GitHub/moto-9609/android_kernel_motorola_exynos9610.git
10 years agolibiscsi, iser: Adjust data_length to include protection information
Sagi Grimberg [Wed, 11 Jun 2014 09:09:58 +0000 (12:09 +0300)]
libiscsi, iser: Adjust data_length to include protection information

In case protection information exists over the wire
iscsi header data length is required to include it.
Use protection information aware scsi helpers to set
the correct transfer length.

In order to avoid breakage, remove iser transfer length
checks for each task as they are not always true and
somewhat redundant anyway.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
Acked-by: Mike Christie <michaelc@cs.wisc.edu>
Cc: stable@vger.kernel.org # 3.15+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoscsi_cmnd: Introduce scsi_transfer_length helper
Sagi Grimberg [Wed, 11 Jun 2014 09:09:57 +0000 (12:09 +0300)]
scsi_cmnd: Introduce scsi_transfer_length helper

In case protection information exists on the wire
scsi transports should include it in the transfer
byte count (even if protection information does not
exist in the host memory space). This helper will
compute the total transfer length from the scsi
command data length and protection attributes.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: stable@vger.kernel.org # 3.15+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: Report correct response length for some commands
Roland Dreier [Tue, 10 Jun 2014 18:07:47 +0000 (11:07 -0700)]
target: Report correct response length for some commands

When an initiator sends an allocation length bigger than what its
command consumes, the target should only return the actual response data
and set the residual length to the unused part of the allocation length.

Add a helper function that command handlers (INQUIRY, READ CAPACITY,
etc) can use to do this correctly, and use this code to get the correct
residual for commands that don't use the full initiator allocation in the
handlers for READ CAPACITY, READ CAPACITY(16), INQUIRY, MODE SENSE and
REPORT LUNS.

This addresses a handful of failures as reported by Christophe with
the Windows Certification Kit:

  http://permalink.gmane.org/gmane.linux.scsi.target.devel/6515

Signed-off-by: Roland Dreier <roland@purestorage.com>
Tested-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget/sbc: Check that the LBA and number of blocks are correct in VERIFY
Christophe Vu-Brugier [Tue, 10 Jun 2014 15:53:22 +0000 (17:53 +0200)]
target/sbc: Check that the LBA and number of blocks are correct in VERIFY

This patch extracts LBA + sectors for VERIFY, and adds a goto check_lba
to perform the end-of-device checking.

(Update patch to drop lba_check usage - nab)

Signed-off-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget/sbc: Remove sbc_check_valid_sectors()
Christophe Vu-Brugier [Tue, 10 Jun 2014 15:53:21 +0000 (17:53 +0200)]
target/sbc: Remove sbc_check_valid_sectors()

A similar check is performed at the end of sbc_parse_cdb() and is now
enforced if the SYNCHRONIZE CACHE command's backend supports
->execute_sync_cache().

(Add check_lba goto to avoid *_max_sectors checks - nab)

Signed-off-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iscsi: Fix sendtargets response pdu for iser transport
Sagi Grimberg [Tue, 10 Jun 2014 15:27:59 +0000 (18:27 +0300)]
Target/iscsi: Fix sendtargets response pdu for iser transport

In case the transport is iser we should not include the
iscsi target info in the sendtargets text response pdu.
This causes sendtargets response to include the target
info twice.

Modify iscsit_build_sendtargets_response to filter
transport types that don't match.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reported-by: Slava Shwartsman <valyushash@gmail.com>
Cc: stable@vger.kernel.org # 3.11+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Fix a wrong dereference in case discovery session is over iser
Sagi Grimberg [Tue, 10 Jun 2014 10:41:41 +0000 (13:41 +0300)]
Target/iser: Fix a wrong dereference in case discovery session is over iser

In case the discovery session is carried over iser, we can't
access the assumed network portal since the default portal is
used. In this case we don't really need to allocate the fastreg
pool, just prepare to the text pdu that will follow.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reported-by: Alex Tabachnik <alext@mellanox.com>
Cc: stable@vger.kernel.org # 3.15+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leak
Nicholas Bellinger [Tue, 10 Jun 2014 04:03:54 +0000 (04:03 +0000)]
iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leak

This patch fixes a iscsi_queue_req memory leak when ABORT_TASK response
has been queued by TFO->queue_tm_rsp() -> lio_queue_tm_rsp() after a
long standing I/O completes, but the connection has already reset and
waiting for cleanup to complete in iscsit_release_commands_from_conn()
-> transport_generic_free_cmd() -> transport_wait_for_tasks() code.

It moves iscsit_free_queue_reqs_for_conn() after the per-connection command
list has been released, so that the associated se_cmd tag can be completed +
released by target-core before freeing any remaining iscsi_queue_req memory
for the connection generated by lio_queue_tm_rsp().

Cc: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Charalampos Pournaris <charpour@gmail.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: Use complete_all for se_cmd->t_transport_stop_comp
Nicholas Bellinger [Mon, 9 Jun 2014 23:36:51 +0000 (23:36 +0000)]
target: Use complete_all for se_cmd->t_transport_stop_comp

This patch fixes a bug where multiple waiters on ->t_transport_stop_comp
occurs due to a concurrent ABORT_TASK and session reset both invoking
transport_wait_for_tasks(), while waiting for the associated se_cmd
descriptor backend processing to complete.

For this case, complete_all() should be invoked in order to wake up
both waiters in core_tmr_abort_task() + transport_generic_free_cmd()
process contexts.

Cc: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Charalampos Pournaris <charpour@gmail.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: Set CMD_T_ACTIVE bit for Task Management Requests
Nicholas Bellinger [Mon, 9 Jun 2014 23:13:20 +0000 (23:13 +0000)]
target: Set CMD_T_ACTIVE bit for Task Management Requests

This patch fixes a bug where se_cmd descriptors associated with a
Task Management Request (TMR) where not setting CMD_T_ACTIVE before
being dispatched into target_tmr_work() process context.

This is required in order for transport_generic_free_cmd() ->
transport_wait_for_tasks() to wait on se_cmd->t_transport_stop_comp
if a session reset event occurs while an ABORT_TASK is outstanding
waiting for another I/O to complete.

Cc: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Charalampos Pournaris <charpour@gmail.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: cleanup some boolean tests
Christophe Vu-Brugier [Fri, 6 Jun 2014 15:15:16 +0000 (17:15 +0200)]
target: cleanup some boolean tests

Convert "x == true" to "x" and "x == false" to "!x".

