17 Nov, 2012
1 commit
-
Iterating over the vma->anon_vma_chain without anon_vma_lock may cause
NULL ptr deref in anon_vma_interval_tree_verify(), because the node in the
chain might have been removed.BUG: unable to handle kernel paging request at fffffffffffffff0
IP: [] anon_vma_interval_tree_verify+0xc/0xa0
PGD 4e28067 PUD 4e29067 PMD 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0
Pid: 9050, comm: trinity-child64 Tainted: G W 3.7.0-rc2-next-20121025-sasha-00001-g673f98e-dirty #77
RIP: 0010: anon_vma_interval_tree_verify+0xc/0xa0
Process trinity-child64 (pid: 9050, threadinfo ffff880045f80000, task ffff880048eb0000)
Call Trace:
validate_mm+0x58/0x1e0
vma_adjust+0x635/0x6b0
__split_vma.isra.22+0x161/0x220
split_vma+0x24/0x30
sys_madvise+0x5da/0x7b0
tracesys+0xe1/0xe6
RIP anon_vma_interval_tree_verify+0xc/0xa0
CR2: fffffffffffffff0Figured out by Bob Liu.
Reported-by: Sasha Levin
Cc: Bob Liu
Signed-off-by: Michel Lespinasse
Reviewed-by: Rik van Riel
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
16 Nov, 2012
6 commits
-
Pull unicore32 update from Guan Xuetao.
* tag 'for-linus' of git://github.com/gxt/linux:
arch/unicore32: remove CONFIG_EXPERIMENTAL
unicore32: switch to generic sys_execve()
unicore32: switch to generic kernel_thread()/kernel_execve()
unicore32: Use Kbuild infrastructure for kvm_para.h
UAPI: (Scripted) Disintegrate arch/unicore32/include/asm
UniCore32-bugfix: Remove definitions in asm/bug.h to solve difference between native and cross compiler
UniCore32-bugfix: fix mismatch return value of __xchg_bad_pointer
UniCore32 bugfix: add missed CONFIG_ZONE_DMA
unicore32/mm/fault.c: Port OOM changes to do_pf -
Pull UBIFS fixes from Artem Bityutskiy:
"Two patches which fix a problem reported by several people in the
past, but only fixed now because no one gave enough material for
debugging.Anyway, these fix the problem that sometimes after a power cut the
file-system is not mountable with the following symptom:grab_empty_leb: could not find an empty LEB
The fixes make the file-system mountable again."
* tag 'upstream-3.7-rc6' of git://git.infradead.org/linux-ubifs:
UBIFS: fix mounting problems after power cuts
UBIFS: introduce categorized lprops counter -
Pull pstore fix from Anton Vorontsov:
"A small fixup for the persistent storage subsystem. The bug can
prevent kernel booting on a APEI-enabled machines w/ PSTORE_CONSOLE=y
(this is N by default, though)."* tag 'for-v3.7-fixes' of git://git.infradead.org/users/cbou/linux-pstore:
pstore: Fix NULL pointer dereference in console writes -
Pill i2c fixes from Jean Delvare.
Well, "fixes".. The biggest patch here is actually Jan marking Wolfram
Sang as the main i2c subsystem maintainer, with Jan staying on as the PC
controller maintainer.* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
i2c-mux-pinctrl: Fix probe error path
MAINTAINERS: i2c: 7 years, this is it -
Pull regulator fixes from Mark Brown:
"A few fixes for teardown issues that will be rarely seen, plus a fix
for a silly bug in regulator_is_supported_voltage() which shows how
often the answer to the question should be false.The supported voltage commit is very new as I just edited to add a Cc
to stable, the code itself has been in -next."* tag 'regulator-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: fix voltage check in regulator_is_supported_voltage()
regulator: core: Avoid deadlock when regulator_register fails
Regulator: core: Unregister when gpio request fails. -
Pull sound fixes from Takashi Iwai:
"The only large LOC is seen in WM5102 driver, just writing a bunch of
register updates, but the actual code change is small. Other than
that, all small fixes suitable for rc6."* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: usb-audio: Fix mutex deadlock at disconnection
ALSA: fm801: precedence bug in snd_fm801_tea575x_get_pins()
ALSA: es1968: precedence bug in snd_es1968_tea575x_get_pins()
ALSA: hda - Add a missing quirk entry for iMac 9,1
ASoC: core: Double control update err for snd_soc_put_volsw_sx
ASoC: dapm: Use card_list during DAPM shutdown
ASoC: cs42l52: fix the return value of cs42l52_set_fmt()
ASoC: bells: Correct type in sub speaker DAI name for WM5102
ASoC: wm8978: pll incorrectly configured when codec is master
ASoC: mxs-saif: Fix channel swap for 24-bit format
ASoC: bells: Select WM1250-EV1 Springbank audio I/O module
ASoC: bells: Add missing select of WM0010
ASoC: mxs-saif: Add MODULE_ALIAS
ASoC: wm5102: Write register value corrections after SYSCLK is enabled
15 Nov, 2012
6 commits
-
Passing a NULL id causes a NULL pointer deference in writers such as
erst_writer and efi_pstore_write because they expect to update this id.
