18 Feb, 2011
40 commits
-
commit a6d940dd759bf240d28624198660ed34582a327b upstream.
When xhci_discover_or_reset_device() is called after a host controller
power loss, the virtual device may need to be reallocated. Make sure
xhci_alloc_dev() uses GFP_NOIO. This avoid causing a deadlock by allowing
the kernel to flush pending I/O while reallocating memory for a virtual
device for a USB mass storage device that's holding the backing store for
dirty memory buffers.This patch should be queued for the 2.6.37 stable tree.
Signed-off-by: Sarah Sharp
Signed-off-by: Greg Kroah-Hartman -
commit 653a39d1f61bdc9f277766736d21d2e9be0391cb upstream.
When there's an xHCI host power loss after a suspend from memory, the USB
core attempts to reset and verify the USB devices that are attached to the
system. The xHCI driver has to reallocate those devices, since the
hardware lost all knowledge of them during the power loss.When a hub is plugged in, and the host loses power, the xHCI hardware
structures are not updated to say the device is a hub. This is usually
done in hub_configure() when the USB hub is detected. That function is
skipped during a reset and verify by the USB core, since the core restores
the old configuration and alternate settings, and the hub driver has no
idea this happened. This bug makes the xHCI host controller reject the
enumeration of low speed devices under the resumed hub.Therefore, make the USB core re-setup the internal xHCI hub device
information by calling update_hub_device() when hub_activate() is called
for a hub reset resume. After a host power loss, all devices under the
roothub get a reset-resume or a disconnect.This patch should be queued for the 2.6.37 stable tree.
Signed-off-by: Sarah Sharp
Signed-off-by: Greg Kroah-Hartman -
commit 40a9fb17f32dbe54de3d636142a59288544deed7 upstream.
when unloading xhci_hcd, I got:
[ 134.856813] xhci_hcd 0000:02:00.0: remove, state 4
[ 134.858140] usb usb3: USB disconnect, address 1
[ 134.874956] xhci_hcd 0000:02:00.0: Host controller not halted, aborting reset.
[ 134.876351] BUG: sleeping function called from invalid context at kernel/mutex.c:85
[ 134.877657] in_atomic(): 0, irqs_disabled(): 1, pid: 1451, name: modprobe
[ 134.878975] Pid: 1451, comm: modprobe Not tainted 2.6.37-rc5+ #162
[ 134.880298] Call Trace:
[ 134.881602] [] __might_sleep+0xeb/0xf0
[ 134.882921] [] mutex_lock+0x24/0x50
[ 134.884229] [] free_desc+0x2e/0x5f
[ 134.885538] [] irq_free_descs+0x3b/0x71
[ 134.886853] [] free_irq_at+0x31/0x36
[ 134.888167] [] destroy_irq+0x69/0x71
[ 134.889486] [] native_teardown_msi_irq+0xe/0x10
[ 134.890820] [] default_teardown_msi_irqs+0x57/0x80
[ 134.892158] [] free_msi_irqs+0x8b/0xe9
[ 134.893504] [] pci_disable_msix+0x35/0x39
[ 134.894844] [] xhci_cleanup_msix+0x31/0x51 [xhci_hcd]
[ 134.896186] [] xhci_stop+0x3a/0x80 [xhci_hcd]
[ 134.897521] [] usb_remove_hcd+0xfd/0x14a
[ 134.898859] [] usb_hcd_pci_remove+0x5c/0xc6
[ 134.900193] [] pci_device_remove+0x3f/0x91
[ 134.901535] [] __device_release_driver+0x83/0xd9
[ 134.902899] [] driver_detach+0x86/0xad
[ 134.904222] [] bus_remove_driver+0xb2/0xd8
[ 134.905540] [] driver_unregister+0x6c/0x74
[ 134.906839] [] pci_unregister_driver+0x44/0x89
[ 134.908121] [] xhci_unregister_pci+0x15/0x17 [xhci_hcd]
[ 134.909396] [] xhci_hcd_cleanup+0xe/0x10 [xhci_hcd]
[ 134.910652] [] sys_delete_module+0x1ca/0x23b
[ 134.911882] [] ? path_put+0x22/0x26
[ 134.913104] [] ? audit_syscall_entry+0x2c/0x148
[ 134.914333] [] system_call_fastpath+0x16/0x1b
[ 134.915658] xhci_hcd 0000:02:00.0: USB bus 3 deregistered
[ 134.916465] xhci_hcd 0000:02:00.0: PCI INT A disabledand the same issue when xhci_suspend is invoked. (Note from Sarah: That's
fixed by Andiry's patch before this, by synchronizing the irqs rather than
freeing them on suspend.)Do not run xhci_cleanup_msix with irq disabled.
