Commit Graph

349067 Commits

Author SHA1 Message Date
Thierry Reding 11c0ceec07 gpio: mvebu: Don't free chip label memory
The gpio_chip.label field is a const char * and assigned the value of a
call to dev_name(). Memory obtained from dev_name() should not be freed
by drivers.

Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-01-17 12:27:08 +01:00
Kukjin Kim 6948ce588b gpio: samsung: skip gpio lib registration for EXYNOS5440
Since exynos5440 can support pinctrl so skip the legacy
gpiolib registration. If not, happens following.

WARNING: at drivers/gpio/gpio-samsung.c:3102 samsung_gpiolib_init+0x68/0x8c()
Unknown SoC in gpio-samsung, no GPIOs added

Acked-by: Thomas Abraham <thomas.ab@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-01-17 11:53:54 +01:00
Jani Nikula b514407547 drm/i915: fix FORCEWAKE posting reads
We stopped reading FORCEWAKE for posting reads in

commit 8dee3eea3c
Author: Ben Widawsky <ben@bwidawsk.net>
Date:   Sat Sep 1 22:59:50 2012 -0700

    drm/i915: Never read FORCEWAKE

and started using something from the same cacheline instead. On the
bug reporter's machine this broke entering rc6 states after a
suspend/resume cycle. It turns out reading ECOBUS as posting read
worked fine, while GTFIFODBG did not, preventing RC6 states after
suspend/resume per the bug report referenced below. It's not entirely
clear why, but clearly GTFIFODBG was nowhere near the same cacheline
or address range as FORCEWAKE.

Trying out various registers for posting reads showed that all tested
registers for which NEEDS_FORCE_WAKE() (in i915_drv.c) returns true
work. Conversely, most (but not quite all) registers for which
NEEDS_FORCE_WAKE() returns false do not work. Details in the referenced
bug.

Based on the above, add posting reads on ECOBUS where GTFIFODBG was
previously relied on.

In true cargo cult spirit, add posting reads for FORCEWAKE_VLV writes as
well, but instead of ECOBUS, use FORCEWAKE_ACK_VLV which is in the same
address range as FORCEWAKE_VLV.

v2: Add more details to the commit message. No functional changes.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=52411
Reported-and-tested-by: Alexander Bersenev <bay@hackerdom.ru>
CC: Ben Widawsky <ben@bwidawsk.net>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
[danvet: add cc: stable and make the commit message a bit clearer that
this is a regression fix and what exactly broke.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-01-17 11:09:25 +01:00
Kukjin Kim dcb9c3491a gpio: samsung: silent build warning for EXYNOS5 SoCs
This patch fixes following warning:

drivers/gpio/gpio-samsung.c:450:32: warning: 'exynos_gpio_cfg' defined but not used [-Wunused-variable]
drivers/gpio/gpio-samsung.c:2450:33: warning: 'exynos5_gpios_1' defined but not used [-Wunused-variable]
drivers/gpio/gpio-samsung.c:2618:33: warning: 'exynos5_gpios_2' defined but not used [-Wunused-variable]
drivers/gpio/gpio-samsung.c:2679:33: warning: 'exynos5_gpios_3' defined but not used [-Wunused-variable]
drivers/gpio/gpio-samsung.c:2715:33: warning: 'exynos5_gpios_4' defined but not used [-Wunused-variable]

Because current gpio-samsung is valid only on EXYNOS5250.

Cc: Thomas Abraham <thomas.ab@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-01-17 09:18:02 +01:00
Kukjin Kim e4a5da51da gpio: samsung: fix pinctrl condition for exynos and exynos5440
Since EXYNOS5440 can select PINCTRL_EXYNOS5440 without PINCTRL_SAMSUNG,
it should be fixed. In detail, PINCTRL_SAMSUNG is a kind of frame work
for supporting pinctrl on most Samsung SoCs including S3C, S5P as well
except EXYNOS5440 so PINCTRL_EXYNOS5440 has been implemented separated.

Cc: Thomas Abraham <thomas.ab@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-01-17 09:17:59 +01:00
Linus Torvalds dfdebc2483 xfs: bugfixes for 3.8-rc4
- fix(es) for compound buffers
 - fix for dquot soft timer asserts due to overflow of d_blk_softlimit
 - fix for regression in dir v2 code introduced in commit 20f7e9f3
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (GNU/Linux)
 