Pass a dummy id instead.This avoids a cascade of oopses caused when the initial
pstore_console_write passes a null which in turn causes writes to the
console causing further oopses in subsequent pstore_console_write calls.Signed-off-by: Colin Ian King
Acked-by: Kees Cook
Cc: stable@vger.kernel.org
Signed-off-by: Anton Vorontsov -
…gulator/fix/supp-volt' into tmp
-
regulator_is_supported_voltage() should return true only if the voltage
of fixed/constant regulator is between min_uV and max_uV.Signed-off-by: Marek Szyprowski
Signed-off-by: Mark Brown
Cc: stable@vger.kernel.org -
Pull power tools fixes from Len Brown:
"A pair of power tools patches -- a 3.7 regression fix plus a bug fix."* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
tools/power turbostat: graceful fail on garbage input
tools/power turbostat: Repair Segmentation fault when using -i option -
Pull MIPS update from Ralf Baechle:
"To avoid unnecessary risk and work the preemption fixes are combined
with some preparatory work that isn't strictly required. So it's
really just 3 fixes:- Get is_compat_task() to do the right thing while simplifying it.
The unnecessary complexity hid a rarely striking bug which could be
triggered by ext3/ext4 under certain circumstances.
- Resolve a preemption issue in the irqflags.h functions for kernels
built to support pre-MIPS32 / pre-MIPS64 Release 2 processors.
- Fix the interrupt number of the MIPS Malta's CBUS UART."* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Malta: Fix interupt number of CBUS UART.
MIPS: Make irqflags.h functions preempt-safe for non-mipsr2 cpus
MIPS: Remove irqflags.h dependency from bitops.h
MIPS: bitops.h: Change use of 'unsigned short' to 'int'
MIPS: compat: Delete now unused TIF_32BIT.
MIPS: compat: Implement is_compat_task() by testing for 32-bit address space.
MIPS: compat: Fix use of TIF_32BIT_ADDR vs _TIF_32BIT_ADDR -
Pull cgroup fixes from Tejun Heo:
"This contains two fix patches for device_cgroup. One fixes a
regression introduced earlier in 3.7 cycle where device_cgroup could
try to dereference the NULL parent of the root cgroup. The other one
is RCU usage fix."* 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
device_cgroup: fix RCU usage
device_cgroup: fix unchecked cgroup parent usage
14 Nov, 2012
5 commits
-
The recent change for USB-audio disconnection race fixes introduced a
mutex deadlock again. There is a circular dependency between
chip->shutdown_rwsem and pcm->open_mutex, depicted like below, when a
device is opened during the disconnection operation:A. snd_usb_audio_disconnect() ->
card.c::register_mutex ->
chip->shutdown_rwsem (write) ->
snd_card_disconnect() ->
pcm.c::register_mutex ->
pcm->open_mutexB. snd_pcm_open() ->
pcm->open_mutex ->
snd_usb_pcm_open() ->
chip->shutdown_rwsem (read)Since the chip->shutdown_rwsem protection in the case A is required
only for turning on the chip->shutdown flag and it doesn't have to be
taken for the whole operation, we can reduce its window in
snd_usb_audio_disconnect().Reported-by: Jiri Slaby
Cc:
Signed-off-by: Takashi Iwai -
When regulator_register fails and exits through the scrub path the
regulator_put function was called whilst holding the
regulator_list_mutex, causing deadlock.This patch adds a private version of the regulator_put function which
can be safely called whilst holding the mutex, replacing the
aforementioned call.Signed-off-by: Charles Keepax
Signed-off-by: Mark Brown -
There is a precedence bug because | has higher precedence than ?:. This
code was cut and pasted and I fixed a similar bug a few days ago.Signed-off-by: Dan Carpenter
Signed-off-by: Takashi Iwai -
When allocating the memory for i2c busses, the code checked the wrong
variable and thus never detected if there was a memory error.Signed-off-by: Guenter Roeck
Cc: stable@vger.kernel.org
Signed-off-by: Jean Delvare -
I have been maintaining the i2c subsystem for 7 years now, it's about
time to let someone else take over. Just before I leave, I would like
to thank several individuals who made this possible at all:* Greg Kroah-Hartman, for his faith in my potential subsystem
maintainer skills. Greg, I hope I met your expectations.
