Trond Myklebust [Tue, 3 Mar 2015 04:32:08 +0000 (23:32 -0500)]
NFS: Fix a regression in the read() syscall
When invalidating the page cache for a regular file, we want to first
sync all dirty data to disk and then call invalidate_inode_pages2().
The latter relies on nfs_launder_page() and nfs_release_page() to deal
respectively with dirty pages, and unstable written pages.
When commit 9590544694bec ("NFS: avoid deadlocks with loop-back mounted
NFS filesystems.") changed the behaviour of nfs_release_page(), then it
made it possible for invalidate_inode_pages2() to fail with an EBUSY.
Unfortunately, that error is then propagated back to read().
Let's therefore work around the problem for now by protecting the call
to sync the data and invalidate_inode_pages2() so that they are atomic
w.r.t. the addition of new writes.
Later on, we can revisit whether or not we still need nfs_launder_page()
and nfs_release_page().
Daniel Vetter [Tue, 3 Mar 2015 16:31:21 +0000 (17:31 +0100)]
drm/i915: Fix modeset state confusion in the load detect code
This is a tricky story of the new atomic state handling and the legacy
code fighting over each another. The bug at hand is an underrun of the
framebuffer reference with subsequent hilarity caused by the load
detect code. Which is peculiar since the the exact same code works
fine as the implementation of the legacy setcrtc ioctl.
Let's look at the ingredients:
- Currently our code is a crazy mix of legacy modeset interfaces to
set the parameters and half-baked atomic state tracking underneath.
While this transition is going we're using the transitional plane
helpers to update the atomic side (drm_plane_helper_disable/update
and friends), i.e. plane->state->fb. Since the state structure owns
the fb those functions take care of that themselves.
The legacy state (specifically crtc->primary->fb) is still managed
by the old code (and mostly by the drm core), with the fb reference
counting done by callers (core drm for the ioctl or the i915 load
detect code). The relevant commit is
- drm_plane_helper_disable has special code to handle multiple calls
in a row - it checks plane->crtc == NULL and bails out. This is to
match the proper atomic implementation which needs the crtc to get
at the implied locking context atomic updates always need. See
- The universal plane code split out the implicit primary plane from
the CRTC into it's own full-blown drm_plane object. As part of that
the setcrtc ioctl (which updated both the crtc mode and primary
plane) learned to set crtc->primary->crtc on modeset to make sure
the plane->crtc assignments statate up to date in
Unfortunately we've forgotten to update the load detect code. Which
wasn't a problem since the load detect modeset is temporary and
always undone before we drop the locks.
- Finally there is a organically grown history (i.e. don't ask) around
who sets the legacy plane->fb for the various driver entry points.
Originally updating that was the drivers duty, but for almost all
places we've moved that (plus updating the refcounts) into the core.
Again the exception is the load detect code.
Taking all together the following happens:
- The load detect code doesn't set crtc->primary->crtc. This is only
really an issue on crtcs never before used or when userspace
explicitly disabled the primary plane.
- The plane helper glue code short-circuits because of that and leaves
a non-NULL fb behind in plane->state->fb and plane->fb. The state
fb isn't a real problem (it's properly refcounted on its own), it's
just the canary.
- Load detect code drops the reference for that fb, but doesn't set
plane->fb = NULL. This is ok since it's still living in that old
world where drivers had to clear the pointer but the core/callers
handled the refcounting.
- On the next modeset the drm core notices plane->fb and takes care of
refcounting it properly by doing another unref. This drops the
refcount to zero, leaving state->plane now pointing at freed memory.
- intel_plane_duplicate_state still assume it owns a reference to that
very state->fb and bad things start to happen.
Fix this all by applying the same duct-tape as for the legacy setcrtc
ioctl code and set crtc->primary->crtc properly.
Sifan Naeem [Mon, 2 Mar 2015 16:06:46 +0000 (16:06 +0000)]
spi: img-spfi: Verify max spfi transfer length
Maximum transfer length supported by SPFI is 65535, this is limited
by the number of bits available in SPFI TSize register to represent
the transfer size.
For transfer requests larger than the maximum supported the driver
will return an invalid argument error.
Jean Delvare [Mon, 23 Feb 2015 09:05:21 +0000 (10:05 +0100)]
iommu/io-pgtable-arm: Add built time dependency
If io-pgtable-arm is an ARM-specific driver then configuration option
IOMMU_IO_PGTABLE_LPAE should not be presented to the user by default
for non-ARM kernels.
Dave Airlie [Tue, 3 Mar 2015 09:57:41 +0000 (19:57 +1000)]
Merge tag 'imx-drm-fixes-2015-02-24' of git://git.pengutronix.de/git/pza/linux into drm-fixes
imx-drm fixes for mode fixup, dw_hdmi/imx, and parallel-display
- A clock fix for too large pixel clocks depending on the
DI clock flag simplification patch
- Pruning of unsupported modes and a missing end of array element
for dw_hdmi-imx
- LVDS modeset fix for mode fixup
- Fix parallel-display deferred probing if drm_panel is used
* tag 'imx-drm-fixes-2015-02-24' of git://git.pengutronix.de/git/pza/linux:
DRM: i.MX: parallel display: Support probe deferral for finding DRM panel
drm/imx: imx-ldb: enable DI clock in encoder_mode_set
drm/imx: dw_hdmi-imx: add end of array element to current control array
drm/imx: dw_hdmi-imx: add mode_valid callback prune unsupported modes
gpu: ipu-v3: do not divide by zero if the pixel clock is too large
Tyler Hicks [Wed, 25 Feb 2015 01:28:10 +0000 (19:28 -0600)]
eCryptfs: don't pass fs-specific ioctl commands through
eCryptfs can't be aware of what to expect when after passing an
arbitrary ioctl command through to the lower filesystem. The ioctl
command may trigger an action in the lower filesystem that is
incompatible with eCryptfs.