This patch should be queued for the 2.6.37 stable tree.
Signed-off-by: Zhang Rui
Signed-off-by: Sarah Sharp
Signed-off-by: Greg Kroah-Hartman -
commit 5fe49d86f9d01044abf687a8cd21edef636d58aa upstream.
Early chipsets (gen2/3) used function 1 as a placeholder for multi-head.
We used to ignore these since they were not assigned to
PCI_CLASS_DISPLAY_VGA. However with 934f992c7 we attempt to bind to all
Intel PCI_CLASS_DISPLAY devices (and functions) to work in multi-gpu
systems. This fails hard on gen2/3.Reported-by: Ferenc Wágner
Tested-by: Ferenc Wágner
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=28012
Signed-off-by: Chris Wilson
Signed-off-by: Greg Kroah-Hartman -
commit a70b95c017e8b518e1e069853355e4e497453dbb upstream.
Some BIOSs (eg. the AMI BIOS on the Asus P4P800 motherboard) don't
initialise the GART address, and pcibios_assign_resources() can ignore it
because it can be marked as a host bridge (see
https://bugzilla.kernel.org/show_bug.cgi?id=24392#c5 for details). This
was handled correctly up to 2.6.35, but the pci_enable_device() cleanup in
2.6.36 96576a9e1a0cdb8 ("agp: intel-agp: do not use PCI resources before
pci_enable_device()") means that the kernel tries to enable the GART
before assigning it an address; in such cases the GART overlaps with other
device assignments and ends up being disabled.This patch fixes https://bugzilla.kernel.org/show_bug.cgi?id=24392
Note that I imagine efficeon-agp.c probably has the same problem, but
I can't test that and I'd like to make sure this patch is suitable for
-stable (since 2.6.36 and 2.6.37 are affected).Signed-off-by: Stephen Kitt
Cc: Bjorn Helgaas
Cc: Maciej Rutecki
Cc: "Rafael J. Wysocki"
Cc: Kulikov Vasiliy
Cc: Florian Mickler
Signed-off-by: Andrew Morton
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 831d52bc153971b70e64eccfbed2b232394f22f8 upstream.
Clearing the cpu in prev's mm_cpumask early will avoid the flush tlb
IPI's while the cr3 is still pointing to the prev mm. And this window
can lead to the possibility of bogus TLB fills resulting in strange
failures. One such problematic scenario is mentioned below.T1. CPU-1 is context switching from mm1 to mm2 context and got a NMI
etc between the point of clearing the cpu from the mm_cpumask(mm1)
and before reloading the cr3 with the new mm2.T2. CPU-2 is tearing down a specific vma for mm1 and will proceed with
flushing the TLB for mm1. It doesn't send the flush TLB to CPU-1
as it doesn't see that cpu listed in the mm_cpumask(mm1).T3. After the TLB flush is complete, CPU-2 goes ahead and frees the
page-table pages associated with the removed vma mapping.T4. CPU-2 now allocates those freed page-table pages for something
else.T5. As the CR3 and TLB caches for mm1 is still active on CPU-1, CPU-1
can potentially speculate and walk through the page-table caches
and can insert new TLB entries. As the page-table pages are
already freed and being used on CPU-2, this page walk can
potentially insert a bogus global TLB entry depending on the
(random) contents of the page that is being used on CPU-2.T6. This bogus TLB entry being global will be active across future CR3
changes and can result in weird memory corruption etc.To avoid this issue, for the prev mm that is handing over the cpu to
another mm, clear the cpu from the mm_cpumask(prev) after the cr3 is
changed.Marking it for -stable, though we haven't seen any reported failure that
can be attributed to this.Signed-off-by: Suresh Siddha
Acked-by: Ingo Molnar
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman -
commit 934f992c763ae1e5eefcce8af769c16444085df7 upstream.
