda condition entirely, since it's already
guarded.
Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |   53 +++++++++++++++++++++----------------------------
 1 file changed, 23 insertions(+), 30 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -693,36 +693,33 @@ static void prb_open_block(struct tpacke
 
 	smp_rmb();
 
-	if (likely(TP_STATUS_KERNEL == BLOCK_STATUS(pbd1))) {
+	/* We could have just memset this but we will lose the
+	 * flexibility of making the priv area sticky
+	 */
 
-		/* We could have just memset this but we will lose the
-		 * flexibility of making the priv area sticky
-		 */
-		BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
-		BLOCK_NUM_PKTS(pbd1) = 0;
-		BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-		getnstimeofday(&ts);
-		h1->ts_first_pkt.ts_sec = ts.tv_sec;
-		h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
-		pkc1->pkblk_start = (char *)pbd1;
-		pkc1->nxt_offset = pkc1->pkblk_start + BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-		BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
-		BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
-		pbd1->version = pkc1->version;
-		pkc1->prev = pkc1->nxt_offset;
-		pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
-		prb_thaw_queue(pkc1);
-		_prb_refresh_rx_retire_blk_timer(pkc1);
+	BLOCK_SNUM(pbd1) = pkc1->knxt_seq_num++;
+	BLOCK_NUM_PKTS(pbd1) = 0;
+	BLOCK_LEN(pbd1) = BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
 
-		smp_wmb();
+	getnstimeofday(&ts);
 
-		return;
-	}
+	h1->ts_first_pkt.ts_sec = ts.tv_sec;
+	h1->ts_first_pkt.ts_nsec = ts.tv_nsec;
+
+	pkc1->pkblk_start = (char *)pbd1;
+	pkc1->nxt_offset = pkc1->pkblk_start + BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
 
-	WARN(1, "ERROR block:%p is NOT FREE status:%d kactive_blk_num:%d\n",
-		pbd1, BLOCK_STATUS(pbd1), pkc1->kactive_blk_num);
-	dump_stack();
-	BUG();
+	BLOCK_O2FP(pbd1) = (__u32)BLK_PLUS_PRIV(pkc1->blk_sizeof_priv);
+	BLOCK_O2PRIV(pbd1) = BLK_HDR_LEN;
+
+	pbd1->version = pkc1->version;
+	pkc1->prev = pkc1->nxt_offset;
+	pkc1->pkblk_end = pkc1->pkblk_start + pkc1->kblk_size;
+
+	prb_thaw_queue(pkc1);
+	_prb_refresh_rx_retire_blk_timer(pkc1);
+
+	smp_wmb();
 }
 
 /*
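Review bot: with the TP_STATUS_KERNEL test removed, prb_open_block() rewrites the block header unconditionally, so its correctness now rests entirely on the callers' earlier status check, which the changelog itself calls racy. Please document that precondition at the top of the function, or return early without touching the block when the status is not TP_STATUS_KERNEL, so the kernel does not write into a block user space may still own. The smp_rmb() kept just above the removed test also needs a comment saying which read it now orders, or it should go.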
@@ -813,10 +810,6 @@ static void prb_retire_current_block(str
 		prb_close_block(pkc, pbd, po, status);
 		return;
 	}
-
-	WARN(1, "ERROR-pbd[%d]:%p\n", pkc->kactive_blk_num, pbd);
-	dump_stack();
-	BUG();
 }
 
 static int prb_curr_blk_in_use(struct tpacket_kbdq_core *pkc,
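Review bot: after the WARN/dump_stack/BUG removal, prb_retire_current_block() simply falls off the end when the block status is not what it expects, with no trace left for debugging. A statistics counter or a rate-limited debug message would keep the condition visible without giving user space a way to crash the machine or flood the log, and a comment at the end of the function should say that this fall-through is reachable from user space and deliberate.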
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 066/102] virtio: dont expose u16 in userspace api
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Hemminger, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: stephen hemminger <stephen@networkplumber.org>
[ Upstream commit 77d21f23a1e4db8639e3916547c903a3b3c7a07c ]
Programs using virtio headers outside of kernel will no longer
build because u16 type does not exist in userspace. All user ABI
must use __u16 typedef instead.
Bug introduced by:
  commit 986a4f4d452dec004697f667439d27c3fda9c928
  Author: Jason Wang <jasowang@redhat.com>
  Date:   Fri Dec 7 07:04:56 2012 +0000
    virtio_net: multiqueue support
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/virtio_net.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/uapi/linux/virtio_net.h
+++ b/include/uapi/linux/virtio_net.h
@@ -191,7 +191,7 @@ struct virtio_net_ctrl_mac {
  * specified.
  */
 struct virtio_net_ctrl_mq {
-	u16 virtqueue_pairs;
+	__u16 virtqueue_pairs;
 };
 
 #define VIRTIO_NET_CTRL_MQ   4
^ permalink raw reply	[flat|nested] 113+ messages in thread
* [ 067/102] net: frag, fix race conditions in LRU list maintenance
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Jesper Dangaard Brouer, Florian Westphal, Eric Dumazet,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov <khlebnikov@openvz.org>
[ Upstream commit b56141ab34e2c3e2d7960cea12c20c99530c0c76 ]
This patch fixes race between inet_frag_lru_move() and inet_frag_lru_add()
which was introduced in commit 3ef0eb0db4bf92c6d2510fe5c4dc51852746f206
("net: frag, move LRU list maintenance outside of rwlock")
One cpu already added new fragment queue into hash but not into LRU.
Other cpu found it in hash and tries to move it to the end of LRU.
This leads to NULL pointer dereference inside of list_move_tail().
Another possible race condition is between inet_frag_lru_move() and
inet_frag_lru_del(): move can happen after deletion.
This patch initializes LRU list head before adding fragment into hash and
inet_frag_lru_move() doesn't touch it if it's empty.
I saw this kernel oops two times in a couple of days.
[119482.128853] BUG: unable to handle kernel NULL pointer dereference at           (null)
[119482.132693] IP: [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
[119482.136456] PGD 2148f6067 PUD 215ab9067 PMD 0
[119482.140221] Oops: 0000 [#1] SMP
[119482.144008] Modules linked in: vfat msdos fat 8021q fuse nfsd auth_rpcgss nfs_acl nfs lockd sunrpc ppp_async ppp_generic bridge slhc stp llc w83627ehf hwmon_vid snd_hda_codec_hdmi snd_hda_codec_realtek kvm_amd k10temp kvm snd_hda_intel snd_hda_codec edac_core radeon snd_hwdep ath9k snd_pcm ath9k_common snd_page_alloc ath9k_hw snd_timer snd soundcore drm_kms_helper ath ttm r8169 mii
[119482.152692] CPU 3
[119482.152721] Pid: 20, comm: ksoftirqd/3 Not tainted 3.9.0-zurg-00001-g9f95269 #132 To Be Filled By O.E.M. To Be Filled By O.E.M./RS880D
[119482.161478] RIP: 0010:[<ffffffff812ede89>]  [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
[119482.166004] RSP: 0018:ffff880216d5db58  EFLAGS: 00010207
[119482.170568] RAX: 0000000000000000 RBX: ffff88020882b9c0 RCX: dead000000200200
[119482.175189] RDX: 0000000000000000 RSI: 0000000000000880 RDI: ffff88020882ba00
[119482.179860] RBP: ffff880216d5db58 R08: ffffffff8155c7f0 R09: 0000000000000014
[119482.184570] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88020882ba00
[119482.189337] R13: ffffffff81c8d780 R14: ffff880204357f00 R15: 00000000000005a0
[119482.194140] FS:  00007f58124dc700(0000) GS:ffff88021fcc0000(0000) knlGS:0000000000000000
[119482.198928] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[119482.203711] CR2: 0000000000000000 CR3: 00000002155f0000 CR4: 00000000000007e0
[119482.208533] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[119482.213371] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[119482.218221] Process ksoftirqd/3 (pid: 20, threadinfo ffff880216d5c000, task ffff880216d3a9a0)
[119482.223113] Stack:
[119482.228004]  ffff880216d5dbd8 ffffffff8155dcda 0000000000000000 ffff000200000001
[119482.233038]  ffff8802153c1f00 ffff880000289440 ffff880200000014 ffff88007bc72000
[119482.238083]  00000000000079d5 ffff88007bc72f44 ffffffff00000002 ffff880204357f00
[119482.243090] Call Trace:
[119482.248009]  [<ffffffff8155dcda>] ip_defrag+0x8fa/0xd10
[119482.252921]  [<ffffffff815a8013>] ipv4_conntrack_defrag+0x83/0xe0
[119482.257803]  [<ffffffff8154485b>] nf_iterate+0x8b/0xa0
[119482.262658]  [<ffffffff8155c7f0>] ? inet_del_offload+0x40/0x40
[119482.267527]  [<ffffffff815448e4>] nf_hook_slow+0x74/0x130
[119482.272412]  [<ffffffff8155c7f0>] ? inet_del_offload+0x40/0x40
[119482.277302]  [<ffffffff8155d068>] ip_rcv+0x268/0x320
[119482.282147]  [<ffffffff81519992>] __netif_receive_skb_core+0x612/0x7e0
[119482.286998]  [<ffffffff81519b78>] __netif_receive_skb+0x18/0x60
[119482.291826]  [<ffffffff8151a650>] process_backlog+0xa0/0x160
[119482.296648]  [<ffffffff81519f29>] net_rx_action+0x139/0x220
[119482.301403]  [<ffffffff81053707>] __do_softirq+0xe7/0x220
[119482.306103]  [<ffffffff81053868>] run_ksoftirqd+0x28/0x40
[119482.310809]  [<ffffffff81074f5f>] smpboot_thread_fn+0xff/0x1a0
[119482.315515]  [<ffffffff81074e60>] ? lg_local_lock_cpu+0x40/0x40
[119482.320219]  [<ffffffff8106d870>] kthread+0xc0/0xd0
[119482.324858]  [<ffffffff8106d7b0>] ? insert_kthread_work+0x40/0x40
[119482.329460]  [<ffffffff816c32dc>] ret_from_fork+0x7c/0xb0
[119482.334057]  [<ffffffff8106d7b0>] ? insert_kthread_work+0x40/0x40
[119482.338661] Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 ad de 48 39 c8 74 7a <4c> 8b 00 4c 39 c7 75 53 4c 8b 42 08 4c 39 c7 75 2b 48 89 42 08
[119482.343787] RIP  [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
[119482.348675]  RSP <ffff880216d5db58>
[119482.353493] CR2: 0000000000000000
Oops happened on this path:
ip_defrag() -> ip_frag_queue() -> inet_frag_lru_move() -> list_move_tail() -> __list_del_entry()
Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Eric Dumazet <edumazet@google.com>
Cc: David S. Miller <davem@davemloft.net>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/inet_frag.h  |    5 +++--
 net/ipv4/inet_fragment.c |    1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -135,14 +135,15 @@ static inline int sum_frag_mem_limit(str
 static inline void inet_frag_lru_move(struct inet_frag_queue *q)
 {
 	spin_lock(&q->net->lru_lock);
-	list_move_tail(&q->lru_list, &q->net->lru_list);
+	if (!list_empty(&q->lru_list))
+		list_move_tail(&q->lru_list, &q->net->lru_list);
 	spin_unlock(&q->net->lru_lock);
 }
 
 static inline void inet_frag_lru_del(struct inet_frag_queue *q)
 {
 	spin_lock(&q->net->lru_lock);
-	list_del(&q->lru_list);
+	list_del_init(&q->lru_list);
 	spin_unlock(&q->net->lru_lock);
 }
 
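Review bot: The new list_empty(&q->lru_list) test in inet_frag_lru_move() is only correct while q->lru_list is always either linked into the LRU or self-pointing, and that invariant is now spread over three places (this guard, list_del_init() in inet_frag_lru_del(), and the INIT_LIST_HEAD() added in inet_fragment.c) without being written down. Please add a short comment above inet_frag_lru_move() saying that an empty lru_list means "not on the LRU yet, or already removed" and that the test must stay under lru_lock, so that a later cleanup does not turn list_del_init() back into list_del(), which would leave poisoned pointers that list_empty() does not recognise.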
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -257,6 +257,7 @@ static struct inet_frag_queue *inet_frag
 	setup_timer(&q->timer, f->frag_expire, (unsigned long)q);
 	spin_lock_init(&q->lock);
 	atomic_set(&q->refcnt, 1);
+	INIT_LIST_HEAD(&q->lru_list);
 
 	return q;
 }
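Review bot: The INIT_LIST_HEAD(&q->lru_list) added before `return q` has an ordering requirement that the code does not state: per the commit message it must run before the queue is inserted into the hash, because another CPU can find the queue there and call inet_frag_lru_move() on it. A one-line comment to that effect next to the initialisation would keep it from being moved later in the creation path.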
* [ 068/102] 3c59x: fix freeing nonexistent resource on driver unload
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2013-05-17 21:36 ` [ 067/102] net: frag, fix race conditions in LRU list maintenance Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 069/102] 3c59x: fix PCI resource management Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Whitehead, Sergei Shtylyov,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
[ Upstream commit c81400be716aa4c76f6ebf339ba94358dbbf6da6 ]
When unloading the driver that drives an EISA board, a message similar to the
following one is displayed:
Trying to free nonexistent resource <0000000000013000-000000000001301f>
Then a user is unable to reload the driver because the resource it requested in
the previous load hasn't been freed. This happens most probably due to a typo in
vortex_eisa_remove() which calls release_region() with 'dev->base_addr' instead
of 'edev->base_addr'...
Reported-by: Matthew Whitehead <tedheadster@gmail.com>
Tested-by: Matthew Whitehead <tedheadster@gmail.com>
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/3com/3c59x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -951,7 +951,7 @@ static int vortex_eisa_remove(struct dev
 
 	unregister_netdev(dev);
 	iowrite16(TotalReset|0x14, ioaddr + EL3_CMD);
-	release_region(dev->base_addr, VORTEX_TOTAL_SIZE);
+	release_region(edev->base_addr, VORTEX_TOTAL_SIZE);
 
 	free_netdev(dev);
 	return 0;
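Review bot: release_region(edev->base_addr, VORTEX_TOTAL_SIZE) in vortex_eisa_remove() has to mirror the request made at probe time, but the hunk does not show that request and the commit message only says the old argument was "most probably" a typo. Please confirm that the EISA probe path claims the region with the same edev->base_addr and VORTEX_TOTAL_SIZE, and state in the changelog why dev->base_addr differs from edev->base_addr at this point, since that difference is what produced the "nonexistent resource" message.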
* [ 069/102] 3c59x: fix PCI resource management
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2013-05-17 21:36 ` [ 068/102] 3c59x: fix freeing nonexistent resource on driver unload Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 070/102] if_cablemodem.h: Add parenthesis around ioctl macros Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
[ Upstream commit 4b264a1676e70dc656ba53a8cac690f2d4b65f4e ]
The driver wrongly claimed I/O ports at an address returned by pci_iomap() --
even if it was passed an MMIO address.  Fix this by claiming/releasing all PCI
resources in the PCI driver's probe()/remove() methods instead and get rid of
'must_free_region' flag weirdness (why would Cardbus claim anything for us?).
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/3com/3c59x.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -632,7 +632,6 @@ struct vortex_private {
 		pm_state_valid:1,				/* pci_dev->saved_config_space has sane contents */
 		open:1,
 		medialock:1,
-		must_free_region:1,				/* Flag: if zero, Cardbus owns the I/O region */
 		large_frames:1,			/* accept large frames */
 		handling_irq:1;			/* private in_irq indicator */
 	/* {get|set}_wol operations are already serialized by rtnl.
@@ -1012,6 +1011,12 @@ static int vortex_init_one(struct pci_de
 	if (rc < 0)
 		goto out;
 
+	rc = pci_request_regions(pdev, DRV_NAME);
+	if (rc < 0) {
+		pci_disable_device(pdev);
+		goto out;
+	}
+
 	unit = vortex_cards_found;
 
 	if (global_use_mmio < 0 && (unit >= MAX_UNITS || use_mmio[unit] < 0)) {
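Review bot: pci_request_regions(pdev, DRV_NAME) in vortex_init_one() claims every BAR of the device, whereas the request_region() call this patch removes from vortex_probe1() claimed only vci->io_size bytes of I/O space and ignored failure. That is a behaviour change: probe now fails with the pci_request_regions() error if any BAR is already claimed. The commit message asks "why would Cardbus claim anything for us?" without answering it, so it should state that no Cardbus path still reserves these resources before this driver binds.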
@@ -1027,6 +1032,7 @@ static int vortex_init_one(struct pci_de
 	if (!ioaddr) /* If mapping fails, fall-back to BAR 0... */
 		ioaddr = pci_iomap(pdev, 0, 0);
 	if (!ioaddr) {
+		pci_release_regions(pdev);
 		pci_disable_device(pdev);
 		rc = -ENOMEM;
 		goto out;
@@ -1036,6 +1042,7 @@ static int vortex_init_one(struct pci_de
 			   ent->driver_data, unit);
 	if (rc < 0) {
 		pci_iounmap(pdev, ioaddr);
+		pci_release_regions(pdev);
 		pci_disable_device(pdev);
 		goto out;
 	}
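Review bot: With this hunk, three failure branches in vortex_init_one() each repeat the unwind by hand (pci_disable_device() alone after pci_request_regions() fails, then pci_release_regions() plus pci_disable_device(), then pci_iounmap() plus both), which is easy to get out of step when another setup step is added. The function already uses `goto out`, so a pair of unwind labels reached by goto would express the release order once.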
@@ -1178,11 +1185,6 @@ static int vortex_probe1(struct device *
 
 	/* PCI-only startup logic */
 	if (pdev) {
-		/* EISA resources already marked, so only PCI needs to do this here */
-		/* Ignore return value, because Cardbus drivers already allocate for us */
-		if (request_region(dev->base_addr, vci->io_size, print_name) != NULL)
-			vp->must_free_region = 1;
-
 		/* enable bus-mastering if necessary */
 		if (vci->flags & PCI_USES_MASTER)
 			pci_set_master(pdev);
@@ -1220,7 +1222,7 @@ static int vortex_probe1(struct device *
 					   &vp->rx_ring_dma);
 	retval = -ENOMEM;
 	if (!vp->rx_ring)
-		goto free_region;
+		goto free_device;
 
 	vp->tx_ring = (struct boom_tx_desc *)(vp->rx_ring + RX_RING_SIZE);
 	vp->tx_ring_dma = vp->rx_ring_dma + sizeof(struct boom_rx_desc) * RX_RING_SIZE;
@@ -1484,9 +1486,7 @@ free_ring:
 							+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
 						vp->rx_ring,
 						vp->rx_ring_dma);
-free_region:
-	if (vp->must_free_region)
-		release_region(dev->base_addr, vci->io_size);
+free_device:
 	free_netdev(dev);
 	pr_err(PFX "vortex_probe1 fails.  Returns %d\n", retval);
 out:
@@ -3254,8 +3254,9 @@ static void vortex_remove_one(struct pci
 							+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
 						vp->rx_ring,
 						vp->rx_ring_dma);
-	if (vp->must_free_region)
-		release_region(dev->base_addr, vp->io_size);
+
+	pci_release_regions(pdev);
+
 	free_netdev(dev);
 }
 
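Review bot: In vortex_remove_one() pci_release_regions(pdev) is placed just before free_netdev(dev), but the hunk does not show where the unmap and any pci_disable_device() call sit relative to it. The probe error path in this patch unwinds as pci_iounmap(), pci_release_regions(), pci_disable_device(); please check that remove follows the same order, so the regions are not released while the mapping is still live.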
* [ 070/102] if_cablemodem.h: Add parenthesis around ioctl macros
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2013-05-17 21:36 ` [ 069/102] 3c59x: fix PCI resource management Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 071/102] macvlan: fix passthru mode race between dev removal and rx path Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Wouters, Josh Boyer,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Josh Boyer <jwboyer@redhat.com>
[ Upstream commit 4f924b2aa4d3cb30f07e57d6b608838edcbc0d88 ]
Protect the SIOCGCM* ioctl macros with parentheses.
Reported-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/if_cablemodem.h |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
--- a/include/uapi/linux/if_cablemodem.h
+++ b/include/uapi/linux/if_cablemodem.h
@@ -12,11 +12,11 @@
  */
 
 /* some useful defines for sb1000.c e cmconfig.c - fv */
-#define SIOCGCMSTATS		SIOCDEVPRIVATE+0	/* get cable modem stats */
-#define SIOCGCMFIRMWARE		SIOCDEVPRIVATE+1	/* get cm firmware version */
-#define SIOCGCMFREQUENCY	SIOCDEVPRIVATE+2	/* get cable modem frequency */
-#define SIOCSCMFREQUENCY	SIOCDEVPRIVATE+3	/* set cable modem frequency */
-#define SIOCGCMPIDS			SIOCDEVPRIVATE+4	/* get cable modem PIDs */
-#define SIOCSCMPIDS			SIOCDEVPRIVATE+5	/* set cable modem PIDs */
+#define SIOCGCMSTATS		(SIOCDEVPRIVATE+0)	/* get cable modem stats */
+#define SIOCGCMFIRMWARE		(SIOCDEVPRIVATE+1)	/* get cm firmware version */
+#define SIOCGCMFREQUENCY	(SIOCDEVPRIVATE+2)	/* get cable modem frequency */
+#define SIOCSCMFREQUENCY	(SIOCDEVPRIVATE+3)	/* set cable modem frequency */
+#define SIOCGCMPIDS			(SIOCDEVPRIVATE+4)	/* get cable modem PIDs */
+#define SIOCSCMPIDS			(SIOCDEVPRIVATE+5)	/* set cable modem PIDs */
 
 #endif
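Review bot: The changelog does not say what goes wrong without the parentheses, which matters because these six definitions are in a uapi header and are expanded in user code. It should state the failure: with the old form, any operator that binds tighter than `+` (a cast, `*`, unary `~`) applies to SIOCDEVPRIVATE alone and the offset is added afterwards, so for example `SIOCGCMFIRMWARE * 2` expands to `SIOCDEVPRIVATE+1 * 2`.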
* [ 071/102] macvlan: fix passthru mode race between dev removal and rx path
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2013-05-17 21:36 ` [ 070/102] if_cablemodem.h: Add parenthesis around ioctl macros Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 072/102] ipv6: do not clear pinet6 field Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Pirko, Eric Dumazet,
	David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@resnulli.us>
[ Upstream commit 233c7df0821c4190e2d3f4be0f2ca0ab40a5ed8c ]
Currently, if a macvlan in passthru mode is created and data are rxed and
you remove this device, the following panic happens:
NULL pointer dereference at 0000000000000198
IP: [<ffffffffa0196058>] macvlan_handle_frame+0x153/0x1f7 [macvlan]
I'm using the following script to trigger this:
<script>
while [ 1 ]
do
	ip link add link e1 name macvtap0 type macvtap mode passthru
	ip link set e1 up
	ip link set macvtap0 up
	IFINDEX=`ip link |grep macvtap0 | cut -f 1 -d ':'`
	cat /dev/tap$IFINDEX  >/dev/null &
	ip link del dev macvtap0
done
</script>
I run this script while "ping -f" is running on another machine to send
packets to e1 rx.
The reason for the panic is that list_first_entry() is blindly called in
macvlan_handle_frame() even if the list was empty. vlan is set to
an incorrect pointer, which leads to the crash.
I'm fixing this by protecting the port->vlans list by rcu and by preventing
getting an incorrect pointer in case the list is empty.
Introduced by: commit eb06acdc85585f2 "macvlan: Introduce 'passthru' mode to takeover the underlying device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macvlan.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -222,7 +222,8 @@ static rx_handler_result_t macvlan_handl
 	}
 
 	if (port->passthru)
-		vlan = list_first_entry(&port->vlans, struct macvlan_dev, list);
+		vlan = list_first_or_null_rcu(&port->vlans,
+					      struct macvlan_dev, list);
 	else
 		vlan = macvlan_hash_lookup(port, eth->h_dest);
 	if (vlan == NULL)
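Review bot: list_first_or_null_rcu() in the passthru branch of macvlan_handle_frame() is only safe inside an RCU read-side critical section, and nothing in this hunk or the changelog says where that section is entered. Please note in a comment or in the commit message that the rx handler runs under rcu_read_lock(), and that the `vlan == NULL` test that follows is now what covers the window in which the last macvlan has been unlinked from port->vlans.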
@@ -807,7 +808,7 @@ int macvlan_common_newlink(struct net *s
 	if (err < 0)
 		goto upper_dev_unlink;
 
-	list_add_tail(&vlan->list, &port->vlans);
+	list_add_tail_rcu(&vlan->list, &port->vlans);
 	netif_stacked_transfer_operstate(lowerdev, dev);
 
 	return 0;
@@ -835,7 +836,7 @@ void macvlan_dellink(struct net_device *
 {
 	struct macvlan_dev *vlan = netdev_priv(dev);
 
-	list_del(&vlan->list);
+	list_del_rcu(&vlan->list);
 	unregister_netdevice_queue(dev, head);
 	netdev_upper_dev_unlink(vlan->lowerdev, dev);
 }
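Review bot: After list_del_rcu(&vlan->list) in macvlan_dellink(), a reader in macvlan_handle_frame() may still hold the vlan pointer it obtained from list_first_or_null_rcu(), so the fix depends on the device not being freed until a grace period has passed. The hunk shows no synchronize call of its own; if that guarantee comes from the unregister_netdevice_queue() teardown that follows, say so in a comment so the dependency is visible.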
* [ 072/102] ipv6: do not clear pinet6 field
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2013-05-17 21:36 ` [ 071/102] macvlan: fix passthru mode race between dev removal and rx path Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-21 11:44   ` Roman Gushchin
  2013-05-17 21:36 ` [ 073/102] ipv6,gre: do not leak info to user-space Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  102 siblings, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f77d602124d865c38705df7fa25c03de9c284ad2 ]
We have seen multiple NULL dereferences in __inet6_lookup_established()
After analysis, I found that inet6_sk() could be NULL while the
check for sk_family == AF_INET6 was true.
Bug was added in linux-2.6.29 when RCU lookups were introduced in UDP
and TCP stacks.
Once an IPv6 socket using SLAB_DESTROY_BY_RCU is inserted in a hash
table, we can no longer clear the pinet6 field.
This patch extends logic used in commit fcbdf09d9652c891
("net: fix nulls list corruptions in sk_prot_alloc")
TCP/UDP/UDPLite IPv6 protocols provide their own .clear_sk() method
to make sure we do not clear pinet6 field.
At socket clone phase, we do not really care, as cloning the parent (non
NULL) pinet6 is not adding a fatal race.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/sock.h  |   12 ++++++++++++
 net/core/sock.c     |   12 ------------
 net/ipv6/tcp_ipv6.c |   12 ++++++++++++
 net/ipv6/udp.c      |   13 ++++++++++++-
 net/ipv6/udp_impl.h |    2 ++
 net/ipv6/udplite.c  |    2 +-
 6 files changed, 39 insertions(+), 14 deletions(-)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -865,6 +865,18 @@ struct inet_hashinfo;
 struct raw_hashinfo;
 struct module;
 
+/*
+ * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
+ * un-modified. Special care is taken when initializing object to zero.
+ */
+static inline void sk_prot_clear_nulls(struct sock *sk, int size)
+{
+	if (offsetof(struct sock, sk_node.next) != 0)
+		memset(sk, 0, offsetof(struct sock, sk_node.next));
+	memset(&sk->sk_node.pprev, 0,
+	       size - offsetof(struct sock, sk_node.pprev));
+}
+
 /* Networking protocol blocks we attach to sockets.
  * socket layer -> transport layer interface
  * transport -> network interface is defined by struct inet_proto
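Review bot: Moving sk_prot_clear_nulls() into include/net/sock.h makes it callable from every includer, and its second memset() computes `size - offsetof(struct sock, sk_node.pprev)` from a signed int with no lower bound. The caller added in this patch passes offsetof(struct inet_sock, pinet6), which is safe only as long as that offset lies beyond sk_node.pprev; a smaller size would go negative and become a huge length once converted for memset(). A comment stating the minimum size, or a BUILD_BUG_ON() in the callers, would make the contract explicit.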
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1209,18 +1209,6 @@ static void sock_copy(struct sock *nsk,
 #endif
 }
 
-/*
- * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
- * un-modified. Special care is taken when initializing object to zero.
- */
-static inline void sk_prot_clear_nulls(struct sock *sk, int size)
-{
-	if (offsetof(struct sock, sk_node.next) != 0)
-		memset(sk, 0, offsetof(struct sock, sk_node.next));
-	memset(&sk->sk_node.pprev, 0,
-	       size - offsetof(struct sock, sk_node.pprev));
-}
-
 void sk_prot_clear_portaddr_nulls(struct sock *sk, int size)
 {
 	unsigned long nulls1, nulls2;
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1937,6 +1937,17 @@ void tcp6_proc_exit(struct net *net)
 }
 #endif
 
+static void tcp_v6_clear_sk(struct sock *sk, int size)
+{
+	struct inet_sock *inet = inet_sk(sk);
+
+	/* we do not want to clear pinet6 field, because of RCU lookups */
+	sk_prot_clear_nulls(sk, offsetof(struct inet_sock, pinet6));
+
+	size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
+	memset(&inet->pinet6 + 1, 0, size);
+}
+
 struct proto tcpv6_prot = {
 	.name			= "TCPv6",
 	.owner			= THIS_MODULE,
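Review bot: In tcp_v6_clear_sk() the tail clear, `memset(&inet->pinet6 + 1, 0, size)`, relies on pointer arithmetic on the address of the pinet6 member to mean "first byte after pinet6", and on `size` being larger than offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6); neither assumption is checked or commented. The one-line comment "because of RCU lookups" should also carry the reason given in the changelog: a lookup can find the socket with sk_family == AF_INET6 while pinet6 has been zeroed, since the object comes from a SLAB_DESTROY_BY_RCU cache.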
@@ -1980,6 +1991,7 @@ struct proto tcpv6_prot = {
 #ifdef CONFIG_MEMCG_KMEM
 	.proto_cgroup		= tcp_proto_cgroup,
 #endif
+	.clear_sk		= tcp_v6_clear_sk,
 };
 
 static const struct inet6_protocol tcpv6_protocol = {
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1422,6 +1422,17 @@ void udp6_proc_exit(struct net *net) {
 }
 #endif /* CONFIG_PROC_FS */
 
+void udp_v6_clear_sk(struct sock *sk, int size)
+{
+	struct inet_sock *inet = inet_sk(sk);
+
+	/* we do not want to clear pinet6 field, because of RCU lookups */
+	sk_prot_clear_portaddr_nulls(sk, offsetof(struct inet_sock, pinet6));
+
+	size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
+	memset(&inet->pinet6 + 1, 0, size);
+}
+
 /* ------------------------------------------------------------------------ */
 
 struct proto udpv6_prot = {
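Review bot: udp_v6_clear_sk() duplicates tcp_v6_clear_sk() line for line, apart from calling sk_prot_clear_portaddr_nulls() instead of sk_prot_clear_nulls() for the head of the object. The shared tail (the `size -=` adjustment and the memset() past pinet6) could live in one IPv6 helper used by both, so the two copies cannot drift apart.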
@@ -1452,7 +1463,7 @@ struct proto udpv6_prot = {
 	.compat_setsockopt = compat_udpv6_setsockopt,
 	.compat_getsockopt = compat_udpv6_getsockopt,
 #endif
-	.clear_sk	   = sk_prot_clear_portaddr_nulls,
+	.clear_sk	   = udp_v6_clear_sk,
 };
 
 static struct inet_protosw udpv6_protosw = {
--- a/net/ipv6/udp_impl.h
+++ b/net/ipv6/udp_impl.h
@@ -31,6 +31,8 @@ extern int	udpv6_recvmsg(struct kiocb *i
 extern int	udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb);
 extern void	udpv6_destroy_sock(struct sock *sk);
 
+extern void udp_v6_clear_sk(struct sock *sk, int size);
+
 #ifdef CONFIG_PROC_FS
 extern int	udp6_seq_show(struct seq_file *seq, void *v);
 #endif
--- a/net/ipv6/udplite.c
+++ b/net/ipv6/udplite.c
@@ -56,7 +56,7 @@ struct proto udplitev6_prot = {
 	.compat_setsockopt = compat_udpv6_setsockopt,
 	.compat_getsockopt = compat_udpv6_getsockopt,
 #endif
-	.clear_sk	   = sk_prot_clear_portaddr_nulls,
+	.clear_sk	   = udp_v6_clear_sk,
 };
 
 static struct inet_protosw udplite6_protosw = {
* [ 073/102] ipv6,gre: do not leak info to user-space
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2013-05-17 21:36 ` [ 072/102] ipv6: do not clear pinet6 field Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 074/102] xfrm6: release dev before returning error Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Cong Wang
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Amerigo Wang <amwang@redhat.com>
[ Upstream commit 5dbd5068430b8bd1c19387d46d6c1a88b261257f ]
There is a hole in struct ip6_tnl_parm2, so we have to
zero the struct on stack before copying it to user-space.
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_gre.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1135,6 +1135,7 @@ static int ip6gre_tunnel_ioctl(struct ne
 		}
 		if (t == NULL)
 			t = netdev_priv(dev);
+		memset(&p, 0, sizeof(p));
 		ip6gre_tnl_parm_to_user(&p, &t->parms);
 		if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
 			err = -EFAULT;
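Review bot: The memset(&p, 0, sizeof(p)) added before ip6gre_tnl_parm_to_user() here is repeated verbatim in the second hunk, so every future branch of ip6gre_tunnel_ioctl() that copies `p` to user space has to remember it. Zeroing the destination inside ip6gre_tnl_parm_to_user() would cover all copy_to_user() sites at once. The changelog could also say where the hole in struct ip6_tnl_parm2 lies, so the fix can be checked against the struct layout.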
@@ -1182,6 +1183,7 @@ static int ip6gre_tunnel_ioctl(struct ne
 		if (t) {
 			err = 0;
 
+			memset(&p, 0, sizeof(p));
 			ip6gre_tnl_parm_to_user(&p, &t->parms);
 			if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
 				err = -EFAULT;
* [ 074/102] xfrm6: release dev before returning error
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2013-05-17 21:36 ` [ 073/102] ipv6,gre: do not leak info to user-space Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 075/102] pch_dma: Use GFP_ATOMIC because called from interrupt context Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cong Wang, Herbert Xu,
	Steffen Klassert, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Cong Wang <amwang@redhat.com>
[ Upstream commit 84c4a9dfbf430861e7588d95ae3ff61535dca351 ]
We forget to call dev_put() on the error path in xfrm6_fill_dst();
its caller doesn't handle this.
Signed-off-by: Cong Wang <amwang@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/xfrm6_policy.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -103,8 +103,10 @@ static int xfrm6_fill_dst(struct xfrm_ds
 	dev_hold(dev);
 
 	xdst->u.rt6.rt6i_idev = in6_dev_get(dev);
-	if (!xdst->u.rt6.rt6i_idev)
+	if (!xdst->u.rt6.rt6i_idev) {
+		dev_put(dev);
 		return -ENODEV;
+	}
 
 	rt6_transfer_peer(&xdst->u.rt6, rt);
 
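Review bot: The added dev_put(dev) balances the dev_hold(dev) at the top of this hunk on the in6_dev_get() failure branch, but the reference is taken before it is known that xfrm6_fill_dst() will succeed. Consider whether dev_hold(dev) can move below the `if (!xdst->u.rt6.rt6i_idev)` test, which would remove the need for the unwind, and check that no later error return in the function (not visible in this hunk) leaves the same reference held.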
* [ 075/102] pch_dma: Use GFP_ATOMIC because called from interrupt context
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2013-05-17 21:36 ` [ 074/102] xfrm6: release dev before returning error Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 076/102] watchdog: Fix race condition in registration code Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tomoya MORINAGA, Vinod Koul
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Tomoya MORINAGA <tomoya.rohm@gmail.com>
commit 5c1ef59168c485318e40ba485c1eba57d81d0faa upstream.
pdc_desc_get() is called from pd_prep_slave_sg, and the function is
called from interrupt context (e.g. the UART driver "pch_uart.c").
In fact, I saw a kernel error message.
So GFP_ATOMIC must be used, not GFP_NOIO.
Signed-off-by: Tomoya MORINAGA <tomoya.rohm@gmail.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/pch_dma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/dma/pch_dma.c
+++ b/drivers/dma/pch_dma.c
@@ -476,7 +476,7 @@ static struct pch_dma_desc *pdc_desc_get
 	dev_dbg(chan2dev(&pd_chan->chan), "scanned %d descriptors\n", i);
 
 	if (!ret) {
-		ret = pdc_alloc_desc(&pd_chan->chan, GFP_NOIO);
+		ret = pdc_alloc_desc(&pd_chan->chan, GFP_ATOMIC);
 		if (ret) {
 			spin_lock(&pd_chan->lock);
 			pd_chan->descs_allocated++;
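Review bot: Switching pdc_alloc_desc() to GFP_ATOMIC in pdc_desc_get() makes allocation failure more likely than with GFP_NOIO, because the allocator can no longer sleep to reclaim memory, and the hunk shows only the `if (ret)` success branch. Please confirm that the NULL case is reported to the caller rather than dereferenced. The changelog also says a kernel error message was seen without quoting it; including the message would let others match this fix to their logs.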
* [ 076/102] watchdog: Fix race condition in registration code
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2013-05-17 21:36 ` [ 075/102] pch_dma: Use GFP_ATOMIC because called from interrupt context Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 077/102] drbd: Fix build error when CONFIG_CRYPTO_HMAC is not set Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arkadiusz Miskiewicz, Guenter Roeck,
	Wim Van Sebroeck
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 60403f7a4d9368d187f79cba5e4672d01df37574 upstream.
A race condition exists when registering the first watchdog device.
Sequence of events:
- watchdog_register_device calls watchdog_dev_register
- watchdog_dev_register creates the watchdog misc device by calling
  misc_register.
  At that time, the matching character device (/dev/watchdog0) does not yet
  exist, and old_wdd is not set either.
- Userspace gets an event and opens /dev/watchdog
- watchdog_open is called and sets wdd = old_wdd, which is still NULL,
  and tries to dereference it. This causes the kernel to panic.
Seen with systemd trying to open /dev/watchdog immediately after
it was created.
Reported-by: Arkadiusz Miskiewicz <arekm@maven.pl>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Arkadiusz Miskiewicz <arekm@maven.pl>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/watchdog/watchdog_dev.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -523,6 +523,7 @@ int watchdog_dev_register(struct watchdo
 	int err, devno;
 
 	if (watchdog->id == 0) {
+		old_wdd = watchdog;
 		watchdog_miscdev.parent = watchdog->parent;
 		err = misc_register(&watchdog_miscdev);
 		if (err != 0) {
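Review bot: old_wdd is now assigned before misc_register() so that watchdog_open() never sees NULL, but it is a plain store to a shared pointer and the hunk shows no lock or barrier ordering it against the reader. A comment at the assignment saying that it must stay ahead of misc_register(), and what makes the store visible to the CPU that runs watchdog_open(), would protect the fix from being reordered in a later cleanup.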
@@ -531,9 +532,9 @@ int watchdog_dev_register(struct watchdo
 			if (err == -EBUSY)
 				pr_err("%s: a legacy watchdog module is probably present.\n",
 					watchdog->info->identity);
+			old_wdd = NULL;
 			return err;
 		}
-		old_wdd = watchdog;
 	}
 
 	/* Fill in the data structures */
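Review bot: `old_wdd = NULL` is restored only on the misc_register() failure branch shown here. watchdog_dev_register() continues past this block ("Fill in the data structures"), so any later failure return for the id 0 device also needs to clear old_wdd, otherwise it keeps pointing at a watchdog whose registration failed. The hunk does not show those paths, so please check them.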
* [ 077/102] drbd: Fix build error when CONFIG_CRYPTO_HMAC is not set
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2013-05-17 21:36 ` [ 076/102] watchdog: Fix race condition in registration code Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 078/102] drbd: fix memory leak Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Reisner, Lars Ellenberg,
	Jens Axboe, Jonghwan Choi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Philipp Reisner <philipp.reisner@linbit.com>
commit ef57f9e6bb9278720c8a5278728f252ab85d7ac6 upstream.
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/drbd/drbd_receiver.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -4659,8 +4659,8 @@ static int drbd_do_features(struct drbd_
 #if !defined(CONFIG_CRYPTO_HMAC) && !defined(CONFIG_CRYPTO_HMAC_MODULE)
 static int drbd_do_auth(struct drbd_tconn *tconn)
 {
-	dev_err(DEV, "This kernel was build without CONFIG_CRYPTO_HMAC.\n");
-	dev_err(DEV, "You need to disable 'cram-hmac-alg' in drbd.conf.\n");
+	conn_err(tconn, "This kernel was build without CONFIG_CRYPTO_HMAC.\n");
+	conn_err(tconn, "You need to disable 'cram-hmac-alg' in drbd.conf.\n");
 	return -1;
 }
 #else
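Review bot: Both replacement conn_err() strings keep the typo "was build without"; since these two lines are being rewritten anyway, make it "was built without". The changelog body is also empty: it should say why dev_err(DEV, ...) cannot be used in a function that only receives struct drbd_tconn *tconn, which is what the build error in the subject appears to be about.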
* [ 078/102] drbd: fix memory leak
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2013-05-17 21:36 ` [ 077/102] drbd: Fix build error when CONFIG_CRYPTO_HMAC is not set Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 079/102] drbd: fix for deadlock when using automatic split-brain-recovery Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Reisner, Lars Ellenberg,
	Jens Axboe, Jonghwan Choi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lars Ellenberg <lars.ellenberg@linbit.com>
commit 94ad0a101415978be04945b2787be1e8e8a874db upstream.
We forgot to free the disk_conf,
so for each attach/detach cycle we leaked 336 bytes.
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/drbd/drbd_main.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -2795,6 +2795,7 @@ void drbd_free_bc(struct drbd_backing_de
 	blkdev_put(ldev->backing_bdev, FMODE_READ | FMODE_WRITE | FMODE_EXCL);
 	blkdev_put(ldev->md_bdev, FMODE_READ | FMODE_WRITE | FMODE_EXCL);
 
+	kfree(ldev->disk_conf);
 	kfree(ldev);
 }
 
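Review bot: kfree(ldev->disk_conf) in drbd_free_bc() is added without a word on whether anything can still be reading disk_conf at this point. If the pointer is published to readers elsewhere (not visible in this hunk), the changelog should state why a plain kfree() is safe here, i.e. that drbd_free_bc() only runs once the last user of ldev is gone. No NULL check is needed, since kfree(NULL) is a no-op.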
* [ 079/102] drbd: fix for deadlock when using automatic split-brain-recovery
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2013-05-17 21:36 ` [ 078/102] drbd: fix memory leak Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 080/102] VSOCK: Drop bogus __init annotation from vsock_init_tables() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Reisner, Lars Ellenberg,
	Jens Axboe, Jonghwan Choi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Philipp Reisner <philipp.reisner@linbit.com>
commit 7c689e63a847316c1b2500f86891b0a574ce7e69 upstream.
With an automatic after split-brain recovery policy of
"after-sb-1pri call-pri-lost-after-sb",
when trying to drbd_set_role() to R_SECONDARY,
we run into a deadlock.
This was first recognized and supposedly fixed by
2009-06-10 "Fixed a deadlock when using automatic split brain recovery when both nodes are"
replacing drbd_set_role() with drbd_change_state() in that code-path,
but the first hunk of that patch forgets to remove the drbd_set_role().
We apparently only ever tested the "two primaries" case.
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/drbd/drbd_receiver.c |    1 -
 1 file changed, 1 deletion(-)
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -2661,7 +2661,6 @@ static int drbd_asb_recover_1p(struct dr
 		if (hg == -1 && mdev->state.role == R_PRIMARY) {
 			enum drbd_state_rv rv2;
 
-			drbd_set_role(mdev, R_SECONDARY, 0);
 			 /* drbd_change_state() does not sleep while in SS_IN_TRANSIENT_STATE,
 			  * we might be here in C_WF_REPORT_PARAMS which is transient.
 			  * we do not need to wait for the after state change work either. */
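Review bot: With drbd_set_role(mdev, R_SECONDARY, 0) gone, the comment that follows only explains why drbd_change_state() is safe, not why drbd_set_role() must not be used in this branch. Extend it to say that drbd_set_role() deadlocks on this path, since the changelog notes the same call already survived one earlier fix attempt. The comment also starts with a stray space before the opening "/*", which could be tidied in the same change.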
* [ 080/102] VSOCK: Drop bogus __init annotation from vsock_init_tables()
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2013-05-17 21:36 ` [ 079/102] drbd: fix for deadlock when using automatic split-brain-recovery Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 081/102] ARM: EXYNOS5: Fix kernel dump in AFTR idle mode Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, David S. Miller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert@linux-m68k.org>
commit 22ee3b57c3ff71772b0c4178404b04f5df78d501 upstream.
If gcc (e.g. 4.1.2) decides not to inline vsock_init_tables(), this will
cause a section mismatch:
WARNING: net/vmw_vsock/vsock.o(.text+0x1bc): Section mismatch in reference from the function __vsock_core_init() to the function .init.text:vsock_init_tables()
The function __vsock_core_init() references
the function __init vsock_init_tables().
This is often because __vsock_core_init lacks a __init
annotation or the annotation of vsock_init_tables is wrong.
This may cause crashes if VSOCKETS=y and VMWARE_VMCI_VSOCKETS=m.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/af_vsock.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -165,7 +165,7 @@ static struct list_head vsock_bind_table
 static struct list_head vsock_connected_table[VSOCK_HASH_SIZE];
 static DEFINE_SPINLOCK(vsock_table_lock);
 
-static __init void vsock_init_tables(void)
+static void vsock_init_tables(void)
 {
 	int i;
 
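Review bot: Dropping __init from vsock_init_tables() leaves nothing in the code that says the function may be called after init memory has been freed. A short comment above it, naming __vsock_core_init() as the non-__init caller from the modpost warning quoted in the changelog, would keep the annotation from being added back.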
* [ 081/102] ARM: EXYNOS5: Fix kernel dump in AFTR idle mode
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2013-05-17 21:36 ` [ 080/102] VSOCK: Drop bogus __init annotation from vsock_init_tables() Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 082/102] drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Inderpal Singh, Chander Kashyap,
	Olof Johansson, Jonghwan Choi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Inderpal Singh <inderpal.singh@linaro.org>
commit 088584618836b159947bc4ab5011a5cf1f081a62 upstream.
The kernel crashes while resuming from AFTR idle mode. It happens
because L2 cache was not going into retention state.
This patch configures the USE_RETENTION bit of ARM_L2_OPTION register
so that it does not depend on MANUAL_L2RSTDISABLE_CONTROL of
ARM_COMMON_OPTION register for L2RSTDISABLE signal.
Signed-off-by: Inderpal Singh <inderpal.singh@linaro.org>
Tested-by: Chander Kashyap <chander.kashyap@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-exynos/include/mach/regs-pmu.h |    1 +
 arch/arm/mach-exynos/pmu.c                   |    5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)
--- a/arch/arm/mach-exynos/include/mach/regs-pmu.h
+++ b/arch/arm/mach-exynos/include/mach/regs-pmu.h
@@ -344,6 +344,7 @@
 #define EXYNOS5_FSYS_ARM_OPTION					S5P_PMUREG(0x2208)
 #define EXYNOS5_ISP_ARM_OPTION					S5P_PMUREG(0x2288)
 #define EXYNOS5_ARM_COMMON_OPTION				S5P_PMUREG(0x2408)
+#define EXYNOS5_ARM_L2_OPTION					S5P_PMUREG(0x2608)
 #define EXYNOS5_TOP_PWR_OPTION					S5P_PMUREG(0x2C48)
 #define EXYNOS5_TOP_PWR_SYSMEM_OPTION				S5P_PMUREG(0x2CC8)
 #define EXYNOS5_JPEG_MEM_OPTION					S5P_PMUREG(0x2F48)
--- a/arch/arm/mach-exynos/pmu.c
+++ b/arch/arm/mach-exynos/pmu.c
@@ -228,6 +228,7 @@ static struct exynos_pmu_conf exynos5250
 	{ EXYNOS5_DIS_IRQ_ISP_ARM_CENTRAL_SYS_PWR_REG,	{ 0x0, 0x0, 0x0} },
 	{ EXYNOS5_ARM_COMMON_SYS_PWR_REG,		{ 0x0, 0x0, 0x2} },
 	{ EXYNOS5_ARM_L2_SYS_PWR_REG,			{ 0x3, 0x3, 0x3} },
+	{ EXYNOS5_ARM_L2_OPTION,			{ 0x10, 0x10, 0x0 } },
 	{ EXYNOS5_CMU_ACLKSTOP_SYS_PWR_REG,		{ 0x1, 0x0, 0x1} },
 	{ EXYNOS5_CMU_SCLKSTOP_SYS_PWR_REG,		{ 0x1, 0x0, 0x1} },
 	{ EXYNOS5_CMU_RESET_SYS_PWR_REG,		{ 0x1, 0x1, 0x0} },
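Review bot: The new EXYNOS5_ARM_L2_OPTION row uses a bare 0x10 for what the changelog calls the USE_RETENTION bit. Give the bit a named define next to the register definition and use it in the table, so the entry documents itself. The row's brace spacing ("0x0 } }") also differs from its neighbours ("0x3} }").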
@@ -353,11 +354,9 @@ static void exynos5_init_pmu(void)
 
 	/*
 	 * SKIP_DEACTIVATE_ACEACP_IN_PWDN_BITFIELD Enable
-	 * MANUAL_L2RSTDISABLE_CONTROL_BITFIELD Enable
 	 */
 	tmp = __raw_readl(EXYNOS5_ARM_COMMON_OPTION);
-	tmp |= (EXYNOS5_MANUAL_L2RSTDISABLE_CONTROL |
-		EXYNOS5_SKIP_DEACTIVATE_ACEACP_IN_PWDN);
+	tmp |= EXYNOS5_SKIP_DEACTIVATE_ACEACP_IN_PWDN;
 	__raw_writel(tmp, EXYNOS5_ARM_COMMON_OPTION);
 
 	/*
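Review bot: After this hunk EXYNOS5_MANUAL_L2RSTDISABLE_CONTROL is no longer referenced in exynos5_init_pmu(), and the diffstat shows only an insertion in regs-pmu.h, so the define is left behind. If nothing else uses it, drop it in the same patch; if it stays, a comment that the L2RSTDISABLE signal is now handled through EXYNOS5_ARM_L2_OPTION would explain why it is unused here.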
* [ 082/102] drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe()
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2013-05-17 21:36 ` [ 081/102] ARM: EXYNOS5: Fix kernel dump in AFTR idle mode Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 083/102] cpufreq / intel_pstate: remove idle time and duration from sample and calculations Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Jingoo Han,
	Andrew Morton, Linus Torvalds, Jonghwan Choi
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
commit 35623715818dfa720cccf99cd280dcbb4b78da23 upstream.
Fix to return -ENODEV in the chip not found error handling
case instead of 0, as done elsewhere in this function.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rtc/rtc-pcf2123.c |    1 +
 1 file changed, 1 insertion(+)
--- a/drivers/rtc/rtc-pcf2123.c
+++ b/drivers/rtc/rtc-pcf2123.c
@@ -265,6 +265,7 @@ static int pcf2123_probe(struct spi_devi
 
 	if (!(rxbuf[0] & 0x20)) {
 		dev_err(&spi->dev, "chip not found\n");
+		ret = -ENODEV;
 		goto kfree_exit;
 	}
 
* [ 083/102] cpufreq / intel_pstate: remove idle time and duration from sample and calculations
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2013-05-17 21:36 ` [ 082/102] drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe() Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 084/102] cpufreq / intel_pstate: use lowest requested max performance Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Lothian, Dirk Brandewie,
	Rafael J. Wysocki
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dirk Brandewie <dirk.j.brandewie@intel.com>
commit 1abc4b20b85b42e8573957e54b193385cf48b0d6 upstream.
Idle time is taken into account in the APERF/MPERF ratio calculation;
there is no reason for the driver to track it separately.  This
reduces the work in the driver and makes the code more readable.
Removal of the tracking of sample duration removes the possibility of
the divide by zero exception when the duration is sub 1us
References: https://bugzilla.kernel.org/show_bug.cgi?id=56691
Reported-by: Mike Lothian <mike@fireburn.co.uk>
Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |   43 ++++++-----------------------------------
 1 file changed, 7 insertions(+), 36 deletions(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -48,12 +48,7 @@ static inline int32_t div_fp(int32_t x,
 }
 
 struct sample {
-	ktime_t start_time;
-	ktime_t end_time;
 	int core_pct_busy;
-	int pstate_pct_busy;
-	u64 duration_us;
-	u64 idletime_us;
 	u64 aperf;
 	u64 mperf;
 	int freq;
@@ -91,8 +86,6 @@ struct cpudata {
 	int min_pstate_count;
 	int idle_mode;
 
-	ktime_t prev_sample;
-	u64	prev_idle_time_us;
 	u64	prev_aperf;
 	u64	prev_mperf;
 	int	sample_ptr;
@@ -450,48 +443,26 @@ static inline void intel_pstate_calc_bus
 					struct sample *sample)
 {
 	u64 core_pct;
-	sample->pstate_pct_busy = 100 - div64_u64(
-					sample->idletime_us * 100,
-					sample->duration_us);
 	core_pct = div64_u64(sample->aperf * 100, sample->mperf);
 	sample->freq = cpu->pstate.max_pstate * core_pct * 1000;
 
-	sample->core_pct_busy = div_s64((sample->pstate_pct_busy * core_pct),
-					100);
+	sample->core_pct_busy = core_pct;
 }
 
 static inline void intel_pstate_sample(struct cpudata *cpu)
 {
-	ktime_t now;
-	u64 idle_time_us;
 	u64 aperf, mperf;
 
-	now = ktime_get();
-	idle_time_us = get_cpu_idle_time_us(cpu->cpu, NULL);
-
 	rdmsrl(MSR_IA32_APERF, aperf);
 	rdmsrl(MSR_IA32_MPERF, mperf);
-	/* for the first sample, don't actually record a sample, just
-	 * set the baseline */
-	if (cpu->prev_idle_time_us > 0) {
-		cpu->sample_ptr = (cpu->sample_ptr + 1) % SAMPLE_COUNT;
-		cpu->samples[cpu->sample_ptr].start_time = cpu->prev_sample;
-		cpu->samples[cpu->sample_ptr].end_time = now;
-		cpu->samples[cpu->sample_ptr].duration_us =
-			ktime_us_delta(now, cpu->prev_sample);
-		cpu->samples[cpu->sample_ptr].idletime_us =
-			idle_time_us - cpu->prev_idle_time_us;
-
-		cpu->samples[cpu->sample_ptr].aperf = aperf;
-		cpu->samples[cpu->sample_ptr].mperf = mperf;
-		cpu->samples[cpu->sample_ptr].aperf -= cpu->prev_aperf;
-		cpu->samples[cpu->sample_ptr].mperf -= cpu->prev_mperf;
+	cpu->sample_ptr = (cpu->sample_ptr + 1) % SAMPLE_COUNT;
+	cpu->samples[cpu->sample_ptr].aperf = aperf;
+	cpu->samples[cpu->sample_ptr].mperf = mperf;
+	cpu->samples[cpu->sample_ptr].aperf -= cpu->prev_aperf;
+	cpu->samples[cpu->sample_ptr].mperf -= cpu->prev_mperf;
 
-		intel_pstate_calc_busy(cpu, &cpu->samples[cpu->sample_ptr]);
-	}
+	intel_pstate_calc_busy(cpu, &cpu->samples[cpu->sample_ptr]);
 
-	cpu->prev_sample = now;
-	cpu->prev_idle_time_us = idle_time_us;
 	cpu->prev_aperf = aperf;
 	cpu->prev_mperf = mperf;
 }
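Review bot: intel_pstate_calc_busy() still computes div64_u64(sample->aperf * 100, sample->mperf) with no check that the MPERF delta is non-zero, so the divide-by-zero the changelog attributes to duration_us has a sibling that this patch leaves in place. Guard the division, for example by skipping the sample or keeping the previous core_pct_busy when sample->mperf is 0. The hunk also removes the first-sample baseline check (if (cpu->prev_idle_time_us > 0)), so the first recorded sample is now taken against whatever prev_aperf and prev_mperf initially hold rather than against a prior reading; the changelog should say that this is intended.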
* [ 084/102] cpufreq / intel_pstate: use lowest requested max performance
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2013-05-17 21:36 ` [ 083/102] cpufreq / intel_pstate: remove idle time and duration from sample and calculations Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 085/102] cpufreq / intel_pstate: fix ffmpeg regression Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Pandruvada, Dirk Brandewie,
	Rafael J. Wysocki
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dirk Brandewie <dirk.j.brandewie@intel.com>
commit d8f469e9cff3bc4a6317d923e9506be046aa7bdc upstream.
There are two ways that the maximum p-state can be clamped, via a
policy change and via the sysfs file.
The acpi-thermal driver adjusts the p-state policy in response to
thermal events.  These changes override the user's settings at the
moment.
Use the lowest of the two requested values; this ensures that we will
not exceed the requested pstate from either mechanism.
Reported-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -117,6 +117,8 @@ struct perf_limits {
 	int min_perf_pct;
 	int32_t max_perf;
 	int32_t min_perf;
+	int max_policy_pct;
+	int max_sysfs_pct;
 };
 
 static struct perf_limits limits = {
@@ -125,6 +127,8 @@ static struct perf_limits limits = {
 	.max_perf = int_tofp(1),
 	.min_perf_pct = 0,
 	.min_perf = 0,
+	.max_policy_pct = 100,
+	.max_sysfs_pct = 100,
 };
 
 static inline void pid_reset(struct _pid *pid, int setpoint, int busy,
@@ -295,7 +299,8 @@ static ssize_t store_max_perf_pct(struct
 	if (ret != 1)
 		return -EINVAL;
 
-	limits.max_perf_pct = clamp_t(int, input, 0 , 100);
+	limits.max_sysfs_pct = clamp_t(int, input, 0 , 100);
+	limits.max_perf_pct = min(limits.max_policy_pct, limits.max_sysfs_pct);
 	limits.max_perf = div_fp(int_tofp(limits.max_perf_pct), int_tofp(100));
 	return count;
 }
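Review bot: store_max_perf_pct() now recomputes limits.max_perf_pct and limits.max_perf with the same two lines that intel_pstate_set_policy() gains in the next hunk. Move the min() and div_fp() pair into one small helper called from both places, so the two paths cannot drift apart.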
@@ -641,8 +646,9 @@ static int intel_pstate_set_policy(struc
 	limits.min_perf_pct = clamp_t(int, limits.min_perf_pct, 0 , 100);
 	limits.min_perf = div_fp(int_tofp(limits.min_perf_pct), int_tofp(100));
 
-	limits.max_perf_pct = policy->max * 100 / policy->cpuinfo.max_freq;
-	limits.max_perf_pct = clamp_t(int, limits.max_perf_pct, 0 , 100);
+	limits.max_policy_pct = policy->max * 100 / policy->cpuinfo.max_freq;
+	limits.max_policy_pct = clamp_t(int, limits.max_policy_pct, 0 , 100);
+	limits.max_perf_pct = min(limits.max_policy_pct, limits.max_sysfs_pct);
 	limits.max_perf = div_fp(int_tofp(limits.max_perf_pct), int_tofp(100));
 
 	if (policy->policy == CPUFREQ_POLICY_PERFORMANCE) {
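Review bot: intel_pstate_set_policy() and the sysfs store both write the shared limits fields, and neither hunk shows a lock around reading the other side's percentage and updating max_perf_pct and max_perf. If the two can run concurrently, a policy change and a sysfs write could interleave and leave max_perf derived from a stale percentage; either document why that cannot happen or serialise the update.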
* [ 085/102] cpufreq / intel_pstate: fix ffmpeg regression
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2013-05-17 21:36 ` [ 084/102] cpufreq / intel_pstate: use lowest requested max performance Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 086/102] iscsi-target: Fix processing of OOO commands Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dirk Brandewie, Rafael J. Wysocki
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dirk Brandewie <dirk.j.brandewie@intel.com>
commit ca182aee389f8026401510f4c63841cb02c820e8 upstream.
The ffmpeg benchmark in the phoronix test suite has threads on
multiple cores that rely on the progress of threads on other cores
and ping pong back and forth fast enough to make the core appear less
busy than it "should" be.  If the core has been at minimum p-state for
a while bump the pstate up to kick the core to see if it is in this
ping pong state.  If the core is truly idle the p-state will be
reduced at the next sample time.  If the core makes more progress it
will send more work to the thread bringing both threads out of the
ping pong scenario and the p-state will be selected normally.
This fixes a performance regression of approximately 30%
Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |   10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -551,22 +551,16 @@ static void intel_pstate_timer_func(unsi
 	struct cpudata *cpu = (struct cpudata *) __data;
 
 	intel_pstate_sample(cpu);
+	intel_pstate_adjust_busy_pstate(cpu);
 
-	if (!cpu->idle_mode)
-		intel_pstate_adjust_busy_pstate(cpu);
-	else
-		intel_pstate_adjust_idle_pstate(cpu);
-
-#if defined(XPERF_FIX)
 	if (cpu->pstate.current_pstate == cpu->pstate.min_pstate) {
 		cpu->min_pstate_count++;
 		if (!(cpu->min_pstate_count % 5)) {
 			intel_pstate_set_pstate(cpu, cpu->pstate.max_pstate);
-			intel_pstate_idle_mode(cpu);
 		}
 	} else
 		cpu->min_pstate_count = 0;
-#endif
+
 	intel_pstate_set_sample_time(cpu);
 }
 
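Review bot: The timer function no longer reads cpu->idle_mode or calls intel_pstate_adjust_idle_pstate() and intel_pstate_idle_mode(), yet the diffstat (2 insertions, 8 deletions, all accounted for by this hunk) shows their definitions stay in the file. If these were the only users, remove the helpers and the field in the same patch or a follow-up. The "% 5" kick interval is also a bare number; a named constant with a comment on how it was chosen would help, given that the changelog ties this path to a 30% regression.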
* [ 086/102] iscsi-target: Fix processing of OOO commands
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2013-05-17 21:36 ` [ 085/102] cpufreq / intel_pstate: fix ffmpeg regression Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 087/102] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shlomo Pongratz, Nicholas Bellinger
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Shlomo Pongratz <shlomop@mellanox.com>
commit 3eccfdb01da58fbd0f789ae6ca61cee3769e26de upstream.
Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn.
Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparison.
The routine iterates until it finds an entry whose serial number is greater than the serial number of
the new one, thus the new entry should be inserted before that entry and not after.
Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_erl1.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_erl1.c
+++ b/drivers/target/iscsi/iscsi_target_erl1.c
@@ -819,7 +819,7 @@ static int iscsit_attach_ooo_cmdsn(
 		/*
 		 * CmdSN is greater than the tail of the list.
 		 */
-		if (ooo_tail->cmdsn < ooo_cmdsn->cmdsn)
+		if (iscsi_sna_lt(ooo_tail->cmdsn, ooo_cmdsn->cmdsn))
 			list_add_tail(&ooo_cmdsn->ooo_list,
 					&sess->sess_ooo_cmdsn_list);
 		else {
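Review bot: With iscsi_sna_lt(ooo_tail->cmdsn, ooo_cmdsn->cmdsn), a CmdSN equal to the tail's falls into the else branch and is then inserted next to the equal entry by the loop below. If duplicates are not filtered before iscsit_attach_ooo_cmdsn() is reached (not visible in this diff), add an explicit equality check here so a repeated CmdSN cannot be queued twice.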
@@ -829,11 +829,12 @@ static int iscsit_attach_ooo_cmdsn(
 			 */
 			list_for_each_entry(ooo_tmp, &sess->sess_ooo_cmdsn_list,
 						ooo_list) {
-				if (ooo_tmp->cmdsn < ooo_cmdsn->cmdsn)
+				if (iscsi_sna_lt(ooo_tmp->cmdsn, ooo_cmdsn->cmdsn))
 					continue;
 
+				/* Insert before this entry */
 				list_add(&ooo_cmdsn->ooo_list,
-					&ooo_tmp->ooo_list);
+					ooo_tmp->ooo_list.prev);
 				break;
 			}
 		}
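Review bot: list_add(&ooo_cmdsn->ooo_list, ooo_tmp->ooo_list.prev) is the open-coded form of list_add_tail(&ooo_cmdsn->ooo_list, &ooo_tmp->ooo_list), which inserts before the given entry and avoids reaching into .prev directly. With that call the added "Insert before this entry" comment can stay as it is.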
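An added example (not part of the patch or of the kernel sources) that replays the two bugs described in the 086 changelog on a small user-space list. sna_lt() is a hypothetical stand-in for iscsi_sna_lt(), whose body is not shown in this thread; the list helpers, ooo_attach(), ooo_order() and the CmdSN values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal circular doubly linked list with the same shape as list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_link(struct list_head *n, struct list_head *prev,
		      struct list_head *next)
{
	n->prev = prev;
	n->next = next;
	prev->next = n;
	next->prev = n;
}

/* list_add() inserts right after pos, list_add_tail() right before it. */
static void list_add(struct list_head *n, struct list_head *pos)
{
	list_link(n, pos, pos->next);
}

static void list_add_tail(struct list_head *n, struct list_head *pos)
{
	list_link(n, pos->prev, pos);
}

struct ooo { uint32_t cmdsn; struct list_head link; };
#define OOO_ENTRY(p) ((struct ooo *)((char *)(p) - offsetof(struct ooo, link)))

typedef int (*lt_fn)(uint32_t, uint32_t);

/* Pre-patch comparison: breaks once CmdSN wraps past 0xFFFFFFFF. */
static int plain_lt(uint32_t a, uint32_t b) { return a < b; }

/* Hypothetical stand-in for iscsi_sna_lt(): a precedes b when b is less
 * than 2^31 steps ahead of a in modulo-2^32 arithmetic. */
static int sna_lt(uint32_t a, uint32_t b)
{
	return a != b && (uint32_t)(b - a) < 0x80000000u;
}

/* Same shape as the patched code: append when the new CmdSN is beyond the
 * tail, otherwise stop at the first entry that is not less than it. */
static void ooo_attach(struct list_head *head, struct ooo *n, lt_fn lt,
		       int insert_before)
{
	struct list_head *pos;

	if (head->next == head ||
	    lt(OOO_ENTRY(head->prev)->cmdsn, n->cmdsn)) {
		list_add_tail(&n->link, head);
		return;
	}
	for (pos = head->next; pos != head; pos = pos->next) {
		if (lt(OOO_ENTRY(pos)->cmdsn, n->cmdsn))
			continue;
		if (insert_before)
			list_add_tail(&n->link, pos);	/* patched behaviour */
		else
			list_add(&n->link, pos);	/* pre-patch behaviour */
		return;
	}
}

#define MAX_CMDS 8
static uint32_t order_out[MAX_CMDS];	/* list order left by the last run */

/* Queue the arrivals, record the resulting order in order_out[], and
 * return 1 if every neighbour pair is in serial-number order. */
static int ooo_order(const uint32_t *arrivals, size_t n, lt_fn lt,
		     int insert_before)
{
	struct ooo nodes[MAX_CMDS];
	struct list_head head = { &head, &head }, *pos;
	size_t i, k = 0;

	if (n > MAX_CMDS)
		return 0;
	for (i = 0; i < n; i++) {
		nodes[i].cmdsn = arrivals[i];
		ooo_attach(&head, &nodes[i], lt, insert_before);
	}
	for (pos = head.next; pos != &head; pos = pos->next)
		order_out[k++] = OOO_ENTRY(pos)->cmdsn;
	for (i = 1; i < k; i++)
		if (!sna_lt(order_out[i - 1], order_out[i]))
			return 0;
	return 1;
}

/* Constructed arrival sequences: one straddling the wrap, one not. */
static const uint32_t WRAP_ARRIVALS[] = { 0xFFFFFFFEu, 1u, 0xFFFFFFFFu, 0u };
static const uint32_t FLAT_ARRIVALS[] = { 10u, 30u, 20u };

int main(void)
{
	printf("wrap, '<' + insert after     : sorted=%d\n",
	       ooo_order(WRAP_ARRIVALS, 4, plain_lt, 0));
	printf("flat, sna_lt + insert after  : sorted=%d\n",
	       ooo_order(FLAT_ARRIVALS, 3, sna_lt, 0));
	printf("wrap, sna_lt + insert before : sorted=%d\n",
	       ooo_order(WRAP_ARRIVALS, 4, sna_lt, 1));
	return 0;
}
```

The second run shows that the insert position is a bug on its own: even with the serial-number comparison and no wrap, inserting after the first not-less entry leaves 20 behind 30.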
* [ 087/102] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2013-05-17 21:36 ` [ 086/102] iscsi-target: Fix processing of OOO commands Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 088/102] target/iblock: Fix WCE=1 + DPOFUA=1 backend WRITE regression Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joern Engel, Nicholas Bellinger
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Joern Engel <joern@logfs.org>
commit ccf5ae83a6cf3d9cfe9a7038bfe7cd38ab03d5e1 upstream.
It is possible for one thread to take se_sess->sess_cmd_lock in
core_tmr_abort_task() before taking a reference count on
se_cmd->cmd_kref, while another thread in target_put_sess_cmd() drops
se_cmd->cmd_kref before taking se_sess->sess_cmd_lock.
This introduces kref_put_spinlock_irqsave() and uses it in
target_put_sess_cmd() to close the race window.
Signed-off-by: Joern Engel <joern@logfs.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_transport.c |   11 +++++------
 include/linux/kref.h                   |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 6 deletions(-)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2213,21 +2213,19 @@ static void target_release_cmd_kref(stru
 {
 	struct se_cmd *se_cmd = container_of(kref, struct se_cmd, cmd_kref);
 	struct se_session *se_sess = se_cmd->se_sess;
-	unsigned long flags;
 
-	spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
 	if (list_empty(&se_cmd->se_cmd_list)) {
-		spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+		spin_unlock(&se_sess->sess_cmd_lock);
 		se_cmd->se_tfo->release_cmd(se_cmd);
 		return;
 	}
 	if (se_sess->sess_tearing_down && se_cmd->cmd_wait_set) {
-		spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+		spin_unlock(&se_sess->sess_cmd_lock);
 		complete(&se_cmd->cmd_wait_comp);
 		return;
 	}
 	list_del(&se_cmd->se_cmd_list);
-	spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+	spin_unlock(&se_sess->sess_cmd_lock);
 
 	se_cmd->se_tfo->release_cmd(se_cmd);
 }
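Review bot: target_release_cmd_kref() now calls spin_unlock(&se_sess->sess_cmd_lock) on a lock it never takes, and nothing in the function says so. Add a comment (and a sparse __releases() annotation if the tree uses them here) stating that the function is entered with sess_cmd_lock held and interrupts disabled by kref_put_spinlock_irqsave().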
@@ -2238,7 +2236,8 @@ static void target_release_cmd_kref(stru
  */
 int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
 {
-	return kref_put(&se_cmd->cmd_kref, target_release_cmd_kref);
+	return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
+			&se_sess->sess_cmd_lock);
 }
 EXPORT_SYMBOL(target_put_sess_cmd);
 
--- a/include/linux/kref.h
+++ b/include/linux/kref.h
@@ -19,6 +19,7 @@
 #include <linux/atomic.h>
 #include <linux/kernel.h>
 #include <linux/mutex.h>
+#include <linux/spinlock.h>
 
 struct kref {
 	atomic_t refcount;
@@ -95,6 +96,38 @@ static inline int kref_put(struct kref *
 	return kref_sub(kref, 1, release);
 }
 
+/**
+ * kref_put_spinlock_irqsave - decrement refcount for object.
+ * @kref: object.
+ * @release: pointer to the function that will clean up the object when the
+ *	     last reference to the object is released.
+ *	     This pointer is required, and it is not acceptable to pass kfree
+ *	     in as this function.
+ * @lock: lock to take in release case
+ *
+ * Behaves identical to kref_put with one exception.  If the reference count
+ * drops to zero, the lock will be taken atomically wrt dropping the reference
+ * count.  The release function has to call spin_unlock() without _irqrestore.
+ */
+static inline int kref_put_spinlock_irqsave(struct kref *kref,
+		void (*release)(struct kref *kref),
+		spinlock_t *lock)
+{
+	unsigned long flags;
+
+	WARN_ON(release == NULL);
+	if (atomic_add_unless(&kref->refcount, -1, 1))
+		return 0;
+	spin_lock_irqsave(lock, flags);
+	if (atomic_dec_and_test(&kref->refcount)) {
+		release(kref);
+		local_irq_restore(flags);
+		return 1;
+	}
+	spin_unlock_irqrestore(lock, flags);
+	return 0;
+}
+
 static inline int kref_put_mutex(struct kref *kref,
 				 void (*release)(struct kref *kref),
 				 struct mutex *lock)
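Review bot: In kref_put_spinlock_irqsave() the release(kref) call sits between spin_lock_irqsave() and local_irq_restore(flags), so the whole release callback runs with interrupts disabled even after it has dropped the lock. In this patch that covers se_cmd->se_tfo->release_cmd() and complete(), which previously ran after spin_unlock_irqrestore(). The kerneldoc should state this constraint alongside the spin_unlock() rule, so callers know what their release function may and may not do.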
* [ 088/102] target/iblock: Fix WCE=1 + DPOFUA=1 backend WRITE regression
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2013-05-17 21:36 ` [ 087/102] target: close target_put_sess_cmd() vs. core_tmr_abort_task() race Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 089/102] ACPI / EC: Restart transaction even when the IBF flag set Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Boot, Hannes Reinecke,
	Nicholas Bellinger
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit d2bdbee0d91a5d3ba2e439ce889e20bfe6fd4f1b upstream.
This patch fixes a regression bug introduced in v3.9-rc1 where if the
underlying struct block_device for an IBLOCK backend is configured with
WCE=1 + DPOFUA=1 settings, the rw = WRITE assignment no longer occurs
in iblock_execute_rw(), and rw = 0 is passed to iblock_submit_bios()
in effect causing a READ bio operation to occur.
The offending commit is:
commit d0c8b259f8970d39354c1966853363345d401330
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date:   Tue Jan 29 22:10:06 2013 -0800
    target/iblock: Use backend REQ_FLUSH hint for WriteCacheEnabled status
Note the WCE=1 + DPOFUA=0, WCE=0 + DPOFUA=1, and WCE=0 + DPOFUA=0 cases
are not affected by this regression bug.
Reported-by: Chris Boot <bootc@bootc.net>
Tested-by: Chris Boot <bootc@bootc.net>
Reported-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_iblock.c |    2 ++
 1 file changed, 2 insertions(+)
--- a/drivers/target/target_core_iblock.c
+++ b/drivers/target/target_core_iblock.c
@@ -679,6 +679,8 @@ iblock_execute_rw(struct se_cmd *cmd)
 				rw = WRITE_FUA;
 			else if (!(q->flush_flags & REQ_FLUSH))
 				rw = WRITE_FUA;
+			else
+				rw = WRITE;
 		} else {
 			rw = WRITE;
 		}
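Review bot: The added "else rw = WRITE;" closes the gap, but rw is still assigned branch by branch, which is how the rw = 0 case described in the changelog slipped through. Since both earlier arms set WRITE_FUA, consider defaulting rw to WRITE at the top of the write path and overriding it in one combined condition, so a future branch cannot leave it unset.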
* [ 089/102] ACPI / EC: Restart transaction even when the IBF flag set
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2013-05-17 21:36 ` [ 088/102] target/iblock: Fix WCE=1 + DPOFUA=1 backend WRITE regression Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 090/102] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lan Tianyu, Rafael J. Wysocki
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Lan Tianyu <tianyu.lan@intel.com>
commit 28fe5c825f8e15744d04c7c1b8df197950923ecd upstream.
The EC driver works abnormally with IBF flag always set.
IBF means "The host has written a byte of data to the command
or data port, but the embedded controller has not yet read it".
If IBF is set in the EC status and not cleared, this will cause
all subsequent EC requests to fail with a timeout error.
Change the EC driver so that it doesn't refuse to restart a
transaction if IBF is set in the status.  Also increase the
number of transaction restarts to 5, as it turns out that 2
is not sufficient in some cases.
This bug happens on several different machines (Asus V1S,
Dell Latitude E6530, Samsung R719, Acer Aspire 5930G,
Sony Vaio SR19VN and others).
[rjw: Changelog]
References: https://bugzilla.kernel.org/show_bug.cgi?id=14733
References: https://bugzilla.kernel.org/show_bug.cgi?id=15560
References: https://bugzilla.kernel.org/show_bug.cgi?id=15946
References: https://bugzilla.kernel.org/show_bug.cgi?id=42945
References: https://bugzilla.kernel.org/show_bug.cgi?id=48221
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/ec.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -223,7 +223,7 @@ static int ec_check_sci_sync(struct acpi
 static int ec_poll(struct acpi_ec *ec)
 {
 	unsigned long flags;
-	int repeat = 2; /* number of command restarts */
+	int repeat = 5; /* number of command restarts */
 	while (repeat--) {
 		unsigned long delay = jiffies +
 			msecs_to_jiffies(ec_delay);
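Review bot: the restart count in ec_poll() stays a bare literal after going from 2 to 5. Each pass waits up to ec_delay milliseconds (msecs_to_jiffies(ec_delay) is recomputed inside the loop), so the worst-case wait before a timeout is reported grows from 2 to 5 times ec_delay; a named constant with a comment stating that bound would make the cost visible.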
@@ -241,8 +241,6 @@ static int ec_poll(struct acpi_ec *ec)
 			}
 			advance_transaction(ec, acpi_ec_read_status(ec));
 		} while (time_before(jiffies, delay));
-		if (acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF)
-			break;
 		pr_debug(PREFIX "controller reset, restart transaction\n");
 		spin_lock_irqsave(&ec->lock, flags);
 		start_transaction(ec);
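Review bot: with the IBF test removed, the pr_debug line "controller reset, restart transaction" is the only trace of a restart, and it no longer distinguishes a controller with IBF stuck from any other timeout. Printing the value returned by acpi_ec_read_status(ec) in that message would keep the affected machines identifiable from logs.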
* [ 090/102] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Gang, Corey Minyard,
	Linus Torvalds
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Chen Gang <gang.chen@asianux.com>
commit a5f2b3d6a738e7d4180012fe7b541172f8c8dcea upstream.
When calling memcpy, read_data and write_data need additional 2 bytes.
  write_data:
    for checking:  "if (size > IPMI_MAX_MSG_LENGTH)"
    for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"
  read_data:
    for checking:  "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
    for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_bt_sm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -95,9 +95,9 @@ struct si_sm_data {
 	enum bt_states	state;
 	unsigned char	seq;		/* BT sequence number */
 	struct si_sm_io	*io;
-	unsigned char	write_data[IPMI_MAX_MSG_LENGTH];
+	unsigned char	write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
 	int		write_count;
-	unsigned char	read_data[IPMI_MAX_MSG_LENGTH];
+	unsigned char	read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
 	int		read_count;
 	int		truncated;
 	long		timeout;	/* microseconds countdown */
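Review bot: the "+2 for memcpy" comment on write_data and read_data does not say where the 2 comes from. Per the changelog, the write path accepts size up to IPMI_MAX_MSG_LENGTH and copies size - 1 bytes to write_data + 3, so the last byte written is at index size + 1; the read path copies msg_len - 2 bytes from read_data + 4, so it reads through index msg_len + 1. Spelling that arithmetic out in the comment, or using a named constant for the extra bytes, would let a reader re-derive the bound instead of trusting the literal.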
* [ 091/102] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin LaHaise, Corey Minyard,
	Linus Torvalds
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Benjamin LaHaise <bcrl@kvack.org>
commit 6368087e851e697679af059b4247aca33a69cef3 upstream.
When a 32 bit version of ipmitool is used on a 64 bit kernel, the
ipmi_devintf code fails to correctly acquire ipmi_mutex.  This results in
incomplete data being retrieved in some cases, or other possible failures.
Add a wrapper around compat_ipmi_ioctl() to take ipmi_mutex to fix this.
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/ipmi/ipmi_devintf.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_devintf.c
+++ b/drivers/char/ipmi/ipmi_devintf.c
@@ -837,13 +837,25 @@ static long compat_ipmi_ioctl(struct fil
 		return ipmi_ioctl(filep, cmd, arg);
 	}
 }
+
+static long unlocked_compat_ipmi_ioctl(struct file *filep, unsigned int cmd,
+				       unsigned long arg)
+{
+	int ret;
+
+	mutex_lock(&ipmi_mutex);
+	ret = compat_ipmi_ioctl(filep, cmd, arg);
+	mutex_unlock(&ipmi_mutex);
+
+	return ret;
+}
 #endif
 
 static const struct file_operations ipmi_fops = {
 	.owner		= THIS_MODULE,
 	.unlocked_ioctl	= ipmi_unlocked_ioctl,
 #ifdef CONFIG_COMPAT
-	.compat_ioctl   = compat_ipmi_ioctl,
+	.compat_ioctl   = unlocked_compat_ipmi_ioctl,
 #endif
 	.open		= ipmi_open,
 	.release	= ipmi_release,
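Review bot: ret in unlocked_compat_ipmi_ioctl() is declared int while both compat_ipmi_ioctl() and the wrapper itself return long; declare it long so the return value is not narrowed. The wrapper's name also reads as "takes no lock" although its whole job is to take ipmi_mutex; a short comment that "unlocked" mirrors the .unlocked_ioctl naming used for ipmi_unlocked_ioctl would help.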
* [ 092/102] ASoC: da7213: Fix setting dmic_samplephase and dmic_clk_rate
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Axel Lin, Mark Brown
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit 61559af111e41761f5f4f20ce0897345eb59076e upstream.
When setting the dmic_samplephase and dmic_clk_rate bits for dmic_cfg,
the current code checks pdata->dmic_data_sel, which is wrong.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/codecs/da7213.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/sound/soc/codecs/da7213.c
+++ b/sound/soc/codecs/da7213.c
@@ -1488,17 +1488,17 @@ static int da7213_probe(struct snd_soc_c
 				     DA7213_DMIC_DATA_SEL_SHIFT);
 			break;
 		}
-		switch (pdata->dmic_data_sel) {
+		switch (pdata->dmic_samplephase) {
 		case DA7213_DMIC_SAMPLE_ON_CLKEDGE:
 		case DA7213_DMIC_SAMPLE_BETWEEN_CLKEDGE:
-			dmic_cfg |= (pdata->dmic_data_sel <<
+			dmic_cfg |= (pdata->dmic_samplephase <<
 				     DA7213_DMIC_SAMPLEPHASE_SHIFT);
 			break;
 		}
-		switch (pdata->dmic_data_sel) {
+		switch (pdata->dmic_clk_rate) {
 		case DA7213_DMIC_CLK_3_0MHZ:
 		case DA7213_DMIC_CLK_1_5MHZ:
-			dmic_cfg |= (pdata->dmic_data_sel <<
+			dmic_cfg |= (pdata->dmic_clk_rate <<
 				     DA7213_DMIC_CLK_RATE_SHIFT);
 			break;
 		}
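Review bot: neither rewritten switch has a default case, so a pdata->dmic_samplephase or pdata->dmic_clk_rate value outside the listed constants is dropped silently and the corresponding dmic_cfg bits are left untouched. Since the original bug was a wrong field going unnoticed, a default branch that warns about invalid platform data would make the next mistake visible.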
* [ 093/102] drm/radeon: check incoming cliprects pointer
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kees Cook, Dave Airlie
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit fefaedcfb82d2e57c2320acf60604ab03b750cc0 upstream.
The "boxes" parameter points into userspace memory. It should be verified
like any other operation against user memory.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/radeon/r300_cmdbuf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/r300_cmdbuf.c
+++ b/drivers/gpu/drm/radeon/r300_cmdbuf.c
@@ -75,7 +75,7 @@ static int r300_emit_cliprects(drm_radeo
 		OUT_RING(CP_PACKET0(R300_RE_CLIPRECT_TL_0, nr * 2 - 1));
 
 		for (i = 0; i < nr; ++i) {
-			if (DRM_COPY_FROM_USER_UNCHECKED
+			if (DRM_COPY_FROM_USER
 			    (&box, &cmdbuf->boxes[n + i], sizeof(box))) {
 				DRM_ERROR("copy cliprect faulted\n");
 				return -EFAULT;
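Review bot: nothing at the call site records why the checked variant is required. A one-line comment above the DRM_COPY_FROM_USER call stating that cmdbuf->boxes is a userspace pointer would keep the _UNCHECKED form from being reintroduced later as an optimisation; the changelog could also name the check that the unchecked macro skips.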
* [ 094/102] drm/radeon: restore nomodeset operation (v2)
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Deucher, Christian König,
	Dave Airlie
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit e9ced8e040ebe40e9953db90acbe7d0b58702ebb upstream.
When UMS was deprecated it removed support for the nomodeset command line
option. We really want this in distro land so we can debug stuff; everyone
should fall back to vesa correctly.
v2: oops -1 isn't used anymore, restore original behaviour
-1 is default, so we can boot with nomodeset on the command line,
then use radeon.modeset=1 to override it for debugging later.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/radeon/radeon_drv.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/radeon_drv.c
+++ b/drivers/gpu/drm/radeon/radeon_drv.c
@@ -144,7 +144,7 @@ static inline void radeon_unregister_atp
 #endif
 
 int radeon_no_wb;
-int radeon_modeset = 1;
+int radeon_modeset = -1;
 int radeon_dynclks = -1;
 int radeon_r4xx_atom = 0;
 int radeon_agpmode = 0;
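Review bot: radeon_modeset now defaults to -1, but the declaration carries no comment saying that -1 means "not set by the user, decided in radeon_init()". A short comment here, and a matching line wherever the parameter is described, would document the three states (-1, 0, 1).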
@@ -449,6 +449,16 @@ static struct pci_driver radeon_kms_pci_
 
 static int __init radeon_init(void)
 {
+#ifdef CONFIG_VGA_CONSOLE
+	if (vgacon_text_force() && radeon_modeset == -1) {
+		DRM_INFO("VGACON disable radeon kernel modesetting.\n");
+		radeon_modeset = 0;
+	}
+#endif
+	/* set to modesetting by default if not nomodeset */
+	if (radeon_modeset == -1)
+		radeon_modeset = 1;
+
 	if (radeon_modeset == 1) {
 		DRM_INFO("radeon kernel modesetting enabled.\n");
 		driver = &kms_driver;
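Review bot: the DRM_INFO text "VGACON disable radeon kernel modesetting." does not tell the user that nomodeset on the command line caused it, nor that radeon.modeset=1 overrides it, both of which the changelog spells out. Suggest wording the message along those lines; the comment "set to modesetting by default if not nomodeset" could likewise say that an explicit 0 or 1 is left untouched.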
* [ 095/102] usermodehelper: check subprocess_info->path != NULL
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Lucas De Marchi,
	Linus Torvalds
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 264b83c07a84223f0efd0d1db9ccc66d6f88288f upstream.
argv_split(empty_or_all_spaces) happily succeeds, it simply returns
argc == 0 and argv[0] == NULL. Change call_usermodehelper_exec() to
check sub_info->path != NULL to avoid the crash.
This is the minimal fix, todo:
 - perhaps we should change argv_split() to return NULL or change the
   callers.
 - kill or justify ->path[0] check
 - narrow the scope of helper_lock()
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-By: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/kmod.c |    5 +++++
 1 file changed, 5 insertions(+)
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -570,6 +570,11 @@ int call_usermodehelper_exec(struct subp
 	int retval = 0;
 
 	helper_lock();
+	if (!sub_info->path) {
+		retval = -EINVAL;
+		goto out;
+	}
+
 	if (sub_info->path[0] == '\0')
 		goto out;
 
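Review bot: the new NULL check returns -EINVAL, while the existing sub_info->path[0] == '\0' test directly below it jumps to out with retval still 0, so a NULL path and an empty path are reported differently to callers. Either justify that difference in a comment or make both cases return the same value; the check also reads nothing that helper_lock() protects and could sit before it.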
* [ 096/102] parisc: only re-enable interrupts if we need to schedule or deliver signals when returning to userspace
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John David Anglin, Helge Deller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit c207a76bf155cb5cf24cf849c08f6555e9180594 upstream.
Helge and I have found that we have a kernel stack overflow problem
which causes a variety of random failures.
Currently, we re-enable interrupts when returning from an external
interrupt in case we need to schedule or deliver signals.  As a result,
a potentially unlimited number of interrupts can occur while we are
running on the kernel stack.  It is very limited in space (currently,
16k).  This change defers enabling interrupts until we have actually
decided to schedule or deliver signals.  This only occurs when we are
about to return to userspace.  This limits the number of interrupts on
the kernel stack to one.  In other cases, interrupts remain disabled
until the final return from interrupt (rfi).
Signed-off-by: John David Anglin  <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/entry.S |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -825,11 +825,6 @@ ENTRY(syscall_exit_rfi)
 	STREG   %r19,PT_SR7(%r16)
 
 intr_return:
-	/* NOTE: Need to enable interrupts incase we schedule. */
-	ssm     PSW_SM_I, %r0
-
-intr_check_resched:
-
 	/* check for reschedule */
 	mfctl   %cr30,%r1
 	LDREG   TI_FLAGS(%r1),%r19	/* sched.h: TIF_NEED_RESCHED */
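Review bot: the intr_check_resched label is deleted along with the ssm, and no other hunk in this patch changes a branch to it. Confirm nothing else in entry.S still targets that label, and consider a comment at intr_return saying that interrupts now stay off from here until one of the two later ssm sites.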
@@ -856,6 +851,11 @@ intr_check_sig:
 	LDREG	PT_IASQ1(%r16), %r20
 	cmpib,COND(=),n 0,%r20,intr_restore /* backward */
 
+	/* NOTE: We need to enable interrupts if we have to deliver
+	 * signals. We used to do this earlier but it caused kernel
+	 * stack overflows. */
+	ssm     PSW_SM_I, %r0
+
 	copy	%r0, %r25			/* long in_syscall = 0 */
 #ifdef CONFIG_64BIT
 	ldo	-16(%r30),%r29			/* Reference param save area */
@@ -907,6 +907,10 @@ intr_do_resched:
 	cmpib,COND(=)	0, %r20, intr_do_preempt
 	nop
 
+	/* NOTE: We need to enable interrupts if we schedule.  We used
+	 * to do this earlier but it caused kernel stack overflows. */
+	ssm     PSW_SM_I, %r0
+
 #ifdef CONFIG_64BIT
 	ldo	-16(%r30),%r29		/* Reference param save area */
 #endif
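Review bot: the added comment says interrupts must be enabled "if we schedule" but not why this placement is safe. The ssm sits after the cmpib that branches to intr_do_preempt, so it is not executed when that branch is taken; per the changelog it is the return-to-userspace restriction that limits the kernel stack to one nested interrupt, and that invariant belongs in the comment.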
* [ 097/102] parisc: fix SMP races when updating PTE and TLB entries in entry.S
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John David Anglin, Helge Deller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit f0a18819e261afc5fdbd8c5c6f9943123c5461ba upstream.
Currently, race conditions exist in the handling of TLB interruptions in
entry.S.  In particular, dirty bit updates can be lost if an accessed
interruption occurs just after the dirty bit interruption on a different
cpu.  Lost dirty bit updates result in user pages not being flushed and
general system instability.  This change adds lock and unlock macros to
synchronize all PTE and TLB updates done in entry.S.  As a result,
userspace stability is significantly improved.
Signed-off-by: John David Anglin  <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/entry.S |  155 ++++++++++++++++++++++++---------------------
 1 file changed, 83 insertions(+), 72 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -444,9 +444,41 @@
 	L2_ptep		\pgd,\pte,\index,\va,\fault
 	.endm
 
+	/* Acquire pa_dbit_lock lock. */
+	.macro		dbit_lock	spc,tmp,tmp1
+#ifdef CONFIG_SMP
+	cmpib,COND(=),n	0,\spc,2f
+	load32		PA(pa_dbit_lock),\tmp
+1:	LDCW		0(\tmp),\tmp1
+	cmpib,COND(=)	0,\tmp1,1b
+	nop
+2:
+#endif
+	.endm
+
+	/* Release pa_dbit_lock lock without reloading lock address. */
+	.macro		dbit_unlock0	spc,tmp
+#ifdef CONFIG_SMP
+	or,COND(=)	%r0,\spc,%r0
+	stw             \spc,0(\tmp)
+#endif
+	.endm
+
+	/* Release pa_dbit_lock lock. */
+	.macro		dbit_unlock1	spc,tmp
+#ifdef CONFIG_SMP
+	load32		PA(pa_dbit_lock),\tmp
+	dbit_unlock0	\spc,\tmp
+#endif
+	.endm
+
 	/* Set the _PAGE_ACCESSED bit of the PTE.  Be clever and
 	 * don't needlessly dirty the cache line if it was already set */
-	.macro		update_ptep	ptep,pte,tmp,tmp1
+	.macro		update_ptep	spc,ptep,pte,tmp,tmp1
+#ifdef CONFIG_SMP
+	or,COND(=)	%r0,\spc,%r0
+	LDREG		0(\ptep),\pte
+#endif
 	ldi		_PAGE_ACCESSED,\tmp1
 	or		\tmp1,\pte,\tmp
 	and,COND(<>)	\tmp1,\pte,%r0
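Review bot: dbit_unlock0 releases the lock by storing \spc itself (stw \spc,0(\tmp)) and relies on or,COND(=) %r0,\spc,%r0 to skip that store when \spc is zero; neither point is commented, and the open-coded sequences this patch removes stored a literal 1. Add a comment that any non-zero value unlocks and that the or exists only to nullify the next instruction. The same idiom guards the LDREG reload added to update_ptep, which deserves a note that the PTE is re-read after the lock is taken because it may have changed since the earlier load.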
@@ -455,7 +487,11 @@
 
 	/* Set the dirty bit (and accessed bit).  No need to be
 	 * clever, this is only used from the dirty fault */
-	.macro		update_dirty	ptep,pte,tmp
+	.macro		update_dirty	spc,ptep,pte,tmp
+#ifdef CONFIG_SMP
+	or,COND(=)	%r0,\spc,%r0
+	LDREG		0(\ptep),\pte
+#endif
 	ldi		_PAGE_ACCESSED|_PAGE_DIRTY,\tmp
 	or		\tmp,\pte,\pte
 	STREG		\pte,0(\ptep)
@@ -1103,11 +1139,13 @@ dtlb_miss_20w:
 
 	L3_ptep		ptp,pte,t0,va,dtlb_check_alias_20w
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 	
 	idtlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
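Review bot: every TLB miss handler for a non-zero space now takes the single pa_dbit_lock and holds it across the TLB insert (idtlbt here, and the instruction-side and 1.1 variants in the hunks below), so all CPUs serialise on one lock in the miss path. The changelog reports the stability gain but says nothing about the cost; a note on measured impact, or on why a finer-grained lock is not practical, would help.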
@@ -1127,11 +1165,13 @@ nadtlb_miss_20w:
 
 	L3_ptep		ptp,pte,t0,va,nadtlb_check_alias_20w
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	idtlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1153,7 +1193,8 @@ dtlb_miss_11:
 
 	L2_ptep		ptp,pte,t0,va,dtlb_check_alias_11
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb_11	spc,pte,prot
 
@@ -1164,6 +1205,7 @@ dtlb_miss_11:
 	idtlbp		prot,(%sr1,va)
 
 	mtsp		t0, %sr1	/* Restore sr1 */
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1184,7 +1226,8 @@ nadtlb_miss_11:
 
 	L2_ptep		ptp,pte,t0,va,nadtlb_check_alias_11
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb_11	spc,pte,prot
 
@@ -1196,6 +1239,7 @@ nadtlb_miss_11:
 	idtlbp		prot,(%sr1,va)
 
 	mtsp		t0, %sr1	/* Restore sr1 */
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1216,13 +1260,15 @@ dtlb_miss_20:
 
 	L2_ptep		ptp,pte,t0,va,dtlb_check_alias_20
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	f_extend	pte,t0
 
 	idtlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1242,13 +1288,15 @@ nadtlb_miss_20:
 
 	L2_ptep		ptp,pte,t0,va,nadtlb_check_alias_20
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	f_extend	pte,t0
 	
         idtlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1349,11 +1397,13 @@ itlb_miss_20w:
 
 	L3_ptep		ptp,pte,t0,va,itlb_fault
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 	
 	iitlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1371,11 +1421,13 @@ naitlb_miss_20w:
 
 	L3_ptep		ptp,pte,t0,va,naitlb_check_alias_20w
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	iitlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1397,7 +1449,8 @@ itlb_miss_11:
 
 	L2_ptep		ptp,pte,t0,va,itlb_fault
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb_11	spc,pte,prot
 
@@ -1408,6 +1461,7 @@ itlb_miss_11:
 	iitlbp		prot,(%sr1,va)
 
 	mtsp		t0, %sr1	/* Restore sr1 */
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1419,7 +1473,8 @@ naitlb_miss_11:
 
 	L2_ptep		ptp,pte,t0,va,naitlb_check_alias_11
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb_11	spc,pte,prot
 
@@ -1430,6 +1485,7 @@ naitlb_miss_11:
 	iitlbp		prot,(%sr1,va)
 
 	mtsp		t0, %sr1	/* Restore sr1 */
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1451,13 +1507,15 @@ itlb_miss_20:
 
 	L2_ptep		ptp,pte,t0,va,itlb_fault
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	f_extend	pte,t0	
 
 	iitlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1469,13 +1527,15 @@ naitlb_miss_20:
 
 	L2_ptep		ptp,pte,t0,va,naitlb_check_alias_20
 
-	update_ptep	ptp,pte,t0,t1
+	dbit_lock	spc,t0,t1
+	update_ptep	spc,ptp,pte,t0,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	f_extend	pte,t0
 
 	iitlbt          pte,prot
+	dbit_unlock1	spc,t0
 
 	rfir
 	nop
@@ -1499,29 +1559,13 @@ dbit_trap_20w:
 
 	L3_ptep		ptp,pte,t0,va,dbit_fault
 
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nolock_20w
-	load32		PA(pa_dbit_lock),t0
-
-dbit_spin_20w:
-	LDCW		0(t0),t1
-	cmpib,COND(=)         0,t1,dbit_spin_20w
-	nop
-
-dbit_nolock_20w:
-#endif
-	update_dirty	ptp,pte,t1
+	dbit_lock	spc,t0,t1
+	update_dirty	spc,ptp,pte,t1
 
 	make_insert_tlb	spc,pte,prot
 		
 	idtlbt          pte,prot
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nounlock_20w
-	ldi             1,t1
-	stw             t1,0(t0)
-
-dbit_nounlock_20w:
-#endif
+	dbit_unlock0	spc,t0
 
 	rfir
 	nop
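Review bot: dbit_unlock0 in the dbit_trap paths does not reload the lock address, so it depends on t0 still holding what dbit_lock put there. As invoked here, update_dirty, make_insert_tlb and idtlbt are passed only t1, pte and prot, which is why it works; a comment at the dbit_unlock0 call saying t0 must not be clobbered between lock and unlock would protect against later edits.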
@@ -1535,18 +1579,8 @@ dbit_trap_11:
 
 	L2_ptep		ptp,pte,t0,va,dbit_fault
 
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nolock_11
-	load32		PA(pa_dbit_lock),t0
-
-dbit_spin_11:
-	LDCW		0(t0),t1
-	cmpib,=         0,t1,dbit_spin_11
-	nop
-
-dbit_nolock_11:
-#endif
-	update_dirty	ptp,pte,t1
+	dbit_lock	spc,t0,t1
+	update_dirty	spc,ptp,pte,t1
 
 	make_insert_tlb_11	spc,pte,prot
 
@@ -1557,13 +1591,7 @@ dbit_nolock_11:
 	idtlbp		prot,(%sr1,va)
 
 	mtsp            t1, %sr1     /* Restore sr1 */
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nounlock_11
-	ldi             1,t1
-	stw             t1,0(t0)
-
-dbit_nounlock_11:
-#endif
+	dbit_unlock0	spc,t0
 
 	rfir
 	nop
@@ -1575,32 +1603,15 @@ dbit_trap_20:
 
 	L2_ptep		ptp,pte,t0,va,dbit_fault
 
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nolock_20
-	load32		PA(pa_dbit_lock),t0
-
-dbit_spin_20:
-	LDCW		0(t0),t1
-	cmpib,=         0,t1,dbit_spin_20
-	nop
-
-dbit_nolock_20:
-#endif
-	update_dirty	ptp,pte,t1
+	dbit_lock	spc,t0,t1
+	update_dirty	spc,ptp,pte,t1
 
 	make_insert_tlb	spc,pte,prot
 
 	f_extend	pte,t1
 	
         idtlbt          pte,prot
-
-#ifdef CONFIG_SMP
-	cmpib,COND(=),n        0,spc,dbit_nounlock_20
-	ldi             1,t1
-	stw             t1,0(t0)
-
-dbit_nounlock_20:
-#endif
+	dbit_unlock0	spc,t0
 
 	rfir
 	nop
* [ 098/102] parisc: use long branch in fork_like macro
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John David Anglin, Helge Deller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit bbbfde782084b4f0d85ddffb88f1cf4650ff40e4 upstream.
The "b" branch instruction used in the fork_like macro can only handle
17-bit pc-relative offsets.  This fails with an out of range offset with
some .config files.  Rewrite to use the "be" instruction, which can
branch to any address in a space.
Signed-off-by: John David Anglin  <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/entry.S |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1709,7 +1709,8 @@ ENTRY(sys_\name\()_wrapper)
 	ldo	TASK_REGS(%r1),%r1
 	reg_save %r1
 	mfctl	%cr27, %r28
-	b	sys_\name
+	ldil	L%sys_\name, %r31
+	be	R%sys_\name(%sr4,%r31)
 	STREG	%r28, PT_CR27(%r1)
 ENDPROC(sys_\name\()_wrapper)
 	.endm
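Review bot: the replacement sequence uses %r31 as scratch for the branch target without saying that it is free at this point in the wrapper. A comment to that effect, plus one noting that the STREG of %r28 still executes in the delay slot of be as it did for b, would make the two-instruction form easier to verify.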
* [ 099/102] parisc: fix NATIVE set up in build
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Frysinger, Helge Deller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Mike Frysinger <vapier@gentoo.org>
commit 93782eba49e23c3f311a6b05a19ba15927ec4e8b upstream.
The ifeq operator does not accept globs, so this little bit of code will
never match (unless uname literally prints out "parisc*").  Rewrite to
use a pattern matching operator so that NATIVE is set to 1 on parisc.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/Makefile |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/parisc/Makefile
+++ b/arch/parisc/Makefile
@@ -24,9 +24,7 @@ CHECKFLAGS	+= -D__hppa__=1
 LIBGCC		= $(shell $(CC) $(KBUILD_CFLAGS) -print-libgcc-file-name)
 
 MACHINE		:= $(shell uname -m)
-ifeq ($(MACHINE),parisc*)
-NATIVE		:= 1
-endif
+NATIVE		:= $(if $(filter parisc%,$(MACHINE)),1,0)
 
 ifdef CONFIG_64BIT
 UTS_MACHINE	:= parisc64
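Review bot: NATIVE changes from "set to 1 or left undefined" to "always defined as 1 or 0". Tests written as ifeq ($(NATIVE),1) keep working, but any ifdef NATIVE or ifneq ($(NATIVE),) elsewhere would now be true on every host, so those uses need checking; if there are none, say so in the changelog.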
* [ 100/102] parisc: make default cross compiler search more robust (v3)
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Frysinger, Jeroen Roovers,
	John David Anglin, Helge Deller
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 6880b0150a7c25fd75c5ece80abc49ebf53c38c1 upstream.
People/distros vary in how they prefix the toolchain name for 64bit builds.
Rather than enforce one convention over another, add a for loop which
does a search for all the general prefixes.
For 64bit builds, we now search for (in order):
	hppa64-unknown-linux-gnu
	hppa64-linux-gnu
	hppa64-linux
For 32bit builds, we look for:
	hppa-unknown-linux-gnu
	hppa-linux-gnu
	hppa-linux
	hppa2.0-unknown-linux-gnu
	hppa2.0-linux-gnu
	hppa2.0-linux
	hppa1.1-unknown-linux-gnu
	hppa1.1-linux-gnu
	hppa1.1-linux
This patch was initiated by Mike Frysinger, with feedback from Jeroen
Roovers, John David Anglin and Helge Deller.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Jeroen Roovers <jer@gentoo.org>
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/Makefile |   21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)
--- a/arch/parisc/Makefile
+++ b/arch/parisc/Makefile
@@ -23,24 +23,21 @@ NM		= sh $(srctree)/arch/parisc/nm
 CHECKFLAGS	+= -D__hppa__=1
 LIBGCC		= $(shell $(CC) $(KBUILD_CFLAGS) -print-libgcc-file-name)
 
-MACHINE		:= $(shell uname -m)
-NATIVE		:= $(if $(filter parisc%,$(MACHINE)),1,0)
-
 ifdef CONFIG_64BIT
 UTS_MACHINE	:= parisc64
 CHECKFLAGS	+= -D__LP64__=1 -m64
-WIDTH		:= 64
+CC_ARCHES	= hppa64
 else # 32-bit
-WIDTH		:=
+CC_ARCHES	= hppa hppa2.0 hppa1.1
 endif
 
-# attempt to help out folks who are cross-compiling
-ifeq ($(NATIVE),1)
-CROSS_COMPILE	:= hppa$(WIDTH)-linux-
-else
- ifeq ($(CROSS_COMPILE),)
- CROSS_COMPILE	:= hppa$(WIDTH)-linux-gnu-
- endif
+ifneq ($(SUBARCH),$(UTS_MACHINE))
+	ifeq ($(CROSS_COMPILE),)
+		CC_SUFFIXES = linux linux-gnu unknown-linux-gnu
+		CROSS_COMPILE := $(call cc-cross-prefix, \
+			$(foreach a,$(CC_ARCHES), \
+			$(foreach s,$(CC_SUFFIXES),$(a)-$(s)-)))
+	endif
 endif
 
 OBJCOPY_FLAGS =-O binary -R .note -R .comment -S
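Review bot: The search order built by the nested foreach does not match the order given in the changelog. With `CC_SUFFIXES = linux linux-gnu unknown-linux-gnu` the 64-bit candidates are generated as hppa64-linux-, hppa64-linux-gnu-, hppa64-unknown-linux-gnu-, while the changelog lists hppa64-unknown-linux-gnu first; cc-cross-prefix takes the first candidate it finds, so the difference matters on a host with more than one toolchain installed. Either reverse CC_SUFFIXES or correct the changelog. It is also worth a comment that CROSS_COMPILE stays empty, with no diagnostic, when none of the candidates is found.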
* [ 101/102] audit: Make testing for a valid loginuid explicit.
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2013-05-17 21:36 ` [ 100/102] parisc: make default cross compiler search more robust (v3) Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-17 21:36 ` [ 102/102] target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio Greg Kroah-Hartman
  2013-05-19 13:00 ` [ 000/102] 3.9.3-stable review Satoru Takeuchi
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Grubb, Eric W. Biederman,
	Richard Guy Briggs, Eric Paris
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 780a7654cee8d61819512385e778e4827db4bfbc upstream.
audit rule additions containing "-F auid!=4294967295" were failing
with EINVAL because of a regression caused by e1760bd.
Apparently some userland audit rule sets want to know if loginuid uid
has been set and are using a test for auid != 4294967295 to determine
that.
In practice that is a horrible way to ask if a value has been set,
because it relies on subtle implementation details and will break
every time the uid implementation in the kernel changes.
So add a clean way to test if the audit loginuid has been set, and
silently convert the old idiom to the cleaner and more comprehensible
new idiom.
RGB notes: In upstream, audit_rule_to_entry has been refactored out.
This patch is already upstream in functionally the same form in
commit 780a7654cee8d61819512385e778e4827db4bfbc .  The decimal constant
was cast to unsigned to quiet GCC 4.6 32-bit architecture warnings.
Reported-By: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Tested-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Backported-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/audit.h      |    5 +++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |   31 ++++++++++++++++++++++++++++++-
 kernel/auditsc.c           |    5 ++++-
 4 files changed, 40 insertions(+), 2 deletions(-)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -390,6 +390,11 @@ static inline void audit_ptrace(struct t
 #define audit_signals 0
 #endif /* CONFIG_AUDITSYSCALL */
 
+static inline bool audit_loginuid_set(struct task_struct *tsk)
+{
+	return uid_valid(audit_get_loginuid(tsk));
+}
+
 #ifdef CONFIG_AUDIT
 /* These are defined in audit.c */
 				/* Public API */
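Review bot: audit_loginuid_set() is placed after the `#endif /* CONFIG_AUDITSYSCALL */` and before `#ifdef CONFIG_AUDIT`, so it is compiled in every configuration and depends on audit_get_loginuid() being usable in all of them; please confirm that holds for 3.9 builds with CONFIG_AUDITSYSCALL disabled. A one-line comment saying that "set" means uid_valid() on the loginuid would also help, since this helper is what the userspace-visible AUDIT_LOGINUID_SET field is evaluated against.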
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -246,6 +246,7 @@
 #define AUDIT_OBJ_TYPE	21
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
+#define AUDIT_LOGINUID_SET	24
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
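Review bot: AUDIT_LOGINUID_SET is a new userspace-visible field number and it is added with no comment on its semantics. The filter code in this patch only accepts the values 0 and 1 with the equal and not-equal operators, so say that next to the define; otherwise rule writers have to read kernel/auditfilter.c to find out why other forms are rejected.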
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -345,6 +345,12 @@ static struct audit_entry *audit_rule_to
 		f->uid = INVALID_UID;
 		f->gid = INVALID_GID;
 
+		/* Support legacy tests for a valid loginuid */
+		if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295U)) {
+			f->type = AUDIT_LOGINUID_SET;
+			f->val = 0;
+		}
+
 		err = -EINVAL;
 		if (f->op == Audit_bad)
 			goto exit_free;
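Review bot: The legacy rewrite at `if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295U))` looks only at type and value, not at f->op. A rule that compares auid against 4294967295 with an ordering operator is therefore also turned into AUDIT_LOGINUID_SET and then rejected by the `f->op != Audit_not_equal && f->op != Audit_equal` check added in the next hunk. If only the equal and not-equal forms are meant to be converted, test f->op here as well; if the rejection is intended, say so in the comment. The literal 4294967295U is repeated in audit_data_to_entry(), so a named constant would keep the two sites in step.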
@@ -352,6 +358,12 @@ static struct audit_entry *audit_rule_to
 		switch(f->type) {
 		default:
 			goto exit_free;
+		case AUDIT_LOGINUID_SET:
+			if ((f->val != 0) && (f->val != 1))
+				goto exit_free;
+			if (f->op != Audit_not_equal && f->op != Audit_equal)
+				goto exit_free;
+			break;
 		case AUDIT_UID:
 		case AUDIT_EUID:
 		case AUDIT_SUID:
@@ -459,7 +471,20 @@ static struct audit_entry *audit_data_to
 		f->gid = INVALID_GID;
 		f->lsm_str = NULL;
 		f->lsm_rule = NULL;
-		switch(f->type) {
+
+		/* Support legacy tests for a valid loginuid */
+		if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295U)) {
+			f->type = AUDIT_LOGINUID_SET;
+			f->val = 0;
+		}
+
+		switch (f->type) {
+		case AUDIT_LOGINUID_SET:
+			if ((f->val != 0) && (f->val != 1))
+				goto exit_free;
+			if (f->op != Audit_not_equal && f->op != Audit_equal)
+				goto exit_free;
+			break;
 		case AUDIT_UID:
 		case AUDIT_EUID:
 		case AUDIT_SUID:
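Review bot: The new `goto exit_free` paths under `case AUDIT_LOGINUID_SET:` depend on err already holding an error code, but unlike audit_rule_to_entry(), where `err = -EINVAL;` is visible just before the switch, no such assignment appears in the context of this hunk; please confirm the value of err at this point in audit_data_to_entry(). The rewrite and the validation block are copied verbatim from audit_rule_to_entry(), so a small shared helper would stop the two from drifting apart. The `switch(f->type)` to `switch (f->type)` whitespace change is unrelated to the fix and makes the backport diff larger than it needs to be.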
@@ -1378,6 +1403,10 @@ static int audit_filter_user_rules(struc
 			result = audit_uid_comparator(audit_get_loginuid(current),
 						  f->op, f->uid);
 			break;
+		case AUDIT_LOGINUID_SET:
+			result = audit_comparator(audit_loginuid_set(current),
+						  f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -742,6 +742,9 @@ static int audit_filter_rules(struct tas
 			if (ctx)
 				result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
 			break;
+		case AUDIT_LOGINUID_SET:
+			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
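Review bot: The new `case AUDIT_LOGINUID_SET:` evaluates unconditionally, whereas the loginuid comparison directly above it only sets result under `if (ctx)`. Because legacy auid rules against 4294967295 are now rewritten to the new type, they are no longer subject to that ctx guard. If that is intended, a short comment explaining why the loginuid-set test does not need ctx would help; otherwise add the same guard.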
@@ -2309,7 +2312,7 @@ int audit_set_loginuid(kuid_t loginuid)
 	unsigned int sessionid;
 
 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
-	if (uid_valid(task->loginuid))
+	if (audit_loginuid_set(task))
 		return -EPERM;
 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
 	if (!capable(CAP_AUDIT_CONTROL))
* [ 102/102] target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2013-05-17 21:36 ` [ 101/102] audit: Make testing for a valid loginuid explicit Greg Kroah-Hartman
@ 2013-05-17 21:36 ` Greg Kroah-Hartman
  2013-05-19 13:00 ` [ 000/102] 3.9.3-stable review Satoru Takeuchi
  102 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 21:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Harney, Andy Grover,
	Nicholas Bellinger
3.9-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Andy Grover <agrover@redhat.com>
commit e3e84cda321703b123f36488f50700f371bc7230 upstream.
We can still see the error reported in
https://patchwork.kernel.org/patch/2338981/
when using fileio backed by a block device.
I'm assuming this will get us past that error (from sbc_parse_cdb),
and also assuming it's OK to have our max_sectors be larger than
the block's queue max hw sectors?
Reported-by: Eric Harney <eharney@redhat.com>
Signed-off-by: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/target_core_file.c |   10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -148,13 +148,8 @@ static int fd_configure_device(struct se
 	 */
 	inode = file->f_mapping->host;
 	if (S_ISBLK(inode->i_mode)) {
-		struct request_queue *q = bdev_get_queue(inode->i_bdev);
 		unsigned long long dev_size;
 
-		dev->dev_attrib.hw_block_size =
-			bdev_logical_block_size(inode->i_bdev);
-		dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q);
-
 		/*
 		 * Determine the number of bytes from i_size_read() minus
 		 * one (1) logical sector from underlying struct block_device
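Review bot: With the bdev_logical_block_size() and queue_max_hw_sectors() assignments removed, a block-device backend is always advertised with FD_BLOCKSIZE and FD_MAX_SECTORS, whatever the underlying device reports. The comment kept just below still describes the size calculation in terms of one logical sector of the underlying struct block_device, so please check that the calculation and the advertised block size still agree when the device's logical block size is not FD_BLOCKSIZE. The changelog itself leaves open whether max_sectors may exceed the queue's max hw sectors; that question should be answered before this goes to stable.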
@@ -173,13 +168,12 @@ static int fd_configure_device(struct se
 				" block_device\n");
 			goto fail;
 		}
-
-		dev->dev_attrib.hw_block_size = FD_BLOCKSIZE;
-		dev->dev_attrib.hw_max_sectors = FD_MAX_SECTORS;
 	}
 
 	fd_dev->fd_block_size = dev->dev_attrib.hw_block_size;
 
+	dev->dev_attrib.hw_block_size = FD_BLOCKSIZE;
+	dev->dev_attrib.hw_max_sectors = FD_MAX_SECTORS;
 	dev->dev_attrib.hw_queue_depth = FD_MAX_DEVICE_QUEUE_DEPTH;
 
 	if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) {
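Review bot: `fd_dev->fd_block_size = dev->dev_attrib.hw_block_size;` now runs before hw_block_size is assigned. Both branches used to set hw_block_size ahead of that line; after this change the two assignments sit below it, so fd_block_size picks up whatever value dev_attrib.hw_block_size held on entry. Move the `hw_block_size = FD_BLOCKSIZE` and `hw_max_sectors = FD_MAX_SECTORS` lines above the fd_block_size assignment.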
* Re: [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-17 21:35 ` [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...) Greg Kroah-Hartman
@ 2013-05-17 22:49   ` Al Viro
  2013-05-17 23:51     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 113+ messages in thread
From: Al Viro @ 2013-05-17 22:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Alexander van Heukelum
On Fri, May 17, 2013 at 02:35:42PM -0700, Greg Kroah-Hartman wrote:
> 3.9-stable review patch.  If anyone has any objections, please let me know.
This is seriously wrong.  For 3.9 you _need_ asmlinkage_protect() in that
thing; by the time when that went into the tree, mainline already had
it generated automatically by SYSCALL_DEFINE, so there was no point in
that part of patch - the switch to SYSCALL_DEFINE alone did the job.
For 3.9 it's very much needed; as a matter of fact, in 3.9 that commit
is a no-op in the form you took.
We can grab all prereqs into 3.9-stable (there's not that much of those),
but that would be much more intrusive than the variant adding explicit
asmlinkage_protect() in those two syscalls.
* Re: [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-17 22:49   ` Al Viro
@ 2013-05-17 23:51     ` Greg Kroah-Hartman
  2013-05-19 12:58       ` Satoru Takeuchi
  2013-05-19 18:37       ` Greg Kroah-Hartman
  0 siblings, 2 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-17 23:51 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-kernel, stable, Alexander van Heukelum
On Fri, May 17, 2013 at 11:49:30PM +0100, Al Viro wrote:
> On Fri, May 17, 2013 at 02:35:42PM -0700, Greg Kroah-Hartman wrote:
> > 3.9-stable review patch.  If anyone has any objections, please let me know.
> 
> This is seriously wrong.  For 3.9 you _need_ asmlinkage_protect() in that
> thing; by the time when that went into the tree, mainline already had
> it generated automatically by SYSCALL_DEFINE, so there was no point in
> that part of patch - the switch to SYSCALL_DEFINE alone did the job.
> For 3.9 it's very much needed; as a matter of fact, in 3.9 that commit
> is a no-op in the form you took.
> 
> We can grab all prereqs into 3.9-stable (there's not that much of those),
> but that would be much more intrusive than the variant adding explicit
> asmlinkage_protect() in those two syscalls.
Ok, Alexander was saying something was off here.
Can someone send me just the needed patch to get this working properly,
and I will be glad to drop this one from the 3.9.x tree.
thanks,
greg k-h
* Re: [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-17 23:51     ` Greg Kroah-Hartman
@ 2013-05-19 12:58       ` Satoru Takeuchi
  2013-05-19 18:37       ` Greg Kroah-Hartman
  1 sibling, 0 replies; 113+ messages in thread
From: Satoru Takeuchi @ 2013-05-19 12:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Al Viro, linux-kernel, stable, Alexander van Heukelum
At Fri, 17 May 2013 16:51:33 -0700,
Greg Kroah-Hartman wrote:
> 
> On Fri, May 17, 2013 at 11:49:30PM +0100, Al Viro wrote:
> > On Fri, May 17, 2013 at 02:35:42PM -0700, Greg Kroah-Hartman wrote:
> > > 3.9-stable review patch.  If anyone has any objections, please let me know.
> > 
> > This is seriously wrong.  For 3.9 you _need_ asmlinkage_protect() in that
> > thing; by the time when that went into the tree, mainline already had
> > it generated automatically by SYSCALL_DEFINE, so there was no point in
> > that part of patch - the switch to SYSCALL_DEFINE alone did the job.
> > For 3.9 it's very much needed; as a matter of fact, in 3.9 that commit
> > is a no-op in the form you took.
> > 
> > We can grab all prereqs into 3.9-stable (there's not that much of those),
> > but that would be much more intrusive than the variant adding explicit
> > asmlinkage_protect() in those two syscalls.
> 
> Ok, Alexander was saying something was off here.
> 
> Can someone send me just the needed patch to get this working properly,
> and I will be glad to drop this one from the 3.9.x tree.
I'll be able to do it tomorrow if one is not available by then.
Satoru
* Re: [ 000/102] 3.9.3-stable review
  2013-05-17 21:35 [ 000/102] 3.9.3-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2013-05-17 21:36 ` [ 102/102] target: Use FD_MAX_SECTORS/FD_BLOCKSIZE for blockdevs using fileio Greg Kroah-Hartman
@ 2013-05-19 13:00 ` Satoru Takeuchi
  2013-05-19 18:38   ` Greg Kroah-Hartman
  102 siblings, 1 reply; 113+ messages in thread
From: Satoru Takeuchi @ 2013-05-19 13:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, torvalds, akpm, stable
At Fri, 17 May 2013 14:35:15 -0700,
Greg Kroah-Hartman wrote:
> 
> This is the start of the stable review cycle for the 3.9.3 release.
> There are 102 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun May 19 21:30:33 UTC 2013.
> Anything received after that time might be too late.
This kernel can be built and booted without any problem.
Building a kernel with this kernel also works fine.
 - Build Machine: debian wheezy x86_64
   CPU: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz x 4
   memory: 8GB
 - Test machine: debian wheezy x86_64(KVM guest on the Build Machine)
   vCPU: x2
   memory: 2GB
[will do tomorrow]
  write fixed patch for [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
Thanks,
Satoru
* Re: [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-17 23:51     ` Greg Kroah-Hartman
  2013-05-19 12:58       ` Satoru Takeuchi
@ 2013-05-19 18:37       ` Greg Kroah-Hartman
  2013-05-20 12:42         ` Satoru Takeuchi
  1 sibling, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-19 18:37 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-kernel, stable, Alexander van Heukelum
On Fri, May 17, 2013 at 04:51:33PM -0700, Greg Kroah-Hartman wrote:
> On Fri, May 17, 2013 at 11:49:30PM +0100, Al Viro wrote:
> > On Fri, May 17, 2013 at 02:35:42PM -0700, Greg Kroah-Hartman wrote:
> > > 3.9-stable review patch.  If anyone has any objections, please let me know.
> > 
> > This is seriously wrong.  For 3.9 you _need_ asmlinkage_protect() in that
> > thing; by the time when that went into the tree, mainline already had
> > it generated automatically by SYSCALL_DEFINE, so there was no point in
> > that part of patch - the switch to SYSCALL_DEFINE alone did the job.
> > For 3.9 it's very much needed; as a matter of fact, in 3.9 that commit
> > is a no-op in the form you took.
> > 
> > We can grab all prereqs into 3.9-stable (there's not that much of those),
> > but that would be much more intrusive than the variant adding explicit
> > asmlinkage_protect() in those two syscalls.
> 
> Ok, Alexander was saying something was off here.
> 
> Can someone send me just the needed patch to get this working properly,
> and I will be glad to drop this one from the 3.9.x tree.
I've now dropped this, and will release without it.
greg k-h
* Re: [ 000/102] 3.9.3-stable review
  2013-05-19 13:00 ` [ 000/102] 3.9.3-stable review Satoru Takeuchi
@ 2013-05-19 18:38   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2013-05-19 18:38 UTC (permalink / raw)
  To: Satoru Takeuchi; +Cc: linux-kernel, torvalds, akpm, stable
On Sun, May 19, 2013 at 10:00:55PM +0900, Satoru Takeuchi wrote:
> At Fri, 17 May 2013 14:35:15 -0700,
> Greg Kroah-Hartman wrote:
> > 
> > This is the start of the stable review cycle for the 3.9.3 release.
> > There are 102 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun May 19 21:30:33 UTC 2013.
> > Anything received after that time might be too late.
> 
> This kernel can be built and booted without any problem.
> Building a kernel with this kernel also works fine.
Thanks for testing.
greg k-h
* Re: [ 027/102] x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
  2013-05-19 18:37       ` Greg Kroah-Hartman
@ 2013-05-20 12:42         ` Satoru Takeuchi
  0 siblings, 0 replies; 113+ messages in thread
From: Satoru Takeuchi @ 2013-05-20 12:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Al Viro, linux-kernel, stable, Alexander van Heukelum
At Sun, 19 May 2013 11:37:27 -0700,
Greg Kroah-Hartman wrote:
> 
> On Fri, May 17, 2013 at 04:51:33PM -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 17, 2013 at 11:49:30PM +0100, Al Viro wrote:
> > > On Fri, May 17, 2013 at 02:35:42PM -0700, Greg Kroah-Hartman wrote:
> > > > 3.9-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > > This is seriously wrong.  For 3.9 you _need_ asmlinkage_protect() in that
> > > thing; by the time when that went into the tree, mainline already had
> > > it generated automatically by SYSCALL_DEFINE, so there was no point in
> > > that part of patch - the switch to SYSCALL_DEFINE alone did the job.
> > > For 3.9 it's very much needed; as a matter of fact, in 3.9 that commit
> > > is a no-op in the form you took.
> > > 
> > > We can grab all prereqs into 3.9-stable (there's not that much of those),
> > > but that would be much more intrusive than the variant adding explicit
> > > asmlinkage_protect() in those two syscalls.
> > 
> > Ok, Alexander was saying something was off here.
> > 
> > Can someone send me just the needed patch to get this working properly,
> > and I will be glad to drop this one from the 3.9.x tree.
> 
> I've now dropped this, and will release without it.
Here is the backported patch. It calls asmlinkage_protect() properly and is
as similar to the upstream patch as possible.
It can be applied to 3.9.3 and can be built successfully.
Satoru
---
From: Satoru Takeuchi <satoru.takeuchi@gmail.com>
Date: Mon, 20 May 2013 21:32:20 +0900
Subject: x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
commit 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada upstream.
Commit 49cb25e9290 x86: 'get rid of pt_regs argument in vm86/vm86old'
got rid of the pt_regs stub for sys_vm86old and sys_vm86. The functions
were, however, not changed to use the calling convention for syscalls.
Reported-and-tested-by: Hans de Bruin <jmdebruin@xmsnet.nl>
Signed-off-by: Alexander van Heukelum <heukelum@fastmail.fm>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/syscalls.h |    4 ++--
 arch/x86/kernel/vm86_32.c       |   11 ++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/syscalls.h b/arch/x86/include/asm/syscalls.h
index 6cf0a9c..5a0be0a 100644
--- a/arch/x86/include/asm/syscalls.h
+++ b/arch/x86/include/asm/syscalls.h
@@ -37,8 +37,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *);
 unsigned long sys_sigreturn(void);
 
 /* kernel/vm86_32.c */
-int sys_vm86old(struct vm86_struct __user *);
-int sys_vm86(unsigned long, unsigned long);
+asmlinkage long sys_vm86old(struct vm86_struct __user *);
+asmlinkage long sys_vm86(unsigned long, unsigned long);
 
 #else /* CONFIG_X86_32 */
 
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index 1cf5766..3dbdd9c 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -33,6 +33,7 @@
 #include <linux/capability.h>
 #include <linux/errno.h>
 #include <linux/interrupt.h>
+#include <linux/syscalls.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
 #include <linux/signal.h>
@@ -48,7 +49,6 @@
 #include <asm/io.h>
 #include <asm/tlbflush.h>
 #include <asm/irq.h>
-#include <asm/syscalls.h>
 
 /*
  * Known problems:
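Review bot: Dropping `#include <asm/syscalls.h>` here removes the only visible include of the header whose sys_vm86old() and sys_vm86() prototypes this same patch changes to `asmlinkage long`. Please confirm that <linux/syscalls.h>, added in the previous hunk, still brings those prototypes into this file on 3.9, so that the SYSCALL_DEFINE definitions are checked against them.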
@@ -202,17 +202,16 @@ out:
 static int do_vm86_irq_handling(int subfunction, int irqnumber);
 static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk);
 
-int sys_vm86old(struct vm86_struct __user *v86)
+SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
 {
 	struct kernel_vm86_struct info; /* declare this _on top_,
 					 * this avoids wasting of stack space.
 					 * This remains on the stack until we
 					 * return to 32 bit user space.
 					 */
-	struct task_struct *tsk;
+	struct task_struct *tsk = current;
 	int tmp, ret = -EPERM;
 
-	tsk = current;
 	if (tsk->thread.saved_sp0)
 		goto out;
 	tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
@@ -227,11 +226,12 @@ int sys_vm86old(struct vm86_struct __user *v86)
 	do_sys_vm86(&info, tsk);
 	ret = 0;	/* we never return here */
 out:
+	asmlinkage_protect(1, ret, v86);
 	return ret;
 }
 
 
-int sys_vm86(unsigned long cmd, unsigned long arg)
+SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
 {
 	struct kernel_vm86_struct info; /* declare this _on top_,
 					 * this avoids wasting of stack space.
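Review bot: The `asmlinkage_protect(1, ret, v86);` line at the out label is the 3.9-specific part Al Viro asked for, and per his reply it is not needed upstream because mainline's SYSCALL_DEFINE generates it. The changelog still reads as a plain copy of commit 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada; add a bracketed backport note stating that explicit asmlinkage_protect() calls were added for 3.9 and why, so the difference from upstream is recorded in the tree.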
@@ -278,6 +278,7 @@ int sys_vm86(unsigned long cmd, unsigned long arg)
 	do_sys_vm86(&info, tsk);
 	ret = 0;	/* we never return here */
 out:
+	asmlinkage_protect(2, ret, cmd, arg);
 	return ret;
 }
 
-- 
1.7.10.4
* Re: [ 072/102] ipv6: do not clear pinet6 field
  2013-05-17 21:36 ` [ 072/102] ipv6: do not clear pinet6 field Greg Kroah-Hartman
@ 2013-05-21 11:44   ` Roman Gushchin
  2013-05-21 21:47     ` Eric Dumazet
  0 siblings, 1 reply; 113+ messages in thread
From: Roman Gushchin @ 2013-05-21 11:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Eric Dumazet, David S. Miller
Hi, all!
I think, it's good, but not enough.
We still can't rely on the sk->sk_family field by dereferencing the 
inet_sk(sk)->pinet6 field, because we can set the sk_family field to
the PF_INET6 value before setting pinet6 to an appropriate value 
(assuming it is NULL just because it was not a PF_INET6 socket in a 
previous life).
net/ipv6/af_inet6.c:
static int inet6_create(struct net *net, struct socket *sock, int 
protocol, int kern)
{
	<...>
	err = -ENOBUFS;
	sk = sk_alloc(net, PF_INET6, GFP_KERNEL, answer_prot);
	if (sk == NULL)
		goto out;
	<...>
	sk->sk_destruct		= inet_sock_destruct;
	sk->sk_family		= PF_INET6;
	sk->sk_protocol		= protocol;
	sk->sk_backlog_rcv	= answer->prot->backlog_rcv;
	inet_sk(sk)->pinet6 = np = inet6_sk_generic(sk);
	<...>
}
net/core/sock.c:
struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
		      struct proto *prot)
{
	struct sock *sk;
	sk = sk_prot_alloc(prot, priority | __GFP_ZERO, family);
	if (sk) {
		sk->sk_family = family;
	<...>
}
So, we need to care about setting sk_family to PF_INET6 _strictly_ after 
setting the pinet6 field to a valid value (using rcu_assign_pointer(), 
for instance).
Regards,
Roman
On 18.05.2013 01:36, Greg Kroah-Hartman wrote:
> 3.9-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
>
> From: Eric Dumazet <edumazet@google.com>
>
> [ Upstream commit f77d602124d865c38705df7fa25c03de9c284ad2 ]
>
> We have seen multiple NULL dereferences in __inet6_lookup_established()
>
> After analysis, I found that inet6_sk() could be NULL while the
> check for sk_family == AF_INET6 was true.
>
> Bug was added in linux-2.6.29 when RCU lookups were introduced in UDP
> and TCP stacks.
>
> Once an IPv6 socket, using SLAB_DESTROY_BY_RCU is inserted in a hash
> table, we no longer can clear pinet6 field.
>
> This patch extends logic used in commit fcbdf09d9652c891
> ("net: fix nulls list corruptions in sk_prot_alloc")
>
> TCP/UDP/UDPLite IPv6 protocols provide their own .clear_sk() method
> to make sure we do not clear pinet6 field.
>
> At socket clone phase, we do not really care, as cloning the parent (non
> NULL) pinet6 is not adding a fatal race.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>   include/net/sock.h  |   12 ++++++++++++
>   net/core/sock.c     |   12 ------------
>   net/ipv6/tcp_ipv6.c |   12 ++++++++++++
>   net/ipv6/udp.c      |   13 ++++++++++++-
>   net/ipv6/udp_impl.h |    2 ++
>   net/ipv6/udplite.c  |    2 +-
>   6 files changed, 39 insertions(+), 14 deletions(-)
>
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -865,6 +865,18 @@ struct inet_hashinfo;
>   struct raw_hashinfo;
>   struct module;
>
> +/*
> + * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
> + * un-modified. Special care is taken when initializing object to zero.
> + */
> +static inline void sk_prot_clear_nulls(struct sock *sk, int size)
> +{
> +	if (offsetof(struct sock, sk_node.next) != 0)
> +		memset(sk, 0, offsetof(struct sock, sk_node.next));
> +	memset(&sk->sk_node.pprev, 0,
> +	       size - offsetof(struct sock, sk_node.pprev));
> +}
> +
>   /* Networking protocol blocks we attach to sockets.
>    * socket layer -> transport layer interface
>    * transport -> network interface is defined by struct inet_proto
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1209,18 +1209,6 @@ static void sock_copy(struct sock *nsk,
>   #endif
>   }
>
> -/*
> - * caches using SLAB_DESTROY_BY_RCU should let .next pointer from nulls nodes
> - * un-modified. Special care is taken when initializing object to zero.
> - */
> -static inline void sk_prot_clear_nulls(struct sock *sk, int size)
> -{
> -	if (offsetof(struct sock, sk_node.next) != 0)
> -		memset(sk, 0, offsetof(struct sock, sk_node.next));
> -	memset(&sk->sk_node.pprev, 0,
> -	       size - offsetof(struct sock, sk_node.pprev));
> -}
> -
>   void sk_prot_clear_portaddr_nulls(struct sock *sk, int size)
>   {
>   	unsigned long nulls1, nulls2;
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1937,6 +1937,17 @@ void tcp6_proc_exit(struct net *net)
>   }
>   #endif
>
> +static void tcp_v6_clear_sk(struct sock *sk, int size)
> +{
> +	struct inet_sock *inet = inet_sk(sk);
> +
> +	/* we do not want to clear pinet6 field, because of RCU lookups */
> +	sk_prot_clear_nulls(sk, offsetof(struct inet_sock, pinet6));
> +
> +	size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
> +	memset(&inet->pinet6 + 1, 0, size);
> +}
> +
>   struct proto tcpv6_prot = {
>   	.name			= "TCPv6",
>   	.owner			= THIS_MODULE,
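Review bot: In tcp_v6_clear_sk() the line `size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);` is computed on a signed int with no lower-bound check, and the result goes straight into memset() as a length. The function also assumes that pinet6 lies beyond the sk_node members that sk_prot_clear_nulls() steps around. Neither assumption is stated; a BUILD_BUG_ON or at least a comment describing the required layout would make a later struct change fail loudly instead of clearing the wrong range.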
> @@ -1980,6 +1991,7 @@ struct proto tcpv6_prot = {
>   #ifdef CONFIG_MEMCG_KMEM
>   	.proto_cgroup		= tcp_proto_cgroup,
>   #endif
> +	.clear_sk		= tcp_v6_clear_sk,
>   };
>
>   static const struct inet6_protocol tcpv6_protocol = {
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1422,6 +1422,17 @@ void udp6_proc_exit(struct net *net) {
>   }
>   #endif /* CONFIG_PROC_FS */
>
> +void udp_v6_clear_sk(struct sock *sk, int size)
> +{
> +	struct inet_sock *inet = inet_sk(sk);
> +
> +	/* we do not want to clear pinet6 field, because of RCU lookups */
> +	sk_prot_clear_portaddr_nulls(sk, offsetof(struct inet_sock, pinet6));
> +
> +	size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
> +	memset(&inet->pinet6 + 1, 0, size);
> +}
> +
>   /* ------------------------------------------------------------------------ */
>
>   struct proto udpv6_prot = {
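Review bot: udp_v6_clear_sk() is a copy of tcp_v6_clear_sk() with only the helper call changed, sk_prot_clear_portaddr_nulls() instead of sk_prot_clear_nulls(). The tail-clearing part (the `size -=` adjustment and the `memset(&inet->pinet6 + 1, 0, size)`) could live in one shared inline so the pinet6 offset arithmetic exists in a single place. The function is also non-static without a comment; a note that it is exported for udplite.c would explain why.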
> @@ -1452,7 +1463,7 @@ struct proto udpv6_prot = {
>   	.compat_setsockopt = compat_udpv6_setsockopt,
>   	.compat_getsockopt = compat_udpv6_getsockopt,
>   #endif
> -	.clear_sk	   = sk_prot_clear_portaddr_nulls,
> +	.clear_sk	   = udp_v6_clear_sk,
>   };
>
>   static struct inet_protosw udpv6_protosw = {
> --- a/net/ipv6/udp_impl.h
> +++ b/net/ipv6/udp_impl.h
> @@ -31,6 +31,8 @@ extern int	udpv6_recvmsg(struct kiocb *i
>   extern int	udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb);
>   extern void	udpv6_destroy_sock(struct sock *sk);
>
> +extern void udp_v6_clear_sk(struct sock *sk, int size);
> +
>   #ifdef CONFIG_PROC_FS
>   extern int	udp6_seq_show(struct seq_file *seq, void *v);
>   #endif
> --- a/net/ipv6/udplite.c
> +++ b/net/ipv6/udplite.c
> @@ -56,7 +56,7 @@ struct proto udplitev6_prot = {
>   	.compat_setsockopt = compat_udpv6_setsockopt,
>   	.compat_getsockopt = compat_udpv6_getsockopt,
>   #endif
> -	.clear_sk	   = sk_prot_clear_portaddr_nulls,
> +	.clear_sk	   = udp_v6_clear_sk,
>   };
>
>   static struct inet_protosw udplite6_protosw = {
>
>
>
* Re: [ 072/102] ipv6: do not clear pinet6 field
  2013-05-21 11:44   ` Roman Gushchin
@ 2013-05-21 21:47     ` Eric Dumazet
  2013-05-22  8:12       ` Roman Gushchin
  0 siblings, 1 reply; 113+ messages in thread
From: Eric Dumazet @ 2013-05-21 21:47 UTC (permalink / raw)
  To: Roman Gushchin
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Eric Dumazet,
	David S. Miller
On Tue, 2013-05-21 at 15:44 +0400, Roman Gushchin wrote:
> Hi, all!
> 
> I think, it's good, but not enough.
> 
> We still can't rely on the sk->sk_family field by dereferencing the 
> inet_sk(sk)->pinet6 field, because we can set the sk_family field to
> the PF_INET6 value before setting pinet6 to an appropriate value 
> (assuming it is NULL just because it was not a PF_INET6 socket in a 
> previous life).
> 
> net/ipv6/af_inet6.c:
> static int inet6_create(struct net *net, struct socket *sock, int 
> protocol, int kern)
> {
> 	<...>
> 	err = -ENOBUFS;
> 	sk = sk_alloc(net, PF_INET6, GFP_KERNEL, answer_prot);
> 	if (sk == NULL)
> 		goto out;
> 	<...>
> 	sk->sk_destruct		= inet_sock_destruct;
> 	sk->sk_family		= PF_INET6;
> 	sk->sk_protocol		= protocol;
> 
> 	sk->sk_backlog_rcv	= answer->prot->backlog_rcv;
> 
> 	inet_sk(sk)->pinet6 = np = inet6_sk_generic(sk);
> 	<...>
> }
> 
> net/core/sock.c:
> struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
> 		      struct proto *prot)
> {
> 	struct sock *sk;
> 
> 	sk = sk_prot_alloc(prot, priority | __GFP_ZERO, family);
> 	if (sk) {
> 		sk->sk_family = family;
> 	<...>
> }
> 
> 
> So, we need to care about setting sk_family to PF_INET6 _strictly_ after 
> setting the pinet6 field to a valid value (using rcu_assign_pointer(), 
> for instance).
This can never happen.
A socket cannot be found in a hash chain while pinet6 is not set.
For a given socket pointer sk (say TCP or UDP), pinet6 is a constant and
cannot change. (This is a property of SLAB_DESTROY_BY_RCU : slab cannot
be merged, so all objects are of the same type)
So the order of writing sk_family / pinet6 is irrelevant.
Before inserting socket into tcp/udp hash table, all memory writes will
have been committed.
The only concern is when a socket is deleted/reused, and my patch addresses
the problem.
Thanks
^ permalink raw reply	[flat|nested] 113+ messages in thread
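Added example, not part of Eric Dumazet's message or of the kernel patch: a single-threaded userspace C model of the delete/reuse case discussed above, showing why a per-slot constant pinet6 that survives reuse makes the sk_family / pinet6 write order irrelevant to a reader holding a stale pointer. The `toy_*` names, `stale_reader_hits_null()`, `reuse_window_is_unsafe()` and the `keep_pinet6` switch are hypothetical, and the reader interleaving is simulated by call order, not by real threads or RCU.

```c
#include <stddef.h>
#include <string.h>
#define PF_INET6 10   /* Linux value, defined locally for the model */
struct ipv6_pinfo { int hop_limit; };

/* Toy object from a type-stable cache: every slot has this one layout,
 * so the IPv6 area sits at the same offset for the slot's whole life. */
struct toy_sock {
	int family;
	struct ipv6_pinfo *pinet6;
	struct ipv6_pinfo inet6;
};

/* Free path: keep_pinet6 == 0 wipes the whole slot, 1 preserves the pointer. */
static void toy_release(struct toy_sock *sk, int keep_pinet6)
{
	struct ipv6_pinfo *saved = sk->pinet6;
	memset(sk, 0, sizeof(*sk));
	if (keep_pinet6)
		sk->pinet6 = saved;
}

/* Create path split in two so a reader can run between the writes:
 * family first, pinet6 later, the order in the quoted inet6_create(). */
static void toy_set_family(struct toy_sock *sk) { sk->family = PF_INET6; }
static void toy_set_pinet6(struct toy_sock *sk) { sk->pinet6 = &sk->inet6; }

/* Reader still holding the slot from its previous life: 1 = NULL deref. */
static int stale_reader_hits_null(const struct toy_sock *sk)
{
	return sk->family == PF_INET6 && sk->pinet6 == NULL;
}

/* One delete/reuse cycle; returns 1 if the stale reader saw a bad state. */
static int reuse_window_is_unsafe(int keep_pinet6)
{
	struct toy_sock slot = {0};
	struct ipv6_pinfo *first_life;
	int unsafe;
	toy_set_family(&slot);
	toy_set_pinet6(&slot);			/* first life, fully set up */
	first_life = slot.pinet6;
	toy_release(&slot, keep_pinet6);	/* socket deleted, slot reused */
	toy_set_family(&slot);
	unsafe = stale_reader_hits_null(&slot);	/* reader runs mid-create */
	toy_set_pinet6(&slot);
	return unsafe || slot.pinet6 != first_life; /* same address both lives */
}
int main(void) { return !(reuse_window_is_unsafe(0) && !reuse_window_is_unsafe(1)); }
```
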
* Re: [ 072/102] ipv6: do not clear pinet6 field
  2013-05-21 21:47     ` Eric Dumazet
@ 2013-05-22  8:12       ` Roman Gushchin
  0 siblings, 0 replies; 113+ messages in thread
From: Roman Gushchin @ 2013-05-22  8:12 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Eric Dumazet,
	David S. Miller
On 22.05.2013 01:47, Eric Dumazet wrote:
> On Tue, 2013-05-21 at 15:44 +0400, Roman Gushchin wrote:
>> Hi, all!
>>
>> I think, it's good, but not enough.
>>
>> We still can't rely on the sk->sk_family field by dereferencing the
>> inet_sk(sk)->pinet6 field, because we can set the sk_family field to
>> the PF_INET6 value before setting pinet6 to an appropriate value
>> (assuming it is NULL just because it was not a PF_INET6 socket in a
>> previous life).
>>
>> net/ipv6/af_inet6.c:
>> static int inet6_create(struct net *net, struct socket *sock, int
>> protocol, int kern)
>> {
>> 	<...>
>> 	err = -ENOBUFS;
>> 	sk = sk_alloc(net, PF_INET6, GFP_KERNEL, answer_prot);
>> 	if (sk == NULL)
>> 		goto out;
>> 	<...>
>> 	sk->sk_destruct		= inet_sock_destruct;
>> 	sk->sk_family		= PF_INET6;
>> 	sk->sk_protocol		= protocol;
>>
>> 	sk->sk_backlog_rcv	= answer->prot->backlog_rcv;
>>
>> 	inet_sk(sk)->pinet6 = np = inet6_sk_generic(sk);
>> 	<...>
>> }
>>
>> net/core/sock.c:
>> struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
>> 		      struct proto *prot)
>> {
>> 	struct sock *sk;
>>
>> 	sk = sk_prot_alloc(prot, priority | __GFP_ZERO, family);
>> 	if (sk) {
>> 		sk->sk_family = family;
>> 	<...>
>> }
>>
>>
>> So, we need to care about setting sk_family to PF_INET6 _strictly_ after
>> setting the pinet6 field to a valid value (using rcu_assign_pointer(),
>> for instance).
>
> This can never happen.
>
> A socket cannot be found in a hash chain while pinet6 is not set.
>
> For a given socket pointer sk (say TCP or UDP), pinet6 is a constant and
> cannot change. (This is a property of SLAB_DESTROY_BY_RCU : slab cannot
> be merged, so all objects are of the same type)
I missed that.
>
> So the order of writing sk_family / pinet6 is irrelevant.
Agree.
Thank you for the clarification!
Regards,
Roman
^ permalink raw reply	[flat|nested] 113+ messages in thread