10 Dec, 2011

40 commits

  • commit 87121ca504fd1d963a66b3fb0c72054b0fd9a177 upstream.

    Oprofile may crash in a KVM guest while unloading modules. This
    happens if oprofile_arch_init() fails and oprofile switches to the hr
    timer mode as a fallback. In this case oprofile_arch_exit() is called,
    but it never was initialized properly which causes the crash. This
    patch fixes this.

    oprofile: using timer interrupt.
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [] unregister_syscore_ops+0x41/0x58
    PGD 41da3f067 PUD 41d80e067 PMD 0
    Oops: 0002 [#1] PREEMPT SMP
    CPU 5
    Modules linked in: oprofile(-)

    Pid: 2382, comm: modprobe Not tainted 3.1.0-rc7-00018-g709a39d #18 Advanced Micro Device Anaheim/Anaheim
    RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58
    Call Trace:
    [] op_nmi_exit+0x15/0x17 [oprofile]
    [] oprofile_arch_exit+0xe/0x10 [oprofile]
    [] oprofile_exit+0x13/0x15 [oprofile]
    [] sys_delete_module+0x1c3/0x22f
    [] ? trace_hardirqs_on_thunk+0x3a/0x3f
    [] system_call_fastpath+0x16/0x1b
    RIP [] unregister_syscore_ops+0x41/0x58
    CR2: 0000000000000008
    ---[ end trace 06d4e95b6aa3b437 ]---

    Signed-off-by: Robert Richter
    Signed-off-by: Greg Kroah-Hartman

    Robert Richter
     
  • commit bbbf7af4bf8fc69bc751818cf30521080fa47dcb upstream.

    If cpu A calls jump_label_inc() just after atomic_add_return() is
    called by cpu B, atomic_inc_not_zero() will return value greater than
    zero and jump_label_inc() will return to a caller before jump_label_update()
    finishes its job on cpu B.

    Link: http://lkml.kernel.org/r/20111018175551.GH17571@redhat.com

    Cc: Peter Zijlstra
    Acked-by: Jason Baron
    Signed-off-by: Gleb Natapov
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Gleb Natapov
     
  • commit d06c27b22aa66e48e32f03f9387328a9af9b0625 upstream.

    An update is made to the sched:sched_switch event that adds some
    logic to the first parameter of the __print_flags() that shows the
    state of tasks. This change causes perf to fail parsing the flags.

    A simple fix is needed to have the parser be able to process ops
    within the argument.

    Reported-by: Andrew Vagin
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt
     
  • commit c1be84309c58b1e7c6d626e28fba41a22b364c3d upstream.

    When a better rated broadcast device is installed, then the current
    active device is not disabled, which results in two running broadcast
    devices.

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     
  • commit cb59974742aea24adf6637eb0c4b8e7b48bca6fb upstream.

    Fix a bug introduced by e9dbfae5, which prevents event_subsystem from
    ever being released.

    Ref_count was added to keep track of subsystem users, not for counting
    events. Subsystem is created with ref_count = 1, so there is no need to
    increment it for every event, we have nr_events for that. Fix this by
    touching ref_count only when we actually have a new user -
    subsystem_open().

    Signed-off-by: Ilya Dryomov
    Link: http://lkml.kernel.org/r/1320052062-7846-1-git-send-email-idryomov@gmail.com
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Ilya Dryomov
     
  • commit 6a8943d9ec2567572fca25cf69ad45844d0141a3 upstream.

    The current code checks if abs(delta_delta.tv_sec) is greater or
    equal to two before it discards the old delta value, but this can
    trigger at close to -1 seconds since -1.000000001 seconds is stored
    as tv_sec -2 and tv_nsec 999999999 in a normalized timespec.

    rtc_resume had an early return check if the rtc value had not changed
    since rtc_suspend. This effectively stops time for the duration of the
    short sleep. Check if sleep_time is positive after all the adjustments
    have been applied instead since this allows the old_system adjustment
    in rtc_suspend to have an effect even for short sleep cycles.

    Signed-off-by: Arve Hjønnevåg
    Signed-off-by: John Stultz
    Signed-off-by: Greg Kroah-Hartman

    Arve Hjønnevåg
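
The normalized-timespec pitfall from the commit above, as an added example in user-space C (not code from the patch). `struct ts` and the function names are hypothetical; the whole-delta check is shown only for contrast with the tv_sec-only check.

```c
#include <stdio.h>
#include <stdlib.h>

#define NSEC_PER_SEC 1000000000LL

/* Hypothetical stand-in for a normalized timespec: 0 <= tv_nsec < 1e9. */
struct ts {
	long long tv_sec;
	long long tv_nsec;
};

/* Normalize a signed nanosecond count. C division truncates toward zero,
 * so a negative remainder is folded into tv_sec to keep tv_nsec >= 0. */
static struct ts ts_from_ns(long long ns)
{
	struct ts t;
	long long rem = ns % NSEC_PER_SEC;

	t.tv_sec = ns / NSEC_PER_SEC;
	if (rem < 0) {
		rem += NSEC_PER_SEC;
		t.tv_sec -= 1;
	}
	t.tv_nsec = rem;
	return t;
}

static long long ts_to_ns(struct ts t)
{
	return t.tv_sec * NSEC_PER_SEC + t.tv_nsec;
}

/* The check the commit message describes: looks at tv_sec alone. */
static int exceeds_two_sec_by_tv_sec(struct ts delta)
{
	return llabs(delta.tv_sec) >= 2;
}

/* Contrast only (assumption, not the patch): compare the whole delta. */
static int exceeds_two_sec_by_total(struct ts delta)
{
	return llabs(ts_to_ns(delta)) >= 2 * NSEC_PER_SEC;
}

int main(void)
{
	/* Constructed sample deltas, in nanoseconds. */
	long long samples[] = { -1000000001LL, 1000000001LL, -2000000000LL };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct ts d = ts_from_ns(samples[i]);

		printf("%lld ns -> tv_sec=%lld tv_nsec=%lld by_tv_sec=%d by_total=%d\n",
		       samples[i], d.tv_sec, d.tv_nsec,
		       exceeds_two_sec_by_tv_sec(d),
		       exceeds_two_sec_by_total(d));
	}
	return 0;
}
```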
     
  • commit c0afabd3d553c521e003779c127143ffde55a16f upstream.

    Currently, the RTC code does not disable the alarm in the hardware.

    This means that after a sequence such as the one below (the files are in the
    RTC sysfs), the box will boot up after 2 minutes even though we've
    asked for the alarm to be turned off.

    # echo $((`cat since_epoch`)+120) > wakealarm
    # echo 0 > wakealarm
    # poweroff

    Fix this by disabling the alarm when there are no timers to run.

    Cc: John Stultz
    Signed-off-by: Rabin Vincent
    Signed-off-by: John Stultz
    Signed-off-by: Greg Kroah-Hartman

    Rabin Vincent
     
  • commit d3d9acf646679c1981032b0985b386d12fccc60c upstream.

    ftrace_event_call->filter is sched RCU protected but didn't use
    rcu_assign_pointer(). Use it.

    TODO: Add proper __rcu annotation to call->filter and all its users.

    -v2: Use RCU_INIT_POINTER() for %NULL clearing as suggested by Eric.

    Link: http://lkml.kernel.org/r/20111123164949.GA29639@google.com

    Cc: Eric Dumazet
    Cc: Frederic Weisbecker
    Cc: Jiri Olsa
    Signed-off-by: Tejun Heo
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Tejun Heo
     
  • commit c7c6ec8becaf742b223c7b491f4893014be23a07 upstream.

    A forced undef of a config value was used for testing and was
    accidentally left in during the final commit. This causes x86 to
    run slower than needed while running function tracing as well
    as causes the function graph selftest to fail when DYNAMIC_FTRACE
    is not set. This is because the code in MCOUNT expects the ftrace
    code to be processed with the config value set that happened to
    be forced not set.

    The forced config option was left in by:
    commit 6331c28c962561aee59e5a493b7556a4bb585957
    ftrace: Fix dynamic selftest failure on some archs

    Link: http://lkml.kernel.org/r/20111102150255.GA6973@debian

    Reported-by: Rabin Vincent
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt
     
  • commit 274b89ca3b006926cb9b45d78ab5906f4c0fc0aa upstream.

    Group keys in IBSS or AP mode are not programmed
    into the device since we give the key to it with
    every TX packet. However, we do need mac80211 to
    create the MMIC & PN in all cases. Move the code
    around to set the key flags all the time. We set
    them even when the key is removed again but that
    is obviously harmless.

    Reported-by: Reinette Chatre
    Signed-off-by: Johannes Berg
    Signed-off-by: Wey-Yi Guy
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Johannes Berg
     
  • commit 34a5b4b6af104cf18eb50748509528b9bdbc4036 upstream.

    The ht40 setting should not change after association unless channel switch

    This fixes a problem we are seeing which causes a uCode assert because the
    driver is sending invalid information and confusing the uCode

    Here is the firmware assert message:
    kernel: iwlagn 0000:03:00.0: Microcode SW error detected. Restarting 0x82000000.
    kernel: iwlagn 0000:03:00.0: Loaded firmware version: 17.168.5.3 build 42301
    kernel: iwlagn 0000:03:00.0: Start IWL Error Log Dump:
    kernel: iwlagn 0000:03:00.0: Status: 0x000512E4, count: 6
    kernel: iwlagn 0000:03:00.0: 0x00002078 | ADVANCED_SYSASSERT
    kernel: iwlagn 0000:03:00.0: Start IWL Event Log Dump: display last 20 entries
    kernel: ------------[ cut here ]------------
    WARNING: at net/mac80211/util.c:1208 ieee80211_reconfig+0x1f1/0x407()
    kernel: Hardware name: 4290W4H
    kernel: Pid: 1896, comm: kworker/0:0 Not tainted 3.1.0 #2
    kernel: Call Trace:
    kernel: [] ? warn_slowpath_common+0x73/0x87
    kernel: [] ? ieee80211_reconfig+0x1f1/0x407
    kernel: [] ? ieee80211_recalc_smps_work+0x32/0x32
    kernel: [] ? ieee80211_restart_work+0x7e/0x87
    kernel: [] ? process_one_work+0x1c8/0x2e3
    kernel: [] ? worker_thread+0x17a/0x23a
    kernel: [] ? manage_workers.clone.18+0x15b/0x15b
    kernel: [] ? manage_workers.clone.18+0x15b/0x15b
    kernel: [] ? kthread+0x7a/0x82
    kernel: [] ? kernel_thread_helper+0x4/0x10
    kernel: [] ? kthread_flush_work_fn+0x11/0x11
    kernel: [] ? gs_change+0xb/0xb

    Reported-by: Udo Steinberg
    Signed-off-by: Wey-Yi Guy
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Wey-Yi Guy
     
  • commit 52cef189165d74a5d6030184a8e05595194c69ca upstream.

    Commit 30765b92 ("slab, lockdep: Annotate the locks before using
    them") moves the init_lock_keys() call from after g_cpucache_up =
    FULL, to before it. And overlooks the fact that init_node_lock_keys()
    tests for it and ignores everything !FULL.

    Introduce a LATE stage and change the lockdep test to be
    Cc: Pekka Enberg
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Peter Zijlstra
     
  • commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream.

    In irq_wait_for_interrupt(), the should_stop member is verified before
    setting the task's state to TASK_INTERRUPTIBLE and calling schedule().
    In case kthread_stop sets should_stop and wakes up the process after
    should_stop is checked by the irq thread but before the task's state
    is changed, the irq thread might never exit:

    kthread_stop                            irq_wait_for_interrupt
    ------------                            ----------------------

                                            ...
    ...                                     while (!kthread_should_stop()) {
    kthread->should_stop = 1;
    wake_up_process(k);
    wait_for_completion(&kthread->exited);
    ...
                                            set_current_state(TASK_INTERRUPTIBLE);

                                            ...

                                            schedule();
                                            }

    Fix this by checking if the thread should stop after modifying the
    task's state.

    [ tglx: Simplified it a bit ]

    Signed-off-by: Ido Yariv
    Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Ido Yariv
     
  • commit 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 upstream.

    Johannes' patch for "cfg80211: fix regulatory NULL dereference"
    broke user regulatory hints and it did not address the fact that
    last_request was left populated even if the previous regulatory
    hint was stale due to the wiphy disappearing.

    Fix user regulatory hints by only bailing out for those
    regulatory hints where a request_wiphy is expected. The stale last_request
    considerations are addressed through the previous fixes on last_request
    where we reset the last_request to a static world regdom request upon
    reset_regdomains(). In this case though we further enhance the effect
    by simply restoring regulatory settings completely.

    Cc: Johannes Berg
    Signed-off-by: Luis R. Rodriguez
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Luis R. Rodriguez
     
  • commit a042994dd377d86bff9446ee76151ceb6267c9ba upstream.

    There is a theoretical race that if hit will trigger
    a crash. The race is between when we issue the first
    regulatory hint, regulatory_hint_core(), gets processed
    by the workqueue and between when the first device
    gets registered to the wireless core. This is not easy
    to reproduce but it was easy to do so through the
    regulatory simulator I have been working on. This
    is a port of the fix I implemented there [1].

    [1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8

    Cc: Johannes Berg
    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Luis R. Rodriguez
     
  • Upstream commit d305a6557b2c4dca0110f05ffe745b1ef94adb80.

    If an addBA response comes in just after addba_resp_timer has
    expired mac80211 will still accept it and try to open the
    aggregation session. This causes drivers to be confused and
    in some cases even crash.

    This patch fixes the race condition and makes sure that if
    addba_resp_timer has expired addBA response is no longer
    accepted and we do not try to open half-closed session.

    Signed-off-by: Nikolay Martynov
    [some adjustments]
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Nikolay Martynov
     
  • commit c72e8d335e2c6a309b6281f2abcf491f37b8b92b upstream.

    The rates bitmap for internal scan requests should be filled,
    otherwise there will be probe requests with zero rates supported.

    Signed-off-by: Simon Wunderlich
    Signed-off-by: Mathias Kretschmer
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    Simon Wunderlich
     
  • commit b934069c991355d27a053a932591c77960f4e414 upstream.

    The last breaking event address is a read-only value, the regset misses the
    .set function. If a PTRACE_SETREGSET is done for NT_S390_LAST_BREAK we
    get an oops due to a branch to zero:

    Kernel BUG at 0000000000000002 verbose debug info unavailable
    illegal operation: 0001 #1 SMP
    ...
    Call Trace:
    ( ptrace_regset+0x184/0x188)
    ptrace_request+0x37a/0x4fc
    arch_ptrace+0x108/0x1fc
    SyS_ptrace+0xaa/0x12c
    sysc_noemu+0x16/0x1c
    0x3fffd5ec10c
    Last Breaking-Event-Address:
    ptrace_regset+0x132/0x188

    Add a nop .set function to prevent the branch to zero.

    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Greg Kroah-Hartman

    Martin Schwidefsky
     
  • commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream.

    If oprofile uses the nmi timer interrupt there is a crash while
    unloading the module. The bug can be triggered with oprofile built as a
    module and kernel parameter nolapic set. This patch fixes this.

    oprofile: using NMI timer interrupt.
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [] unregister_syscore_ops+0x41/0x58
    PGD 42dbca067 PUD 41da6a067 PMD 0
    Oops: 0002 [#1] PREEMPT SMP
    CPU 5
    Modules linked in: oprofile(-) [last unloaded: oprofile]

    Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim
    RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58
    Call Trace:
    [] op_nmi_exit+0x15/0x17 [oprofile]
    [] oprofile_arch_exit+0xe/0x10 [oprofile]
    [] oprofile_exit+0x1e/0x20 [oprofile]
    [] sys_delete_module+0x1c3/0x22f
    [] ? trace_hardirqs_on_thunk+0x3a/0x3f
    [] system_call_fastpath+0x16/0x1b
    RIP [] unregister_syscore_ops+0x41/0x58
    CR2: 0000000000000008
    ---[ end trace 43a541a52956b7b0 ]---

    Signed-off-by: Robert Richter
    Signed-off-by: Greg Kroah-Hartman

    Robert Richter
     
  • commit 57d1c0c03c6b48b2b96870d831b9ce6b917f53ac upstream.

    Masami spotted that we always try to decode the instruction stream as
    64bit instructions when running a 64bit kernel, this doesn't work for
    ia32-compat proglets.

    Use TIF_IA32 to detect if we need to use the 32bit instruction
    decoder.

    Reported-by: Masami Hiramatsu
    Signed-off-by: Peter Zijlstra
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Peter Zijlstra
     
  • commit 2cd1c8d4dc7ecca9e9431e2dabe41ae9c7d89e51 upstream.

    Fix an outstanding issue that has been reported since 2.6.37.
    Under a heavily loaded machine processing "fork()" calls could
    crash with:

    BUG: unable to handle kernel paging request at f573fc8c
    IP: [] swap_count_continued+0x104/0x180
    *pdpt = 000000002a3b9027 *pde = 0000000001bed067 *pte = 0000000000000000
    Oops: 0000 [#1] SMP
    Modules linked in:
    Pid: 1638, comm: apache2 Not tainted 3.0.4-linode37 #1
    EIP: 0061:[] EFLAGS: 00210246 CPU: 3
    EIP is at swap_count_continued+0x104/0x180
    .. snip..
    Call Trace:
    [] ? __swap_duplicate+0xc2/0x160
    [] ? pte_mfn_to_pfn+0x87/0xe0
    [] ? swap_duplicate+0x14/0x40
    [] ? copy_pte_range+0x45b/0x500
    [] ? copy_page_range+0x195/0x200
    [] ? dup_mmap+0x1c6/0x2c0
    [] ? dup_mm+0xa8/0x130
    [] ? copy_process+0x98a/0xb30
    [] ? do_fork+0x4f/0x280
    [] ? getnstimeofday+0x43/0x100
    [] ? sys_clone+0x30/0x40
    [] ? ptregs_clone+0x15/0x48
    [] ? syscall_call+0x7/0xb

    The problem is that in copy_page_range() we turn lazy mode on,
    and then in swap_entry_free() we call swap_count_continued()
    which ends up in:

    map = kmap_atomic(page, KM_USER0) + offset;

    and then later we touch *map.

    Since we are running in batched mode (lazy) we don't actually
    set up the PTE mappings and the kmap_atomic is not done
    synchronously and ends up trying to dereference a page that has
    not been set.

    Looking at kmap_atomic_prot_pfn(), it uses
    'arch_flush_lazy_mmu_mode' and doing the same in
    kmap_atomic_prot() and __kunmap_atomic() makes the problem go
    away.

    Interestingly, commit b8bcfe997e4615 ("x86/paravirt: remove lazy
    mode in interrupts") removed part of this to fix an interrupt
    issue - but it went too far and did not consider this scenario.

    Signed-off-by: Konrad Rzeszutek Wilk
    Cc: Peter Zijlstra
    Cc: Jeremy Fitzhardinge
    Signed-off-by: Andrew Morton
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Konrad Rzeszutek Wilk
     
  • commit 1ef03890969932e9359b9a4c658f7f87771910ac upstream.

    Looks like on some Acer Aspire 1s with older bioses, reboot via bios
    fails. It works on my machine, (with BIOS version 0.3310) but
    not on some others (BIOS version 0.3309).

    There's a log of problems at:

    https://bbs.archlinux.org/viewtopic.php?id=124136

    This patch adds a different callback to the reboot quirk table,
    to allow rebooting via keyboard controller.

    Reported-by: Uroš Vampl
    Tested-by: Vasily Khoruzhick
    Signed-off-by: Peter Chubb
    Cc: Don Zickus
    Cc: Peter Zijlstra
    Link: http://lkml.kernel.org/r/1323093233-9481-1-git-send-email-anarsoul@gmail.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Peter Chubb
     
  • commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream.

    In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit
    and 64-bit versions of MP_bus_info were rearranged to match each
    other better. Unfortunately it introduced a regression: prior
    to that change we used to always set the mp_bus_not_pci bit,
    then clear it if we found a PCI bus. After it, we set
    mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave
    it alone otherwise.

    In the cases of ISA and PCI, there's not much difference. But
    ISA is not the only non-PCI bus, so it's better to always set
    mp_bus_not_pci and clear it only for PCI.

    Without this change, Dan's Dell PowerEdge 4200 panics on boot
    with a log indicating interrupt routing trouble unless the
    "noapic" option is supplied. With this change, the machine
    boots reliably without "noapic".

    Fixes http://bugs.debian.org/586494

    Reported-bisected-and-tested-by: Dan McGrath
    Signed-off-by: Bjorn Helgaas
    Cc: Dan McGrath
    Cc: Alexey Starikovskiy
    [jrnieder@gmail.com: clarified commit message]
    Signed-off-by: Jonathan Nieder
    Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Bjorn Helgaas
     
  • commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream.

    (Added the missing signed-off-by line)

    In hundreds of days, the __cycles_2_ns calculation in sched_clock
    has an overflow. cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing
    the final value to become zero. We can solve this without losing
    any precision.

    We can decompose TSC into quotient and remainder of division by the
    scale factor, and then use this to convert TSC into nanoseconds.

    Signed-off-by: Salman Qazi
    Acked-by: John Stultz
    Reviewed-by: Paul Turner
    Signed-off-by: Peter Zijlstra
    Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Salman Qazi
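
The overflow and the quotient/remainder decomposition from the commit above, as an added example in user-space C; it is not the kernel patch. The shift of 10, the 3 GHz TSC and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed-point shift: scale = (ns per cycle) * 2^SCALE_SHIFT. */
#define SCALE_SHIFT 10

/* Scale factor for a TSC running at `khz` kHz (hypothetical helper). */
static uint64_t cyc2ns_scale(uint64_t khz)
{
	return (1000000ULL << SCALE_SHIFT) / khz;
}

/* Single multiply: the 64-bit product wraps once cyc * scale >= 2^64. */
static uint64_t cycles_2_ns_naive(uint64_t cyc, uint64_t scale)
{
	return (cyc * scale) >> SCALE_SHIFT;
}

/* Decomposed form: cyc = quot * 2^SCALE_SHIFT + rem, so
 * floor(cyc * scale / 2^SCALE_SHIFT)
 *     = quot * scale + floor(rem * scale / 2^SCALE_SHIFT).
 * Neither partial product comes near 64 bits for realistic inputs. */
static uint64_t cycles_2_ns_split(uint64_t cyc, uint64_t scale)
{
	uint64_t quot = cyc >> SCALE_SHIFT;
	uint64_t rem = cyc & ((1ULL << SCALE_SHIFT) - 1);

	return quot * scale + ((rem * scale) >> SCALE_SHIFT);
}

/* Smallest cycle count at which the naive product no longer fits. */
static uint64_t naive_wrap_threshold(uint64_t scale)
{
	return UINT64_MAX / scale + 1;
}

/* Whole days of uptime before the naive form wraps at `khz` kHz. */
static uint64_t wrap_days(uint64_t khz)
{
	uint64_t cycles_per_sec = khz * 1000;

	return naive_wrap_threshold(cyc2ns_scale(khz)) / cycles_per_sec / 86400;
}

int main(void)
{
	uint64_t khz = 3000000;		/* constructed sample: 3 GHz TSC */
	uint64_t scale = cyc2ns_scale(khz);
	uint64_t limit = naive_wrap_threshold(scale);

	printf("scale=%llu, naive form wraps after about %llu days\n",
	       (unsigned long long)scale,
	       (unsigned long long)wrap_days(khz));
	printf("just below: naive=%llu split=%llu\n",
	       (unsigned long long)cycles_2_ns_naive(limit - 1, scale),
	       (unsigned long long)cycles_2_ns_split(limit - 1, scale));
	printf("at limit:   naive=%llu split=%llu\n",
	       (unsigned long long)cycles_2_ns_naive(limit, scale),
	       (unsigned long long)cycles_2_ns_split(limit, scale));
	return 0;
}
```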
     
  • commit 158886cd2cf4599e04f9b7e10cb767f5f39b14f1 upstream.

    When system enters suspend, xHCI driver clears command ring by writing zero
    to all the TRBs. However, this also writes zero to the Link TRB, and the ring
    is mangled. This may cause the driver to access a wrong memory address, and
    the result is unpredictable.

    When clearing the command ring, keep the last Link TRB intact, only clear its
    cycle bit. This should fix the "command ring full" issue reported by Oliver
    Neukum.

    This should be backported to stable kernels as old as 2.6.37, since the
    commit 89821320 "xhci: Fix command ring replay after resume" is merged.

    Signed-off-by: Andiry Xu
    Signed-off-by: Sarah Sharp
    Reported-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman

    Andiry Xu
     
  • commit e3420901eba65b1c46bed86d360e3a8685d20734 upstream.

    Fix a regression that was introduced by commit
    811c926c538f7e8d3c08b630dd5844efd7e000f6 (USB: EHCI: fix HUB TT scheduling
    issue with iso transfer).

    We detect an error if next == start, but this means uframe 0 can't be allocated
    anymore for iso transfer...

    Reported-by: Sander Eikelenboom
    Signed-off-by: Matthieu CASTET
    Acked-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

    Matthieu CASTET
     
  • commit 811c926c538f7e8d3c08b630dd5844efd7e000f6 upstream.

    The current TT scheduling doesn't allow to play and then record on a
    full-speed device connected to a high speed hub.

    The IN iso stream can only start on the first uframe (0-2 for a 165 us)
    because of CSPLIT transactions.
    For the OUT iso stream there is no such restriction. uframe 0-5 are possible.

    The idea of this patch is that the first uframes are precious (for IN TT iso
    stream) and we should allocate the last uframes first if possible.

    For that we reverse the order of uframe allocation (last uframe first).

    Here is an example:

    hid interrupt stream
    ----------------------------------------------------------------------
    uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
    ----------------------------------------------------------------------
    max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 |
    ----------------------------------------------------------------------
    used usecs on a frame | 13 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
    ----------------------------------------------------------------------

    iso OUT stream
    ----------------------------------------------------------------------
    uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
    ----------------------------------------------------------------------
    max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 |
    ----------------------------------------------------------------------
    used usecs on a frame | 13 | 125 | 39 | 0 | 0 | 0 | 0 | 0 |
    ----------------------------------------------------------------------

    There is no place for iso IN stream (uframe 0-2 are used) and we got "cannot
    submit datapipe for urb 0, error -28: not enough bandwidth" error.

    With the patch this becomes:

    iso OUT stream
    ----------------------------------------------------------------------
    uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
    ----------------------------------------------------------------------
    max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 |
    ----------------------------------------------------------------------
    used usecs on a frame | 13 | 0 | 0 | 0 | 125 | 39 | 0 | 0 |
    ----------------------------------------------------------------------

    iso IN stream
    ----------------------------------------------------------------------
    uframe | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
    ----------------------------------------------------------------------
    max_tt_usecs | 125 | 125 | 125 | 125 | 125 | 125 | 30 | 0 |
    ----------------------------------------------------------------------
    used usecs on a frame | 13 | 0 | 125 | 40 | 125 | 39 | 0 | 0 |
    ----------------------------------------------------------------------

    Signed-off-by: Matthieu Castet
    Signed-off-by: Thomas Poussevin
    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

    Thomas Poussevin
     
  • commit 580da35a31f91a594f3090b7a2c39b85cb051a12 upstream.

    Commit f2c31e32b37 ("net: fix NULL dereferences in check_peer_redir()")
    forgot to take care of infiniband uses of dst neighbours.

    Many thanks to Marc Aurele who provided a nice bug report and feedback.

    Reported-by: Marc Aurele La France
    Signed-off-by: Eric Dumazet
    Cc: David Miller
    Signed-off-by: Roland Dreier

    Eric Dumazet
     
  • commit cec28a5428793b6bc64e56687fb239759d6da74e upstream.

    Kingston DT 101 G2 replies with a wrong tag while transporting, add an
    unusual_devs entry to ignore the tag validation.

    Signed-off-by: Qinglin Ye
    Signed-off-by: Greg Kroah-Hartman

    Qinglin Ye
     
  • commit ec0cd94d881ca89cc9fb61d00d0f4b2b52e605b3 upstream.

    Tested with SIM5218EVB-KIT evaluation kit.

    Signed-off-by: Veli-Pekka Peltola
    Signed-off-by: Greg Kroah-Hartman

    Veli-Pekka Peltola
     
  • commit 46b1848360c8e634e0b063932a1261062fa0f7d6 upstream.

    This patch creates the missing controlling devices for the Huawei E353
    HSPA+ stick.

    Signed-off-by: Dirk Nehring
    Signed-off-by: Greg Kroah-Hartman

    Dirk Nehring
     
  • commit 307369b0ca06b27b511b61714e335ddfccf19c4f upstream.

    Signed-off-by: Marcin Kościelnicki
    Signed-off-by: Greg Kroah-Hartman

    Marcin Kościelnicki
     
  • commit b1807719f6acdf18cc4bde3b5400d05d77801494 upstream.

    Genera Touch told us that 0001 is their single point device
    and 0003 is the multitouch one. Apparently, we made the tests
    with someone having a prototype, and not the final product.
    They said it should be safe to do the switch.

    This partially reverts 5572da0 ("HID: hid-mulitouch: add support
    for the 'Sensing Win7-TwoFinger'").

    Signed-off-by: Benjamin Tissoires
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

    Benjamin Tissoires
     
  • commit 8746c83d538cab273d335acb2be226d096f4a5af upstream.

    qset->qh.link is an __le64 field and we should be using cpu_to_le64()
    to fill it.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
     
  • commit 5d193ce8f1fa7c67c7fd7be2c03ef31eed344a4f upstream.

    Currently the driver tries to save context in the suspend path, but
    will cause an abort if the device is already runtime suspended. This
    happens, for example, if MUSB loaded/compiled-in, in host mode, but no
    USB devices are attached. MUSB will be runtime suspended, but then
    attempting a system suspend will crash due to the context save
    being attempted while the device is disabled.

    On OMAP, as of v3.1, the driver's ->runtime_suspend() callback will be
    called late in the suspend path (by the PM domain layer) if the driver
    is not already runtime suspended, ensuring a full shutdown.

    Therefore, the context save is not needed in the ->suspend() method
    since it will be called in the ->runtime_suspend() method anyways
    (similarly for resume.)

    NOTE: this leaves the suspend/resume methods basically empty (with
    some FIXMEs and comments), but I'll leave it to the maintainers
    to decide whether to remove them.

    Signed-off-by: Kevin Hilman
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Kevin Hilman
     
  • commit 6a9ce6b654e491981f6ef7e214cbd4f63e033848 upstream.

    After sleeping on a wait queue, signal_pending(current) should be
    checked (not before sleeping).

    Acked-by: Alessandro Rubini
    Signed-off-by: Federico Vaga
    Signed-off-by: Greg Kroah-Hartman

    Federico Vaga
     
  • commit df30b21cb0eed5ba8a8e0cdfeebc66ba8cde821d upstream.

    In comedi_fops, mmap_count is decremented at comedi_vm_ops->close but
    it is not incremented at comedi_vm_ops->open. This may result in a negative
    counter. The patch introduces the open method to keep the counter
    consistent.

    The bug was triggered by this sample code:

    mmap(0, ...., comedi_fd);
    fork();
    exit(0);

    Acked-by: Alessandro Rubini
    Signed-off-by: Federico Vaga
    Signed-off-by: Greg Kroah-Hartman

    Federico Vaga
     
  • commit 3ffab428f40849ed5f21bcfd7285bdef7902f9ca upstream.

    This fixes kernel oops when a USB DAQ device is plugged out while it's
    communicating with the userspace software.

    Signed-off-by: Bernd Porr
    Signed-off-by: Greg Kroah-Hartman

    Bernd Porr
     
  • commit 438957f8d4a84daa7fa5be6978ad5897a2e9e5e5 upstream.

    Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep.
    If interrupts are not disabled, it can potentially lead to a deadlock.
    The deadlock is readily reproducible on a slower (ARM based) device
    such as the TI Pandaboard.

    Signed-off-by: Bart Westgeest
    Signed-off-by: Greg Kroah-Hartman

    Bart Westgeest
     
  • commit f7364ba04b0961f3a1f978bbe77102606801e35f upstream.

    Complete scanning_done variable if creating the rtsx-scan thread failed.

    Signed-off-by: wwang
    Signed-off-by: Greg Kroah-Hartman

    wwang