Starting with SandyBridge (though possible with earlier hacked BIOSes),
the BIOS may initialise the IGFX as secondary to a discrete GPU. Prior,
it would simply disable the integrated GPU. So we adjust our PCI class
mask to match any DISPLAY_CLASS device.In such a configuration, the IGFX is not a primary VGA controller and
so should not take part in VGA arbitration, and the error return from
vga_client_register() is expected.Signed-off-by: Chris Wilson
Signed-off-by: Greg Kroah-Hartman -
commit f7ab9b407b3bc83161c2aa74c992ba4782e87c9c upstream.
Without tmpfs, shmem_readpage() is not compiled in causing an OOPS as
soon as we try to allocate some swappable pages for GEM.Jan 19 22:52:26 harlie kernel: Modules linked in: i915(+) drm_kms_helper cfbcopyarea video backlight cfbimgblt cfbfillrect
Jan 19 22:52:26 harlie kernel:
Jan 19 22:52:26 harlie kernel: Pid: 1125, comm: modprobe Not tainted 2.6.37Harlie #10 To be filled by O.E.M./To be filled by O.E.M.
Jan 19 22:52:26 harlie kernel: EIP: 0060:[] EFLAGS: 00010246 CPU: 3
Jan 19 22:52:26 harlie kernel: EIP is at 0x0
Jan 19 22:52:26 harlie kernel: EAX: 00000000 EBX: f7b7d000 ECX: f3383100 EDX: f7b7d000
Jan 19 22:52:26 harlie kernel: ESI: f1456118 EDI: 00000000 EBP: f2303c98 ESP: f2303c7c
Jan 19 22:52:26 harlie kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Jan 19 22:52:26 harlie kernel: Process modprobe (pid: 1125, ti=f2302000 task=f259cd80 task.ti=f2302000)
Jan 19 22:52:26 harlie kernel: Stack:
Jan 19 22:52:26 harlie udevd-work[1072]: '/sbin/modprobe -b pci:v00008086d00000046sv00000000sd00000000bc03sc00i00' unexpected exit with status 0x0009
Jan 19 22:52:26 harlie kernel: c1074061 000000d0 f2f42b80 00000000 000a13d2 f2d5dcc0 00000001 f2303cac
Jan 19 22:52:26 harlie kernel: c107416f 00000000 000a13d2 00000000 f2303cd4 f8d620ed f2cee620 00001000
Jan 19 22:52:26 harlie kernel: 00000000 000a13d2 f1456118 f2d5dcc0 f1a40000 00001000 f2303d04 f8d637ab
Jan 19 22:52:26 harlie kernel: Call Trace:
Jan 19 22:52:26 harlie kernel: [] ? do_read_cache_page+0x71/0x160
Jan 19 22:52:26 harlie kernel: [] ? read_cache_page_gfp+0x1f/0x30
Jan 19 22:52:26 harlie kernel: [] ? i915_gem_object_get_pages+0xad/0x1d0 [i915]
Jan 19 22:52:26 harlie kernel: [] ? i915_gem_object_bind_to_gtt+0xeb/0x2d0 [i915]
Jan 19 22:52:26 harlie kernel: [] ? i915_gem_object_pin+0x151/0x190 [i915]
Jan 19 22:52:26 harlie kernel: [] ? drm_gem_object_init+0x3d/0x60
Jan 19 22:52:26 harlie kernel: [] ? i915_gem_init_ringbuffer+0x105/0x1e0 [i915]
Jan 19 22:52:26 harlie kernel: [] ? i915_driver_load+0x667/0x1160 [i915]Reported-by: John J. Stimson-III
Signed-off-by: Chris Wilson
Signed-off-by: Greg Kroah-Hartman -
commit 22ab70d3262ddb6e69b3c246a34e2967ba5eb1e8 upstream.
Signed-off-by: Knut Petersen
Signed-off-by: Chris Wilson
Signed-off-by: Greg Kroah-Hartman -
commit 3c5a62b5226ca5db993660281e9c2a7275d9fb02 upstream.
Some voltage swing/pre-emphasis level use the same value on eDP
Sandybridge, like 400mv_0db and 600mv_0db are with the same value
of (0x0 << 22). So, fix them, and point out the value if it isn't
a supported voltage swing/pre-emphasis level.Signed-off-by: Yuanhan Liu
Signed-off-by: Chris Wilson
Signed-off-by: Greg Kroah-Hartman -
commit 0ba41e449fd0f45f5b29c1009020ab1b298bedda upstream.