Signed-off-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget/spc: Simplify INQUIRY EVPD=0x80
Christophe Vu-Brugier [Fri, 6 Jun 2014 15:15:15 +0000 (17:15 +0200)]
target/spc: Simplify INQUIRY EVPD=0x80

Signed-off-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotcm_fc: Generate TASK_SET_FULL status for response failures
Nicholas Bellinger [Thu, 5 Jun 2014 23:37:38 +0000 (16:37 -0700)]
tcm_fc: Generate TASK_SET_FULL status for response failures

This patch changes ft_queue_status() to set SAM_STAT_TASK_SET_FULL
status upon lport->tt.seq_send( failure, and return -EAGAIN to notify
target-core to attempt to requeue the response.

It also does the same for a fc_frame_alloc() failures, in order to
signal the initiator that it should try to reduce it's current
queue_depth, to lower the number of outstanding I/Os on the wire.

Reported-by: Vasu Dev <vasu.dev@linux.intel.com>
Reviewed-by: Vasu Dev <vasu.dev@linux.intel.com>
Cc: Jun Wu <jwu@stormojo.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotcm_fc: Generate TASK_SET_FULL status for DataIN failures
Nicholas Bellinger [Thu, 5 Jun 2014 23:27:53 +0000 (16:27 -0700)]
tcm_fc: Generate TASK_SET_FULL status for DataIN failures

This patch changes ft_queue_data_in() to set SAM_STAT_TASK_SET_FULL
status upon a lport->tt.seq_send() failure, where it will now stop
sending subsequent DataIN, and immediately attempt to send the
response with exception status.

Sending a response with SAM_STAT_TASK_SET_FULL status is useful in
order to signal the initiator that it should try to reduce it's
current queue_depth, to lower the number of outstanding I/Os on
the wire.

Also, add a check to skip sending DataIN if TASK_SET_FULL status
has already been set due to a response lport->tt.seq_send()
failure, that has asked target-core to requeue a response.

Reported-by: Vasu Dev <vasu.dev@linux.intel.com>
Reviewed-by: Vasu Dev <vasu.dev@linux.intel.com>
Cc: Jun Wu <jwu@stormojo.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Reject mutual authentication with reflected CHAP_C
Nicholas Bellinger [Fri, 6 Jun 2014 01:08:57 +0000 (18:08 -0700)]
iscsi-target: Reject mutual authentication with reflected CHAP_C

This patch adds an explicit check in chap_server_compute_md5() to ensure
the CHAP_C value received from the initiator during mutual authentication
does not match the original CHAP_C provided by the target.

This is in line with RFC-3720, section 8.2.1:

   Originators MUST NOT reuse the CHAP challenge sent by the Responder
   for the other direction of a bidirectional authentication.
   Responders MUST check for this condition and close the iSCSI TCP
   connection if it occurs.

Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Cc: stable@vger.kernel.org # 3.1+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Remove no-op from iscsit_tpg_del_portal_group
Nicholas Bellinger [Wed, 4 Jun 2014 01:28:25 +0000 (18:28 -0700)]
iscsi-target: Remove no-op from iscsit_tpg_del_portal_group

This patch removes a no-op iscsit_clear_tpg_np_login_threads() call
in iscsit_tpg_del_portal_group(), which is unnecessary because
iscsit_tpg_del_portal_group() can only ever be removed from configfs
once all of the child network portals have been released.

Also, go ahed and make iscsit_clear_tpg_np_login_threads() declared
as static.

Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Fix CHAP_A parameter list handling
Tejas Vaykole [Fri, 30 May 2014 05:43:47 +0000 (11:13 +0530)]
iscsi-target: Fix CHAP_A parameter list handling

The target is failing to handle list of CHAP_A key-value pair form
initiator.The target is expecting CHAP_A=5 always. In other cases,
where initiator sends list (for example) CHAP_A=6,5 target is failing
the security negotiation. Which is incorrect.

This patch handles the case (RFC 3720 section 11.1.4).
where in the initiator may send list of CHAP_A values and target replies
with appropriate CHAP_A value in response

(Drop whitespaces + rename to chap_check_algorithm + save original
 pointer + add explicit check for CHAP_A key - nab)

Signed-off-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Put length of failed allocation in error message
Roland Dreier [Thu, 29 May 2014 20:32:29 +0000 (13:32 -0700)]
iscsi-target: Put length of failed allocation in error message

If the message "Unable to allocate…" pops up, it's useful to know
whether the problem is that the system is genuinely out of memory, or
that some bug has led to a crazy allocation length.

In particular this helped debug a corruption of login headers in
iscsi_login_non_zero_tsih_s1().

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Reject zero-length payloads during SecurityNegotiation
Nicholas Bellinger [Wed, 28 May 2014 19:07:40 +0000 (12:07 -0700)]
iscsi-target: Reject zero-length payloads during SecurityNegotiation

This patch changes iscsi_target_handle_csg_zero() to explicitly
reject login requests in SecurityNegotiation with a zero-length
payload, following the language in RFC-3720 Section 8.2:

  Whenever an iSCSI target gets a response whose keys, or their
  values, are not according to the step definition, it MUST answer
  with a Login reject with the "Initiator Error" or "Missing Parameter"
  status.

Previously when a zero-length login request in CSG=0 was received,
the target would send a login response with CSG=0 + T_BIT=0 asking
the initiator to complete authentication, and not fail the login
until MAX_LOGIN_PDUS was reached.  This change will now immediately
fail the login attempt with ISCSI_STATUS_CLS_INITIATOR_ERR status.

Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoqla2xxx: Convert to percpu_ida session tag pre-allocation
Nicholas Bellinger [Fri, 23 May 2014 09:00:56 +0000 (02:00 -0700)]
qla2xxx: Convert to percpu_ida session tag pre-allocation

This patch converts qla2xxx target code to use generic percpu_ida
tag allocation provided by target-core, thus removing the original
kmem_cache_zalloc() for each struct qla_tgt_cmd descriptor in the
incoming ATIO packet fast-path.

This includes the conversion of qlt_handle_cmd_for_atio() to perform
qla_tgt_sess lookup before dispatching a command descriptor into
qla_tgt_wq process context, along with handling the case where no
active session exists, and subsequently kicking off a seperate
process context for qlt_create_sess_from_atio() to create a new one.