 iQIcBAABAgAGBQJQ9zKnAAoJENaLyazVq6ZORGcP/RemqCHJEw0a89Y0tLLLAcz/
 Es97kJMESdvi3gX3JTdz3vC8LP21dSCR3k3MvVgucb8RsvGoiLixrmluIRxKb79M
 DEmz9YJ/qxFIpnM9y46VxCYV+/ezxUDEv68wA6T2wJbof26nTLlTj2gAgqjvyWiF
 R1c1OmdCsTfA257UvxfxSVixVnWv7E2io2ZXUGsrBkP4J9OMaMtn00UYOuP1YL8S
 NJ44z9QAzTqVEbAfGeaeV/QVUJzMj/IqWCwF7YKEhfmccO/tPyN0+nMG2DI0Fp5e
 cYGsi4JnaFbqE6Aa/7mu3kv8lYnPe0n3t9d3EwzxOEx+PAvuY8N0EW8Qa4c+805n
 zXFvAroLgP0jYEEuIfEGYIwDPxG0xjor6ztu8e2twcIj6cDHzSpeYaDPnYvWJlwu
 FiupnVu+3FX6mVY1jCealI47nOwzM12R7nXysqF3F6Sf95xGJtG3BoTIKioNqk1g
 dzJGMQvwg/WLvquYb9W/ZNb1T314R23wdYtmI7gWJ74z9IQqWCZBWFYyBhQ8y1Pr
 Vf3LFjzqNqqnYNzoe8Wnn9wKQ57Es7onAo34Y9HZCOkslZsn5nKriNTXNN6Q9Upc
 5RKvj1CbTpKAJYrrhWryI1HtlDKqqtMFdmRQulSu+O9ZJuWZh4XNTu4t3oewt0Ac
 5otZwOdk53V3tGxt3prs
 =gA4q
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-v3.8-rc4' of git://oss.sgi.com/xfs/xfs

Pull xfs bugfixes from Ben Myers:

 - fix(es) for compound buffers

 - fix for dquot soft timer asserts due to overflow of d_blk_softlimit

 - fix for regression in dir v2 code introduced in commit 20f7e9f372
   ("xfs: factor dir2 block read operations")

* tag 'for-linus-v3.8-rc4' of git://oss.sgi.com/xfs/xfs:
  xfs: recalculate leaf entry pointer after compacting a dir2 block
  xfs: remove int casts from debug dquot soft limit timer asserts
  xfs: fix the multi-segment log buffer format
  xfs: fix segment in xfs_buf_item_format_segment
  xfs: rename bli_format to avoid confusion with bli_formats
  xfs: use b_maps[] for discontiguous buffers
2013-01-16 16:19:54 -08:00
Linus Torvalds 309b51e879 ACPI and power management fixes for 3.8-rc4
* cpuidle initialization regression fix from Krzysztof Mazur.
 
 * cpuidle fix for power usage fields handling from Daniel Lezcano.
 
 * ACPI build fix from Yinghai Lu.
 
 -
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJQ9xwEAAoJEKhOf7ml8uNsaUEP/iwVRuWSPqEzzl++mLBe8uf5
 vP1+72Ko5NBPG56uqQMCanuB6M9YsIRr1yv4SSYIF15K4DKbYfpXMvR6yoZox3CA
 Y+vrlA62AYOBsX3wOHo+5JVtBdV82IZOBXYhy9hNcxIVzh0NiAWtyz2QxlNIz7I1
 9R33HEfIKwi4L2SSiXBqLEMuz0JKie131FunBwvHEtZ4QTq2OFxmCWxfaFz0syvH
 9NZfOnh2ijiGb0ou3FTAXLqbEJHJUIhYzZnejobrxFCJmhA+hfsmxRnokrRdLZJ+
 14lOpdBQJas06QePs+hadWwLrebjvio+CTb8w0Fhclt5O2fqgMG2jdwO+f4pEWA9
 E7DBo0LJCKoDPofsnAXYjoOI3r9EL6o0fhhMzIrZdZazEFOj8WP+EoK7/nG2KRq2
 eIO4Lv0sfKmlnJriUUzhEjdkLql0ctLBGZk8T+x/o8WQMPYUw6AnNf1+voEvLTPQ
 C2/yyzs+1bPzFj0/0qsvUx5ee6xNgT3p/+YaQW89RlTibW91LN1m5ezNtAF5atEk
 K9va5y1w54molOL/j2U56bP+RrktSTKmrnFHluHWWb9tUVBapOTRrCg03xSgvJOq
 PEv5LHUIfjHHl2r7I67/Lf2LJjgvpqO0BfEGgmfCgJE/BUFTmT7S1FYxllaNJVk+
 EvdSOXokr52pFltHG5Bl
 =4ifX
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-for-3.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI and power management fixes from Rafael Wysocki:

 - cpuidle regression fix related to the initialization of state
   kobjects from Krzysztof Mazur.

 - cpuidle fix removing some not very useful code and making some
   user-visible problems go away at the same time.  From Daniel Lezcano.

 - ACPI build fix from Yinghai Lu.

* tag 'pm+acpi-for-3.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpuidle: remove the power_specified field in the driver
  ACPI / glue: Fix build with ACPI_GLUE_DEBUG set
  cpuidle: fix number of initialized/destroyed states
2013-01-16 14:34:52 -08:00
Eric Sandeen 37f13561de xfs: recalculate leaf entry pointer after compacting a dir2 block
Dave Jones hit this assert when doing a compile on recent git, with
CONFIG_XFS_DEBUG enabled:

XFS: Assertion failed: (char *)dup - (char *)hdr == be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)), file: fs/xfs/xfs_dir2_data.c, line: 828

Upon further digging, the tag found by xfs_dir2_data_unused_tag_p(dup)
contained "2" and not the proper offset, and I found that this value was
changed after the memmoves under "Use a stale leaf for our new entry."
in xfs_dir2_block_addname(), i.e.