... or else we may end up disabling the wrong framebuffer, leading to an
OOPS, e.g:[ 6033.229012] kernel BUG at drivers/gpu/drm/i915/i915_gem.c:3271!
[ 6033.229012] invalid opcode: 0000 [#1] SMP
[ 6033.229012] last sysfs file:
/sys/devices/virtual/backlight/acpi_video0/uevent
[ 6033.229012] Modules linked in: sunrpc cpufreq_ondemand acpi_cpufreq
mperf snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq
snd_seq_device snd_pcm snd_timer thinkpad_acpi ppdev snd r852 sm_common
iTCO_wdt uvcvideo i2c_i801 iTCO_vendor_support microcode wmi nand
videodev nand_ids nand_ecc snd_page_alloc parport_pc parport mtd
soundcore joydev v4l1_compat pcspkr uinput ipv6 sdhci_pci sdhci mmc_core
yenta_socket i915 drm_kms_helper drm i2c_algo_bit i2c_core video output
[last unloaded: scsi_wait_scan]
[ 6033.229012]
[ 6033.229012] Pid: 4834, comm: Xorg Not tainted 2.6.37-rc8+ #25 7661BL5/7661BL5
[ 6033.229012] EIP: 0060:[] EFLAGS: 00013246 CPU: 0
[ 6033.229012] EIP is at i915_gem_object_unpin+0x23/0x76 [i915]
[ 6033.229012] EAX: f68a4000 EBX: f6831f00 ECX: 000600fa EDX: f68a8000
[ 6033.229012] ESI: f68a4014 EDI: f68a42b8 EBP: f2169c44 ESP: f2169c3c
[ 6033.229012] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 6033.229012] Process Xorg (pid: 4834, ti=f2168000 task=f21c8000 task.ti=f2168000)
[ 6033.229012] Stack:
[ 6033.229012] f3a84800 f68a4014 f2169c54 f87045d8 f3a84800 f872d9a8 f2169c68 f7fd8091
[ 6033.229012] f3b952a4 00000000 f68a414c f2169cf0 f7fd9377 00000000 00000000 f7fd98b0
[ 6033.229012] f7fd9f4e 0000000f f7f328a0 00000000 00000000 00000000 f2169ca4 f68a414c
[ 6033.229012] Call Trace:
[ 6033.229012] [] ? intel_crtc_disable+0x36/0x41 [i915]
[ 6033.229012] [] ? drm_helper_disable_unused_functions+0xcd/0xf9 [drm_kms_helper]
[ 6033.229012] [] ? drm_crtc_helper_set_config+0x62a/0x7f7 [drm_kms_helper]
[ 6033.229012] [] ? __slab_free+0x1b/0xa4
[ 6033.229012] [] ? drm_fb_helper_initial_config+0x466/0x497 [drm_kms_helper]
[ 6033.229012] [] ? drm_fb_helper_restore+0x10/0x2a [drm_kms_helper]
[ 6033.229012] [] ? i915_driver_lastclose+0x2a/0x57 [i915]
[ 6033.229012] [] ? drm_lastclose+0x45/0x23e [drm]
[ 6033.229012] [] ? drm_release+0x462/0x4d7 [drm]Signed-off-by: Chris Wilson
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 87364760de5d631390c478fcbac8db1b926e0adf upstream.
The accelerate mode bit gets checked by certain atom
command tables to set up some register state. It needs
to be clear when setting modes and set when not.Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=26942Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 63a507800c8aca5a1891d598ae13f829346e8e39 upstream.
0x4243 is a PCI bridge, not a GPU.
Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=33815Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 51d4bf840a27fe02c883ddc6d9708af056773769 upstream.
Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 6bba2e116808ca12e30c8d88dfedabf8b8d67390 upstream.
Check if there is a big enough dp clock & enough dp lane to
drive the video mode provided.Signed-off-by: Jerome Glisse
Reviewed-By: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit be23da8ad219650517cbbb7acbeaeb235667113a upstream.
Seems some other boards do this as well.
Reported-by: Andrea Merello
Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 2f299d5de02da3ffb1f9e1a05c91dcd1173ebd3c upstream.
Acer laptop (TravelMate 5730G) has an HDMI connector
on the laptop and a DVI connector on the docking station
and both share the same encoder, hpd pin, and ddc line.