One specific example is when one attempts to use the Btrfs clone
ioctl command when the source file is in the Btrfs filesystem that
eCryptfs is mounted on top of and the destination fd is from a new file
created in the eCryptfs mount. The ioctl syscall incorrectly returns
success because the command is passed down to Btrfs which thinks that it
was able to do the clone operation. However, the result is an empty
eCryptfs file.
This patch allows the trim, {g,s}etflags, and {g,s}etversion ioctl
commands through and then copies up the inode metadata from the lower
inode to the eCryptfs inode to catch any changes made to the lower
inode's metadata. Those five ioctl commands are mostly common across all
filesystems but the whitelist may need to be further pruned in the
future.
Max Mansfield [Tue, 3 Mar 2015 01:38:02 +0000 (18:38 -0700)]
usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards
This patch integrates Cyber Cortex AV boards with the existing
ftdi_jtag_quirk in order to use serial port 0 with JTAG which is
required by the manufacturers' software.
Steps: 2
[ftdi_sio_ids.h]
1. Defined the device PID
[ftdi_sio.c]
2. Added a macro declaration to the ids array, in order to enable the
jtag quirk for the device.
Michal Kubeček [Mon, 2 Mar 2015 17:27:11 +0000 (18:27 +0100)]
udp: only allow UFO for packets from SOCK_DGRAM sockets
If an over-MTU UDP datagram is sent through a SOCK_RAW socket to a
UFO-capable device, ip_ufo_append_data() sets skb->ip_summed to
CHECKSUM_PARTIAL unconditionally as all GSO code assumes transport layer
checksum is to be computed on segmentation. However, in this case,
skb->csum_start and skb->csum_offset are never set as raw socket
transmit path bypasses udp_send_skb() where they are usually set. As a
result, driver may access invalid memory when trying to calculate the
checksum and store the result (as observed in virtio_net driver).
Moreover, the very idea of modifying the userspace provided UDP header
is IMHO against raw socket semantics (I wasn't able to find a document
clearly stating this or the opposite, though). And while allowing
CHECKSUM_NONE in the UFO case would be more efficient, it would be a bit
too intrusive change just to handle a corner case like this. Therefore
disallowing UFO for packets from SOCK_DGRAM seems to be the best option.
Ben Hutchings [Tue, 3 Mar 2015 00:53:08 +0000 (00:53 +0000)]
sh_eth: Really fix padding of short frames on TX
My previous fix to clear padding of short frames used skb->len as the
DMA length, assuming that skb_padto() extended skb->len to include the
padding. That isn't the case; we need to use skb_put_padto() instead.
(This wasn't immediately obvious because software padding isn't
actually needed on the R-Car H2. We could make it conditional on
which chip is being driven, but it's probably not worth the effort.)
Reported-by: "Violeta Menéndez González" <[email protected]> Fixes: 612a17a54b50 ("sh_eth: Fix padding of short frames on TX") Signed-off-by: Ben Hutchings <[email protected]> Signed-off-by: David S. Miller <[email protected]>
The hardware manual states that the frame error and multicast bits are
copied to bits 9:0 of RD0, not bits 25:16. I've tested that this is
true for RFS1 (CRC error), RFS3 (frame too short), RFS4 (frame too
long) and RFS8 (multicast).
Ben Hutchings [Tue, 3 Mar 2015 00:52:08 +0000 (00:52 +0000)]
sh_eth: Fix RX recovery on R-Car in case of RX ring underrun
In case of RX ring underrun (RDE), we attempt to reset the software
descriptor pointers (dirty_rx and cur_rx) to match where the hardware
will read the next descriptor from, as that might not be the first
dirty descriptor. This relies on reading RDFAR, but that register
doesn't exist on all supported chips - specifically, not on the R-Car
chips. This will result in unpredictable behaviour on those chips
after an RDE.
Make this pointer reset conditional and assume that it isn't needed on
the R-Car chips. This fix also assumes that RDFAR is never exposed at
offset 0 in the memory map - this is currently true, and a subsequent
commit will fix the ambiguity between offset 0 and no-offset in the
register offset maps.
Fixes: 79fba9f51755 ("net: sh_eth: fix the rxdesc pointer when rx ...") Signed-off-by: Ben Hutchings <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Arnd Bergmann [Thu, 26 Feb 2015 01:26:58 +0000 (17:26 -0800)]
Input: sun4i-ts - add thermal driver dependency
The sun4i-ts driver has had a dependency on the thermal code
with the addition of the thermal zone sensor support, but this
is not currently enforced in Kconfig, so with TOUCHSCREEN_SUN4I=y,
THERMAL=m and THERMAL_OF=y we get
drivers/built-in.o: In function `sun4i_ts_remove':
:(.text+0x2376f4): undefined reference to `thermal_zone_of_sensor_unregister'
drivers/built-in.o: In function `sun4i_ts_probe':
:(.text+0x237a94): undefined reference to `thermal_zone_of_sensor_register'
:(.text+0x237c00): undefined reference to `thermal_zone_of_sensor_unregister'
We need the dependency on THERMAL in order to ensure that this
driver becomes a loadable module if the thermal support itself
is modular, while the dependency on THERMAL_OF is a runtime
dependency and the driver will still build if it is missing.
It is entirely possible to build sun4i-ts without THERMAL_OF
just to use the hwmon sensors and/or touchscreen.
Trond Myklebust [Thu, 26 Feb 2015 19:05:05 +0000 (14:05 -0500)]
NFSv4: Ensure we skip delegations that are already being returned
In nfs_client_return_marked_delegations() and nfs_delegation_reap_unclaimed()
we want to optimise the loop traversal by skipping delegations that are
already in the process of being returned.
Anna Schumaker [Mon, 2 Mar 2015 21:46:09 +0000 (16:46 -0500)]
NFS: Fix stateid used for NFS v4 closes
After 566fcec60 the client uses the "current stateid" from the
nfs4_state structure to close a file. This could potentially contain a
delegation stateid, which is disallowed by the protocol and causes
servers to return NFS4ERR_BAD_STATEID. This patch restores the
(correct) behavior of sending the open stateid to close a file.