                        memmove(&blp[mid + 1], &blp[mid],
                                (highstale - mid) * sizeof(*blp));

overwrote it.

What has happened is that the previous call to xfs_dir2_block_compact()
has rearranged things; it changes btp->count as well as the
blp array.  So after we make that call, we must recalculate the
proper pointer to the leaf entries by making another call to
xfs_dir2_block_leaf_p().

Dave provided a metadump image which led to a simple reproducer
(create a particular filename in the affected directory) and this
resolves the testcase as well as the bug on his live system.

Thanks also to dchinner for looking at this one with me.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Tested-by: Dave Jones <davej@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:08:55 -06:00
Brian Foster ab7eac2200 xfs: remove int casts from debug dquot soft limit timer asserts
The int casts here make it easy to trigger an assert with a large
soft limit. For example, set a >4TB soft limit on an empty volume
to reproduce a (0 > -x) comparison due to an overflow of
d_blk_softlimit.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:08:40 -06:00
Mark Tinguely 91e4bac0b7 xfs: fix the multi-segment log buffer format
Per Dave Chinner suggestion, this patch:
 1) Corrects the detection of whether a multi-segment buffer is
    still tracking data.
 2) Clears all the buffer log formats for a multi-segment buffer.

Signed-off-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:08:08 -06:00
Mark Tinguely 2d0e9df579 xfs: fix segment in xfs_buf_item_format_segment
Not every segment in a multi-segment buffer is dirty in a
transaction and they will not be outputted. The assert in
xfs_buf_item_format_segment() that checks for the at least
one chunk of data in the segment to be used is not necessary
true for multi-segmented buffers.

Signed-off-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:07:56 -06:00
Mark Tinguely 0f22f9d0cd xfs: rename bli_format to avoid confusion with bli_formats
Rename the bli_format structure to __bli_format to avoid
accidently confusing them with the bli_formats pointer.

Signed-off-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:07:37 -06:00
Mark Tinguely d44d9bc68e xfs: use b_maps[] for discontiguous buffers
Commits starting at 77c1a08 introduced a multiple segment support
to xfs_buf. xfs_trans_buf_item_match() could not find a multi-segment
buffer in the transaction because it was looking at the single segment
block number rather than the multi-segment b_maps[0].bm.bn. This
results on a recursive buffer lock that can never be satisfied.

This patch:
 1) Changed the remaining b_map accesses to be b_maps[0] accesses.
 2) Renames the single segment b_map structure to __b_map to avoid
    future confusion.

Signed-off-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-01-16 16:07:11 -06:00
Andrew Cooper 9174adbee4 xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
This fixes CVE-2013-0190 / XSA-40

There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path.  This can result in the kernel crashing.

In the classic kernel case, the relevant code looked a little like:

        popl %eax      # Error code from hypervisor
        jz 5f
        addl $16,%esp
        jmp iret_exc   # Hypervisor said iret fault
5:      addl $16,%esp
                       # Hypervisor said segment selector fault

Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.

In the PVOPS case, the code looks like:

        popl_cfi %eax         # Error from the hypervisor
        lea 16(%esp),%esp     # Add $16 before choosing fault path
        CFI_ADJUST_CFA_OFFSET -16
        jz 5f
        addl $16,%esp         # Incorrectly adjust %esp again
        jmp iret_exc

It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present.  At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.

This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: stable@vger.kernel.org
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-16 16:17:42 -05:00
Kirill Smelkov 3a55fb0d9f Tell the world we gave up on pushing CC_OPTIMIZE_FOR_SIZE
In commit 281dc5c5ec ("Give up on pushing CC_OPTIMIZE_FOR_SIZE") we
already changed the actual default value, but the help-text still
suggested 'y'. Fix the help text too, for all the same reasons.

Sadly, -Os keeps on generating some very suboptimal code for certain
cases, to the point where any I$ miss upside is swamped by the downside.
The main ones are:

 - using "rep movsb" for memcpy, even on CPU's where that is
   horrendously bad for performance.

 - not honoring branch prediction information, so any I$ footprint you
   win from smaller code, you lose from less code density in the I$.

 - using divide instructions when that is very expensive.

Signed-off-by: Kirill Smelkov <kirr@mns.spb.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 12:42:57 -08:00
Chuansheng Liu fbfc23ef90 mfd, TWL4030: TWL4030 need select REGMAP_I2C
Fix the build error:

  drivers/built-in.o: In function `twl_probe':
  drivers/mfd/twl-core.c:1256: undefined reference to `devm_regmap_init_i2c'
  make: *** [vmlinux] Error 1

Signed-off-by: liu chuansheng <chuansheng.liu@intel.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
[ Samuel is busy, taking it directly  - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 12:36:22 -08:00
Ralf Baechle 30a4840a4c drivers/base/cpu.c: Fix typo in comment
[ We should make fun of people who can't speel too, but then we'd have
  no time for any real work at all  - Linus ]

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 12:34:34 -08:00
Jiri Kosina e65b9ad222 lockdep, rwsem: fix down_write_nest_lock() if !CONFIG_DEBUG_LOCK_ALLOC
Commit 1b963c81b1 ("lockdep, rwsem: provide down_write_nest_lock()")
contains a bug in a codepath when CONFIG_DEBUG_LOCK_ALLOC is disabled,
which causes down_read() to be called instead of down_write() by mistake
on such configurations.  Fix that.

