7 years agoLinux 3.8.13 master v3.8.13
Greg Kroah-Hartman [Sat, 11 May 2013 20:57:46 +0000 (13:57 -0700)]
Linux 3.8.13

7 years agox86/mm: account for PGDIR_SIZE alignment
Jerry Hoemann [Tue, 30 Apr 2013 21:15:55 +0000 (15:15 -0600)]
x86/mm: account for PGDIR_SIZE alignment

Patch for -stable.  Function find_early_table_space removed upstream.

Fixes panic in alloc_low_page due to pgt_buf overflow during

find_early_table_space sizes pgt_buf based upon the size of the
memory being mapped, but it does not take into account the alignment
of the memory.  When the region being mapped spans a 512GB (PGDIR_SIZE)
alignment, a panic from alloc_low_pages occurs.

kernel_physical_mapping_init takes into account PGDIR_SIZE alignment.
This causes an extra call to alloc_low_page to be made.  This extra call
isn't accounted for by find_early_table_space and causes a kernel panic.

Change is to take into account PGDIR_SIZE alignment in find_early_table_space.

Signed-off-by: Jerry Hoemann <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agokernel/audit_tree.c: tree will leak memory when failure occurs in audit_trim_trees()
Chen Gang [Mon, 29 Apr 2013 22:05:19 +0000 (15:05 -0700)]
kernel/audit_tree.c: tree will leak memory when failure occurs in audit_trim_trees()

commit 12b2f117f3bf738c1a00a6f64393f1953a740bd4 upstream.

audit_trim_trees() calls get_tree().  If a failure occurs we must call

[ run put_tree() before mutex_lock() for small scalability improvement]
Signed-off-by: Chen Gang <>
Cc: Al Viro <>
Cc: Eric Paris <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Jonghwan Choi <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoNFSv4.x: Fix handling of partially delegated locks
Trond Myklebust [Tue, 30 Apr 2013 16:43:42 +0000 (12:43 -0400)]
NFSv4.x: Fix handling of partially delegated locks

commit c5a2a15f8146fdfe45078df7873a6dc1006b3869 upstream.

If a NFS client receives a delegation for a file after it has taken
a lock on that file, we can currently end up in a situation where
we mistakenly skip unlocking that file.

The following patch swaps an erroneous check in nfs4_proc_unlck for
whether or not the file has a delegation to one which checks whether
or not we hold a lock stateid for that file.

Reported-by: Chuck Lever <>
Signed-off-by: Trond Myklebust <>
Tested-by: Chuck Lever <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoEDAC: Don't give write permission to read-only files
Srivatsa S. Bhat [Tue, 30 Apr 2013 09:47:16 +0000 (15:17 +0530)]
EDAC: Don't give write permission to read-only files

commit c8c64d165ccfd2274058ac84e0c680f9b48c4ec1 upstream.

I get the following warning on boot:

------------[ cut here ]------------
WARNING: at drivers/base/core.c:575 device_create_file+0x9a/0xa0()
Hardware name:  -[8737R2A]-
Write permission without 'store'

Drilling down, this is related to dynamic channel ce_count attribute
files sporting a S_IWUSR mode without a ->store() function. Looking
around, it appears that they aren't supposed to have a ->store()
function. So remove the bogus write permission to get rid of the

Signed-off-by: Srivatsa S. Bhat <>
Cc: Mauro Carvalho Chehab <>
[ shorten commit message ]
Signed-off-by: Borislav Petkov <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoBtrfs: fix extent logging with O_DIRECT into prealloc
Josef Bacik [Wed, 24 Apr 2013 20:32:55 +0000 (16:32 -0400)]
Btrfs: fix extent logging with O_DIRECT into prealloc

commit eb384b55ae9c2055ea00c5cc87971e182d47aefa upstream.

This is the same as the fix from commit

Btrfs: fix bad extent logging

but for O_DIRECT.  I missed this when I fixed the problem originally, we were
still using the em for the orig_start and orig_block_len, which would be the
merged extent.  We need to use the actual extent from the on disk file extent
item, which we have to lookup to make sure it's ok to nocow anyway so just pass
in some pointers to hold this info.  Thanks,

Signed-off-by: Josef Bacik <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoBtrfs: compare relevant parts of delayed tree refs
Josef Bacik [Tue, 2 Apr 2013 00:36:28 +0000 (20:36 -0400)]
Btrfs: compare relevant parts of delayed tree refs

commit 41b0fc42800569f63e029549b75c4c9cb63f2dfd upstream.

A user reported a panic while running a balance.  What was happening was he was
relocating a block, which added the reference to the relocation tree.  Then
relocation would walk through the relocation tree and drop that reference and
free that block, and then it would walk down a snapshot which referenced the
same block and add another ref to the block.  The problem is this was all
happening in the same transaction, so the parent block was free'ed up when we
drop our reference which was immediately available for allocation, and then it
was used _again_ to add a reference for the same block from a different
snapshot.  This resulted in something like this in the delayed ref tree

add ref to 90234880, parent=2067398656, ref_root 1766, level 1
del ref to 90234880, parent=2067398656, ref_root 18446744073709551608, level 1
add ref to 90234880, parent=2067398656, ref_root 1767, level 1

as you can see the ref_root's don't match, because when we inc the ref we use
the header owner, which is the original tree the block belonged to, instead of
the data reloc tree.  Then when we remove the extent we use the reloc tree
objectid.  But none of this matters, since it is a shared reference which means
only the parent matters.  When the delayed ref stuff runs it adds all the
increments first, and then does all the drops, to make sure that we don't delete
the ref if we net a positive ref count.  But tree blocks aren't allowed to have
multiple refs from the same block, so this panics when it tries to add the
second ref.  We need the add and the drop to cancel each other out in memory so
we only do the final add.

So to fix this we need to adjust how the delayed refs are added to the tree.
Only the ref_root matters when it is a normal backref, and only the parent
matters when it is a shared backref.  So make our decision based on what ref
type we have.  This allows us to keep the ref_root in memory in case anybody
wants to use it for something else, and it allows the delayed refs to be merged
properly so we don't end up with this panic.

With this patch the users image no longer panics on mount, and it has a clean
fsck after a normal mount/umount cycle.  Thanks,

Reported-by: Roman Mamedov <>
Signed-off-by: Josef Bacik <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agotracing: Fix ftrace_dump()
Steven Rostedt (Red Hat) [Fri, 15 Mar 2013 17:10:35 +0000 (13:10 -0400)]
tracing: Fix ftrace_dump()

commit 7fe70b579c9e3daba71635e31b6189394e7b79d3 upstream.

ftrace_dump() had a lot of issues. What ftrace_dump() does, is when
ftrace_dump_on_oops is set (via a kernel parameter or sysctl), it
will dump out the ftrace buffers to the console when either a oops,
panic, or a sysrq-z occurs.

This was written a long time ago when ftrace was fragile to recursion.
But it wasn't written well even for that.

There's a possible deadlock that can occur if a ftrace_dump() is happening
and an NMI triggers another dump. This is because it grabs a lock
before checking if the dump ran.

It also totally disables ftrace, and tracing for no good reasons.

As the ring_buffer now checks if it is read via a oops or NMI, where
there's a chance that the buffer gets corrupted, it will disable
itself. No need to have ftrace_dump() do the same.

ftrace_dump() is now cleaned up where it uses an atomic counter to
make sure only one dump happens at a time. A simple atomic_inc_return()
is enough that is needed for both other CPUs and NMIs. No need for
a spinlock, as if one CPU is running the dump, no other CPU needs
to do it too.

The tracing_on variable is turned off and not turned on. The original
code did this, but it wasn't pretty. By just disabling this variable
we get the result of not seeing traces that happen between crashes.

For sysrq-z, it doesn't get turned on, but the user can always write
a '1' to the tracing_on file. If they are using sysrq-z, then they should
know about tracing_on.

The new code is much easier to read and less error prone. No more
deadlock possibility when an NMI triggers here.

Reported-by: zhangwei(Jovi) <>
Cc: Thomas Gleixner <>
Cc: Peter Zijlstra <>
Cc: Frederic Weisbecker <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix handling of v6 power tables
Alex Deucher [Wed, 1 May 2013 18:34:54 +0000 (14:34 -0400)]
drm/radeon: fix handling of v6 power tables

commit 441e76ca83ac604eaf0f046def96d8e3a27eea28 upstream.

The code was mis-handling variable sized arrays.

Reported-by: Sylvain BERTRAND <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: add new richland pci ids
Alex Deucher [Thu, 25 Apr 2013 18:06:05 +0000 (14:06 -0400)]
drm/radeon: add new richland pci ids

commit 62d1f92e06aef9665d71ca7e986b3047ecf0b3c7 upstream.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix possible segfault when parsing pm tables
Alex Deucher [Thu, 25 Apr 2013 13:29:17 +0000 (09:29 -0400)]
drm/radeon: fix possible segfault when parsing pm tables

commit f8e6bfc2ce162855fa4f9822a45659f4b542c960 upstream.

If we have a empty power table, bail early and allocate
the default power state.

Should fix:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix endian bugs in atom_allocate_fb_scratch()
Alex Deucher [Wed, 24 Apr 2013 18:39:31 +0000 (14:39 -0400)]
drm/radeon: fix endian bugs in atom_allocate_fb_scratch()

commit beb71fc61c2cad64e347f164991b8ef476529e64 upstream.

Reviwed-by: Michel Dänzer <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: disable the crtcs in mc_stop (r5xx-r7xx) (v2)
Alex Deucher [Wed, 17 Apr 2013 13:35:39 +0000 (09:35 -0400)]
drm/radeon: disable the crtcs in mc_stop (r5xx-r7xx) (v2)

commit e884fc640ccbdb6f94b9bdb57cfb8464b6688f4c upstream.

Just disabling the mem requests should be enough, but
that doesn't seem to work correctly on efi systems.

v2: blank displays first, then disable.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: Always flush the VM
Jerome Glisse [Tue, 16 Apr 2013 16:20:15 +0000 (12:20 -0400)]
drm/radeon: Always flush the VM

commit 466476dfdcafbb4286ffa232a3a792731b9dc852 upstream.