* Late David Brownell, for helping me convert the i2c subsystem to the
standard device driver model. Rest in peace David, we're missing you.
* Ben Dooks, for stepping in when I asked for someone to take care of
the huge flow of new i2c adapter drivers for embedded systems.
* Wolfram Sang, for joining the crew when it became clear that there
was more review work than Ben and myself could deal with.I hope I did not forget anyone, please forgive me if I did.
Another big thank is due to Wolfram again, who quickly proposed to
take over as the main i2c subsystem maintainer. This will allow for a
smooth and fast transition.Note that I will keep maintaining all I2C/SMBus controller drivers for
PC systems as well as a few others. I am hereby updating MAINTAINERS
accordingly. I'll also keep maintaining user-space i2c-tools.Signed-off-by: Jean Delvare
Cc: Greg Kroah-Hartman
Cc: Ben Dooks
Acked-by: Wolfram Sang
13 Nov, 2012
15 commits
-
The CBUS UART's interrupt number was wrong conflicting with the interrupt
being tied to the Intel PIIX4. Since the PIIX4's interrupt is registered
before the CBUS UART which is not being used on most systems this would
not be noticed.Attempts to open the ttyS2 CBUS UART would result in:
genirq: Flags mismatch irq 18. 00000000 (serial) vs. 00010000 (XT-PIC cascade)
serial_link_irq_chain: request failed: -16 for irq: 18Qemu was written to match the kernel so will need to be fixed also.
Signed-off-by: Ralf Baechle
-
I don't think this works as intended. '|' higher precedence than ?: so
the bitwize OR "0 | (val & STR_MOST)" is a no-op.I have re-written it to be more clear.
Signed-off-by: Dan Carpenter
Signed-off-by: Takashi Iwai -
ASoC: Fixes for v3.7
A few small fixes plus a large but simple change for WM5102 which writes
out a bunch of register updates to the device when we enable the clock
as recommended following chip evaluation. -
…' and 'fix/wm8978' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into tmp
-
Pull KVM fix from Marcelo Tosatti:
"A correction for user triggerable oops"* git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461) -
Pull ux500 clk fixes from Mike Turquette:
"Missing clkdev entries are causing regressions on the U8500 platform.
This pull request contains those missing clkdev entries which are
needed to boot that platform."* tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux:
clk: ux500: Register slimbus clock lookups for u8500
clk: ux500: Update rtc clock lookup for u8500
clk: ux500: Register msp clock lookups for u8500
clk: ux500: Register ssp clock lookups for u8500
clk: ux500: Register i2c clock lookups for u8500 -
Pull menuconfig portability fix from Michal Marek:
"Here is a fix for v3.7 that makes menuconfig compile again on systems
whose C library is lacking CIRCLEQ_* macros. I thought I sent it
earlier, but apparently I did not."* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
menuconfig: Replace CIRCLEQ by list_head-style lists. -
Pull LED fix from Bryan Wu.
* 'fixes-for-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
ledtrig-cpu: kill useless mutex to fix sleep in atomic context -
Pull futex fix from Thomas Gleixner:
"Single fix for a long standing futex race when taking over a futex
whose owner died. You can end up with two owners, which violates
quite some rules."* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Handle futex_pi OWNER_DIED take over correctly -
On hosts without the XSAVE support unprivileged local user can trigger
oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
ioctl.invalid opcode: 0000 [#2] SMP
Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
...