Reported-and-tested-by: Andrew Clayton <andrew@digital-domain.net>
Reported-and-tested-by: Zlatko Calusic <zlatko.calusic@iskon.hr>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 12:13:20 -08:00
Linus Torvalds 36e7a96ceb Sound fixes #2 for 3.8-rc4
Yet a few more fixes popped up in this week.
 
 The biggest change here is the addition of pinctrl support for Atmel,
 which turned out to be almost mandatory to make things working.
 
 The rest are a few fixes for M-Audio usb-audio device and a fix for
 regression of HD-audio HDMI codecs with alsactl in the recent kernel.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJQ9nYgAAoJEGwxgFQ9KSmkM84QAKWlUp8NFsr5HNNiwj6urp18
 jhPoM4AbMozeb5abfZpWwwalAVhbq/E5R2w2z8ETdnMnd1ohKqhU5Mx/e0mmUprF
 3bZoxm8etTFfqallxPBBTj9exF8iAdA/XPNe5Zw2r1jY7w3viZiQYCgivB1TTSOG
 wt0Y5SF0FmawyHgqujqEjo4nm/K04Rp4FPS4/MpdjRXCfzmW+x9nP6CBbdDxGk5J
 q8v48mOhk7RTBrRCmfCF0Jw/eJNrS9JYL2RagEaKuPFoy5OEm06OwQZZ76mt3XTF
 8S7ExCwfmvbzHW8mIKE3ZFLLDXjWgjxh3jQXeULOAYnPrfe4SHTkUF7mCdmHdbG2
 sDTh86C3R784aIwhusXPAZGyVZJ7km+wqFPZa+20Jzbo848PBNgDotlRgmULSqlo
 cK8Bsuf5QyRmdpVVON58Owo3Mqorp0EtPiFbfwljkr98JsUQrRX5COaAZ+UHmd2i
 18fK0rltPhmJkKwKEAx+0vtqcucoAfvxiS1DSNsjafxDXTy1XJYQ/HmmSUeq1uD/
 i1b2kN1yzQQ/Kki7dW9YhekoF5WYyzRP0OoPO73ekSioaCimTwDOo7IF3RwbVfQM
 G6eiwLkNpA6BWi3V/q3Cic+eKN/NguM9UlZEKYlCpZq01pMLndreG8MNbpub/O3F
 97TzflJSAyIGCShKZH6K
 =Sd6n
 -----END PGP SIGNATURE-----

Merge tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull second round of sound fixes from Takashi Iwai:
 "Yet a few more fixes popped up in this week.

  The biggest change here is the addition of pinctrl support for Atmel,
  which turned out to be almost mandatory to make things working.

  The rest are a few fixes for M-Audio usb-audio device and a fix for
  regression of HD-audio HDMI codecs with alsactl in the recent kernel."

* tag 'sound-3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/hdmi - Work around "alsactl restore" errors
  ALSA: usb-audio: selector map for M-Audio FT C400
  ALSA: usb-audio: M-Audio FT C400 skip packet quirk
  ALSA: usb-audio: correct M-Audio C400 clock source quirk
  ALSA: usb - fix race in creation of M-Audio Fast track pro driver
  ASoC: atmel-ssc: add pinctrl selection to driver
  ARM: at91/dts: add pinctrl support for SSC peripheral
2013-01-16 11:33:52 -08:00
Linus Torvalds ce0f706e41 Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
Pull scsi target fixes from Nicholas Bellinger:
 "This includes an important >= v3.6 regression bugfix for active I/O
  shutdown (Roland), some TMR related failure / corner cases fixes for
  long outstanding I/O (Roland), two FCoE target mode fabric fabric role
  fixes (MDR), a fix for an incorrect sense code during LUN
  communication failure (Dr. Hannes), plus a handful of other minor
  fixes.

  There are still some outstanding zero-length control CDB regression
  fixes that need to be addressed for v3.8, that will be coming in a
  follow-up PULL request."

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  iscsi-target: Fix CmdSN comparison (use cmd->cmd_sn instead of cmd->stat_sn)
  target: Release se_cmd when LUN lookup fails for TMR
  target: Fix use-after-free in LUN RESET handling
  target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs
  tcm_fc: Do not report target role when target is not defined
  tcm_fc: Do not indicate retry capability to initiators
  target: Use TCM_NO_SENSE for initialisation
  target: Introduce TCM_NO_SENSE
  target: use correct sense code for LUN communication failure
2013-01-16 11:13:39 -08:00
Linus Torvalds 31db720643 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
Pull ext3 and udf fixes from Jan Kara:
 "One ext3 performance regression fix and one udf regression fix (oops
  on interrupted mount)."

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  UDF: Fix a null pointer dereference in udf_sb_free_partitions
  jbd: don't wake kjournald unnecessarily
2013-01-16 10:55:10 -08:00
Linus Torvalds 56400b55c0 Merge git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull s390 KVM fix from Gleb Natapov.