It also includes moving tag allocation into generic code within
qlt_get_tag(), so that the same logic can be shared between
qlt_handle_cmd_for_atio() + qlt_create_sess_from_atio() contexts.
Also, __qlt_do_work() has been made generic between both normal
process context in qlt_do_work() + qlt_create_sess_from_atio().

Next, update qlt_free_cmd() to release the percpu-ida tags, and
drop the now-unused global qla_tgt_cmd_cachep.

Finally in tcm_qla2xxx code, tcm_qla2xxx_check_initiator_node_acl()
has been updated to use transport_init_session_tags() along with a
hardcoded TCM_QLA2XXX_DEFAULT_TAGS=2088 as the number of qla_tgt_cmd
descriptors to pre-allocate per qla_tgt_sess instance.

(Use ha->fw_xcb_count if available to calculate num_tags, and
 also factor in extra pad tags - Quinn)

Cc: Saurav Kashyap <saurav.kashyap@qlogic.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
Cc: Chad Dupuis <chad.dupuis@qlogic.com>
Cc: Roland Dreier <roland@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovirtio-scsi: Enable DIF/DIX modes in SCSI host LLD
Nicholas Bellinger [Sun, 23 Feb 2014 02:23:33 +0000 (18:23 -0800)]
virtio-scsi: Enable DIF/DIX modes in SCSI host LLD

This patch updates virtscsi_probe() to setup necessary Scsi_Host
level protection resources. (currently hardcoded to 1)

It changes virtscsi_add_cmd() to attach outgoing / incoming
protection SGLs preceeding the data payload, and is using the
new virtio_scsi_cmd_req_pi->pi_bytes[out,in] field to signal
to signal to vhost/scsi bytes to expect for protection data.

(Add missing #include <linux/blkdev.h> for blk_integrity - sfr + nab)

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Sagi Grimberg <sagig@dev.mellanox.co.il>
Cc: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovhost/scsi: Enable T10 PI IOV -> SGL memory mapping
Nicholas Bellinger [Sun, 23 Feb 2014 02:22:31 +0000 (18:22 -0800)]
vhost/scsi: Enable T10 PI IOV -> SGL memory mapping

This patch updates vhost_scsi_handle_vq() to check for the existance
of virtio_scsi_cmd_req_pi comparing vq->iov[0].iov_len in order to
calculate seperate data + protection SGLs from data_num.

Also update tcm_vhost_submission_work() to pass the pre-allocated
cmd->tvc_prot_sgl[] memory into target_submit_cmd_map_sgls(), and
update vhost_scsi_get_tag() parameters to accept scsi_tag, lun, and
task_attr.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Sagi Grimberg <sagig@dev.mellanox.co.il>
Cc: H. Peter Anvin <hpa@zytor.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovhost/scsi: Add T10 PI IOV -> SGL memory mapping logic
Nicholas Bellinger [Sun, 23 Feb 2014 02:34:43 +0000 (18:34 -0800)]
vhost/scsi: Add T10 PI IOV -> SGL memory mapping logic

This patch adds vhost_scsi_map_iov_to_prot() to perform the mapping of
T10 data integrity memory between virtio iov + struct scatterlist using
get_user_pages_fast() following existing code.

As with vhost_scsi_map_iov_to_sgl(), this does sanity checks against the
total prot_sgl_count vs. pre-allocated SGLs, and loops across protection
iovs using vhost_scsi_map_to_sgl() to perform the actual memory mapping.

Also update tcm_vhost_release_cmd() to release associated tvc_prot_sgl[]
struct page.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Sagi Grimberg <sagig@dev.mellanox.co.il>
Cc: H. Peter Anvin <hpa@zytor.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovhost/scsi: Add preallocation of protection SGLs
Nicholas Bellinger [Sun, 23 Feb 2014 02:08:24 +0000 (18:08 -0800)]
vhost/scsi: Add preallocation of protection SGLs

This patch updates tcm_vhost_make_nexus() to pre-allocate per descriptor
tcm_vhost_cmd->tvc_prot_sgl[] used to expose protection SGLs from within
virtio-scsi guest memory to vhost-scsi.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovhost/scsi: Move sanity check into vhost_scsi_map_iov_to_sgl
Nicholas Bellinger [Sun, 23 Feb 2014 02:34:08 +0000 (18:34 -0800)]
vhost/scsi: Move sanity check into vhost_scsi_map_iov_to_sgl

Move the overflow check for sgl_count > TCM_VHOST_PREALLOC_SGLS into
vhost_scsi_map_iov_to_sgl() so that it's based on the total number
of SGLs for all IOVs, instead of single IOVs.

Also, rename TCM_VHOST_PREALLOC_PAGES -> TCM_VHOST_PREALLOC_UPAGES
to better describe pointers to user-space pages.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agovirtio-scsi.h: Add virtio_scsi_cmd_req_pi + VIRTIO_SCSI_F_T10_PI bits
Nicholas Bellinger [Sun, 16 Mar 2014 21:51:35 +0000 (14:51 -0700)]
virtio-scsi.h: Add virtio_scsi_cmd_req_pi + VIRTIO_SCSI_F_T10_PI bits

This patch adds a virtio_scsi_cmd_req_pi header as recommened by
Paolo that contains pi_bytesout + pi_bytesin elements used for
signaling when protection information buffers (in bytes) are
expected to preceed the data payload buffers.

Also add new VIRTIO_SCSI_F_T10_PI feature bit to be used to signal
host support.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Sagi Grimberg <sagig@dev.mellanox.co.il>
Cc: H. Peter Anvin <hpa@zytor.com>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Gracefully reject T10-PI enabled connect request if not supported
Sagi Grimberg [Tue, 20 May 2014 10:28:11 +0000 (13:28 +0300)]
Target/iser: Gracefully reject T10-PI enabled connect request if not supported

In case user chose to set T10-PI enable on the target while
the IB device does not support it, gracefully reject the request.