Pid: 24935, comm: zoog_kvm_monito Tainted: G D 3.2.0-3-686-pae
EIP: 0060:[] EFLAGS: 00210246 CPU: 0
EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
task.ti=d7c62000)
Stack:
00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
Call Trace:
[] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
...
[] ? syscall_call+0x7/0xb
Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 01
d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
EIP: [] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
0068:d7c63e70QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
X86_FEATURE_XSAVE even on hosts that do not support it, might be
susceptible to this attack from inside the guest as well.Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
Signed-off-by: Petr Matousek
Signed-off-by: Marcelo Tosatti -
At the same time the prcc bit for the kclk is corrected to
bit 8 instead of 3.Signed-off-by: Ulf Hansson
Acked-by: Linus Walleij
Acked-by: Lee Jones
Signed-off-by: Mike Turquette -
Signed-off-by: Ulf Hansson
Acked-by: Linus Walleij
Acked-by: Lee Jones
Signed-off-by: Mike Turquette -
Cc: Mark Brown
Signed-off-by: Ulf Hansson
Acked-by: Linus Walleij
Acked-by: Lee Jones
Signed-off-by: Mike Turquette -
Signed-off-by: Ulf Hansson
Acked-by: Linus Walleij
Acked-by: Lee Jones
Signed-off-by: Mike Turquette -
Cc: Ben Dooks
Cc: Wolfram Sang
Acked-by: Linus Walleij
Acked-by: Lee Jones
Signed-off-by: Ulf Hansson
Signed-off-by: Mike Turquette
12 Nov, 2012
2 commits
-
This is another variant of iMac 9,1 with a different codec SSID.
Reported-and-tested-by: Everaldo Canuto
Cc: [v3.3+]
Signed-off-by: Takashi Iwai -
Seeing the following every time the CPU enters or leaves idle on a
Beagleboard:BUG: sleeping function called from invalid context at kernel/mutex.c:269
in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
no locks held by swapper/0/0.
[] (unwind_backtrace+0x0/0xf8) from [] (mutex_lock_nested+0x24/0x380)
[] (mutex_lock_nested+0x24/0x380) from [] (ledtrig_cpu+0x38/0x88)
[] (ledtrig_cpu+0x38/0x88) from [] (cpu_idle+0xf4/0x120)
[] (cpu_idle+0xf4/0x120) from [] (start_kernel+0x2bc/0x30c)Miles Lane has reported seeing similar splats during system suspend.
The mutex in struct led_trigger_cpu appears to have no function: it
resides in a per-cpu data structure which never changes after the
trigger is registered. So just remove it.Reported-by: Miles Lane
Signed-off-by: Nathan Lynch
Signed-off-by: Bryan Wu
11 Nov, 2012
3 commits
-
Pull networking fixes from David Miller:
"Bug fixes galore, mostly in drivers as is often the case:1) USB gadget and cdc_eem drivers need adjustments to their frame size
lengths in order to handle VLANs correctly. From Ian Coolidge.2) TIPC and several network drivers erroneously call tasklet_disable
before tasklet_kill, fix from Xiaotian Feng.3) r8169 driver needs to apply the WOL suspend quirk to more chipsets,
fix from Cyril Brulebois.4) Fix multicast filters on RTL_GIGA_MAC_VER_35 r8169 chips, from
Nathan Walp.5) FDB netlink dumps should use RTM_NEWNEIGH as the message type, not
zero. From John Fastabend.6) Fix smsc95xx tx checksum offload on big-endian, from Steve
Glendinning.7) __inet_diag_dump() needs to repsect and report the error value
returned from inet_diag_lock_handler() rather than ignore it.
Otherwise if an inet diag handler is not available for a particular
protocol, we essentially report success instead of giving an error
indication. Fix from Cyrill Gorcunov.8) When the QFQ packet scheduler sees TSO/GSO packets it does not
handle things properly, and in fact ends up corrupting it's
datastructures as well as mis-schedule packets. Fix from Paolo
Valente.9) Fix oopser in skb_loop_sk(), from Eric Leblond.
10) CXGB4 passes partially uninitialized datastructures in to FW
commands, fix from Vipul Pandya.11) When we send unsolicited ipv6 neighbour advertisements, we should
send them to the link-local allnodes multicast address, as per
RFC4861. Fix from Hannes Frederic Sowa.12) There is some kind of bug in the usbnet's kevent deferral
mechanism, but more immediately when it triggers an uncontrolled
stream of kernel messages spam the log. Rate limit the error log
message triggered when this problem occurs, as sending thousands
of error messages into the kernel log doesn't help matters at all,
and in fact makes further diagnosis more difficult.From Steve Glendinning.