This is slightly cleaned up version of Jerome's patch.
There seems to be an issue tracking the last flush of
the VM which results in hangs in certain cases when
VM is used.  For now just flush the VM for every IB.


Signed-off-by: Jerome Glisse <>
Reviewed-by: Christian König <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix typo in si_select_se_sh()
Alex Deucher [Thu, 18 Apr 2013 20:26:36 +0000 (16:26 -0400)]
drm/radeon: fix typo in si_select_se_sh()

commit 79b52d6a7085a3e430c6de450a5847fdbe04159b upstream.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix hdmi mode enable on RS600/RS690/RS740
Alex Deucher [Thu, 18 Apr 2013 13:36:42 +0000 (09:36 -0400)]
drm/radeon: fix hdmi mode enable on RS600/RS690/RS740

commit dcb852905772416e322536ced5cb3c796d176af5 upstream.

These chips were previously skipped since they are

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: cleanup properly if mmio mapping fails
Alex Deucher [Fri, 12 Apr 2013 23:15:52 +0000 (19:15 -0400)]
drm/radeon: cleanup properly if mmio mapping fails

commit 0cd9cb76ae26a19df21abc6f94f5fff141e689c7 upstream.

If we fail to map the mmio BAR, skip driver tear down
that requires mmio.

Should fix:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon/evergreen+: don't enable HPD interrupts on eDP/LVDS
Alex Deucher [Thu, 11 Apr 2013 16:45:34 +0000 (12:45 -0400)]
drm/radeon/evergreen+: don't enable HPD interrupts on eDP/LVDS

commit 2e97be73e5f74a317232740ae82eb8f95326a660 upstream.

Avoids potential interrupt storms when the display is disabled.

May fix:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: add some new SI PCI ids
Alex Deucher [Thu, 25 Apr 2013 17:55:15 +0000 (13:55 -0400)]
drm/radeon: add some new SI PCI ids

commit 18932a28419596bc9403770f5d8a108c5433fe59 upstream.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: disable the crtcs in mc_stop (evergreen+) (v2)
Alex Deucher [Wed, 10 Apr 2013 23:08:14 +0000 (19:08 -0400)]
drm/radeon: disable the crtcs in mc_stop (evergreen+) (v2)

commit abf1457bbbe4c62066bd03c6d31837dea28644dc upstream.

Just disabling the mem requests should be enough, but
that doesn't seem to work correctly on efi systems.

May fix:

v2: blank displays first, then disable.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: update wait_for_vblank for r1xx-r4xx
Alex Deucher [Tue, 9 Apr 2013 22:32:01 +0000 (18:32 -0400)]
drm/radeon: update wait_for_vblank for r1xx-r4xx

commit 2b48b968c0d00aa5ab520b65a15a4f374cda7dda upstream.

Properly wait for the next vblank region.  The previous
code didn't always wait long enough depending on the timing.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: properly lock disp in mc_stop/resume for r5xx-r7xx
Alex Deucher [Wed, 10 Apr 2013 13:47:05 +0000 (09:47 -0400)]
drm/radeon: properly lock disp in mc_stop/resume for r5xx-r7xx

commit 2f86e2ede39a98650c2d465857405ef1c51372b1 upstream.

Need to wait for the new addresses to take affect before
re-enabling the MC.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: properly lock disp in mc_stop/resume for evergreen+
Alex Deucher [Wed, 10 Apr 2013 13:58:42 +0000 (09:58 -0400)]
drm/radeon: properly lock disp in mc_stop/resume for evergreen+

commit 968c01664ccbe0e46c19a1af662c4c266a904203 upstream.

Need to wait for the new addresses to take affect before
re-enabling the MC.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: update wait_for_vblank for evergreen+
Alex Deucher [Tue, 9 Apr 2013 22:49:59 +0000 (18:49 -0400)]
drm/radeon: update wait_for_vblank for evergreen+

commit 10257a6d8359c41407eb26b7ad7bf710a7e00155 upstream.

Properly wait for the next vblank region.  The previous
code didn't always wait long enough depending on the timing.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: update wait_for_vblank for r5xx-r7xx
Alex Deucher [Tue, 9 Apr 2013 22:41:15 +0000 (18:41 -0400)]
drm/radeon: update wait_for_vblank for r5xx-r7xx

commit bea5497bfc1067620c8c8e9d37a42e0bb6d7d7fa upstream.

Properly wait for the next vblank region.  The previous
code didn't always wait long enough depending on the timing.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon/dce6: add missing display reg for tiling setup
Alex Deucher [Fri, 5 Apr 2013 14:28:08 +0000 (10:28 -0400)]
drm/radeon/dce6: add missing display reg for tiling setup

commit 7c1c7c18fc752b2a1d07597286467ef186312463 upstream.

A new tiling config register for the display blocks was
added on DCE6.

May fix:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: fix typo in rv515_mc_resume()
Alex Deucher [Thu, 4 Apr 2013 18:59:35 +0000 (14:59 -0400)]
drm/radeon: fix typo in rv515_mc_resume()

commit 367cbe2fec9b57b72605e2ac4cfd4f2fa823a256 upstream.

Doesn't affect anything as the same address gets written
in both cases.

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: use frac fb div on RS780/RS880
Alex Deucher [Mon, 1 Apr 2013 20:06:25 +0000 (16:06 -0400)]
drm/radeon: use frac fb div on RS780/RS880

commit 411678288d61ba17afe1f8afed92200be6bbc65d upstream.

Monitors seem to prefer it.  Fixes:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/radeon: don't use get_engine_clock() on APUs
Alex Deucher [Mon, 18 Mar 2013 21:12:50 +0000 (17:12 -0400)]
drm/radeon: don't use get_engine_clock() on APUs

commit bf05d9985111f85ed6922c134567b96eb789283b upstream.

It doesn't work reliably.  Just report back the currently
selected engine clock.

Partially fixes:

Signed-off-by: Alex Deucher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Fall back to bit banging mode for DVO transmitter detection
David Müller [Fri, 19 Apr 2013 08:41:50 +0000 (10:41 +0200)]
drm/i915: Fall back to bit banging mode for DVO transmitter detection

commit e4bfff54ed3f5de88f5358504c78c2cb037813aa upstream.

As discussed in this thread
GMBUS based DVO transmitter detection seems to be unreliable which could
result in an unusable DVO port.

The attached patch fixes this by falling back to bit banging mode for
the time DVO transmitter detection is in progress.

Signed-off-by: David Müller <>
Tested-by: David Müller <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Fixup Oops in the pipe config computation
Daniel Vetter [Fri, 12 Apr 2013 16:48:43 +0000 (18:48 +0200)]
drm/i915: Fixup Oops in the pipe config computation

commit b6c5164d7bf624f3e1b750787ddb983150c5117c upstream.

Yet again our current confusion between doing the modeset globally,
but only having the new parameters for one crtc at a time.

So that intel_set_mode essentially already does a global modeset:
intel_modeset_affected_pipes compares the current state with where we
want to go to (which is carefully set up by intel_crtc_set_config) and
then goes through the modeset sequence for any crtc which needs

Now the issue is that the actual interface with the remaining code
still only works on one crtc, and so we only pass in one fb and one
mode. In intel_set_mode we also only compute one intel_crtc_config
(which should be the one for the crtc we're doing a modeset on).

The reason for that mismatch is twofold:
- We want to eventually do all modeset as global state changes, so
it's just infrastructure prep.
- But even the old semantics can change more than one crtc when you
e.g. move a connector from crtc A to crtc B, then both crtc A and B
need to be updated. Usually that means one pipe is disabled and the
other enabled. This is also the reason why the hack doesn't touch the
disable_pipes mask.

Now hilarity ensued in our kms config restore paths when we actually
try to do a modeset on all crtcs: If the first crtc should be off and
the second should be on, then the call on the first crtc will notice
that the 2nd one should be switched on and so tries to compute the
pipe_config. But due to a lack of passed-in fb (crtc 1 should be off
after all) it only results in tears.

This case is ridiculously easy to hit on gen2/3 where the lvds output
is restricted to pipe B. Note that before the pipe_config bpp rework
gen2/3 didn't care really about the fb->depth, so this is a regression
brought to light with

commit 4e53c2e010e531b4a014692199e978482d471c7e
Author: Daniel Vetter <>
Date:   Wed Mar 27 00:44:58 2013 +0100

    drm/i915: precompute pipe bpp before touching the hw

But apparently Ajax also managed to blow up pch platforms, probably
with some randomized configs, and pch platforms trip up over the lack
of an fb even in the old code. So this actually goes back to the first
introduction of the new modeset restore code in

commit 45e2b5f640b3766da3eda48f6c35f088155c06f3
Author: Daniel Vetter <>
Date:   Fri Nov 23 18:16:34 2012 +0100

    drm/i915: force restore on lid open

Fix this mess by now by justing shunting all the cool new global
modeset logic in intel_modeset_affected_pipes.

v2: Improve commit message and clean up all the comments in
intel_modeset_affected_pipes - since the introduction of the modeset
restore code they've been a bit outdated.

Tested-by: Richard Cochran <>
Reviewed-by: Chris Wilson <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: ensure single initialization and cleanup of backlight device
Jani Nikula [Fri, 12 Apr 2013 12:18:38 +0000 (15:18 +0300)]
drm/i915: ensure single initialization and cleanup of backlight device

commit dc652f90e088798bfa31f496ba994ddadd5d5680 upstream.

Backlight cleanup in the eDP connector destroy callback caused the
backlight device to be removed on some systems that first initialized LVDS
and then attempted to initialize eDP. Prevent multiple backlight
initializations, and ensure backlight cleanup is only done once by moving
it to modeset cleanup.

A small wrinkle is the introduced asymmetry in backlight
setup/cleanup. This could be solved by adding refcounting, but it seems
overkill considering that there should only ever be one backlight device.

Signed-off-by: Jani Nikula <>
Tested-by: Peter Verthez <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: set CPT FDI RX polarity bits based on VBT
Paulo Zanoni [Mon, 8 Apr 2013 18:48:07 +0000 (15:48 -0300)]
drm/i915: set CPT FDI RX polarity bits based on VBT

commit 3f704fa2778d3fe45e6529825a5c7a8bcbc686f4 upstream.