* git://git.kernel.org/pub/scm/virt/kvm/kvm:
  s390/kvm: Fix BUG in include/linux/kvm_host.h:745
2013-01-16 10:17:09 -08:00
Linus Torvalds aa8b550c89 SuperH fixes for 3.8-rc4
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.2.6 (GNU/Linux)
 
 iD8DBQBQ9nOHGkmNcg7/o7gRAvdJAKCDuE3OKrjfHrNYBl0uC+vjxOgYTQCeL1+Z
 J4fzH7ttaHpsj/i06qYOlcc=
 =I1yY
 -----END PGP SIGNATURE-----

Merge tag 'sh-for-linus' of git://github.com/pmundt/linux-sh

Pull SuperH fixes from Paul Mundt.

* tag 'sh-for-linus' of git://github.com/pmundt/linux-sh:
  sh: ecovec: add sample amixer settings
  sh: Fix up stack debugging build.
  sh: wire up finit_module syscall.
  sh: Fix FDPIC binary loader
  sh: clkfwk: bugfix: sh_clk_div_enable() care sh_clk_div_set_rate() if div6
  sh: define TASK_UNMAPPED_BASE as a page aligned constant
2013-01-16 10:13:04 -08:00
Linus Torvalds a6d3bd274b - Page protection fixes, including proper PAGE_NONE handling
- Timezone vdso sequence counting fix
 - Additional compat syscall wiring
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
 iQIcBAABAgAGBQJQ9ZopAAoJEGvWsS0AyF7xQe8QAJScJBZpw8VZxh+/5fREQ1A4
 5QSFAEx/jNWBbVBU/Ak5DJOZq89RSruI5Jzf2t4SVWcC8YdUOoNEfUoj6R0Xj/9A
 GLwc4dE5QZiYBO5GkfhbYMWTDyVopgesf3cpg9IXGsO7wQBp2a7q67xFo7yMV92h
 lSRDzN0CT0/i1utbNc3F/Sp59Xe+5nQP4I5NkaVnEkG6ZB+IDxK8eqbbjEpd6Yqb
 upUPQFVHKBK7hy7Xb1UhmbZM3N7tURALb2RdKdDsTrE8X554scMfpKLIzCsjyFMU
 wrJodeS/cyRpIepUhfTtupfJOCUIEAv8QDK99zKSFV8F/A+0EzQ0fc9ee8rH1i/h
 Wxu5VTFruRtOi1mH04r9cOm5kZDDyv02gqjrA0cWrWYLwWOT07DgXE92yMHvS2z9
 WcyxrgkjvLZMARIDFJj5pK04u+djz/U4qWovfl2nk9aPDwk2CkW0eDTqyzyUwbHi
 dUN7YIim2fHRB4HIUSCaauAdXVbaPPmPWBZape2IeDmY/c48MnZlgZgLIUOUfL+T
 DAzhpm4J5i3Kx43rjnqepBkf8sOfxV4Mq4ZGit1wQZSnwqKYDGTpUr8bP2wmuPTj
 wSmwO5dIyDeDe/gwik/fZuLdR9325clEaKfcZtNzIlbEfDMl8uRtrRzH04rWrXZL
 F167yWzGgYLm6IDNdovR
 =v7NF
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64

Pull arm64 fixes from Catalin Marinas:
 - Page protection fixes, including proper PAGE_NONE handling
 - Timezone vdso sequence counting fix
 - Additional compat syscall wiring

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
  arm64: compat: add syscall table entries for new syscalls
  arm64: mm: introduce present, faulting entries for PAGE_NONE
  arm64: mm: only wrprotect clean ptes if they are present
  arm64: vdso: remove broken, redundant sequence counting for timezones
2013-01-16 09:44:40 -08:00
Linus Torvalds 2409c873be Merge branch 'x86/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Peter Anvin:
 "This is mainly a workaround for a bug in Sandy Bridge graphics which
  causes corruption of certain memory pages."

* 'x86/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI
  x86/Sandy Bridge: mark arrays in __init functions as __initconst
  x86/Sandy Bridge: reserve pages when integrated graphics is present
  x86, efi: correct precedence of operators in setup_efi_pci
2013-01-16 09:11:50 -08:00
Timur Tabi c4ef9bc4f7 MAINTAINERS: update email address for Timur Tabi
Timur Tabi no longer works for Freescale, so update the email address
and status for all of his maintained projects.

Also mark the QE library as orphaned, for lack of interest in
maintaining it.

The CS4270 driver is marked as "Odd Fixes" because appropriate hardware
is no longer available.

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 09:11:09 -08:00
Luciano Coelho 4adf07fba3 firmware: make sure the fw file size is not 0
If the requested firmware file size is 0 bytes in the filesytem, we
will try to vmalloc(0), which causes a warning:

  vmalloc: allocation failure: 0 bytes
  kworker/1:1: page allocation failure: order:0, mode:0xd2
    __vmalloc_node_range+0x164/0x208
    __vmalloc_node+0x4c/0x58
    vmalloc+0x38/0x44
    _request_firmware_load+0x220/0x6b0
    request_firmware+0x64/0xc8
    wl18xx_setup+0xb4/0x570 [wl18xx]
    wlcore_nvs_cb+0x64/0x9f8 [wlcore]
    request_firmware_work_func+0x94/0x100
    process_one_work+0x1d0/0x750
    worker_thread+0x184/0x4ac
    kthread+0xb4/0xc0

To fix this, check whether the file size is less than or equal to zero
in fw_read_file_contents().