Reported-by: Slava Shwartsman <valyushash@gmail.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.15+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Wait for proper cleanup before unloading
Sagi Grimberg [Mon, 19 May 2014 14:44:25 +0000 (17:44 +0300)]
Target/iser: Wait for proper cleanup before unloading

disconnected_handler works are scheduled on system_wq.
When attempting to unload, first make sure all works
have cleaned up.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Improve cm events handling
Sagi Grimberg [Mon, 19 May 2014 14:44:24 +0000 (17:44 +0300)]
Target/iser: Improve cm events handling

There are 4 RDMA_CM events that all basically mean that
the user should teardown the IB connection:
- DISCONNECTED
- ADDR_CHANGE
- DEVICE_REMOVAL
- TIMEWAIT_EXIT

Only in DISCONNECTED/ADDR_CHANGE it makes sense to
call rdma_disconnect (send DREQ/DREP to our initiator).
So we keep the same teardown handler for all of them
but only indicate calling rdma_disconnect for the relevant
events.

This patch also removes redundant debug prints for each single
event.

v2 changes:
 - Call isert_disconnected_handler() for DEVICE_REMOVAL (Or + Sag)

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Fix hangs in connection teardown
Sagi Grimberg [Mon, 19 May 2014 14:44:23 +0000 (17:44 +0300)]
Target/iser: Fix hangs in connection teardown

In ungraceful teardowns isert close flows seem racy such that
isert_wait_conn hangs as RDMA_CM_EVENT_DISCONNECTED never
gets invoked (no one called rdma_disconnect).

Both graceful and ungraceful teardowns will have rx flush errors
(isert posts a batch once connection is established). Once all
flush errors are consumed we invoke isert_wait_conn and it will
be responsible for calling rdma_disconnect. This way it can be
sure that rdma_disconnect was called and it won't wait forever.

This patch also removes the logout_posted indicator. either the
logout completion was consumed and no problem decrementing the
post_send_buf_count, or it was consumed as a flush error. no point
of keeping it for isert_wait_conn as there is no danger that
isert_conn will be accidentally removed while it is running.

(Drop unnecessary sleep_on_conn_wait_comp check in
 isert_cq_rx_comp_err - nab)

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Bail from accept_np if np_thread is trying to close
Sagi Grimberg [Mon, 19 May 2014 14:44:22 +0000 (17:44 +0300)]
Target/iser: Bail from accept_np if np_thread is trying to close

In case np_thread state is in RESET/SHUTDOWN/EXIT states,
no point for isert to stall there as we may get a hang in
case no one will wake it up later.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: fix memory leak on XCOPY
Mikulas Patocka [Sat, 17 May 2014 10:49:22 +0000 (06:49 -0400)]
target: fix memory leak on XCOPY

On each processed XCOPY command, two "kmalloc-512" memory objects are
leaked. These represent two allocations of struct xcopy_pt_cmd in
target_core_xcopy.c.

The reason for the memory leak is that the cmd_kref field is not
initialized (thus, it is zero because the allocations were done with
kzalloc). When we decrement zero kref in target_put_sess_cmd, the result
is not zero, thus target_release_cmd_kref is not called.

This patch fixes the bug by moving kref initialization from
target_get_sess_cmd to transport_init_se_cmd (this function is called from
target_core_xcopy.c, so it will correctly initialize cmd_kref). It can be
easily verified that all code that calls target_get_sess_cmd also calls
transport_init_se_cmd earlier, thus moving kref_init shouldn't introduce
any new problems.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: Don't allow setting WC emulation if device doesn't support
Andy Grover [Wed, 14 May 2014 22:48:06 +0000 (15:48 -0700)]
target: Don't allow setting WC emulation if device doesn't support

Just like for pSCSI, if the transport sets get_write_cache, then it is
not valid to enable write cache emulation for it. Return an error.

see https://bugzilla.redhat.com/show_bug.cgi?id=1082675

Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Andy Grover <agrover@redhat.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Disable Immediate + Unsolicited Data with ISER Protection
Nicholas Bellinger [Wed, 14 May 2014 20:54:26 +0000 (20:54 +0000)]
iscsi-target: Disable Immediate + Unsolicited Data with ISER Protection

This patch explicitly disables Immediate + Unsolicited Data for ISER
connections during login in iscsi_login_zero_tsih_s2() when protection
has been enabled for the session by the underlying hardware.

This is currently required because protection / signature memory regions
(MRs) expect T10 PI to occur on RDMA READs + RDMA WRITEs transfers, and
not on a immediate data payload associated with ISCSI_OP_SCSI_CMD, or
unsolicited data-out associated with a ISCSI_OP_SCSI_DATA_OUT.

v2 changes:
  - Add TARGET_PROT_DOUT_INSERT check (Sagi)
  - Add pr_debug noisemaker (Sagi)
  - Add goto to avoid early return from MRDSL check (nab)

Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotcm_fc: Fix free-after-use regression in ft_free_cmd
Nicholas Bellinger [Mon, 12 May 2014 19:18:32 +0000 (12:18 -0700)]
tcm_fc: Fix free-after-use regression in ft_free_cmd

This patch fixes a free-after-use regression in ft_free_cmd(), where
ft_sess_put() is called with cmd->sess after percpu_ida_free() has
already released the tag.

Fix this bug by saving the ft_sess pointer ahead of percpu_ida_free(),
and pass it directly to ft_sess_put().

The regression was originally introduced in v3.13-rc1 commit:

  commit 5f544cfac956971099e906f94568bc3fd1a7108a
  Author: Nicholas Bellinger <nab@daterainc.com>
  Date:   Mon Sep 23 12:12:42 2013 -0700

      tcm_fc: Convert to per-cpu command map pre-allocation of ft_cmd

Reported-by: Jun Wu <jwu@stormojo.com>
Cc: Mark Rustad <mark.d.rustad@intel.com>
Cc: Robert Love <robert.w.love@intel.com>
Cc: <stable@vger.kernel.org> #3.13+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoiscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_out
Nicholas Bellinger [Thu, 1 May 2014 20:44:56 +0000 (13:44 -0700)]
iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_out

This patch changes an incorrect use of BUG_ON to instead generate a
REJECT + PROTOCOL_ERROR in iscsit_process_nop_out() code.  This case
can occur with traditional TCP where a flood of zeros in the data
stream can reach this block for what is presumed to be a NOP-OUT with
a solicited reply, but without a valid iscsi_cmd pointer.