Check the VBT to see if the machine has inverted FDI RX polarity on
CPT. Based on this bit, set the appropriate bit on the TRANS_CHICKEN2

This should fix some machines that were showing black screens on all

Signed-off-by: Paulo Zanoni <>
Reviewed-by: Imre Deak <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Use MLC (l3$) for context objects
Chris Wilson [Mon, 8 Apr 2013 13:28:40 +0000 (14:28 +0100)]
drm/i915: Use MLC (l3$) for context objects

commit 4615d4c9e27eda42c3e965f208a4b4065841498c upstream.

Enabling context support increases SwapBuffers latency by about 20%
(measured on an i7-3720qm). We can offset that loss slightly by enabling
faster caching for the contexts. As they are not backed by any
particular cache (such as the sampler or render caches) our only option
is to select the generic mid-level cache. This reduces the latency of
the swap by about 5%.

Oddly this effect can be observed running smokin-guns on IVB at
Using BLT copies for swaps: 151.67 fps
Using Render copies for swaps (unpatched):  141.70 fps
With contexts disabled: 150.23 fps
With contexts in L3$: 150.77 fps

Signed-off-by: Chris Wilson <>
Cc: Ben Widawsky <>
Cc: Kenneth Graunke <>
Reviewed-by: Kenneth Graunke <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Workaround incoherence between fences and LLC across multiple CPUs
Chris Wilson [Thu, 4 Apr 2013 20:31:03 +0000 (21:31 +0100)]
drm/i915: Workaround incoherence between fences and LLC across multiple CPUs

commit 25ff1195f8a0b3724541ae7bbe331b4296de9c06 upstream.

In order to fully serialize access to the fenced region and the update
to the fence register we need to take extreme measures on SNB+, and
manually flush writes to memory prior to writing the fence register in
conjunction with the memory barriers placed around the register write.

Fixes i-g-t/gem_fence_thrash

v2: Bring a bigger gun
v3: Switch the bigger gun for heavier bullets (Arjan van de Ven)
v4: Remove changes for working generations.
v5: Reduce to a per-cpu wbinvd() call prior to updating the fences.
v6: Rewrite comments to ellide forgotten history.

Signed-off-by: Chris Wilson <>
Cc: Jon Bloomfield <>
Tested-by: Jon Bloomfield <> (v2)
Reviewed-by: Jesse Barnes <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Fix SDVO connector and encoder get_hw_state functions
Egbert Eich [Thu, 4 Apr 2013 20:04:02 +0000 (16:04 -0400)]
drm/i915: Fix SDVO connector and encoder get_hw_state functions

commit 7a7d1fb79fb581553f4830498045de774a9659f8 upstream.

The connector associated with the encoder is considered active when the
output associtated with this connector is active on the encoder. The
encoder itself is considered active when either there is an active
output on  it or the  respective SDVO channel is active.
Having active outputs when the SDVO channel is inactive seems to be
inconsistent: such states can be found when intel_modeset_setup_hw_state()
collects the hardware state set by the BIOS.
This inconsistency will be fixed in intel_sanitize_crtc()
(when intel_crtc_update_dpms() is called), this however only happens
when the encoder is associated with a crtc.

This patch also reverts:

     commit bd6946e87a98fea11907b2a47368e13044458a35
     Author: Daniel Vetter <>
     Date:   Tue Apr 2 21:30:34 2013 +0200

         drm/i915: Fix sdvo connector get_hw_state function

Signed-off-by: Egbert Eich <>
Suggested-by: Daniel Vetter <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Add no-lvds quirk for Fujitsu Esprimo Q900
Christian Lamparter [Wed, 3 Apr 2013 12:34:11 +0000 (14:34 +0200)]
drm/i915: Add no-lvds quirk for Fujitsu Esprimo Q900

commit 9e9dd0e889c76c786e8f2e164c825c3c06dea30c upstream.

The "Mobile Sandy Bridge CPUs" in the Fujitsu Esprimo Q900
mini desktop PCs are probably misleading the LVDS detection
code in intel_lvds_supported. Nothing is connected to the
LVDS ports in these systems.

Signed-off-by: Christian Lamparter <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Fix sdvo connector get_hw_state function
Daniel Vetter [Tue, 2 Apr 2013 19:30:34 +0000 (21:30 +0200)]
drm/i915: Fix sdvo connector get_hw_state function

commit bd6946e87a98fea11907b2a47368e13044458a35 upstream.

The active output is only the currently selected one, which does not
imply that it's actually enabled. Since we don't use the sdvo encoder
side dpms support, we need to check whether the chip-side sdvo port is
enabled instead.

v2: Fix up Bugzilla links.

v3: Simplify logic a bit (Chris).

Cc: Egbert Eich <>
Cc: Chris Wilson <>
Tested-by: Egbert Eich <> (v2)
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/i915: Fix detection of base of stolen memory
Chris Wilson [Thu, 15 Nov 2012 11:32:18 +0000 (11:32 +0000)]
drm/i915: Fix detection of base of stolen memory

commit e12a2d53ae45a69aea499b64f75e7222cca0f12f upstream.

The routine to query the base of stolen memory was using the wrong
registers and the wrong encodings on virtually every platform.

It was not until the G33 refresh, that a PCI config register was
introduced that explicitly said where the stolen memory was. Prior to
865G there was not even a register that said where the end of usable
low memory was and where the stolen memory began (or ended depending
upon chipset). Before then, one has to look at the BIOS memory maps to
find the Top of Memory. Alas that is not exported by arch/x86 and so we
have to resort to disabling stolen memory on gen2 for the time being.

Then SandyBridge enlarged the PCI register to a full 32-bits and change
the encoding of the address, so even though we happened to be querying
the right register, we read the wrong bits and ended up using address 0
for our stolen data, i.e. notably FBC.

Signed-off-by: Chris Wilson <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/ast: deal with bo reserve fail in dirty update path
Dave Airlie [Thu, 2 May 2013 06:40:25 +0000 (02:40 -0400)]
drm/ast: deal with bo reserve fail in dirty update path

commit 306373b645d80625335b8e684fa09b14ba460cec upstream.

Port over the mgag200 fix to ast as it suffers the same issue.

    On F19 testing, it was noticed we get a lot of errors in dmesg
    about being unable to reserve the buffer when plymouth starts,
    this is due to the buffer being in the process of migrating,
    so it makes sense we can't reserve it.

    In order to deal with it, this adds delayed updates for the dirty
    updates, when the bo is unreservable, in the normal console case
    this shouldn't ever happen, its just when plymouth or X is
    pushing the console bo to system memory.

Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/prime: keep a reference from the handle to exported dma-buf (v6)
Dave Airlie [Sun, 21 Apr 2013 23:54:36 +0000 (09:54 +1000)]
drm/prime: keep a reference from the handle to exported dma-buf (v6)

commit 219b47339ced80ca580bb6ce7d1636166984afa7 upstream.

Currently we have a problem with this:
1. i915: create gem object
2. i915: export gem object to prime
3. radeon: import gem object
4. close prime fd
5. radeon: unref object
6. i915: unref object

i915 has an imported object reference in its file priv, that isn't
cleaned up properly until fd close. The reference gets added at step 2,
but at step 6 we don't have enough info to clean it up.

The solution is to take a reference on the dma-buf when we export it,
and drop the reference when the gem handle goes away.

So when we export a dma_buf from a gem object, we keep track of it
with the handle, we take a reference to the dma_buf. When we close
the handle (i.e. userspace is finished with the buffer), we drop
the reference to the dma_buf, and it gets collected.

This patch isn't meant to fix any other problem or bikesheds, and it doesn't
fix any races with other scenarios.

v1.1: move export symbol line back up.

v2: okay I had to do a bit more, as the first patch showed a leak
on one of my tests, that I found using the dma-buf debugfs support,
the problem case is exporting a buffer twice with the same handle,
we'd add another export handle for it unnecessarily, however
we now fail if we try to export the same object with a different gem handle,
however I'm not sure if that is a case I want to support, and I've
gotten the code to WARN_ON if we hit something like that.

v2.1: rebase this patch, write better commit msg.
v3: cleanup error handling, track import vs export in linked list,
these two patches were separate previously, but seem to work better
like this.
v4: danvet is correct, this code is no longer useful, since the buffer
better exist, so remove it.
v5: always take a reference to the dma buf object, import or export.
(Imre Deak contributed this originally)
v6: square the circle, remove import vs export tracking now
that there is no difference

Reviewed-by: Daniel Vetter <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/gma500: fix backlight hotkeys behaviour on netbooks
Anisse Astier [Wed, 24 Apr 2013 15:36:01 +0000 (17:36 +0200)]
drm/gma500: fix backlight hotkeys behaviour on netbooks

commit e127dc28cc3057575da0216cde85687153ca180f upstream.

Backlight hotkeys weren't working before on certain cedartrail laptops.

The source of this problem is that the hotkeys' ASLE opregion interrupts
were simply ignored. Driver seemed to expect the interrupt to be
associated with a pipe, but it wasn't.

Accepting the ASLE interrupt without an associated pipe event flag fixes
the issue, the backlight code is called when needed, making the
brightness keys work properly.

[patrik: This patch affects irq handling on any netbook with opregion support]

Signed-off-by: Anisse Astier <>
Signed-off-by: Patrik Jakobsson <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/mgag200: deal with bo reserve fail in dirty update path
Dave Airlie [Thu, 2 May 2013 04:52:01 +0000 (00:52 -0400)]
drm/mgag200: deal with bo reserve fail in dirty update path

commit 641719599528d806e00de8ae8c8453361266a312 upstream.

On F19 testing, it was noticed we get a lot of errors in dmesg
about being unable to reserve the buffer when plymouth starts,
this is due to the buffer being in the process of migrating,
so it makes sense we can't reserve it.

In order to deal with it, this adds delayed updates for the dirty
updates, when the bo is unreservable, in the normal console case
this shouldn't ever happen, its just when plymouth or X is
pushing the console bo to system memory.

Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agodrm/cirrus: deal with bo reserve fail in dirty update path
Dave Airlie [Thu, 2 May 2013 06:45:02 +0000 (02:45 -0400)]
drm/cirrus: deal with bo reserve fail in dirty update path

commit f3b2bbdc8a87a080ccd23d27fca4b87d61340dd4 upstream.

Port over the mgag200 fix to cirrus as it suffers the same issue.

    On F19 testing, it was noticed we get a lot of errors in dmesg
    about being unable to reserve the buffer when plymouth starts,
    this is due to the buffer being in the process of migrating,
    so it makes sense we can't reserve it.

    In order to deal with it, this adds delayed updates for the dirty
    updates, when the bo is unreservable, in the normal console case
    this shouldn't ever happen, its just when plymouth or X is
    pushing the console bo to system memory.

Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoblock: fix max discard sectors limit
James Bottomley [Wed, 24 Apr 2013 14:52:50 +0000 (08:52 -0600)]
block: fix max discard sectors limit

commit 871dd9286e25330c8a581e5dacfa8b1dfe1dd641 upstream.

linux-v3.8-rc1 and later support for plug for blkdev_issue_discard with
commit 0cfbcafcae8b7364b5fa96c2b26ccde7a3a296a9
(block: add plug for blkdev_issue_discard )

For example,
1) DISCARD rq-1 with size size 4GB
2) DISCARD rq-2 with size size 1GB

If these 2 discard requests get merged, final request size will be 5GB.

In this case, request's __data_len field may overflow as it can store
max 4GB(unsigned int).

This issue was observed while doing mkfs.f2fs on 5GB SD card:

Info: sector size = 512
Info: total sectors = 11370496 (in 512bytes)
Info: zone aligned segment0 blkaddr: 512
[  257.789764] blk_update_request: bio idx 0 >= vcnt 0

mkfs process gets stuck in D state and I see the following in the dmesg:

[  257.789733] __end_that: dev mmcblk0: type=1, flags=122c8081
[  257.789764]   sector 4194304, nr/cnr 2981888/4294959104
[  257.789764]   bio df3840c0, biotail df3848c0, buffer   (null), len
[  257.789764] blk_update_request: bio idx 0 >= vcnt 0
[  257.794921] request botched: dev mmcblk0: type=1, flags=122c8081
[  257.794921]   sector 4194304, nr/cnr 2981888/4294959104
[  257.794921]   bio df3840c0, biotail df3848c0, buffer   (null), len

This patch fixes this issue.

Reported-by: Max Filippov <>
Signed-off-by: James Bottomley <>
Signed-off-by: Namjae Jeon <>
Tested-by: Max Filippov <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoarm64: Ignore the 'write' ESR flag on cache maintenance faults
Catalin Marinas [Tue, 7 May 2013 15:57:06 +0000 (16:57 +0100)]
arm64: Ignore the 'write' ESR flag on cache maintenance faults

commit 0e7f7bcc3fc87489cda5aa6aff8ce40eed912279 upstream.

ESR.WnR bit is always set on data cache maintenance faults even though
the page is not required to have write permission. If a translation
fault (page not yet mapped) happens for read-only user address range,
Linux incorrectly assumes a permission fault. This patch adds the check
of the ESR.CM bit during the page fault handling to ignore the 'write'

Signed-off-by: Catalin Marinas <>
Reported-by: Tim Northover <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoRDMA/cxgb4: Fix SQ allocation when on-chip SQ is disabled
Thadeu Lima de Souza Cascardo [Mon, 1 Apr 2013 20:13:39 +0000 (20:13 +0000)]
RDMA/cxgb4: Fix SQ allocation when on-chip SQ is disabled

commit 5b0c275926b8149c555da874bb4ec258ea3292aa upstream.

Commit c079c28714e4 ("RDMA/cxgb4: Fix error handling in create_qp()")
broke SQ allocation.  Instead of falling back to host allocation when
on-chip allocation fails, it tries to allocate both.  And when it
does, and we try to free the address from the genpool using the host
address, we hit a BUG and the system crashes as below.

We create a new function that has the previous behavior and properly
propagate the error, as intended.

    kernel BUG at /usr/src/packages/BUILD/kernel-ppc64-3.0.68/linux-3.0/lib/genalloc.c:340!
    Oops: Exception in kernel mode, sig: 5 [#1]
    SMP NR_CPUS=1024 NUMA pSeries
    Modules linked in: rdma_ucm rdma_cm ib_addr ib_cm iw_cm ib_sa ib_mad ib_uverbs iw_cxgb4 ib_core ip6t_LOG xt_tcpudp xt_pkttype ipt_LOG xt_limit ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_raw xt_NOTRACK ipt_REJECT xt_state iptable_raw iptable_filter ip6table_mangle nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables ip6table_filter ip6_tables x_tables fuse loop dm_mod ipv6 ipv6_lib sr_mod cdrom ibmveth(X) cxgb4 sg ext3 jbd mbcache sd_mod crc_t10dif scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh_rdac scsi_dh ibmvscsic(X) scsi_transport_srp scsi_tgt scsi_mod
    Supported: Yes
    NIP: c00000000037d41c LR: d000000003913824 CTR: c00000000037d3b0
    REGS: c0000001f350ae50 TRAP: 0700   Tainted: G            X  (3.0.68-0.9-ppc64)
    MSR: 8000000000029032 <EE,ME,CE,IR,DR>  CR: 24042482  XER: 00000001
    TASK = c0000001f6f2a840[3616] 'rping' THREAD: c0000001f3508000 CPU: 0
    GPR00: c0000001f6e875c8 c0000001f350b0d0 c000000000fc9690 c0000001f6e875c0
    GPR04: 00000000000c0000 0000000000010000 0000000000000000 c0000000009d482a
    GPR08: 000000006a170000 0000000000100000 c0000001f350b140 c0000001f6e875c8
    GPR12: d000000003915dd0 c000000003f40000 000000003e3ecfa8 c0000001f350bea0
    GPR16: c0000001f350bcd0 00000000003c0000 0000000000040100 c0000001f6e74a80
    GPR20: d00000000399a898 c0000001f6e74ac8 c0000001fad91600 c0000001f6e74ab0
    GPR24: c0000001f7d23f80 0000000000000000 0000000000000002 000000006a170000
    GPR28: 000000000000000c c0000001f584c8d0 d000000003925180 c0000001f6e875c8
    NIP [c00000000037d41c] .gen_pool_free+0x6c/0xf8
    LR [d000000003913824] .c4iw_ocqp_pool_free+0x8c/0xd8 [iw_cxgb4]
    Call Trace:
    [c0000001f350b0d0] [c0000001f350b180] 0xc0000001f350b180 (unreliable)
    [c0000001f350b170] [d000000003913824] .c4iw_ocqp_pool_free+0x8c/0xd8 [iw_cxgb4]
    [c0000001f350b210] [d00000000390fd70] .dealloc_sq+0x90/0xb0 [iw_cxgb4]
    [c0000001f350b280] [d00000000390fe08] .destroy_qp+0x78/0xf8 [iw_cxgb4]
    [c0000001f350b310] [d000000003912738] .c4iw_destroy_qp+0x208/0x2d0 [iw_cxgb4]
    [c0000001f350b460] [d000000003861874] .ib_destroy_qp+0x5c/0x130 [ib_core]
    [c0000001f350b510] [d0000000039911bc] .ib_uverbs_cleanup_ucontext+0x174/0x4f8 [ib_uverbs]
    [c0000001f350b5f0] [d000000003991568] .ib_uverbs_close+0x28/0x70 [ib_uverbs]
    [c0000001f350b670] [c0000000001e7b2c] .__fput+0xdc/0x278
    [c0000001f350b720] [c0000000001a9590] .remove_vma+0x68/0xd8
    [c0000001f350b7b0] [c0000000001a9720] .exit_mmap+0x120/0x160
    [c0000001f350b8d0] [c0000000000af330] .mmput+0x80/0x160
    [c0000001f350b960] [c0000000000b5d0c] .exit_mm+0x1ac/0x1e8
    [c0000001f350ba10] [c0000000000b8154] .do_exit+0x1b4/0x4b8
    [c0000001f350bad0] [c0000000000b84b0] .do_group_exit+0x58/0xf8
    [c0000001f350bb60] [c0000000000ce9f4] .get_signal_to_deliver+0x2f4/0x5d0
    [c0000001f350bc60] [c000000000017ee4] .do_signal_pending+0x6c/0x3e0
    [c0000001f350bdb0] [c0000000000182cc] .do_signal+0x74/0x78
    [c0000001f350be30] [c000000000009e74] do_work+0x24/0x28

Signed-off-by: Thadeu Lima de Souza Cascardo <>
Cc: Emil Goode <>
Acked-by: Steve Wise <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agor8169: fix 8168evl frame padding.
Stefan Bader [Fri, 26 Apr 2013 13:49:32 +0000 (13:49 +0000)]
r8169: fix 8168evl frame padding.

commit e5195c1f31f399289347e043d6abf3ffa80f0005 upstream.

Signed-off-by: Stefan Bader <>
Acked-by: Francois Romieu <>
Cc: hayeswang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4: add check for inodes_count overflow in new resize ioctl
Theodore Ts'o [Mon, 22 Apr 2013 02:56:32 +0000 (22:56 -0400)]
ext4: add check for inodes_count overflow in new resize ioctl

commit 3f8a6411fbada1fa482276591e037f3b1adcf55b upstream.

Addresses-Red-Hat-Bugzilla: #913245

Reported-by: Eric Sandeen <>
Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Carlos Maiolino <>
Signed-off-by: Lingzhu Xiang <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
Matthias Schiffer [Sat, 30 Mar 2013 10:23:12 +0000 (10:23 +0000)]
netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths

commit 906b1c394d0906a154fbdc904ca506bceb515756 upstream.

The bitmask used for the prefix mangling was being calculated
incorrectly, leading to the wrong part of the address being replaced
when the prefix length wasn't a multiple of 32.

Signed-off-by: Matthias Schiffer <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
Florian Westphal [Wed, 17 Apr 2013 22:45:24 +0000 (22:45 +0000)]
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too

commit f83a7ea2075ca896f2dbf07672bac9cf3682ff74 upstream.