13) Fix gianfar restore from hibernation, from Wang Dongsheng.
14) The netlink message attribute sizes are wrong in the ipv6 GRE
driver, it was using the size of ipv4 addresses instead of ipv6
ones :-) Fix from Nicolas Dichtel."* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
gre6: fix rtnl dump messages
gianfar: ethernet vanishes after restoring from hibernation
usbnet: ratelimit kevent may have been dropped warnings
ipv6: send unsolicited neighbour advertisements to all-nodes
net: usb: cdc_eem: Fix rx skb allocation for 802.1Q VLANs
usb: gadget: g_ether: fix frame size check for 802.1Q
cxgb4: Fix initialization of SGE_CONTROL register
isdn: Make CONFIG_ISDN depend on CONFIG_NETDEVICES
cxgb4: Initialize data structures before using.
af-packet: fix oops when socket is not present
pkt_sched: enable QFQ to support TSO/GSO
net: inet_diag -- Return error code if protocol handler is missed
net: bnx2x: Fix typo in bnx2x driver
smsc95xx: fix tx checksum offload for big endian
rtnetlink: Use nlmsg type RTM_NEWNEIGH from dflt fdb dump
ptp: update adjfreq callback description
r8169: allow multicast packets on sub-8168f chipset.
r8169: Fix WoL on RTL8168d/8111d.
drivers/net: use tasklet_kill in device remove/close process
tipc: do not use tasklet_disable before tasklet_kill -
Pull sparc fixes from David Miller:
"Several build/bug fixes for sparc, including:1) Configuring a mix of static vs. modular sparc64 crypto modules
didn't work, remove an ill-conceived attempt to only have to build
the device match table for these drivers once to fix the problem.Reported by Meelis Roos.
2) Make the montgomery multiple/square and mpmul instructions actually
usable in 32-bit tasks. Essentially this involves providing 32-bit
userspace with a way to use a 64-bit stack when it needs to.3) Our sparc64 atomic backoffs don't yield cpu strands properly on
Niagara chips. Use pause instruction when available to achieve
this, otherwise use a benign instruction we know blocks the strand
for some time.4) Wire up kcmp
5) Fix the build of various drivers by removing the unnecessary
blocking of OF_GPIO when SPARC.6) Fix unintended regression wherein of_address_to_resource stopped
being provided. Fix from Andreas Larsson.7) Fix NULL dereference in leon_handle_ext_irq(), also from Andreas
Larsson."* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Fix build with mix of modular vs. non-modular crypto drivers.
sparc: Support atomic64_dec_if_positive properly.
of/address: sparc: Declare of_address_to_resource() as an extern function for sparc again
sparc32, leon: Check for existent irq_map entry in leon_handle_ext_irq
sparc: Add sparc support for platform_get_irq()
sparc: Allow OF_GPIO on sparc.
qlogicpti: Fix build warning.
sparc: Wire up sys_kcmp.
sparc64: Improvde documentation and readability of atomic backoff code.
sparc64: Use pause instruction when available.
sparc64: Fix cpu strand yielding.
sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads.
10 Nov, 2012
2 commits
-
Pull cifs fixes from Jeff Layton.
* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Do not lookup hashed negative dentry in cifs_atomic_open
cifs: fix potential buffer overrun in cifs.idmap handling code -
Pull arm64 fixes from Catalin Marinas:
- correct argument type (pgprot_t) when calling __ioremap()
- PCI_IOBASE virtual address change
- use architected event for CPU cycle counter
- fix ELF core dumping
- select CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
- missing completion for secondary CPU boot
- booting on systems with all memory beyond 4GB* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
arm64: mm: fix booting on systems with no memory below 4GB
arm64: smp: add missing completion for secondary boot
arm64: compat: select CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
arm64: elf: fix core dumping definitions for GP and FP registers
arm64: perf: use architected event for CPU cycle counter
arm64: Move PCI_IOBASE closer to MODULES_VADDR
arm64: Use pgprot_t as the last argument when invoking __ioremap()