Cc: stable <stable@vger.kernel.org> [3.7]
Signed-off-by: Luciano Coelho <coelho@ti.com>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 09:09:53 -08:00
Tejun Heo 774a1221e8 module, async: async_synchronize_full() on module init iff async is used
If the default iosched is built as module, the kernel may deadlock
while trying to load the iosched module on device probe if the probing
was running off async.  This is because async_synchronize_full() at
the end of module init ends up waiting for the async job which
initiated the module loading.

 async A				modprobe

 1. finds a device
 2. registers the block device
 3. request_module(default iosched)
					4. modprobe in userland
					5. load and init module
					6. async_synchronize_full()

Async A waits for modprobe to finish in request_module() and modprobe
waits for async A to finish in async_synchronize_full().

Because there's no easy to track dependency once control goes out to
userland, implementing properly nested flushing is difficult.  For
now, make module init perform async_synchronize_full() iff module init
has queued async jobs as suggested by Linus.

This avoids the described deadlock because iosched module doesn't use
async and thus wouldn't invoke async_synchronize_full().  This is
hacky and incomplete.  It will deadlock if async module loading nests;
however, this works around the known problem case and seems to be the
best of bad options.

For more details, please refer to the following thread.

  http://thread.gmane.org/gmane.linux.kernel/1420814

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Alex Riesen <raa.lkml@gmail.com>
Tested-by: Ming Lei <ming.lei@canonical.com>
Tested-by: Alex Riesen <raa.lkml@gmail.com>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-01-16 09:05:33 -08:00
Sebastian Ott 509d97b6f9 s390/chsc: fix SEI usage
cbc0dd1 "s390/pci: CHSC PCI support for error and availability events"
introduced a new SEI notification type as part of pci support.
The way SEI was called with nt2 and nt0 consecutive broke the nt0
stuff used for channel subsystem notifications.

The reason why this was broken with the mentioned patch is that you
cannot selectively disable type 0 notifications (so even when asked
for type 2 only, type 0 could be presented).

The way to do it is to tell SEI which types of notification you can
process and -this is the important part- look at the SEI result which
notification type you actually received.

Reviewed-by: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
Tested-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2013-01-16 15:57:54 +01:00
Heiko Carstens ed4f20943c s390/time: fix sched_clock() overflow
Converting a 64 Bit TOD format value to nanoseconds means that the value
must be divided by 4.096. In order to achieve that we multiply with 125
and divide by 512.
When used within sched_clock() this triggers an overflow after appr.
417 days. Resulting in a sched_clock() return value that is much smaller
than previously and therefore may cause all sort of weird things in
subsystems that rely on a monotonic sched_clock() behaviour.

To fix this implement a tod_to_ns() helper function which converts TOD
values without overflow and call this function from both places that
open coded the conversion: sched_clock() and kvm_s390_handle_wait().

Cc: stable@kernel.org
Reviewed-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2013-01-16 15:57:52 +01:00
Chris Wilson 262b6d363f drm/i915: Invalidate the relocation presumed_offsets along the slow path
In the slow path, we are forced to copy the relocations prior to
acquiring the struct mutex in order to handle pagefaults. We forgo
copying the new offsets back into the relocation entries in order to
prevent a recursive locking bug should we trigger a pagefault whilst
holding the mutex for the reservations of the execbuffer. Therefore, we
need to reset the presumed_offsets just in case the objects are rebound
back into their old locations after relocating for this exexbuffer - if
that were to happen we would assume the relocations were valid and leave
the actual pointers to the kernels dangling, instant hang.

Fixes regression from commit bcf50e2775
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sun Nov 21 22:07:12 2010 +0000

    drm/i915: Handle pagefaults in execbuffer user relocations

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=55984
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@fwll.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-01-16 10:53:38 +01:00
Kuninori Morimoto 035688d9c6 sh: ecovec: add sample amixer settings
FSI - DA7210 needs amixer settings to use it.
This patch adds quick setting guide

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
2013-01-16 18:30:44 +09:00
Jani Nikula f30d26e468 drm/i915/eDP: do not write power sequence registers for ghost eDP
Some machines detect an eDP port even if it's not really there, and eDP
initialization has a fail path for this. Typically such machines have an
LVDS display instead. A regression introduced in

commit 82ed61fa1a
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Sat Oct 20 20:57:41 2012 +0200

    drm/i915: make edp panel power sequence setup more robust

updated the power sequence registers PCH_PP_ON_DELAYS, PCH_PP_OFF_DELAYS,
and PCH_PP_DIVISOR also in the ghost eDP case, messing up the LVDS display.

Split the power sequencer initialization into two, delaying the register
updates until after we know the eDP is real.