Alex Efros reported rpfilter module doesn't match following packets:
IN=br.qemu SRC= DST= [ .. ]
(netfilter bugzilla #814).

Problem is that network stack arranges for the locally generated broadcasts
to appear on the interface they were sent out, so the IFF_LOOPBACK check
doesn't trigger.

As -m rpfilter is restricted to PREROUTING, we can check for existing
rtable instead, it catches locally-generated broad/multicast case, too.

Signed-off-by: Florian Westphal <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: ctnetlink: don't permit ct creation with random tuple
Florian Westphal [Mon, 11 Feb 2013 23:22:38 +0000 (23:22 +0000)]
netfilter: ctnetlink: don't permit ct creation with random tuple

commit 442fad9423b78319e0019a7f5047eddf3317afbc upstream.

Userspace can cause kernel panic by not specifying orig/reply
tuple: kernel will create a tuple with random stack values.

Problem is that tuple.dst.dir will be random, too, which
causes nf_ct_tuplehash_to_ctrack() to return garbage.

Signed-off-by: Florian Westphal <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: nf_ct_helper: don't discard helper if it is actually the same
Florian Westphal [Tue, 12 Feb 2013 05:59:53 +0000 (05:59 +0000)]
netfilter: nf_ct_helper: don't discard helper if it is actually the same

commit 6e2f0aa8cf8892868bf2c19349cb5d7c407f690d upstream.

commit (32f5376 netfilter: nf_ct_helper: disable automatic helper
re-assignment of different type) broke transparent proxy scenarios.

For example, initial helper lookup might yield "ftp" (dport 21),
while re-lookup after REDIRECT yields "ftp-2121".

This causes the autoassign code to toss the ftp helper, even
though these are just different instances of the same helper.

Change the test to check for the helper function address instead
of the helper address, as suggested by Pablo.

Signed-off-by: Florian Westphal <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: ipset: "Directory not empty" error message
Jozsef Kadlecsik [Thu, 21 Feb 2013 10:12:40 +0000 (11:12 +0100)]
netfilter: ipset: "Directory not empty" error message

commit dd82088dab3646ed28e4aa43d1a5b5d5ffc2afba upstream.

When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>"
(reported by John Brendler).

The internal error code was not properly transformed before returning
to userspace, fixed.

Signed-off-by: Jozsef Kadlecsik <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet
Patrick McHardy [Fri, 5 Apr 2013 08:13:30 +0000 (08:13 +0000)]
netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet

commit 3a7b21eaf4fb3c971bdb47a98f570550ddfe4471 upstream.

Some Cisco phones create huge messages that are spread over multiple packets.
After calculating the offset of the SIP body, it is validated to be within
the packet and the packet is dropped otherwise. This breaks operation of
these phones. Since connection tracking is supposed to be passive, just let
those packets pass unmodified and untracked.

Signed-off-by: Patrick McHardy <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: ipset: list:set: fix reference counter update
Jozsef Kadlecsik [Tue, 9 Apr 2013 08:57:19 +0000 (08:57 +0000)]
netfilter: ipset: list:set: fix reference counter update

commit 02f815cb6d3f57914228be84df9613ee5a01c2e6 upstream.

The last element can be replaced or pushed off and in both
cases the reference counter must be updated.

Signed-off-by: Jozsef Kadlecsik <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonetfilter: nf_nat: fix race when unloading protocol modules
Florian Westphal [Thu, 11 Apr 2013 04:22:39 +0000 (04:22 +0000)]
netfilter: nf_nat: fix race when unloading protocol modules

commit c2d421e171868586939c328dfb91bab840fe4c49 upstream.

following oops was reported:
RIP: 0010:[<ffffffffa03227f2>]  [<ffffffffa03227f2>] nf_nat_cleanup_conntrack+0x42/0x70 [nf_nat]
RSP: 0018:ffff880202c63d40  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801ac7bec28 RCX: ffff8801d0eedbe0
RDX: dead000000200200 RSI: 0000000000000011 RDI: ffffffffa03265b8
Call Trace:
 [<ffffffffa02febed>] destroy_conntrack+0xbd/0x110 [nf_conntrack]

Happens when a conntrack timeout expires right after first part
of the nat cleanup has completed (bysrc hash removal), but before
part 2 has completed (re-initialization of nat area).

[ destroy callback tries to delete bysrc again ]

Patrick suggested to just remove the affected conntracks -- the
connections won't work properly anyway without nat transformation.

So, lets do that.

Reported-by: CAI Qian <>
Cc: Patrick McHardy <>
Signed-off-by: Florian Westphal <>
Acked-by: Patrick McHardy <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoipvs: ip_vs_sip_fill_param() BUG: bad check of return value
Hans Schillstrom [Sat, 27 Apr 2013 18:06:14 +0000 (20:06 +0200)]
ipvs: ip_vs_sip_fill_param() BUG: bad check of return value

commit f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 upstream.

The reason for this patch is crash in kmemdup
caused by returning from get_callid with uniialized
matchoff and matchlen.

Removing Zero check of matchlen since it's done by ct_sip_get_header()

BUG: unable to handle kernel paging request at ffff880457b5763f
IP: [<ffffffff810df7fc>] kmemdup+0x2e/0x35
PGD 27f6067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: xt_state xt_helper nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle xt_connmark xt_conntrack ip6_tables nf_conntrack_ftp ip_vs_ftp nf_nat xt_tcpudp iptable_mangle xt_mark ip_tables x_tables ip_vs_rr ip_vs_lblcr ip_vs_pe_sip ip_vs nf_conntrack_sip nf_conntrack bonding igb i2c_algo_bit i2c_core
Pid: 0, comm: swapper/5 Not tainted 3.9.0-rc5+ #5                  /S1200KP
RIP: 0010:[<ffffffff810df7fc>]  [<ffffffff810df7fc>] kmemdup+0x2e/0x35
RSP: 0018:ffff8803fea03648  EFLAGS: 00010282
RAX: ffff8803d61063e0 RBX: 0000000000000003 RCX: 0000000000000003
RDX: 0000000000000003 RSI: ffff880457b5763f RDI: ffff8803d61063e0
RBP: ffff8803fea03658 R08: 0000000000000008 R09: 0000000000000011
R10: 0000000000000011 R11: 00ffffffff81a8a3 R12: ffff880457b5763f
R13: ffff8803d67f786a R14: ffff8803fea03730 R15: ffffffffa0098e90
FS:  0000000000000000(0000) GS:ffff8803fea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff880457b5763f CR3: 0000000001a0c000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper/5 (pid: 0, threadinfo ffff8803ee18c000, task ffff8803ee18a480)
 ffff8803d822a080 000000000000001c ffff8803fea036c8 ffffffffa000937a
 ffffffff81f0d8a0 000000038135fdd5 ffff880300000014 ffff880300110000
 ffffffff150118ac ffff8803d7e8a000 ffff88031e0118ac 0000000000000000
Call Trace:

 [<ffffffffa000937a>] ip_vs_sip_fill_param+0x13a/0x187 [ip_vs_pe_sip]
 [<ffffffffa007b209>] ip_vs_sched_persist+0x2c6/0x9c3 [ip_vs]
 [<ffffffff8107dc53>] ? __lock_acquire+0x677/0x1697
 [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
 [<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
 [<ffffffff810649bc>] ? sched_clock_cpu+0x43/0xcf
 [<ffffffffa007bb1e>] ip_vs_schedule+0x181/0x4ba [ip_vs]

Signed-off-by: Hans Schillstrom <>
Acked-by: Julian Anastasov <>
Signed-off-by: Simon Horman <>
Signed-off-by: David S. Miller <>
Cc: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoxhci: Don't warn on empty ring for suspended devices.
Sarah Sharp [Mon, 18 Mar 2013 17:19:51 +0000 (10:19 -0700)]
xhci: Don't warn on empty ring for suspended devices.

commit a83d6755814e4614ba77e15d82796af0f695c6b8 upstream.

When a device attached to the roothub is suspended, the endpoint rings
are stopped.  The host may generate a completion event with the
completion code set to 'Stopped' or 'Stopped Invalid' when the ring is
halted.  The current xHCI code prints a warning in that case, which can
be really annoying if the USB device is coming into and out of suspend.

Remove the unnecessary warning.

Signed-off-by: Sarah Sharp <>
Tested-by: Stephen Hemminger <>
Cc: Luis Henriques <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoe1000e: fix accessing to suspended device
Konstantin Khlebnikov [Wed, 8 May 2013 08:10:25 +0000 (12:10 +0400)]
e1000e: fix accessing to suspended device

commit e60b22c5b7e59db09a7c9490b1e132c7e49ae904 upstream.

This patch fixes some annoying messages like 'Error reading PHY register' and
'Hardware Erorr' and saves several seconds on reboot.

Signed-off-by: Konstantin Khlebnikov <>
Cc: Bruce Allan <>
Acked-by: Rafael J. Wysocki <>
Tested-by: Borislav Petkov <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Tested-by: Tóth Attila <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoe1000e: fix runtime power management transitions
Konstantin Khlebnikov [Wed, 8 May 2013 08:10:21 +0000 (12:10 +0400)]
e1000e: fix runtime power management transitions

commit 66148babe728f3e00e13c56f6b0ecf325abd80da upstream.

This patch removes redundant actions from driver and fixes its interaction
with actions in pci-bus runtime power management code.

It removes pci_save_state() from __e1000_shutdown() for normal adapters,
PCI bus callbacks pci_pm_*() will do all this for us. Now __e1000_shutdown()
switches to D3-state only quad-port adapters, because they needs quirk for
clearing false-positive error from downsteam pci-e port.

pci_save_state() now called after clearing bus-master bit, thus __e1000_resume()
and e1000_io_slot_reset() must set it back after restoring configuration space.

This patch set get_link_status before calling pm_runtime_put() in e1000_open()
to allow e1000_idle() get real link status and schedule first runtime suspend.

This patch also enables wakeup for device if management mode is enabled
(like for WoL) as result pci_prepare_to_sleep() would setup wakeup without
special actions like custom 'enable_wakeup' sign.