Reported-by: Olga Kornievskaia <[email protected]> Fixes: 566fcec60 (NFSv4: Fix an atomicity problem in CLOSE) Signed-off-by: Anna Schumaker <[email protected]> Signed-off-by: Trond Myklebust <[email protected]>
James Hogan [Tue, 24 Feb 2015 11:46:20 +0000 (11:46 +0000)]
KVM: MIPS: Fix trace event to save PC directly
Currently the guest exit trace event saves the VCPU pointer to the
structure, and the guest PC is retrieved by dereferencing it when the
event is printed rather than directly from the trace record. This isn't
safe as the printing may occur long afterwards, after the PC has changed
and potentially after the VCPU has been freed. Usually this results in
the same (wrong) PC being printed for multiple trace events. It also
isn't portable as userland has no way to access the VCPU data structure
when interpreting the trace record itself.
Lets save the actual PC in the structure so that the correct value is
accessible later.
Linus Torvalds [Mon, 2 Mar 2015 22:13:39 +0000 (14:13 -0800)]
Merge tag 'gpio-v4.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Two GPIO fixes:
- Fix a translation problem in of_get_named_gpiod_flags()
- Fix a long standing container_of() mistake in the TPS65912 driver"
* tag 'gpio-v4.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: tps65912: fix wrong container_of arguments
gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node
Linus Torvalds [Mon, 2 Mar 2015 22:08:10 +0000 (14:08 -0800)]
Merge branch 'fixes-for-4.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal management fixes from Eduardo Valentin:
"Specifics:
- Several fixes in tmon tool.
- Fixes in intel int340x for _ART and _TRT tables.
- Add id for Avoton SoC into powerclamp driver.
- Fixes in RCAR thermal driver to remove race conditions and fix fail
path
- Fixes in TI thermal driver: removal of unnecessary code and build
fix if !CONFIG_PM_SLEEP
- Cleanups in exynos thermal driver
- Add stubs for include/linux/thermal.h. Now drivers using thermal
calls but that also work without CONFIG_THERMAL will be able to
compile for systems that don't care about thermal.
Note: I am sending this pull on Rui's behalf while he fixes issues in
his Linux box"
* 'fixes-for-4.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
thermal: int340x_thermal: Ignore missing _ART, _TRT tables
thermal/intel_powerclamp: add id for Avoton SoC
tools/thermal: tmon: silence 'set but not used' warnings
tools/thermal: tmon: use pkg-config to determine library dependencies
tools/thermal: tmon: support cross-compiling
tools/thermal: tmon: add .gitignore
tools/thermal: tmon: fixup tui windowing calculations
tools/thermal: tmon: tui: don't hard-code dialog window size assumptions
tools/thermal: tmon: add min/max macros
tools/thermal: tmon: add --target-temp parameter
thermal: exynos: Clean-up code to use oneline entry for exynos compatible table
thermal: rcar: Make error and remove paths symmetrical with init
thermal: rcar: Fix race condition between init and interrupt
thermal: Introduce dummy functions when thermal is not defined
ti-soc-thermal: Delete an unnecessary check before the function call "cpufreq_cooling_unregister"
thermal: ti-soc-thermal: bandgap: Fix build warning if !CONFIG_PM_SLEEP
Filipe Manana [Sat, 28 Feb 2015 22:29:22 +0000 (22:29 +0000)]
Btrfs: incremental send, don't rename a directory too soon
There's one more case where we can't issue a rename operation for a
directory as soon as we process it. We used to delay directory renames
only if they have some ancestor directory with a higher inode number
that got renamed too, but there's another case where we need to delay
the rename too - when a directory A is renamed to the old name of a
directory B but that directory B has its rename delayed because it
has now (in the send root) an ancestor with a higher inode number that
was renamed. If we don't delay the directory rename in this case, the
receiving end of the send stream will attempt to rename A to the old
name of B before B got renamed to its new name, which results in a
"directory not empty" error. So fix this by delaying directory renames
for this case too.
Filipe Manana [Mon, 23 Feb 2015 19:50:49 +0000 (19:50 +0000)]
Btrfs: do not ignore errors from btrfs_lookup_xattr in do_setxattr
The return value from btrfs_lookup_xattr() can be a pointer encoding an
error, therefore deal with it. This fixes commit 5f5bc6b1e2d5
("Btrfs: make xattr replace operations atomic").
Filipe Manana [Mon, 23 Feb 2015 19:48:52 +0000 (19:48 +0000)]
Btrfs: fix off-by-one logic error in btrfs_realloc_node
The end_slot variable actually matches the number of pointers in the
node and not the last slot (which is 'nritems - 1'). Therefore in order
to check that the current slot in the for loop doesn't match the last
one, the correct logic is to check if 'i' is less than 'end_slot - 1'
and not 'end_slot - 2'.
Fix this and set end_slot to be 'nritems - 1', as it's less confusing
since the variable name implies it's inclusive rather then exclusive.
Filipe Manana [Sun, 15 Feb 2015 22:38:54 +0000 (22:38 +0000)]
Btrfs: add missing inode update when punching hole
When punching a file hole if we endup only zeroing parts of a page,
because the start offset isn't a multiple of the sector size or the
start offset and length fall within the same page, we were not updating
the inode item. This prevented an fsync from doing anything, if no other
file changes happened in the current transaction, because the fields
in btrfs_inode used to check if the inode needs to be fsync'ed weren't
updated.