This incorrect BUG_ON was introduced during the v3.11-rc timeframe
with the following commit:

commit 778de368964c5b7e8100cde9f549992d521e9c89
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date:   Fri Jun 14 16:07:47 2013 -0700

    iscsi/isert-target: Refactor ISCSI_OP_NOOP RX handling

Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com>
Cc: stable@vger.kernel.org # 3.11+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iscsi,iser: Avoid accepting transport connections during stop stage
Sagi Grimberg [Tue, 29 Apr 2014 10:13:47 +0000 (13:13 +0300)]
Target/iscsi,iser: Avoid accepting transport connections during stop stage

When the target is in stop stage, iSER transport initiates RDMA disconnects.
The iSER initiator may wish to establish a new connection over the
still existing network portal. In this case iSER transport should not
accept and resume new RDMA connections. In order to learn that, iscsi_np
is added with enabled flag so the iSER transport can check when deciding
weather to accept and resume a new connection request.

The iscsi_np is enabled after successful transport setup, and disabled
before iscsi_np login threads are cleaned up.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Fix iscsit_accept_np and rdma_cm racy flow
Sagi Grimberg [Tue, 29 Apr 2014 10:13:45 +0000 (13:13 +0300)]
Target/iser: Fix iscsit_accept_np and rdma_cm racy flow

RDMA CM and iSCSI target flows are asynchronous and completely
uncorrelated. Relying on the fact that iscsi_accept_np will be called
after CM connection request event and will wait for it is a mistake.

When attempting to login to a few targets this flow is racy and
unpredictable, but for parallel login to dozens of targets will
race and hang every time.

The correct synchronizing mechanism in this case is pending on
a semaphore rather than a wait_for_event. We keep the pending
interruptible for iscsi_np cleanup stage.

(Squash patch to remove dead code into parent - nab)

Reported-by: Slava Shwartsman <valyushash@gmail.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoTarget/iser: Fix wrong connection requests list addition
Sagi Grimberg [Tue, 29 Apr 2014 10:13:44 +0000 (13:13 +0300)]
Target/iser: Fix wrong connection requests list addition

Should be adding list_add_tail($new, $head) and not
the other way around.

Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agotarget: Allow non-supporting backends to set pi_prot_type to 0
Andy Grover [Tue, 15 Apr 2014 21:13:12 +0000 (14:13 -0700)]
target: Allow non-supporting backends to set pi_prot_type to 0

Userspace tools assume if a value is read from configfs, it is valid
and will not cause an error if the same value is written back. The only
valid value for pi_prot_type for backends not supporting DIF is 0, so allow
this particular value to be set without returning an error.

Reported-by: Krzysztof Chojnowski <frirajder@gmail.com>
Signed-off-by: Andy Grover <agrover@redhat.com>
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
10 years agoLinux 3.15-rc3
Linus Torvalds [Mon, 28 Apr 2014 02:29:27 +0000 (19:29 -0700)]
Linux 3.15-rc3

10 years agoword-at-a-time: avoid undefined behaviour in zero_bytemask macro
Will Deacon [Wed, 23 Apr 2014 16:52:52 +0000 (17:52 +0100)]
word-at-a-time: avoid undefined behaviour in zero_bytemask macro

The asm-generic, big-endian version of zero_bytemask creates a mask of
bytes preceding the first zero-byte by left shifting ~0ul based on the
position of the first zero byte.

Unfortunately, if the first (top) byte is zero, the output of
prep_zero_mask has only the top bit set, resulting in undefined C
behaviour as we shift left by an amount equal to the width of the type.
As it happens, GCC doesn't manage to spot this through the call to fls(),
but the issue remains if architectures choose to implement their shift
instructions differently.

An example would be arch/arm/ (AArch32), where LSL Rd, Rn, #32 results
in Rd == 0x0, whilst on arch/arm64 (AArch64) LSL Xd, Xn, #64 results in
Xd == Xn.

Rather than check explicitly for the problematic shift, this patch adds
an extra shift by 1, replacing fls with __fls. Since zero_bytemask is
never called with a zero argument (has_zero() is used to check the data
first), we don't need to worry about calling __fls(0), which is
undefined.

Cc: <stable@vger.kernel.org>
Cc: Victor Kamensky <victor.kamensky@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
10 years agoMerge branch 'safe-dirty-tlb-flush'
Linus Torvalds [Sun, 27 Apr 2014 22:08:12 +0000 (15:08 -0700)]
Merge branch 'safe-dirty-tlb-flush'

This merges the patch to fix possible loss of dirty bit on munmap() or
madvice(DONTNEED).  If there are concurrent writers on other CPU's that
have the unmapped/unneeded page in their TLBs, their writes to the page
could possibly get lost if a third CPU raced with the TLB flush and did
a page_mkclean() before the page was fully written.

Admittedly, if you unmap() or madvice(DONTNEED) an area _while_ another
thread is still busy writing to it, you deserve all the lost writes you
could get.  But we kernel people hold ourselves to higher quality
standards than "crazy people deserve to lose", because, well, we've seen
people do all kinds of crazy things.

So let's get it right, just because we can, and we don't have to worry
about it.

* safe-dirty-tlb-flush:
  mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux...
Linus Torvalds [Sun, 27 Apr 2014 20:26:28 +0000 (13:26 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mason/linux-btrfs

Pull btrfs fixes from Chris Mason.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: limit the path size in send to PATH_MAX
  Btrfs: correctly set profile flags on seqlock retry
  Btrfs: use correct key when repeating search for extent item
  Btrfs: fix inode caching vs tree log
  Btrfs: fix possible memory leaks in open_ctree()
  Btrfs: avoid triggering bug_on() when we fail to start inode caching task
  Btrfs: move btrfs_{set,clear}_and_info() to ctree.h
  btrfs: replace error code from btrfs_drop_extents
  btrfs: Change the hole range to a more accurate value.
  btrfs: fix use-after-free in mount_subvol()

10 years agoMerge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Linus Torvalds [Sun, 27 Apr 2014 19:55:04 +0000 (12:55 -0700)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm

Pull arm fixes from Russell King:
 "A number of fixes for the PJ4/iwmmxt changes which arm-soc forced me
  to take during the merge window.  This stuff should have been better
  tested and sorted out *before* the merge window"

* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
  ARM: 8042/1: iwmmxt: allow to build iWMMXt on Marvell PJ4B
  ARM: 8041/1: pj4: fix cpu_is_pj4 check
  ARM: 8040/1: pj4: properly detect existence of iWMMXt coprocessor
  ARM: 8039/1: pj4: enable iWMMXt only if CONFIG_IWMMXT is set
  ARM: 8038/1: iwmmxt: explicitly check for supported architectures