Signed-off-by: Konstantin Khlebnikov <>
Cc: Bruce Allan <>
Acked-by: Rafael J. Wysocki <>
Tested-by: Borislav Petkov <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Tested-by: Tóth Attila <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoPCI/PM: Clear state_saved during suspend
Rafael J. Wysocki [Wed, 8 May 2013 08:10:18 +0000 (12:10 +0400)]
PCI/PM: Clear state_saved during suspend

commit 82fee4d67ab86d6fe5eb0f9a9e988ca9d654d765 upstream.

This patch clears pci_dev->state_saved at the beginning of suspending.
PCI config state may be saved long before that.  Some drivers call
pci_save_state() from the ->probe() callback to get snapshot of sane
configuration space to use in the ->slot_reset() callback.

Signed-off-by: Konstantin Khlebnikov <> # add comment
Signed-off-by: Bjorn Helgaas <>
Tested-by: Tóth Attila <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoperf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
Peter Zijlstra [Fri, 3 May 2013 12:11:25 +0000 (14:11 +0200)]
perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL

commit 7cc23cd6c0c7d7f4bee057607e7ce01568925717 upstream.

We should always have proper privileges when requesting kernel

Signed-off-by: Peter Zijlstra <>
Cc: Andi Kleen <>
[ Fix build error reported by, propagate error code back. ]
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoperf/x86/intel/lbr: Fix LBR filter
Peter Zijlstra [Fri, 3 May 2013 12:11:24 +0000 (14:11 +0200)]
perf/x86/intel/lbr: Fix LBR filter

commit 6e15eb3ba6c0249c9e8c783517d131b47db995ca upstream.

The LBR 'from' adddress is under full userspace control; ensure
we validate it before reading from it.

Note: is_module_text_address() can potentially be quite
expensive; for those running into that with high overhead
in modules optimize it using an RCU backed rb-tree.

Reported-by: Andi Kleen <>
Signed-off-by: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoperf/x86/intel: Fix unintended variable name reuse
Jan-Simon Möller [Tue, 30 Apr 2013 10:02:33 +0000 (12:02 +0200)]
perf/x86/intel: Fix unintended variable name reuse

commit 1b0dac2ac6debdbf1541e15f2cede03613cf4465 upstream.

The variable name events_group is already in used and led to a
compilation error when using clang to build the Linux Kernel .
The fix is just to rename the var. No functional change. Please

Fix suggested in discussion by PaX Team <>

Signed-off-by: Jan-Simon Möller <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoperf/x86/intel: Add support for IvyBridge model 58 Uncore
Vince Weaver [Mon, 29 Apr 2013 19:52:27 +0000 (15:52 -0400)]
perf/x86/intel: Add support for IvyBridge model 58 Uncore

commit 9a6bc14350b130427725f33e371e86212fa56c85 upstream.

According to Intel Vol3b 18.9, the IvyBridge model 58 uncore is
the same as that of SandyBridge.

I've done some simple tests and with this patch things seem to
work on my mac-mini.

Signed-off-by: Vince Weaver <>
Cc: Peter Zijlstra <>
Cc: Paul Mackerras <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Stephane Eranian <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonet/eth/ibmveth: Fixup retrieval of MAC address
Benjamin Herrenschmidt [Fri, 3 May 2013 17:19:01 +0000 (17:19 +0000)]
net/eth/ibmveth: Fixup retrieval of MAC address

commit 13f85203e1060da83d9ec1c1c5a63343eaab8de4 upstream.

Some ancient pHyp versions used to create a 8 bytes local-mac-address
property in the device-tree instead of a 6 bytes one for veth.

The Linux driver code to deal with that is an insane hack which also
happens to break with some choices of MAC addresses in qemu by testing
for a bit in the address rather than just looking at the size of the

Sanitize this by doing the latter instead.

Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoiommu/amd: Properly initialize irq-table lock
Joerg Roedel [Tue, 9 Apr 2013 19:14:08 +0000 (21:14 +0200)]
iommu/amd: Properly initialize irq-table lock

commit 197887f03daecdb3ae21bafeb4155412abad3497 upstream.

Fixes a lockdep warning.

Reviewed-by: Shuah Khan <>
Signed-off-by: Joerg Roedel <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agohugetlbfs: fix mmap failure in unaligned size request
Naoya Horiguchi [Tue, 7 May 2013 23:18:13 +0000 (16:18 -0700)]
hugetlbfs: fix mmap failure in unaligned size request

commit af73e4d9506d3b797509f3c030e7dcd554f7d9c4 upstream.

The current kernel returns -EINVAL unless a given mmap length is
"almost" hugepage aligned.  This is because in sys_mmap_pgoff() the
given length is passed to vm_mmap_pgoff() as it is without being aligned
with hugepage boundary.

This is a regression introduced in commit 40716e29243d ("hugetlbfs: fix
alignment of huge page requests"), where alignment code is pushed into
hugetlb_file_setup() and the variable len in caller side is not changed.

To fix this, this patch partially reverts that commit, and adds
alignment code in caller side.  And it also introduces hstate_sizelog()
in order to get proper hstate to specified hugepage size.


[ fix warning when CONFIG_HUGETLB_PAGE=n]
Signed-off-by: Naoya Horiguchi <>
Signed-off-by: Johannes Weiner <>
Reported-by: <>
Cc: Steven Truelove <>
Cc: Jianguo Wu <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoautofs - remove autofs dentry mount check
David Jeffery [Mon, 6 May 2013 05:49:30 +0000 (13:49 +0800)]
autofs - remove autofs dentry mount check

commit ce8a5dbdf9e709bdaf4618d7ef8cceb91e8adc69 upstream.

When checking if an autofs mount point is busy it isn't sufficient to
only check if it's a mount point.

For example, if the mount of an offset mountpoint in a tree is denied
for this host by its export and the dentry becomes a process working
directory the check incorrectly returns the mount as not in use at

This can happen since the default when mounting within a tree is
nostrict, which means ingnore mount fails on mounts within the tree and
continue.  The nostrict option is meant to allow mounting in this case.

Signed-off-by: David Jeffery <>
Signed-off-by: Ian Kent <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agopwm: spear: Fix checking return value of clk_enable() and clk_prepare()
Axel Lin [Sat, 30 Mar 2013 12:43:22 +0000 (20:43 +0800)]
pwm: spear: Fix checking return value of clk_enable() and clk_prepare()

commit 563861cd633ae52932843477bb6ca3f1c9e2f78b upstream.

The logic to check return value of clk_enable() and clk_prepare() is reversed,
fix it.

Signed-off-by: Axel Lin <>
Acked-by: Viresh Kumar <>
Signed-off-by: Thierry Reding <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agopowerpc: fix numa distance for form0 device tree
Vaidyanathan Srinivasan [Fri, 22 Mar 2013 05:49:35 +0000 (05:49 +0000)]
powerpc: fix numa distance for form0 device tree

commit 7122beeee7bc1757682049780179d7c216dd1c83 upstream.

The following commit breaks numa distance setup for old powerpc
systems that use form0 encoding in device tree.

commit 41eab6f88f24124df89e38067b3766b7bef06ddb
powerpc/numa: Use form 1 affinity to setup node distance

Device tree node /rtas/ibm,associativity-reference-points would
index into /cpus/PowerPCxxxx/ibm,associativity based on form0 or
form1 encoding detected by ibm,architecture-vec-5 property.

All modern systems use form1 and current kernel code is correct.
However, on older systems with form0 encoding, the numa distance
will get hard coded as LOCAL_DISTANCE for all nodes.  This causes
task scheduling anomaly since scheduler will skip building numa
level domain (topmost domain with all cpus) if all numa distances
are same.  (value of 'level' in sched_init_numa() will remain 0)

Prior to the above commit:

Restoring compatible behavior with this patch for old powerpc systems
with device tree where numa distance are encoded as form0.

Signed-off-by: Vaidyanathan Srinivasan <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agopowerpc: Emulate non privileged DSCR read and write
Anton Blanchard [Wed, 1 May 2013 20:06:33 +0000 (20:06 +0000)]
powerpc: Emulate non privileged DSCR read and write

commit 73d2fb758e678c93bc76d40876c2359f0729b0ef upstream.

POWER8 allows read and write of the DSCR in userspace. We added
kernel emulation so applications could always use the instructions
regardless of the CPU type.

Unfortunately there are two SPRs for the DSCR and we only added
emulation for the privileged one. Add code to match the non
privileged one.

A simple test was created to verify the fix:

Without the patch we get a SIGILL and it passes with the patch.

Signed-off-by: Anton Blanchard <>
Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoxen/arm: actually pass a non-NULL percpu pointer to request_percpu_irq
Stefano Stabellini [Thu, 25 Apr 2013 13:53:09 +0000 (13:53 +0000)]
xen/arm: actually pass a non-NULL percpu pointer to request_percpu_irq

commit 2798ba7d19aed645663398a21ec4006bfdbb1ef3 upstream.

Signed-off-by: Stefano Stabellini <>
Reviewed-by: Ian Campbell <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoLinux 3.8.12 v3.8.12
Greg Kroah-Hartman [Wed, 8 May 2013 03:33:25 +0000 (20:33 -0700)]
Linux 3.8.12

7 years agomfd: adp5520: Restore mode bits on resume
Lars-Peter Clausen [Tue, 19 Feb 2013 10:51:22 +0000 (11:51 +0100)]
mfd: adp5520: Restore mode bits on resume

commit c6cc25fda58da8685ecef3f179adc7b99c8253b2 upstream.

The adp5520 unfortunately also clears the BL_EN bit when the nSTNDBY bit is
cleared. So we need to make sure to restore it during resume if it was set
before suspend.

Signed-off-by: Lars-Peter Clausen <>
Acked-by: Michael Hennerich <>
Signed-off-by: Samuel Ortiz <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agorcutrace: single_open() leaks
Al Viro [Sun, 5 May 2013 04:16:35 +0000 (00:16 -0400)]
rcutrace: single_open() leaks

commit 7ee2b9e56495c56dcaffa2bab19b39451d9fdc8a upstream.

Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agommc: atmel-mci: pio hang on block errors
Terry Barnaby [Mon, 8 Apr 2013 16:05:47 +0000 (12:05 -0400)]
mmc: atmel-mci: pio hang on block errors

commit bdbc5d0c60f3e9de3eeccf1c1a18bdc11dca62cc upstream.

The driver is doing, by default, multi-block reads. When a block error
occurs, card/block.c instigates a single block read: "mmcblk0: retrying
using single block read".  It leaves the sg chain intact and just changes
the length attribute for the first sg entry and the overall sg_len
parameter.  When atmci_read_data_pio is called to read the single block
of data it ignores the sg_len and expects to read more than 512 bytes as
it sees there are multiple items in the sg list. No more data comes as
the controller has only been commanded to get one block.

Signed-off-by: Terry Barnaby <>
Acked-by: Ludovic Desroches <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agommc: core: Fix bit width test failing on old eMMC cards
Philip Rakity [Thu, 4 Apr 2013 19:18:11 +0000 (20:18 +0100)]
mmc: core: Fix bit width test failing on old eMMC cards

commit 836dc2fe89c968c10cada87e0dfae6626f8f9da3 upstream.

PARTITION_SUPPORT needs to be set before doing the compare on version
number so the bit width test does not get invalid data.  Before this
patch, a Sandisk iNAND eMMC card would detect 1-bit width although
the hardware supports 4-bit.

Only affects old emmc devices - pre 4.4 devices.

Reported-by: Elad Yi <>
Signed-off-by: Philip Rakity <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agox86: Eliminate irq_mis_count counted in arch_irq_stat
Li Fei [Fri, 26 Apr 2013 12:50:11 +0000 (20:50 +0800)]
x86: Eliminate irq_mis_count counted in arch_irq_stat

commit f7b0e1055574ce06ab53391263b4e205bf38daf3 upstream.

With the current implementation, kstat_cpu(cpu).irqs_sum is also
increased in case of irq_mis_count increment.

So there is no need to count irq_mis_count in arch_irq_stat,
otherwise irq_mis_count will be counted twice in the sum of

Reported-by: Liu Chuansheng <>
Signed-off-by: Li Fei <>
Acked-by: Liu Chuansheng <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoKVM: X86 emulator: fix source operand decoding for 8bit mov[zs]x instructions
Gleb Natapov [Wed, 24 Apr 2013 10:38:36 +0000 (13:38 +0300)]
KVM: X86 emulator: fix source operand decoding for 8bit mov[zs]x instructions

commit 660696d1d16a71e15549ce1bf74953be1592bcd3 upstream.

Source operand for one byte mov[zs]x is decoded incorrectly if it is in
high byte register. Fix that.

Signed-off-by: Gleb Natapov <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoGive the OID registry file module info to avoid kernel tainting
David Howells [Sat, 4 May 2013 07:48:27 +0000 (08:48 +0100)]
Give the OID registry file module info to avoid kernel tainting

commit 9e6879460c8edb0cd3c24c09b83d06541b5af0dc upstream.

Give the OID registry file module information so that it doesn't taint the
kernel when compiled as a module and loaded.

Reported-by: Dros Adamson <>
Signed-off-by: David Howells <>
cc: Trond Myklebust <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agommc: at91/avr32/atmel-mci: fix DMA-channel leak on module unload
Johan Hovold [Wed, 13 Mar 2013 16:11:59 +0000 (17:11 +0100)]
mmc: at91/avr32/atmel-mci: fix DMA-channel leak on module unload

commit 91cf54feecf815bec0b6a8d6d9dbd0e219f2f2cc upstream.

Fix regression introduced by commit 796211b7953 ("mmc: atmel-mci: add
pdc support and runtime capabilities detection") which removed the need
for CONFIG_MMC_ATMELMCI_DMA but kept the Kconfig-entry as well as the
compile guards around dma_release_channel() in remove(). Consequently,
DMA is always enabled (if supported), but the DMA-channel is not
released on module unload unless the DMA-config option is selected.

Remove the no longer used CONFIG_MMC_ATMELMCI_DMA option completely.

Signed-off-by: Johan Hovold <>
Acked-by: Ludovic Desroches <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4: fix Kconfig documentation for CONFIG_EXT4_DEBUG
Theodore Ts'o [Mon, 22 Apr 2013 00:32:03 +0000 (20:32 -0400)]
ext4: fix Kconfig documentation for CONFIG_EXT4_DEBUG

commit 7f3e3c7cfcec148ccca9c0dd2dbfd7b00b7ac10f upstream.

Fox the Kconfig documentation for CONFIG_EXT4_DEBUG to match the
change made by commit a0b30c1229: ext4: use module parameters instead
of debugfs for mballoc_debug

Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4: fix online resizing for ext3-compat file systems
Theodore Ts'o [Mon, 22 Apr 2013 00:19:43 +0000 (20:19 -0400)]
ext4: fix online resizing for ext3-compat file systems

commit c5c72d814cf0f650010337c73638b25e6d14d2d4 upstream.

Commit fb0a387dcdc restricts block allocations for indirect-mapped
files to block groups less than s_blockfile_groups.  However, the
online resizing code wasn't setting s_blockfile_groups, so the newly
added block groups were not available for non-extent mapped files.

Reported-by: Eric Sandeen <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4: fix big-endian bug in metadata checksum calculations
Dmitry Monakhov [Wed, 10 Apr 2013 03:56:48 +0000 (23:56 -0400)]
ext4: fix big-endian bug in metadata checksum calculations

commit 171a7f21a76a0958c225b97c00a97a10390d40ee upstream.

Signed-off-by: Dmitry Monakhov <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4: fix journal callback list traversal
Dmitry Monakhov [Thu, 4 Apr 2013 02:08:52 +0000 (22:08 -0400)]
ext4: fix journal callback list traversal

commit 5d3ee20855e28169d711b394857ee608a5023094 upstream.

It is incorrect to use list_for_each_entry_safe() for journal callback
traversial because ->next may be removed by other task:

This results in the following issue:

WARNING: at lib/list_debug.c:62 __list_del_entry+0x1c0/0x250()
Hardware name:
list_del corruption. prev->next should be ffff88019a4ec198, but was 6b6b6b6b6b6b6b6b
Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp kvm_intel kvm crc32c_intel ghash_clmulni_intel microcode sg xhci_hcd button sd_mod crc_t10dif aesni_intel ablk_helper cryptd lrw aes_x86_64 xts gf128mul ahci libahci pata_acpi ata_generic dm_mirror dm_region_hash dm_log dm_mod
Pid: 16400, comm: jbd2/dm-1-8 Tainted: G        W    3.8.0-rc3+ #107
Call Trace:
 [<ffffffff8106fb0d>] warn_slowpath_common+0xad/0xf0
 [<ffffffff8106fc06>] warn_slowpath_fmt+0x46/0x50
 [<ffffffff813637e9>] ? ext4_journal_commit_callback+0x99/0xc0
 [<ffffffff8148cae0>] __list_del_entry+0x1c0/0x250
 [<ffffffff813637bf>] ext4_journal_commit_callback+0x6f/0xc0
 [<ffffffff813ca336>] jbd2_journal_commit_transaction+0x23a6/0x2570
 [<ffffffff8108aa42>] ? try_to_del_timer_sync+0x82/0xa0
 [<ffffffff8108b491>] ? del_timer_sync+0x91/0x1e0
 [<ffffffff813d3ecf>] kjournald2+0x19f/0x6a0
 [<ffffffff810ad630>] ? wake_up_bit+0x40/0x40
 [<ffffffff813d3d30>] ? bit_spin_lock+0x80/0x80
 [<ffffffff810ac6be>] kthread+0x10e/0x120
 [<ffffffff810ac5b0>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff818ff6ac>] ret_from_fork+0x7c/0xb0
 [<ffffffff810ac5b0>] ? __init_kthread_worker+0x70/0x70

This patch fix the issue as follows:
- ext4_journal_commit_callback() make list truly traversial safe
  simply by always starting from list_head
- fix race between two ext4_journal_callback_del() and

Signed-off-by: Dmitry Monakhov <>
Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agojbd2: fix race between jbd2_journal_remove_checkpoint and ->j_commit_callback
Dmitry Monakhov [Thu, 4 Apr 2013 02:06:52 +0000 (22:06 -0400)]
jbd2: fix race between jbd2_journal_remove_checkpoint and ->j_commit_callback

commit 794446c6946513c684d448205fbd76fa35f38b72 upstream.

The following race is possible:

[kjournald2]                              other_task
  j_state = T_FINISHED;
  ->j_commit_callback(journal, transaction);

WARNING: at lib/list_debug.c:62 __list_del_entry+0x1c0/0x250()
Hardware name:
list_del corruption. prev->next should be ffff88019a4ec198, but was 6b6b6b6b6b6b6b6b
Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table mperf coretemp kvm_intel kvm crc32c_intel ghash_clmulni_intel microcode sg xhci_hcd button sd_mod crc_t10dif aesni_intel ablk_helper cryptd lrw aes_x86_64 xts gf128mul ahci libahci pata_acpi ata_generic dm_mirror dm_region_hash dm_log dm_mod
Pid: 16400, comm: jbd2/dm-1-8 Tainted: G        W    3.8.0-rc3+ #107
Call Trace:
 [<ffffffff8106fb0d>] warn_slowpath_common+0xad/0xf0
 [<ffffffff8106fc06>] warn_slowpath_fmt+0x46/0x50
 [<ffffffff813637e9>] ? ext4_journal_commit_callback+0x99/0xc0
 [<ffffffff8148cae0>] __list_del_entry+0x1c0/0x250
 [<ffffffff813637bf>] ext4_journal_commit_callback+0x6f/0xc0
 [<ffffffff813ca336>] jbd2_journal_commit_transaction+0x23a6/0x2570
 [<ffffffff8108aa42>] ? try_to_del_timer_sync+0x82/0xa0
 [<ffffffff8108b491>] ? del_timer_sync+0x91/0x1e0
 [<ffffffff813d3ecf>] kjournald2+0x19f/0x6a0
 [<ffffffff810ad630>] ? wake_up_bit+0x40/0x40
 [<ffffffff813d3d30>] ? bit_spin_lock+0x80/0x80
 [<ffffffff810ac6be>] kthread+0x10e/0x120
 [<ffffffff810ac5b0>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff818ff6ac>] ret_from_fork+0x7c/0xb0
 [<ffffffff810ac5b0>] ? __init_kthread_worker+0x70/0x70

In order to demonstrace this issue one should mount ext4 with mount -o
discard option on SSD disk.  This makes callback longer and race
window becomes wider.