The bios connector table reflects this and is technically
correct, however, we drop the DVI connector here since
xrandr has no concept of encoders (only crtcs and connectors)
and will try and drive both connectors with different crtcs
which isn't possible on the hardware side and leaves no crtcs
for LVDS or VGA.Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=32732Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit f598aa7593427ffe3a61e7767c34bd695a5e7ed0 upstream.
Reported-by: 屋国遥
Signed-off-by: Alex Deucher
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman -
commit 862f0982eadcea0e114576c57ea426d3d51a69a6 upstream.
FEC_MMFR_OP_WRITE should be used than FEC_MMFR_OP_READ in
a mdio write operation.It's probably a typo introduced by commit:
e6b043d512fa8d9a3801bf5d72bfa3b8fc3b3cc8
netdev/fec.c: add phylib supporting to enable carrier detection (v2)Signed-off-by: Shawn Guo
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit 09c9d4c9b6a2b5909ae3c6265e4cd3820b636863 upstream.
Revert commit 224cb3e981f1b2f9f93dbd49eaef505d17d894c2
dm: Call blk_abort_queue on failed pathsMultipath began to use blk_abort_queue() to allow for
lower latency path deactivation. This was found to
cause list corruption:the cmd gets blk_abort_queued/timedout run on it and the scsi eh
somehow is able to complete and run scsi_queue_insert while
scsi_request_fn is still trying to process the request.https://www.redhat.com/archives/dm-devel/2010-November/msg00085.html
Signed-off-by: Mike Snitzer
Signed-off-by: Alasdair G Kergon
Cc: Mike Anderson
Cc: Mike Christie
Signed-off-by: Greg Kroah-Hartman -
commit c217649bf2d60ac119afd71d938278cffd55962b upstream.
No longer needlessly hold md->bdev->bd_inode->i_mutex when changing the
size of a DM device. This additional locking is unnecessary because
i_size_write() is already protected by the existing critical section in
dm_swap_table(). DM already has a reference on md->bdev so the
associated bd_inode may be changed without lifetime concerns.A negative side-effect of having held md->bdev->bd_inode->i_mutex was
that a concurrent DM device resize and flush (via fsync) would deadlock.
Dropping md->bdev->bd_inode->i_mutex eliminates this potential for
deadlock. The following reproducer no longer deadlocks:
https://www.redhat.com/archives/dm-devel/2009-July/msg00284.htmlSigned-off-by: Mike Snitzer
Signed-off-by: Mikulas Patocka
Signed-off-by: Alasdair G Kergon
Signed-off-by: Greg Kroah-Hartman -
commit 8d661f1e462d50bd83de87ee628aaf820ce3c66c upstream.
It is defined in include/linux/ieee80211.h. As per IEEE spec.
bit6 to bit15 in block ack parameter represents buffer size.
So the bitmask should be 0xFFC0.Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Reviewed-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
commit 3f0d3d016d89a5efb8b926d4707eb21fa13f3d27 upstream.
Some Lenovos have TPMs that require a quirk to function correctly. This can
be autodetected by checking whether the device has a _HID of INTC0102. This
is an invalid PNPid, and as such is discarded by the pnp layer - however
it's still present in the ACPI code, so we can pull it out that way. This
means that the quirk won't be automatically applied on non-ACPI systems,
but without ACPI we don't have any way to identify the chip anyway so I
don't think that's a great concern.Signed-off-by: Matthew Garrett
Acked-by: Rajiv Andrade
Tested-by: Jiri Kosina
Tested-by: Andy Isaacson
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman -
commit 415103f9932d45f7927f4b17e3a9a13834cdb9a1 upstream.
selinux_inode_init_security computes transitions sids even for filesystems
that use mount point labeling. It shouldn't do that. It should just use
the mount point label always and no matter what.This causes 2 problems. 1) it makes file creation slower than it needs to be
since we calculate the transition sid and 2) it allows files to be created
with a different label than the mount point!# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
# sesearch --type --class file --source sysadm_t --target tmp_t
Found 1 semantic te rules:
type_transition sysadm_t tmp_t : file user_tmp_t;# mount -o loop,context="system_u:object_r:tmp_t:s0" /tmp/fs /mnt/tmp
# ls -lZ /mnt/tmp
drwx------. root root system_u:object_r:tmp_t:s0 lost+found
# touch /mnt/tmp/file1
# ls -lZ /mnt/tmp
-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0 file1
drwx------. root root system_u:object_r:tmp_t:s0 lost+foundWhoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t
labeled file!Signed-off-by: Eric Paris
Reviewed-by: Reviewed-by: James Morris
Signed-off-by: Greg Kroah-Hartman -
commit 350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8 upstream.