10 years agoMerge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Linus Torvalds [Sun, 27 Apr 2014 19:54:05 +0000 (12:54 -0700)]
Merge tag 'arm64-fixes' of git://git./linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:
 - compat renameat2 syscall wiring and __NR_compat_syscalls fix
 - TLB fix for transparent huge pages following switch to generic
   mmu_gather
 - spinlock initialisation for init_mm's context
 - move of_clk_init() earlier
 - Kconfig duplicate entry fix

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: init: Move of_clk_init to time_init
  arm64: initialize spinlock for init_mm's context
  arm64: debug: remove noisy, pointless warning
  arm64: mm: Add THP TLB entries to general mmu_gather
  arm64: add renameat2 compat syscall
  ARM64: Remove duplicated Kconfig entry for "kernel/power/Kconfig"
  arm64: __NR_compat_syscalls fix

10 years agoMerge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 27 Apr 2014 18:21:03 +0000 (11:21 -0700)]
Merge branch 'irq-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull irq fixes from Thomas Gleixner:
 "A slighlty large fix for a subtle issue in the CPU hotplug code of
  certain ARM SoCs, where the not yet online cpu needs to setup the cpu
  local timer and needs to set the interrupt affinity to itself.
  Setting interrupt affinity to a not online cpu is prohibited and
  therefor the timer interrupt ends up on the wrong cpu, which leads to
  nasty complications.

  The SoC folks tried to hack around that in the SoC code in some more
  than nasty ways.  The proper solution is to have a way to enforce the
  affinity setting to a not online cpu.  The core patch to the genirq
  code provides that facility and the follow up patches make use of it
  in the GIC interrupt controller and the exynos timer driver.

  The change to the core code has no implications to existing users,
  except for the rename of the locked function and therefor the
  necessary fixup in mips/cavium.  Aside of that, no runtime impact is
  possible, as none of the existing interrupt chips implements anything
  which depends on the force argument of the irq_set_affinity()
  callback"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clocksource: Exynos_mct: Register clock event after request_irq()
  clocksource: Exynos_mct: Use irq_force_affinity() in cpu bringup
  irqchip: Gic: Support forced affinity setting
  genirq: Allow forcing cpu affinity of interrupts

10 years agoMerge tag 'tty-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Linus Torvalds [Sun, 27 Apr 2014 17:39:09 +0000 (10:39 -0700)]
Merge tag 'tty-3.15-rc3' of git://git./linux/kernel/git/gregkh/tty

Pull tty/serial fixes from Greg KH:
 "Here are a few tty/serial fixes for 3.15-rc3 that resolve a number of
  reported issues in the 8250 and samsung serial drivers, as well as a
  character loss fix for the tty core that was caused by the lock
  removal patches a release ago"

* tag 'tty-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  serial_core: fix uart PORT_UNKNOWN handling
  serial: samsung: Change barrier() to cpu_relax() in console output
  serial: samsung: don't check config for every character
  serial: samsung: Use the passed in "port", fixing kgdb w/ no console
  serial: 8250: Fix thread unsafe __dma_tx_complete function
  8250_core: Fix unwanted TX chars write
  tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc

10 years agoMerge tag 'staging-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh...
Linus Torvalds [Sun, 27 Apr 2014 17:34:29 +0000 (10:34 -0700)]
Merge tag 'staging-3.15-rc3' of git://git./linux/kernel/git/gregkh/staging

Pull staging / IIO driver fixes from Greg KH:
 "Here are some small staging and IIO driver fixes for 3.15-rc3.

  Nothing major at all, just some assorted issues that people have
  reported"

* tag 'staging-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data
  iio: adc: mxs-lradc: fix warning when buidling on avr32
  iio: cm36651: Fix i2c client leak and possible NULL pointer dereference
  iio: querying buffer scan_mask should return 0/1
  staging:iio:ad2s1200 fix a missing break
  iio: adc: at91_adc: correct default shtim value
  ARM: at91: at91sam9260: change at91_adc name
  ARM: at91: at91sam9g45: change at91_adc name
  iio: cm32181: Fix read integration time function
  iio: adc: at91_adc: Repair broken platform_data support

10 years agoMerge tag 'driver-core-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 27 Apr 2014 17:28:34 +0000 (10:28 -0700)]
Merge tag 'driver-core-3.15-rc3' of git://git./linux/kernel/git/gregkh/driver-core

Pull driver core fixes from Greg KH:
 "Here are some kernfs fixes for 3.15-rc3 that resolve some reported
  problems.  Nothing huge, but all needed"

* tag 'driver-core-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  s390/ccwgroup: Fix memory corruption
  kernfs: add back missing error check in kernfs_fop_mmap()
  kernfs: fix a subdir count leak

10 years agoMerge tag 'usb-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Linus Torvalds [Sun, 27 Apr 2014 17:24:17 +0000 (10:24 -0700)]
Merge tag 'usb-3.15-rc3' of git://git./linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are a number of USB fixes for 3.15-rc3.  The majority are gadget
  fixes, as we didn't get any of those in for 3.15-rc2.  The others are
  all over the place, and there's a number of new device id addtions as
  well."

* tag 'usb-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (35 commits)
  usb: option: add and update a number of CMOTech devices
  usb: option: add Alcatel L800MA
  usb: option: add Olivetti Olicard 500
  usb: qcserial: add Sierra Wireless MC7305/MC7355
  usb: qcserial: add Sierra Wireless MC73xx
  usb: qcserial: add Sierra Wireless EM7355
  USB: io_ti: fix firmware download on big-endian machines
  usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM
  xhci: extend quirk for Renesas cards
  xhci: Switch Intel Lynx Point ports to EHCI on shutdown.
  usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb
  phy: core: make NULL a valid phy reference if !CONFIG_GENERIC_PHY
  phy: fix kernel oops in phy_lookup()
  phy: restore OMAP_CONTROL_PHY dependencies
  phy: exynos: fix building as a module
  USB: serial: fix sysfs-attribute removal deadlock
  usb: wusbcore: fix panic in wusbhc_chid_set
  usb: wusbcore: convert nested lock to use spin_lock instead of spin_lock_irq
  uwb: don't call spin_unlock_irq in a USB completion handler
  usb: chipidea: coordinate usb phy initialization for different phy type
  ...