This issue is easy to reproduce and the following excerpt from the
xfstest case I made shows how to trigger it:
# Fsync the file, this makes btrfs update some btrfs inode specific fields
# that are used to track if the inode needs to be written/updated to the fsync
# log or not. After this fsync, the new values for those fields indicate that
# a subsequent fsync does not need to touch the fsync log.
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
# Force a commit of the current transaction. After this point, any operation
# that modifies the data or metadata of our file, should update those fields in
# the btrfs inode with values that make the next fsync operation write to the
# fsync log.
sync
# Punch a hole in our file. This small range affects only 1 page.
# This made the btrfs hole punching implementation write only some zeroes in
# one page, but it did not update the btrfs inode fields used to determine if
# the next fsync needs to write to the fsync log.
$XFS_IO_PROG -c "fpunch 8000 4K" $SCRATCH_MNT/foo
# Another variation of the previously mentioned case.
$XFS_IO_PROG -c "fpunch 15000 100" $SCRATCH_MNT/foo
# Now fsync the file. This was a no-operation because the previous hole punch
# operation didn't update the inode's fields mentioned before, so they remained
# with the values they had after the first fsync - that is, they indicate that
# it is not needed to write to fsync log.
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
echo "File content before:"
od -t x1 $SCRATCH_MNT/foo
# Simulate a crash/power loss.
_load_flakey_table $FLAKEY_DROP_WRITES
_unmount_flakey
# Enable writes and mount the fs. This makes the fsync log replay code run.
_load_flakey_table $FLAKEY_ALLOW_WRITES
_mount_flakey
# Because the last fsync didn't do anything, here the file content matched what
# it was after the first fsync, before the holes were punched, and not what it
# was after the holes were punched.
echo "File content after:"
od -t x1 $SCRATCH_MNT/foo
This issue has been around since 2012, when the punch hole implementation
was added, commit 2aaa66558172 ("Btrfs: add hole punching").
Josef Bacik [Thu, 12 Feb 2015 14:43:51 +0000 (09:43 -0500)]
Btrfs: abort the transaction if we fail to update the free space cache inode
Our gluster boxes were hitting a problem where they'd run out of space when
updating the block group cache and therefore wouldn't be able to update the free
space inode. This is a problem because this is how we invalidate the cache and
protect ourselves from errors further down the stack, so if this fails we have
to abort the transaction so we make sure we don't end up with stale free space
cache. Thanks,
Filipe Manana [Mon, 9 Feb 2015 17:17:43 +0000 (17:17 +0000)]
Btrfs: fix fsync race leading to ordered extent memory leaks
We can have multiple fsync operations against the same file during the
same transaction and they can collect the same ordered extents while they
don't complete (still accessible from the inode's ordered tree). If this
happens, those ordered extents will never get their reference counts
decremented to 0, leading to memory leaks and inode leaks (an iput for an
ordered extent's inode is scheduled only when the ordered extent's refcount
drops to 0). The following sequence diagram explains this race:
mutex_lock(inode->i_mutex)
btrfs_sync_log()
btrfs_wait_logged_extents()
--> list_del_init(&ordered->log_list)
btrfs_log_inode()
btrfs_get_logged_extents()
--> Adds ordered extent X
to logged_list because
at this point:
list_empty(&ordered->log_list)
&& test_bit(BTRFS_ORDERED_LOGGED,
&ordered->flags) == 0
--> Increments ordered extent
X's refcount
--> check if ordered extent's io is
finished or not, start it if
necessary and wait for it to finish
--> sets bit BTRFS_ORDERED_LOGGED
on ordered extent X's flags
and adds it to trans->ordered
btrfs_sync_log() finishes
btrfs_sync_log()
btrfs_wait_logged_extents()
--> Sees ordered extent X has the
bit BTRFS_ORDERED_LOGGED set in
its flags
--> X's refcount is untouched
btrfs_sync_log() finishes
btrfs_sync_file() finishes
btrfs_commit_transaction()
--> called by transaction kthread for e.g.
btrfs_wait_pending_ordered()
--> waits for ordered extent X to
complete
--> decrements ordered extent X's
refcount by 1 only, corresponding
to the increment done by the fsync
task ran by CPU 1
In the scenario of the above diagram, after the transaction commit,
the ordered extent will remain with a refcount of 1 forever, leaking
the ordered extent structure and preventing the i_count of its inode
from ever decreasing to 0, since the delayed iput is scheduled only
when the ordered extent's refcount drops to 0, preventing the inode
from ever being evicted by the VFS.
Fix this by using the flag BTRFS_ORDERED_LOGGED differently. Use it to
mean that an ordered extent is already being processed by an fsync call,
which will attach it to the current transaction, preventing it from being
collected by subsequent fsync operations against the same inode.
This race was introduced with the following change (added in 3.19 and
backported to stable 3.18 and 3.17):
In commit b4eef9b36db4, we started to use hwapic_isr_update() != NULL
instead of kvm_apic_vid_enabled(vcpu->kvm). This didn't work because
SVM had it defined and "apicv" path in apic_{set,clear}_isr() does not
change apic->isr_count, because it should always be 1. The initial
value of apic->isr_count was based on kvm_apic_vid_enabled(vcpu->kvm),
which is always 0 for SVM, so KVM could have injected interrupts when it
shouldn't.
Fix it by implicitly setting SVM's hwapic_isr_update to NULL and make the
initial isr_count depend on hwapic_isr_update() for good measure.
Fixes: b4eef9b36db4 ("kvm: x86: vmx: NULL out hwapic_isr_update() in case of !enable_apicv") Reported-and-tested-by: Borislav Petkov <[email protected]> Signed-off-by: Radim Krčmář <[email protected]> Signed-off-by: Marcelo Tosatti <[email protected]>
Linus Torvalds [Mon, 2 Mar 2015 22:03:27 +0000 (14:03 -0800)]
Merge tag 'md/4.0-fixes' of git://neil.brown.name/md
Pull md fixes from Neil Brown:
"Three md fixes:
- fix a read-balance problem that was reported 2 years ago, but that
I never noticed the report :-(
- fix for rare RAID6 problem causing incorrect bitmap updates when
two devices fail.
- add __ATTR_PREALLOC annotation now that it is possible"
* tag 'md/4.0-fixes' of git://neil.brown.name/md:
md: mark some attributes as pre-alloc
raid5: check faulty flag for array status during recovery.
md/raid1: fix read balance when a drive is write-mostly.