Commit 2f90b865 added two new netlink message types to the netlink route
socket. SELinux has hooks to define if netlink messages are allowed to
be sent or received, but it did not know about these two new message
types. By default we allow such actions so noone likely noticed. This
patch adds the proper definitions and thus proper permissions
enforcement.Signed-off-by: Eric Paris
Cc: James Morris
Signed-off-by: Greg Kroah-Hartman -
commit 3fc5e98d8cf85e0d77fc597b49e9268dff67400e upstream.
In construct_alloc_key(), up_write() is called in the error path if
__key_link_begin() fails, but this is incorrect as __key_link_begin() only
returns with the nominated keyring locked if it returns successfully.Without this patch, you might see the following in dmesg:
=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
mount.cifs/5769 is trying to release lock (&key->sem) at:
[] request_key_and_link+0x263/0x3fc
but there are no more locks to release!other info that might help us debug this:
3 locks held by mount.cifs/5769:
#0: (&type->s_umount_key#41/1){+.+.+.}, at: [] sget+0x278/0x3e7
#1: (&ret_buf->session_mutex){+.+.+.}, at: [] cifs_get_smb_ses+0x35a/0x443 [cifs]
#2: (root_key_user.cons_lock){+.+.+.}, at: [] request_key_and_link+0x10a/0x3fcstack backtrace:
Pid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1
Call Trace:
[] ? request_key_and_link+0x263/0x3fc
[] print_unlock_inbalance_bug+0xca/0xd5
[] lock_release_non_nested+0xc1/0x263
[] ? request_key_and_link+0x263/0x3fc
[] ? request_key_and_link+0x263/0x3fc
[] lock_release+0x17d/0x1a4
[] up_write+0x23/0x3b
[] request_key_and_link+0x263/0x3fc
[] ? cifs_get_spnego_key+0x61/0x21f [cifs]
[] request_key+0x41/0x74
[] cifs_get_spnego_key+0x200/0x21f [cifs]
[] CIFS_SessSetup+0x55d/0x1273 [cifs]
[] cifs_setup_session+0x90/0x1ae [cifs]
[] cifs_get_smb_ses+0x37f/0x443 [cifs]
[] cifs_mount+0x1aa1/0x23f3 [cifs]
[] ? alloc_debug_processing+0xdb/0x120
[] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]
[] cifs_do_mount+0x165/0x2b3 [cifs]
[] vfs_kern_mount+0xaf/0x1dc
[] do_kern_mount+0x4d/0xef
[] do_mount+0x6f4/0x733
[] sys_mount+0x88/0xc2
[] system_call_fastpath+0x16/0x1bReported-by: Jeff Layton
Signed-off-by: David Howells
Reviewed-and-Tested-by: Jeff Layton
Signed-off-by: Linus Torvalds
Cc: James Morris
Signed-off-by: Greg Kroah-Hartman -
commit 9b29050f8f75916f974a2d231ae5d3cd59792296 upstream.
The current TPM TIS driver in git discards the timeout values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 3 timeout indicators of type u32.I am also adding a sysfs entry 'timeouts' showing the timeouts that are
being used.Signed-off-by: Stefan Berger
Tested-by: Guillaume Chazarain
Signed-off-by: Rajiv Andrade
Signed-off-by: Greg Kroah-Hartman -
commit c4ff4b829ef9e6353c0b133b7adb564a68054979 upstream.
If duration variable value is 0 at this point, it's because
chip->vendor.duration wasn't filled by tpm_get_timeouts() yet.
This patch sets then the lowest timeout just to give enough
time for tpm_get_timeouts() to further succeed.This fix avoids long boot times in case another entity attempts
to send commands to the TPM when the TPM isn't accessible.Signed-off-by: Rajiv Andrade
Signed-off-by: James Morris
Signed-off-by: Greg Kroah-Hartman -
commit 0ca7a5b9ac5d301845dd6382ff25a699b6263a81 upstream.