10 years agoMerge tag 'pm+acpi-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
Linus Torvalds [Sun, 27 Apr 2014 17:19:06 +0000 (10:19 -0700)]
Merge tag 'pm+acpi-3.15-rc3' of git://git./linux/kernel/git/rafael/linux-pm

Pull ACPI and power management fixes from Rafael Wysocki:
 "These include a fix for a recent ACPI regression related to device
  notifications, intel_idle fix related to IvyTown support, fix for a
  buffer size issue in ACPICA, PM core fix related to the "freeze" sleep
  state, four fixes for various types of breakage in cpufreq drivers, a
  PNP workaround for a wrong memory region size in ACPI tables, and a
  fix and cleanup for the ACPI tools Makefile.

  Specifics:

   - Fix for broken ACPI notifications on some systems caused by a
     recent ACPI hotplug commit that blocked the propagation of unknown
     type notifications to device drivers inadvertently.

   - intel_idle fix to make the IvyTown C-states handling (added
     recently) work as intended which now is broken due to missing
     braces.  From Christoph Jaeger.

   - ACPICA fix to make it allocate buffers of the right sizes for the
     Generic Serial Bus operation region access.  From Lv Zheng.

   - PM core fix unblocking cpuidle before entering the "freeze" sleep
     state which causes that state to be able to actually save more
     energy than runtime idle.

   - Configuration and build fixes for the highbank and powernv cpufreq
     drivers from Kefeng Wang and Srivatsa S Bhat.

   - Coccinelle warning fix related to error pointers for the unicore32
     cpufreq driver from Duan Jiong.

   - Integer overflow fix for the ppc-corenet cpufreq driver from Geert
     Uytterhoeven.

   - Workaround for BIOSes that don't report the entire Intel MCH area
     in their ACPI tables from Bjorn Helgaas.

   - ACPI tools Makefile fix and cleanup from Thomas Renninger"

* tag 'pm+acpi-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / notify: Do not block unknown type notifications in root handler
  PNP: Work around BIOS defects in Intel MCH area reporting
  cpufreq: highbank: fix ARM_HIGHBANK_CPUFREQ dependency warning
  cpufreq: ppc: Fix integer overflow in expression
  cpufreq, powernv: Fix build failure on UP
  cpufreq: unicore32: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO
  PM / suspend: Make cpuidle work in the "freeze" state
  intel_idle: fix IVT idle state table setting
  ACPICA: Fix buffer allocation issue for generic_serial_bus region accesses.
  tools/power/acpi: Minor bugfixes

10 years agoBtrfs: limit the path size in send to PATH_MAX
Chris Mason [Sat, 26 Apr 2014 12:02:03 +0000 (05:02 -0700)]
Btrfs: limit the path size in send to PATH_MAX

fs_path_ensure_buf is used to make sure our path buffers for
send are big enough for the path names as we construct them.
The buffer size is limited to 32K by the length field in
the struct.

But bugs in the path construction can end up trying to build
a huge buffer, and we'll do invalid memmmoves when the
buffer length field wraps.

This patch is step one, preventing the overflows.

Signed-off-by: Chris Mason <clm@fb.com>
10 years agomm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts
Linus Torvalds [Fri, 25 Apr 2014 23:05:40 +0000 (16:05 -0700)]
mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts

The mmu-gather operation 'tlb_flush_mmu()' has done two things: the
actual tlb flush operation, and the batched freeing of the pages that
the TLB entries pointed at.

This splits the operation into separate phases, so that the forced
batched flushing done by zap_pte_range() can now do the actual TLB flush
while still holding the page table lock, but delay the batched freeing
of all the pages to after the lock has been dropped.

This in turn allows us to avoid a race condition between
set_page_dirty() (as called by zap_pte_range() when it finds a dirty
shared memory pte) and page_mkclean(): because we now flush all the
dirty page data from the TLB's while holding the pte lock,
page_mkclean() will be held up walking the (recently cleaned) page
tables until after the TLB entries have been flushed from all CPU's.

Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Tested-by: Dave Hansen <dave.hansen@intel.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
Cc: Tony Luck <tony.luck@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
10 years agoMerge branches 'pnp' and 'acpi-hotplug'
Rafael J. Wysocki [Fri, 25 Apr 2014 22:40:25 +0000 (00:40 +0200)]
Merge branches 'pnp' and 'acpi-hotplug'

* pnp:
  PNP: Work around BIOS defects in Intel MCH area reporting

* acpi-hotplug:
  ACPI / notify: Do not block unknown type notifications in root handler

10 years agoMerge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck...
Linus Torvalds [Fri, 25 Apr 2014 20:12:25 +0000 (13:12 -0700)]
Merge tag 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:
 - ltc2945: Don't unecessarily crash kernel on implementation error
 - vexpress: Fix 'name' and 'label' attributes

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (ltc2945) Don't crash the kernel unnecessarily
  hwmon: (vexpress) Avoid creating non-existing attributes
  hwmon: (vexpress) Use legal hwmon device names

10 years agoMerge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Linus Torvalds [Fri, 25 Apr 2014 20:07:24 +0000 (13:07 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "This is a set of seven fixes, three (hpsa) and free'd command
  references correcting bugs in the last round of updates and the
  remaining four correcting problems within the SCSI error handler that
  was causing a deadlock within USB"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  [SCSI] More USB deadlock fixes
  [SCSI] Fix USB deadlock caused by SCSI error handling
  [SCSI] Fix command result state propagation
  [SCSI] Fix spurious request sense in error handling
  [SCSI] don't reference freed command in scsi_prep_return
  [SCSI] don't reference freed command in scsi_init_sgtable
  [SCSI] hpsa: fix NULL dereference in hpsa_put_ctlr_into_performant_mode()

10 years agoMerge tag 'fixes-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Linus Torvalds [Fri, 25 Apr 2014 20:02:02 +0000 (13:02 -0700)]
Merge tag 'fixes-3.15-rc3' of git://git./linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Arnd Bergmann:
 "Since we didn't get around to collect fixes in time for -rc2 over the
  easter vacation, this one is unfortunately a bit larger than we'd like
  for an -rc3 merge.