Linus Torvalds [Mon, 2 Mar 2015 22:02:17 +0000 (14:02 -0800)]
Merge tag 'metag-fixes-v4.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag
Pull arch/metag fix from James Hogan:
"This is just a single patch to fix the KSTK_EIP() and KSTK_ESP()
macros for metag which have always been erronously returning the PC
and stack pointer of the task's kernel context rather than from its
user context saved at entry from userland into the kernel, which
affects the contents of /proc/<pid>/maps and /proc/<pid>/stat"
* tag 'metag-fixes-v4.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag:
metag: Fix KSTK_EIP() and KSTK_ESP() macros
Input: cyapa - remove superfluous type check in cyapa_gen5_read_idac_data()
drivers/input/mouse/cyapa_gen5.c: In function ‘cyapa_gen5_read_idac_data’:
drivers/input/mouse/cyapa_gen5.c:1876: warning: ‘max_element_cnt’ may be used uninitialized in this function
drivers/input/mouse/cyapa_gen5.c:1873: warning: ‘offset’ may be used uninitialized in this function
If *data_size is non-zero, and idac_data_type contains an unknown type,
max_element_cnt and offset will be uninitialized, and the loop will
process non-existing data.
However, this cannot happen (for now), as there's a test for unknown
types at the top of cyapa_gen5_read_idac_data().
As no "if ... else if ..." is used in other places, remove the
superfluous "if" to silence the compiler warning.
Use asm/unaligned.h instead of linux/unaligned/access_ok.h header file to
fix compiling issues such as following while doing cross platform
compiling:
"include/linux/unaligned/access_ok.h:7:19: error: redefinition of
'get_unaligned_le16'
...
include/linux/unaligned/le_struct.h:6:19: note: previous definition of
'get_unaligned_le16' was here".
Ido Shamay [Mon, 2 Mar 2015 16:22:16 +0000 (18:22 +0200)]
net/mlx4_en: Disbale GRO for incoming loopback/selftest packets
Packets which are sent from the selftest (ethtool) flow,
should not be passed to GRO stack but rather dropped by
the driver after validation. To achieve that, we disable
GRO for the duration of the selftest.
Or Gerlitz [Mon, 2 Mar 2015 16:22:15 +0000 (18:22 +0200)]
net/mlx4_core: Fix wrong mask and error flow for the update-qp command
The bit mask for currently supported driver features (MLX4_UPDATE_QP_SUPPORTED_ATTRS)
of the update-qp command was defined twice (using enum value and pre-processor
define directive) and wrong.
The return value of the call to mlx4_update_qp() from within the SRIOV
resource-tracker was wrongly voided down.
Fix both issues.
issue: none Fixes: 09e05c3f78e9 ('net/mlx4: Set vlan stripping policy by the right command') Fixes: ce8d9e0d6746 ('net/mlx4_core: Add UPDATE_QP SRIOV wrapper support') Signed-off-by: Matan Barak <[email protected]> Signed-off-by: Or Gerlitz <[email protected]> Signed-off-by: David S. Miller <[email protected]>
s390/mm: fix incorrect ASCE after crst_table_downgrade
The switch_mm function does nothing in case the prev and next mm
are the same. It can happen that a crst_table_downgrade has changed
the top-level pgd in the meantime on a different CPU. Always store
the new ASCE to be picked up in entry.S.
[[email protected]]: Bug was introduced with git commit 53e857f30867 ("s390/mm,tlb: race of lazy TLB flush vs. recreation
of TLB entries") and causes random crashes due to broken page tables
being used.
Heiko Carstens [Sat, 28 Feb 2015 10:35:26 +0000 (11:35 +0100)]
s390/ftrace: fix crashes when switching tracers / add notrace to cpu_relax()
With git commit 4d92f50249eb ("s390: reintroduce diag 44 calls for
cpu_relax()") I reintroduced a non-trivial cpu_relax() variant on s390.
The difference to the previous variant however is that the new version is
an out-of-line function, which will be traced if function tracing is enabled.
Switching to different tracers includes instruction patching. Therefore this
is done within stop_machine() "context" to prevent that any function tracing
is going on while instructions are being patched.
With the new out-of-line variant of cpu_relax() this is not true anymore,
since cpu_relax() gets called in a busy loop by all waiting cpus within
stop_machine() until function patching is finished.
Therefore cpu_relax() must be marked notrace.
This fixes kernel crashes when frequently switching between "function" and
"function_graph" tracers.
Moving cpu_relax() to a header file again, doesn't work because of header
include order dependencies.
Martin Hicks [Thu, 19 Feb 2015 20:05:47 +0000 (15:05 -0500)]
sata-fsl: Apply link speed limits
The driver was ignoring limits requested by libata.force. The output
would look like:
fsl-sata ffe18000.sata: Sata FSL Platform/CSB Driver init
ata1: FORCE: PHY spd limit set to 1.5Gbps
ata1: SATA max UDMA/133 irq 74
ata1: Signature Update detected @ 0 msecs
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 310)
Jason Low [Fri, 13 Feb 2015 03:58:07 +0000 (11:58 +0800)]
cpuset: Fix cpuset sched_relax_domain_level
The cpuset.sched_relax_domain_level can control how far we do
immediate load balancing on a system. However, it was found on recent
kernels that echo'ing a value into cpuset.sched_relax_domain_level
did not reduce any immediate load balancing.
The reason this occurred was because the update_domain_attr_tree() traversal
did not update for the "top_cpuset". This resulted in nothing being changed
when modifying the sched_relax_domain_level parameter.
This patch is able to address that problem by having update_domain_attr_tree()
allow updates for the root in the cpuset traversal.
dmaengine: shdma: Move DMA stop to (runtime) suspend callbacks
During system reboot, the sh-dma-engine device may be runtime-suspended,
causing a crash:
Unhandled fault: imprecise external abort (0x1406) at 0x0002c02c
Internal error: : 1406 [#1] SMP ARM
...