Fixes the following kernel oops in nilfs_setup_super() which could
arise if one of two super-blocks is unavailable.> BUG: unable to handle kernel NULL pointer dereference at (null)
> Pid: 3529, comm: mount.nilfs2 Not tainted 2.6.37 #1 /
> EIP: 0060:[] EFLAGS: 00010202 CPU: 3
> EIP is at memcpy+0xc/0x1b
> Call Trace:
> [] ? nilfs_setup_super+0x6c/0xa5 [nilfs2]
> [] ? nilfs_get_root_dentry+0x81/0xcb [nilfs2]
> [] ? nilfs_mount+0x4f9/0x62c [nilfs2]
> [] ? kstrdup+0x36/0x3f
> [] ? nilfs_mount+0x0/0x62c [nilfs2]
> [] ? vfs_kern_mount+0x4d/0x12c
> [] ? get_fs_type+0x76/0x8f
> [] ? do_kern_mount+0x33/0xbf
> [] ? do_mount+0x2ed/0x714
> [] ? copy_mount_options+0x28/0xfc
> [] ? sys_mount+0x72/0xaf
> [] ? syscall_call+0x7/0xbReported-by: Wakko Warner
Signed-off-by: Ryusuke Konishi
Tested-by: Wakko Warner
LKML-Reference:
Signed-off-by: Greg Kroah-Hartman -
commit f87f928882d080eaec8b0d76aecff003d664697d upstream.
This patch fixes 32 bit legacy paging with NPT enabled. The
mmu_check_root call on the top-level of the loop causes
root_gfn to take values (in the tdp_enabled path) which are
outside of guest memory. So the mmu_check_root call fails at
some point in the loop interation causing the guest to
tiple-fault.
This patch changes the mmu_check_root calls to the places
where they are really necessary. As a side-effect it
introduces a check for the root of a pae page table too.Signed-off-by: Joerg Roedel
Signed-off-by: Marcelo Tosatti
Signed-off-by: Greg Kroah-Hartman -
commit c093b8b46c5f0dd12d799f0d6a3b579863df72f6 upstream.
We use the physical address instead of the base gfn for the four
PAE page directories we use in unpaged mode. When the guest accesses
an address above 1GB that is backed by a large host page, a BUG_ON()
in kvm_mmu_set_gfn() triggers.Resolves: https://bugzilla.kernel.org/show_bug.cgi?id=21962
Reported-and-tested-by: Nicolas Prochazka
Signed-off-by: Avi Kivity
Cc: Marcelo Tosatti
Signed-off-by: Greg Kroah-Hartman -
commit a0272630bb594b4eac03a79e77957df7dad8eade upstream.
isr_ack is never initialized. So, until the first PIC reset, interrupts
may fail to be injected. This can cause Windows XP to fail to boot, as
reported in the fallout from the fix to
https://bugzilla.kernel.org/show_bug.cgi?id=21962.Reported-and-tested-by: Nicolas Prochazka
Signed-off-by: Avi Kivity
Signed-off-by: Greg Kroah-Hartman -
commit e91ece5590b3c728624ab57043fc7a05069c604a upstream.
md_make_request was calling bio_sectors() for part_stat_add
after it was calling the make_request function. This is
bad because the make_request function can free the bio and
because the bi_size field can change around.The fix here was suggested by Jens Axboe. It saves the
sector count before the make_request call. I hit this
with CONFIG_DEBUG_PAGEALLOC turned on while trying to break
his pretty fusionio card.Signed-off-by: Chris Mason
Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman -
commit 77c5fd19075d299fe820bb59bb21b0b113676e20 upstream.
pata_mpc52xx supports BMDMA but inherits ata_sff_port_ops which
triggers BUG_ON() when a DMA command is issued. Fix it.Signed-off-by: Tejun Heo
Reported-by: Roman Fietze
Cc: Sergei Shtylyov
Signed-off-by: Jeff Garzik
Signed-off-by: Greg Kroah-Hartman -
commit bf2cb0dab8c97f00a71875d9b13dbac17a2f47ca upstream.
When a RAID6 is converted to a RAID5, the extra drive should
be discarded. However it isn't due to a typo in a comparison.This bug was introduced in commit e93f68a1fc6 in 2.6.35-rc4
and is suitable for any -stable since than.As the extra drive is not removed, the 'degraded' counter is wrong and
so the RAID5 will not respond correctly to a subsequent failure.Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman -
commit 0ca69886a8273ac1350143d562280bfcbe4760dc upstream.