Note: Keep the PP_CONTROL unlocking in the first part, even if it does not
update registers, per the commit message of the above mentioned commit.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=52601
Reported-and-tested-by: Ryan Coe <ryan@rycomotorsports.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-01-16 10:23:01 +01:00
channing 5dd070d21e serial:ifx6x60:Keep word size accordance with SPI controller
As protocol driver, IFX SPI driver initiate to setup SPI master with default
SPI word size as 16 bit/word, however, SPI master may not adopt this default
value due to SPI controller's capability, it might choose an available value by
itself and set it to spi_device.bits_per_word. In order to keep align with
Controller, IFX driver should make use of this value during SPI transfer,
but the default one.

Signed-off-by: Chen Jun <jun.d.chen@intel.com>
Signed-off-by: channing <chao.bi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 21:35:04 -08:00
Maxime Ripard 68e56cb3a0 tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 21:35:04 -08:00
Thomas Abraham 2eaa865ffd serial: samsung: remove redundant setting of line config during port reset
The setting of uart line control configuration in s3c24xx_serial_resetport
is can be removed since the 'set_termios' call will overwrite any ULCON
register setting which s3c24xx_serial_resetport does.

Acked-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Thomas Abraham <thomas.ab@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 21:35:03 -08:00
Konrad Rzeszutek Wilk d55bf532d7 Revert "xen/smp: Fix CPU online/offline bug triggering a BUG: scheduling while atomic."
This reverts commit 41bd956de3.

The fix is incorrect and not appropiate for the latest kernels.
In fact it _causes_ the BUG: scheduling while atomic while
doing vCPU hotplug.

Suggested-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 22:41:27 -05:00
chao bi 014b9b4ce8 serial:ifx6x60:Delete SPI timer when shut down port
When shut down SPI port, it's possible that MRDY has been asserted and a SPI
timer was activated waiting for SRDY assert, in the case, it needs to delete
this timer.

Signed-off-by: Chen Jun <jun.d.chen@intel.com>
Signed-off-by: channing <chao.bi@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:42 -08:00
Matt Schulte b7b9041b20 tty/8250: The correct device id for this card is 0x0022
The correct device id for this card is 0x0022

Signed-off-by: Matt Schulte <matts@commtech-fastcom.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:42 -08:00
Matt Schulte 4f7d67d0de tty/8250: pbn_b0_8_1152000_200 is supposed to be an 8 port definition
tty/8250: pbn_b0_8_1152000_200 is supposed to be an 8 port definition

Signed-off-by: Matt Schulte <matts@commtech-fastcom.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:42 -08:00
Wei Yongjun a6dd114e16 tty: serial: vt8500: fix return value check in vt8500_serial_probe()
In case of error, function of_clk_get() returns ERR_PTR()
and never returns NULL. The NULL test in the return value
check should be replaced with IS_ERR().

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Tony Prisk <linux@prisktech.co.nz>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:42 -08:00
fabio.estevam@freescale.com 87b8bed2ce serial: mxs-auart: Index is unsigned
Fix the following warning when building with W=1 option:

drivers/tty/serial/mxs-auart.c: In function 'mxs_auart_tx_chars':
drivers/tty/serial/mxs-auart.c:272:10: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Acked-by: Marek Vasut <marex@denx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:41 -08:00
Steffen Trumtrar a6833214cf mxs: uart: fix setting RTS from software
With the patch "serial: mxs-auart: fix the wrong RTS hardware flow control" the
mainline mxs-uart driver now sets RTSEN only when hardware flow control is
enabled via software. It is not possible any longer to set RTS manually via
software. However, the manual modification is a valid operation.
Regain the possibility to set RTS via software and only set RTSEN when hardware
flow control is explicitly enabled via settermios cflag CRTSCTS.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Huang Shijie <b32955@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-15 19:06:41 -08:00
Daniel De Graaf 1affa98d23 xen/gntdev: remove erronous use of copy_to_user
Since there is now a mapping of granted pages in kernel address space in
both PV and HVM, use it for UNMAP_NOTIFY_CLEAR_BYTE instead of accessing
memory via copy_to_user and triggering sleep-in-atomic warnings.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 16:02:40 -05:00
Daniel De Graaf 16a1d0225e xen/gntdev: correctly unmap unlinked maps in mmu notifier
If gntdev_ioctl_unmap_grant_ref is called on a range before unmapping
it, the entry is removed from priv->maps and the later call to
mn_invl_range_start won't find it to do the unmapping. Fix this by
creating another list of freeable maps that the mmu notifier can search
and use to unmap grants.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 16:01:30 -05:00
Daniel De Graaf 2512f298cb xen/gntdev: fix unsafe vma access
In gntdev_ioctl_get_offset_for_vaddr, we need to hold mmap_sem while
calling find_vma() to avoid potentially having the result freed out from
under us.  Similarly, the MMU notifier functions need to synchronize with
gntdev_vma_close to avoid map->vma being freed during their iteration.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 16:01:06 -05:00
Andres Lagar-Cavilla 99beae6cb8 xen/privcmd: Fix mmap batch ioctl.
1. If any individual mapping error happens, the V1 case will mark *all*
operations as failed. Fixed.