PC is at sh_dmae_ctl_stop+0x28/0x64
LR is at sh_dmae_ctl_stop+0x24/0x64
If the sh-dma-engine is runtime-suspended, its module clock is turned
off, and its registers cannot be accessed.
To fix this, move the call to sh_dmae_ctl_stop(), which touches the
DMAOR register, to the sh_dmae_suspend() and sh_dmae_runtime_suspend()
callbacks. This makes PM operations more symmetric, as both
sh_dmae_resume() and sh_dmae_runtime_resume() already call sh_dmae_rst()
to re-initialize the DMAOR register.
Mark Brown [Tue, 17 Feb 2015 02:36:58 +0000 (11:36 +0900)]
of/overlay: Directly include idr.h
The overlay code uses IDRs but does not explicitly include the header
providing the interface, instead relying on an implicit inclusion. Make
the dependency explicit to avoid potential future build issues if the
implicit inclusion goes away.
Lukasz Majewski [Tue, 24 Feb 2015 15:31:28 +0000 (16:31 +0100)]
MAINTAINERS: Add entry for SAMSUNG THERMAL DRIVER
This patch adds entry for SAMSUNG THERMAL DRIVER in the MAINTAINERS file.
It has been agreed, that pull request are going to be sent to Eduardo
Valentin.
Lukasz Majewski [Thu, 5 Feb 2015 15:45:06 +0000 (16:45 +0100)]
cpufreq: exynos: Use simple approach to asses if cpu cooling can be used
Commit: e725d26c4857e5e41975b5e74e64ce6ab09a7121 provided possibility to
use device tree to asses if cpu can be used as cooling device. Since the
code was somewhat awkward, simpler approach has been proposed.
Chanwoo Choi [Tue, 24 Feb 2015 04:56:54 +0000 (13:56 +0900)]
thermal: exynos: Fix wrong control of power down detection mode for Exynos7
This patch fixes the wrong control of PD_DET_EN (power down detection mode)
for Exynos7 because exynos7_tmu_control() always enables the power down detection
mode regardless 'on' parameter.
Nicolas PLANEL [Sun, 1 Mar 2015 18:47:22 +0000 (13:47 -0500)]
USB: ch341: set tty baud speed according to tty struct
The ch341_set_baudrate() function initialize the device baud speed
according to the value on priv->baud_rate. By default the ch341_open() set
it to a hardcoded value (DEFAULT_BAUD_RATE 9600). Unfortunately, the
tty_struct is not initialized with the same default value. (usually 56700)
This means that the tty_struct and the device baud rate generator are not
synchronized after opening the port.
Fixup is done by calling ch341_set_termios() if tty exist.
Remove unnecessary variable priv->baud_rate setup as it's already done by
ch341_port_probe().
Remove unnecessary call to ch341_set_{handshake,baudrate}() in
ch341_open() as there already called in ch341_configure() and
ch341_set_termios()
Trond Myklebust [Mon, 23 Feb 2015 23:51:32 +0000 (18:51 -0500)]
NFS: Don't require a filehandle to refresh the inode in nfs_prime_dcache()
If the server does not return a valid set of attributes that we can
use to either create a file or refresh the inode, then there is no
value in calling nfs_prime_dcache().
However if we're just refreshing the inode using the attributes that
the server returned, then it shouldn't matter whether or not we have
a filehandle, as long as we check the fsid+fileid combination.
Trond Myklebust [Mon, 23 Feb 2015 21:15:00 +0000 (16:15 -0500)]
NFSv3: Use the readdir fileid as the mounted-on-fileid
When we call readdirplus, set the fileid normally returned by readdir
as the mounted-on-fileid, since that is commonly the case if there is
a mountpoint. To ensure that we get it right, we only set the flag if
the readdir fileid differs from the one returned in the readdirplus
attributes.
This again means that we can avoid the issues described in commit 2ef47eb1aee17 ("NFS: Fix use of nfs_attr_use_mounted_on_fileid()"),
which only fixed NFSv4.
Trond Myklebust [Sun, 22 Feb 2015 21:35:36 +0000 (16:35 -0500)]
NFS: Don't invalidate a submounted dentry in nfs_prime_dcache()
If we're traversing a directory which contains a submounted filesystem,
or one that has a referral, the NFS server that is processing the READDIR
request will often return information for the underlying (mounted-on)
directory. It may, or may not, also return filehandle information.
If this happens, and the lookup in nfs_prime_dcache() returns the
dentry for the submounted directory, the filehandle comparison will
fail, and we call d_invalidate(). Post-commit 8ed936b5671bf
("vfs: Lazily remove mounts on unlinked files and directories."), this
means the entire subtree is unmounted.
The following minimal patch addresses this problem by punting on
the invalidation if there is a submount.
Kudos to Neil Brown <[email protected]> for having tracked down this
issue (see link).
Trond Myklebust [Thu, 26 Feb 2015 22:57:14 +0000 (17:57 -0500)]
NFS: Remove size hack in nfs_inode_attrs_need_update()
Prior to this patch, we used to always OK attribute updates that extended
the file size on the assumption that we might be performing writeback.
Now that we have attribute barriers to protect the writeback related updates,
we should remove this hack, as it can cause truncate() operations to
apparently be reverted if/when a readahead or getattr RPC call races
with our on-the-wire SETATTR.
Trond Myklebust [Thu, 26 Feb 2015 21:09:04 +0000 (16:09 -0500)]
NFS: Add attribute update barriers to nfs_setattr_update_inode()
Ensure that other operations which raced with our setattr RPC call
cannot revert the file attribute changes that were made on the server.
To do so, we artificially bump the attribute generation counter on
the inode so that all calls to nfs_fattr_init() that precede ours
will be dropped.
The motivation for the patch came from Chuck Lever's reports of readaheads
racing with truncate operations and causing the file size to be reverted.