When an md device is in the process of coming on line it is possible
for an IO request (typically a partition table probe) to get through
before the array is fully initialised, which can cause unexpected
behaviour (e.g. a crash).So explicitly record when the array is ready for IO and don't allow IO
through until then.There is no possibility for a similar problem when the array is going
off-line as there must only be one 'open' at that time, and it is busy
off-lining the array and so cannot send IO requests. So no memory
barrier is needed in md_stop()This has been a bug since commit 409c57f3801 in 2.6.30 which
introduced md_make_request. Before then, each personality would
register its own make_request_fn when it was ready.
This is suitable for any stable kernel from 2.6.30.y onwards.Signed-off-by: NeilBrown
Reported-by: "Hawrylewicz Czarnowski, Przemyslaw"
Signed-off-by: Greg Kroah-Hartman -
commit 6c9879101442b08581e8a0e3ae6b7f643a78fd63 upstream.
commit 589a594be1fb (2.6.37-rc4) fixed a problem were md_thread would
sometimes call the ->run function at a bad time.If an error is detected during array start up after the md_thread has
been started, the md_thread is killed. This resulted in the ->run
function being called once. However the array may not be in a state
that it is safe to call ->run.However the fix imposed meant that ->run was not called on a timeout.
This means that when an array goes idle, bitmap bits do not get
cleared promptly. While the array is busy the bits will still be
cleared when appropriate so this is not very serious. There is no
risk to data.Change the test so that we only avoid calling ->run when the thread
is being stopped. This more explicitly addresses the problem situation.This is suitable for 2.6.37-stable and any -stable kernel to which
589a594be1fb was applied.Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman -
commit bf572541ab44240163eaa2d486b06f306a31d45a upstream.
Commit 1a855a0606 (2.6.37-rc4) fixed a problem where devices were
re-added when they shouldn't be but caused a regression in a less
common case that means sometimes devices cannot be re-added when they
should be.In particular, when re-adding a device to an array without metadata
we should always access the device, but after the above commit we
didn't.This patch sets the In_sync flag in that case so that the re-add
succeeds.This patch is suitable for any -stable kernel to which 1a855a0606 was
applied.Signed-off-by: NeilBrown
Signed-off-by: Greg Kroah-Hartman -
commit 6dc19899958e420a931274b94019e267e2396d3e upstream.
I noticed a failure where we hit the following WARN_ON in
generic_smp_call_function_interrupt:if (!cpumask_test_and_clear_cpu(cpu, data->cpumask))
continue;data->csd.func(data->csd.info);
refs = atomic_dec_return(&data->refs);
WARN_ON(refs < 0); cpumask sees and
clears bit in cpumask
might be using old or new fn!
decrements refs below 0set data->refs (too late!)
The important thing to note is since the interrupt handler walks a
potentially stale call_function.queue without any locking, then another
cpu can view the percpu *data structure at any time, even when the owner
is in the process of initialising it.The following test case hits the WARN_ON 100% of the time on my PowerPC
box (having 128 threads does help :)#include
#include#define ITERATIONS 100
static void do_nothing_ipi(void *dummy)
{
}static void do_ipis(struct work_struct *dummy)
{
int i;for (i = 0; i < ITERATIONS; i++)
smp_call_function(do_nothing_ipi, NULL, 1);printk(KERN_DEBUG "cpu %d finished\n", smp_processor_id());
}static struct work_struct work[NR_CPUS];
static int __init testcase_init(void)
{
int cpu;for_each_online_cpu(cpu) {
INIT_WORK(&work[cpu], do_ipis);
schedule_work_on(cpu, &work[cpu]);
}return 0;
}static void __exit testcase_exit(void)
{
}module_init(testcase_init)
module_exit(testcase_exit)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Anton Blanchard");I tried to fix it by ordering the read and the write of ->cpumask and
->refs. In doing so I missed a critical case but Paul McKenney was able
to spot my bug thankfully :) To ensure we arent viewing previous
iterations the interrupt handler needs to read ->refs then ->cpumask then
->refs _again_.Thanks to Milton Miller and Paul McKenney for helping to debug this issue.
[miltonm@bga.com: add WARN_ON and BUG_ON, remove extra read of refs before initial read of mask that doesn't help (also noted by Peter Zijlstra), adjust comments, hopefully clarify scenario ]
[miltonm@bga.com: remove excess tests]
Signed-off-by: Anton Blanchard
Signed-off-by: Milton Miller
Cc: Ingo Molnar
Cc: "Paul E. McKenney"
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