2. The err_array was allocated with kcalloc, resulting in potentially O(n) page
allocations. Refactor code to not use this array.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 16:00:52 -05:00
Konrad Rzeszutek Wilk 7bcc1ec077 Linux 3.7
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQEcBAABAgAGBQJQxqj1AAoJEHm+PkMAQRiG9MQH/j21UwP2QGpdpXbWAnFMjtlv
 uE/yCFhPoqR1QjjE6oRlO6MHFA41xGDbr5RQki9Ik2AfSYiastt4ZWYvtSJKVTCr
 O0Lj+Cdt/2qBkGiARHqVEBZ4S/l/cw4/EHPb5StFyu3ggnPPQhoPIP7oAmRn0+mh
 NNb5CEcJOLqIaJSteqMP71Q899ncbLayBnimYCaC2f6r00beqNXIqxSHipcPlUsf
 ehNxqCX+5z5Q788EL33EL8GpBcy4Ueevu6nvnuVI8qIEnBnrBVngsiaQ4Hti+2eK
 A//4DYoF2N1wLjQv7hFeiwMURQ16OlxXoc/Z66sv2QQRwPxOIQlxdhWuey4KebA=
 =7LYr
 -----END PGP SIGNATURE-----

Merge tag 'v3.7' into stable/for-linus-3.8

Linux 3.7

* tag 'v3.7': (833 commits)
  Linux 3.7
  Input: matrix-keymap - provide proper module license
  Revert "revert "Revert "mm: remove __GFP_NO_KSWAPD""" and associated damage
  ipv4: ip_check_defrag must not modify skb before unsharing
  Revert "mm: avoid waking kswapd for THP allocations when compaction is deferred or contended"
  inet_diag: validate port comparison byte code to prevent unsafe reads
  inet_diag: avoid unsafe and nonsensical prefix matches in inet_diag_bc_run()
  inet_diag: validate byte code to prevent oops in inet_diag_bc_run()
  inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state
  mm: vmscan: fix inappropriate zone congestion clearing
  vfs: fix O_DIRECT read past end of block device
  net: gro: fix possible panic in skb_gro_receive()
  tcp: bug fix Fast Open client retransmission
  tmpfs: fix shared mempolicy leak
  mm: vmscan: do not keep kswapd looping forever due to individual uncompactable zones
  mm: compaction: validate pfn range passed to isolate_freepages_block
  mmc: sh-mmcif: avoid oops on spurious interrupts (second try)
  Revert misapplied "mmc: sh-mmcif: avoid oops on spurious interrupts"
  mmc: sdhci-s3c: fix missing clock for gpio card-detect
  lib/Makefile: Fix oid_registry build dependency
  ...

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Conflicts:
	arch/arm/xen/enlighten.c
	drivers/xen/Makefile

[We need to have the v3.7 base as the 'for-3.8' was based off v3.7-rc3
and there are some patches in v3.7-rc6 that we to have in our branch]
2013-01-15 15:58:25 -05:00
Jan Beulich e5c702d3b2 Xen: properly bound buffer access when parsing cpu/*/availability
At the same time reduce the local buffers to 16 bytes each.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 15:57:02 -05:00
Matt Wilson d0b4d64aad xen/grant-table: correctly initialize grant table version 1
Commit 85ff6acb07 (xen/granttable: Grant
tables V2 implementation) changed the GREFS_PER_GRANT_FRAME macro from
a constant to a conditional expression. The expression depends on
grant_table_version being appropriately set. Unfortunately, at init
time grant_table_version will be 0. The GREFS_PER_GRANT_FRAME
conditional expression checks for "grant_table_version == 1", and
therefore returns the number of grant references per frame for v2.

This causes gnttab_init() to allocate fewer pages for gnttab_list, as
a frame can old half the number of v2 entries than v1 entries. After
gnttab_resume() is called, grant_table_version is appropriately
set. nr_init_grefs will then be miscalculated and gnttab_free_count
will hold a value larger than the actual number of free gref entries.

If a guest is heavily utilizing improperly initialized v1 grant
tables, memory corruption can occur. One common manifestation is
corruption of the vmalloc list, resulting in a poisoned pointer
derefrence when accessing /proc/meminfo or /proc/vmallocinfo:

[   40.770064] BUG: unable to handle kernel paging request at 0000200200001407
[   40.770083] IP: [<ffffffff811a6fb0>] get_vmalloc_info+0x70/0x110
[   40.770102] PGD 0
[   40.770107] Oops: 0000 [#1] SMP
[   40.770114] CPU 10

This patch introduces a static variable, grefs_per_grant_frame, to
cache the calculated value. gnttab_init() now calls
gnttab_request_version() early so that grant_table_version and
grefs_per_grant_frame can be appropriately set. A few BUG_ON()s have
been added to prevent this type of bug from reoccurring in the future.

Signed-off-by: Matt Wilson <msw@amazon.com>
Reviewed-and-Tested-by: Steven Noonan <snoonan@amazon.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Annie Li <annie.li@oracle.com>
Cc: xen-devel@lists.xen.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v3.3 and newer
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2013-01-15 15:56:55 -05:00