In order to fix this we should mark transaction as finished only after
callbacks have completed

Signed-off-by: Dmitry Monakhov <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoext4/jbd2: don't wait (forever) for stale tid caused by wraparound
Theodore Ts'o [Thu, 4 Apr 2013 02:02:52 +0000 (22:02 -0400)]
ext4/jbd2: don't wait (forever) for stale tid caused by wraparound

commit d76a3a77113db020d9bb1e894822869410450bd9 upstream.

In the case where an inode has a very stale transaction id (tid) in
i_datasync_tid or i_sync_tid, it's possible that after a very large
(2**31) number of transactions, that the tid number space might wrap,
causing tid_geq()'s calculations to fail.

Commit deeeaf13 "jbd2: fix fsync() tid wraparound bug", later modified
by commit e7b04ac0 "jbd2: don't wake kjournald unnecessarily",
attempted to fix this problem, but it only avoided kjournald spinning
forever by fixing the logic in jbd2_log_start_commit().

Unfortunately, in the codepaths in fs/ext4/fsync.c and fs/ext4/inode.c
that might call jbd2_log_start_commit() with a stale tid, those
functions will subsequently call jbd2_log_wait_commit() with the same
stale tid, and then wait for a very long time.  To fix this, we
replace the calls to jbd2_log_start_commit() and
jbd2_log_wait_commit() with a call to a new function,
jbd2_complete_transaction(), which will correctly handle stale tid's.

As a bonus, jbd2_complete_transaction() will avoid locking
j_state_lock for writing unless a commit needs to be started.  This
should have a small (but probably not measurable) improvement for
ext4's scalability.

Signed-off-by: "Theodore Ts'o" <>
Reported-by: Ben Hutchings <>
Reported-by: George Barnett <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoixgbe: fix EICR write in ixgbe_msix_other
Jacob Keller [Sat, 2 Mar 2013 07:51:42 +0000 (07:51 +0000)]
ixgbe: fix EICR write in ixgbe_msix_other

commit d87d830720a1446403ed38bfc2da268be0d356d1 upstream.

Previously, the ixgbe_msix_other was writing the full 32bits of the set
interrupts, instead of only the ones which the ixgbe_msix_other is
handling. This resulted in a loss of performance when the X540's PPS feature is
enabled due to sometimes clearing queue interrupts which resulted in the driver
not getting the interrupt for cleaning the q_vector rings often enough. The fix
is to simply mask the lower 16bits off so that this handler does not write them
in the EICR, which causes them to remain high and be properly handled by the
clean_rings interrupt routine as normal.

Signed-off-by: Jacob Keller <>
Tested-by: Phil Schmitt <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoipc: sysv shared memory limited to 8TiB
Robin Holt [Wed, 1 May 2013 02:15:54 +0000 (19:15 -0700)]
ipc: sysv shared memory limited to 8TiB

commit d69f3bad4675ac519d41ca2b11e1c00ca115cecd upstream.

Trying to run an application which was trying to put data into half of
memory using shmget(), we found that having a shmall value below 8EiB-8TiB
would prevent us from using anything more than 8TiB.  By setting
kernel.shmall greater than 8EiB-8TiB would make the job work.

In the newseg() function, ns->shm_tot which, at 8TiB is INT_MAX.

 458 static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
 459 {
 465         int numpages = (size + PAGE_SIZE -1) >> PAGE_SHIFT;
 474         if (ns->shm_tot + numpages > ns->shm_ctlall)
 475                 return -ENOSPC;

[ make ipc/shm.c:newseg()'s numpages size_t, not int]
Signed-off-by: Robin Holt <>
Reported-by: Alex Thorlton <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agowireless: regulatory: fix channel disabling race condition
Johannes Berg [Tue, 16 Apr 2013 12:32:26 +0000 (14:32 +0200)]
wireless: regulatory: fix channel disabling race condition

commit 990de49f74e772b6db5208457b7aa712a5f4db86 upstream.

When a full scan 2.4 and 5 GHz scan is scheduled, but then the 2.4 GHz
part of the scan disables a 5.2 GHz channel due to, e.g. receiving
country or frequency information, that 5.2 GHz channel might already
be in the list of channels to scan next. Then, when the driver checks
if it should do a passive scan, that will return false and attempt an
active scan. This is not only wrong but can also lead to the iwlwifi
device firmware crashing since it checks regulatory as well.

Fix this by not setting the channel flags to just disabled but rather
OR'ing in the disabled flag. That way, even if the race happens, the
channel will be scanned passively which is still (mostly) correct.

Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonfsd: Decode and send 64bit time values
Bryan Schumaker [Fri, 19 Apr 2013 20:09:38 +0000 (16:09 -0400)]
nfsd: Decode and send 64bit time values

commit bf8d909705e9d9bac31d9b8eac6734d2b51332a7 upstream.

The seconds field of an nfstime4 structure is 64bit, but we are assuming
that the first 32bits are zero-filled.  So if the client tries to set
atime to a value before the epoch (touch -t 196001010101), then the
server will save the wrong value on disk.

Signed-off-by: Bryan Schumaker <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonfsd: don't run get_file if nfs4_preprocess_stateid_op return error
fanchaoting [Mon, 1 Apr 2013 13:07:22 +0000 (21:07 +0800)]
nfsd: don't run get_file if nfs4_preprocess_stateid_op return error

commit b022032e195ffca83d7002d6b84297d796ed443b upstream.

we should return error status directly when nfs4_preprocess_stateid_op
return error.

Signed-off-by: fanchaoting <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agonfsd4: don't close read-write opens too soon
J. Bruce Fields [Fri, 29 Mar 2013 00:37:14 +0000 (20:37 -0400)]
nfsd4: don't close read-write opens too soon

commit 0c7c3e67ab91ec6caa44bdf1fc89a48012ceb0c5 upstream.

Don't actually close any opens until we don't need them at all.

This means being left with write access when it's not really necessary,
but that's better than putting a file that might still have posix locks
held on it, as we have been.

Reported-by: Toralf Förster <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoNFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_open_delegation_recall
Trond Myklebust [Mon, 1 Apr 2013 19:34:05 +0000 (15:34 -0400)]
NFSv4: Handle NFS4ERR_DELAY and NFS4ERR_GRACE in nfs4_open_delegation_recall

commit 8b6cc4d6f841d31f72fe7478453759166d366274 upstream.

A server shouldn't normally return NFS4ERR_GRACE if the client holds a
delegation, since no conflicting lock reclaims can be granted, however
the spec does not require the server to grant the open in this

Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoMD: ignore discard request for hard disks of hybid raid1/raid10 array
Shaohua Li [Sun, 28 Apr 2013 10:26:38 +0000 (18:26 +0800)]
MD: ignore discard request for hard disks of hybid raid1/raid10 array

commit 32f9f570d04461a41bdcd5c1d93b41ebc5ce182a upstream.

In SSD/hard disk hybid storage, discard request should be ignored for hard
disk. We used to be doing this way, but the unplug path forgets it.

This is suitable for stable tree since v3.6.

Reported-and-tested-by: Markus <>
Signed-off-by: Shaohua Li <>
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agomd: bad block list should default to disabled.
NeilBrown [Wed, 24 Apr 2013 01:42:44 +0000 (11:42 +1000)]
md: bad block list should default to disabled.

commit 486adf72ccc0c235754923d47a2270c5dcb0c98b upstream.

Maintenance of a bad-block-list currently defaults to 'enabled'
and is then disabled when it cannot be supported.
This is backwards and causes problem for dm-raid which didn't know
to disable it.

So fix the defaults, and only enabled for v1.x metadata which
explicitly has bad blocks enabled.

The problem with dm-raid has been present since badblock support was
added in v3.1, so this patch is suitable for any -stable from 3.1

Reported-by: Jonathan Brassow <>
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoLOCKD: Ensure that nlmclnt_block resets block->b_status after a server reboot
Trond Myklebust [Sun, 21 Apr 2013 22:01:06 +0000 (18:01 -0400)]
LOCKD: Ensure that nlmclnt_block resets block->b_status after a server reboot

commit 1dfd89af8697a299e7982ae740d4695ecd917eef upstream.

After a server reboot, the reclaimer thread will recover all the existing
locks. For locks that are blocked, however, it will change the value
of block->b_status to nlm_lck_denied_grace_period in order to signal that
they need to wake up and resend the original blocking lock request.

Due to a bug, however, the block->b_status never gets reset after the
blocked locks have been woken up, and so the process goes into an
infinite loop of resends until the blocked lock is satisfied.

Reported-by: Marc Eshel <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
7 years agoexec: do not abuse ->cred_guard_mutex in threadgroup_lock()
Oleg Nesterov [Tue, 30 Apr 2013 22:28:20 +0000 (15:28 -0700)]
exec: do not abuse ->cred_guard_mutex in threadgroup_lock()

commit e56fb2874015370e3b7f8d85051f6dce26051df9 upstream.

threadgroup_lock() takes signal->cred_guard_mutex to ensure that
thread_group_leader() is stable.  This doesn't look nice, the scope of
this lock in do_execve() is huge.

And as Dave pointed out this can lead to deadlock, we have the
following dependencies:

do_execve: cred_guard_mutex -> i_mutex
cgroup_mount: i_mutex -> cgroup_mutex
attach_task_by_pid: cgroup_mutex -> cred_guard_mutex

Change de_thread() to take threadgroup_change_begin() around the
switch-the-leader code and change threadgroup_lock() to avoid

Note that de_thread() can't sleep with ->group_rwsem held, this can
obviously deadlock with the exiting leader if the writer is active, so it
does threadgroup_change_end() before schedule().

Reported-by: Dave Jones <>
Acked-by: Tejun Heo <>
Acked-by: Li Zefan <>
Signed-off-by: Oleg Nesterov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>