Trond Myklebust [Sat, 28 Feb 2015 03:54:19 +0000 (22:54 -0500)]
NFS: Ensure that buffered writes wait for O_DIRECT writes to complete
The O_DIRECT code will grab the inode->i_mutex and flush out buffered
writes, before scheduling a read or a write. However there is no
equivalent in the buffered write code to wait for O_DIRECT to complete.
Fixes a reported issue in xfstests generic/133, when first performing an
O_DIRECT write followed by a buffered write.
Set the internal device state to to disabled after hardware reset in stop flow.
This will cover cases when driver was not brought to disabled state because of
an error and in stop flow we wish not to retry the reset.
Ian Abbott [Fri, 27 Feb 2015 16:04:42 +0000 (16:04 +0000)]
staging: comedi: adv_pci1710: fix AI INSN_READ for non-zero channel
Reading of analog input channels by the `INSN_READ` comedi instruction
is broken for all except channel 0. `pci171x_ai_insn_read()` calls
`pci171x_ai_read_sample()` with the wrong value for the third parameter.
It is supposed to be the current index in a channel list (which is
always of length 1 in this case, so the index should be 0), but instead
it is passing the actual channel number. `pci171x_ai_read_sample()`
checks the channel number encoded in the raw sample value read from the
hardware matches the channel number stored in the specified index of the
previously set up channel list and returns `-ENODATA` if it doesn't
match. Since the index should always be 0 in this case, the match will
fail unless the channel number is also 0. Fix it by passing 0 as the
channel index.
Note that when the bug first appeared, it was `pci171x_ai_dropout()`
that was called with the wrong parameter value. `pci171x_ai_dropout()`
got replaced with `pci171x_ai_read_sample()` in commit 7fd2dae2500d
("staging: comedi: adv_pci1710: introduce pci171x_ai_read_sample()").
Andrey Ryabinin [Fri, 27 Feb 2015 17:44:21 +0000 (20:44 +0300)]
android: binder: fix binder mmap failures
binder_update_page_range() initializes only addr and size
fields in 'struct vm_struct tmp_area;' and passes it to
map_vm_area().
Before 71394fe50146 ("mm: vmalloc: add flag preventing guard hole allocation")
this was because map_vm_area() didn't use any other fields
in vm_struct except addr and size.
Now get_vm_area_size() (used in map_vm_area()) reads vm_struct's
flags to determine whether vm area has guard hole or not.
binder_update_page_range() don't initialize flags field, so
this causes following binder mmap failures:
-----------[ cut here ]------------
WARNING: CPU: 0 PID: 1971 at mm/vmalloc.c:130
vmap_page_range_noflush+0x119/0x144()
CPU: 0 PID: 1971 Comm: healthd Not tainted 4.0.0-rc1-00399-g7da3fdc-dirty #157
Hardware name: ARM-Versatile Express
[<c001246d>] (unwind_backtrace) from [<c000f7f9>] (show_stack+0x11/0x14)
[<c000f7f9>] (show_stack) from [<c049a221>] (dump_stack+0x59/0x7c)
[<c049a221>] (dump_stack) from [<c001cf21>] (warn_slowpath_common+0x55/0x84)
[<c001cf21>] (warn_slowpath_common) from [<c001cfe3>]
(warn_slowpath_null+0x17/0x1c)
[<c001cfe3>] (warn_slowpath_null) from [<c00c66c5>]
(vmap_page_range_noflush+0x119/0x144)
[<c00c66c5>] (vmap_page_range_noflush) from [<c00c716b>] (map_vm_area+0x27/0x48)
[<c00c716b>] (map_vm_area) from [<c038ddaf>]
(binder_update_page_range+0x12f/0x27c)
[<c038ddaf>] (binder_update_page_range) from [<c038e857>]
(binder_mmap+0xbf/0x1ac)
[<c038e857>] (binder_mmap) from [<c00c2dc7>] (mmap_region+0x2eb/0x4d4)
[<c00c2dc7>] (mmap_region) from [<c00c3197>] (do_mmap_pgoff+0x1e7/0x250)
[<c00c3197>] (do_mmap_pgoff) from [<c00b35b5>] (vm_mmap_pgoff+0x45/0x60)
[<c00b35b5>] (vm_mmap_pgoff) from [<c00c1f39>] (SyS_mmap_pgoff+0x5d/0x80)
[<c00c1f39>] (SyS_mmap_pgoff) from [<c000ce81>] (ret_fast_syscall+0x1/0x5c)
---[ end trace 48c2c4b9a1349e54 ]---
binder: 1982: binder_alloc_buf failed to map page at f0e00000 in kernel
binder: binder_mmap: 1982 b6bde000-b6cdc000 alloc small buf failed -12
Use map_kernel_range_noflush() instead of map_vm_area() as this is better
API for binder's purposes and it allows to get rid of 'vm_struct tmp_area' at all.
Tero Kristo [Fri, 27 Feb 2015 13:59:26 +0000 (15:59 +0200)]
ARM: OMAP4+: PRM: fix omap4 version of prm_save_and_clear_irqen
This was incorrectly reading the irq status registers during the save
and clear, instead of the irq enable. This worked because there is only
one user for the prcm interrupts currently, namely the io-chain. Whenever
the function was called, an io-chain interrupt was both pending and
enabled.
Deasserting hardreset increases the usecount for the hwmod parent clockdomain
always, however usecount is only decreased at end in certain error cases.
This causes software supervised clockdomains to remain always on, preventing
idle. Fixed by always releasing the hwmods clockdomain parent when exiting
the function.
Linus Torvalds [Sun, 1 Mar 2015 20:22:44 +0000 (12:22 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
"A CR4-shadow 32-bit init fix, plus two typo fixes"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86: Init per-cpu shadow copy of CR4 on 32-bit CPUs too
x86/platform/intel-mid: Fix trivial printk message typo in intel_mid_arch_setup()
x86/cpu/intel: Fix trivial typo in intel_tlb_table[]
Linus Torvalds [Sun, 1 Mar 2015 19:56:13 +0000 (11:56 -0800)]
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
"Two kprobes fixes and a handful of tooling fixes"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf tools: Make sparc64 arch point to sparc
perf symbols: Define EM_AARCH64 for older OSes
perf top: Fix SIGBUS on sparc64
perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag
perf tools: Fix pthread_attr_setaffinity_np build error
perf tools: Define _GNU_SOURCE on pthread_attr_setaffinity_np feature check
perf bench: Fix order of arguments to memcpy_alloc_mem
kprobes/x86: Check for invalid ftrace location in __recover_probed_insn()
kprobes/x86: Use 5-byte NOP when the code might be modified by ftrace
David S. Miller [Sun, 1 Mar 2015 19:02:24 +0000 (14:02 -0500)]
Merge branch 'bcmgenet_systemport_stats'
Florian Fainelli says:
====================
net: bcmgenet and systemport statistics fixes
This two patches fix a similar problem in the GENET and SYSTEMPORT drivers
for software maintained statistics used to track DMA mapping and SKB
re-allocation failures.
====================
Commit 60b4ea1781fd ("net: systemport: log RX buffer allocation and RX/TX DMA
failures") added a few software maintained statistics using
BCM_SYSPORT_STAT_MIB_RX and BCM_SYSPORT_STAT_MIB_TX. These statistics are read
from the hardware MIB counters, such that bcm_sysport_update_mib_counters() was
trying to read from a non-existing MIB offset for these counters.
Fix this by introducing a special type: BCM_SYSPORT_STAT_SOFT, similar to
BCM_SYSPORT_STAT_NETDEV, such that bcm_sysport_get_ethtool_stats will read from
the software mib.
Fixes: 60b4ea1781fd ("net: systemport: log RX buffer allocation and RX/TX DMA failures") Signed-off-by: Florian Fainelli <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Commit 44c8bc3ce39f ("net: bcmgenet: log RX buffer allocation and RX/TX dma
failures") added a few software maintained statistics using
BCMGENET_STAT_MIB_RX and BCMGENET_STAT_MIB_TX. These statistics are read from
the hardware MIB counters, such that bcmgenet_update_mib_counters() was trying
to read from a non-existing MIB offset for these counters.
Fix this by introducing a special type: BCMGENET_STAT_SOFT, similar to
BCMGENET_STAT_NETDEV, such that bcmgenet_get_ethtool_stats will read from the
software mib.
Fixes: 44c8bc3ce39f ("net: bcmgenet: log RX buffer allocation and RX/TX dma failures") Signed-off-by: Florian Fainelli <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Arvid Brodin [Fri, 27 Feb 2015 20:26:03 +0000 (21:26 +0100)]
net/hsr: Fix NULL pointer dereference and refcnt bugs when deleting a HSR interface.
To repeat:
$ sudo ip link del hsr0
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffff8187f495>] hsr_del_port+0x15/0xa0
etc...
Bug description:
As part of the hsr master device destruction, hsr_del_port() is called for each of
the hsr ports. At each such call, the master device is updated regarding features
and mtu. When the master device is freed before the slave interfaces, master will
be NULL in hsr_del_port(), which led to a NULL pointer dereference.
Additionally, dev_put() was called on the master device itself in hsr_del_port(),
causing a refcnt error.
A third bug in the same code path was that the rtnl lock was not taken before
hsr_del_port() was called as part of hsr_dev_destroy().
The reporter (Nicolas Dichtel) also said: "hsr_netdev_notify() supposes that the
port will always be available when the notification is for an hsr interface. It's
wrong. For example, netdev_wait_allrefs() may resend NETDEV_UNREGISTER.". As a
precaution against this, a check for port == NULL was added in hsr_dev_notify().
Reported-by: Nicolas Dichtel <[email protected]> Fixes: 51f3c605318b056a ("net/hsr: Move slave init to hsr_slave.c.") Signed-off-by: Arvid Brodin <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Vaishali Thakkar [Fri, 27 Feb 2015 18:50:59 +0000 (00:20 +0530)]
net: pasemi: Use setup_timer and mod_timer
Use timer API functions setup_timer and mod_timer instead
of structure assignments as they are standard way to set
the timer and to update the expire field of an active timer
respectively.
This is done using Coccinelle and semantic patch used for
this is as follows:
Vaishali Thakkar [Fri, 27 Feb 2015 18:42:34 +0000 (00:12 +0530)]
net: stmmac: Use setup_timer and mod_timer
Use timer API functions setup_timer and mod_timer instead
of structure assignments as they are standard way to set
the timer and to update the expire field of an active timer
respectively.
This is done using Coccinelle and semantic patch used for
this is as follows:
Vaishali Thakkar [Fri, 27 Feb 2015 18:32:34 +0000 (00:02 +0530)]
net: 8390: axnet_cs: Use setup_timer and mod_timer
Use timer API functions setup_timer and mod_timer instead
of structure assignments as they are standard way to set
the timer and to update the expire field of an active timer
respectively.
This is done using Coccinelle and semantic patch used for
this is as follows:
Vaishali Thakkar [Fri, 27 Feb 2015 18:23:03 +0000 (23:53 +0530)]
net: 8390: pcnet_cs: Use setup_timer and mod_timer
Use timer API functions setup_timer and mod_timer instead
of structure assignments as they are standard way to set
the timer and to update the expire field of an active timer
respectively.
This is done using Coccinelle and semantic patch used for
this is as follows:
Vaishali Thakkar [Fri, 27 Feb 2015 18:10:24 +0000 (23:40 +0530)]
net: smc91c92_cs: Use setup_timer and mod_timer
Use timer API functions setup_timer and mod_timer instead
of structure assignments as they are standard way to set
the timer and to update the expire field of an active timer
respectively.
This is done using Coccinelle and semantic patch used for
this is as follows:
projects / linux.git / log