  A large set of the changes is in the device tree sources, so I'm
  splitting out the description between code changes and DT changes.
  Aside from omap and versatile express, the actual code bugs are and
  trivial.  Here is an overview:

  imx:
   - fix video clock settings
   - fix one clock refcounting bug

  omap:
   - update defconfig for renamed USB PHY driver
   - fix error handling in gpmc
   - fix N900 video initialization regression
   - fix reression in hwmod code from missing braces
   - fix am43xx and omap3 clocks
   - remove bogus write to voltage control register

  pxa:
   - fix build regression from 3.13 header cleanup

  rockchip:
   - fix a misleading printk string

  shmobile:
   - fix incorrect sound setting on multiple machines

  spear:
   - remove incorrect __init section annotation

  tegra:
   - remove a stale Kconfig entry

  u300:
   - update defconfig

  ux500:
   - enable common wireless and sensor drivers in defconfig
   - more defconfig updates

  vexpress:
   - fix voltage calculation for opp
   - fix reboot hang and warning
   - fix out-of-bounds array access
   - improve error handling in clock driver

  overall:
   - always select CLKSRC_OF in multiplatform builds

  And these are the devicetree related changes:

  imx:
   - add missing #clock-cell properties
   - fix pinctrl setting in imx6sl-evk
   - fix video endpoint on imx53
   - remove obsolete lvds-channel nodes (multiple patches)
   - add missing second stmpe node
   - fix usb host mode on dmo-edmqmx6 (multiple patches)
   - fix gic node #address-cells to match usage
   - add missing legacy IRQ map for PCIe
   - fix microsom pincontrol setting for rgmii
   - fix fatal typo in touchscreen DT usage for mx5
   - list all RAM present on m53evk and mx53qsb

  omap:
   - fix bug in DT handling of gpmc external bus
   - add DT for older revision of beagleboard
   - fix regression after DT node name fixes
   - remove obsolete properties for gpmc
   - fix pinmux comment to match DT it refers to
   - fix newly added dra7xx clock node data
   - add missing clock for USB PHY

  mvebu:
   - add missing clock for mdio node
   - fix nonstandard vendor prefixes on i2c nodes

  rockchip:
   - fix pin control setting for uart

  shmobile:
   - fix typo in DT data for pin control (multiple patches)
   - fix gic node #address-cells to match usage

  tegra:
   - fix clock and uart DT representation to match hardware

  zynq:
   - add DT nodes for newly added driver
   - add DT properties required for cpufreq-ondemand

  overall:
   - restore alphabetic order in Makefile
   - grammar fixes in bindings"

* tag 'fixes-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (66 commits)
  ARM: vexpress/TC2: Convert OPP voltage to uV before storing
  power/reset: vexpress: Fix restart/power off operation
  dt: tegra: remove non-existent clock IDs
  clk: tegra: remove non-existent clocks
  ARM: tegra: remove UART5/UARTE from tegra124.dtsi
  ARM: tegra: remove TEGRA_EMC_SCALING_ENABLE
  ARM: Tidy up DTB Makefile entries
  ARM: fix missing CLKSRC_OF on multi-platform
  ARM: spear: add __init to spear_clocksource_init()
  ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO
  arm/mach-vexpress: array accessed out of bounds
  clk: vexpress: NULL dereference on error path
  ARM: OMAP2+: Fix GPMC remap for devices using an offset
  ARM: zynq: dt: Add I2C nodes to Zynq device tree
  ARM: zynq: DT: Add 'clock-latency' property
  ARM: OMAP2+: Fix oops for GPMC free
  ARM: dts: Add support for the BeagleBoard xM A/B
  ARM: dts: Grammar /that will/it will/
  ARM: dts: Grammar /is uses/ is used/
  ARM: OMAP2+: Fix config name for USB3 PHY
  ...

10 years agoMerge tag 'locks-v3.15-2' of git://git.samba.org/jlayton/linux
Linus Torvalds [Fri, 25 Apr 2014 19:40:32 +0000 (12:40 -0700)]
Merge tag 'locks-v3.15-2' of git://git.samba.org/jlayton/linux

Pull file locking fixes from Jeff Layton:
 "File locking related bugfixes for v3.15 (pile #2)

   - fix for a long-standing bug in __break_lease that can cause soft
     lockups
   - renaming of file-private locks to "open file description" locks,
     and the command macros to more visually distinct names

  The fix for __break_lease is also in the pile of patches for which
  Bruce sent a pull request, but I assume that your merge procedure will
  handle that correctly.

  For the other patches, I don't like the fact that we need to rename
  this stuff at this late stage, but it should be settled now
  (hopefully)"

* tag 'locks-v3.15-2' of git://git.samba.org/jlayton/linux:
  locks: rename FL_FILE_PVT and IS_FILE_PVT to use "*_OFDLCK" instead
  locks: rename file-private locks to "open file description locks"
  locks: allow __break_lease to sleep even when break_time is 0

10 years agoMerge branch 'for-3.15' of git://linux-nfs.org/~bfields/linux
Linus Torvalds [Fri, 25 Apr 2014 19:39:05 +0000 (12:39 -0700)]
Merge branch 'for-3.15' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields:
 "Three small nfsd bugfixes (including one locks.c fix for a bug
  triggered only from nfsd).

  Jeff's patches are for long-existing problems that became easier to
  trigger since the addition of vfs delegation support"

* 'for-3.15' of git://linux-nfs.org/~bfields/linux:
  Revert "nfsd4: fix nfs4err_resource in 4.1 case"
  nfsd: set timeparms.to_maxval in setup_callback_client
  locks: allow __break_lease to sleep even when break_time is 0

10 years agos390/ccwgroup: Fix memory corruption
Christian Borntraeger [Wed, 23 Apr 2014 18:58:45 +0000 (20:58 +0200)]
s390/ccwgroup: Fix memory corruption

commit 0b60f9ead5d4816e7e3d6e28f4a0d22d4a1b2513 (s390: use
device_remove_file_self() instead of device_schedule_callback())

caused random memory corruption on my s390 box. Turns out that the
last element of the ccwgroup structure is of dynamic size, so we
must move the newly introduced work structure _before_ the zero
length array.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
CC: Tejun Heo <tj@kernel.org>
CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
CC: Heiko Carstens <heiko.carstens@de.ibm.com>
CC: Sebastian Ott <sebott@linux.vnet.ibm.com>
CC: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agokernfs: add back missing error check in kernfs_fop_mmap()
Tejun Heo [Sun, 20 Apr 2014 12:29:21 +0000 (08:29 -0400)]
kernfs: add back missing error check in kernfs_fop_mmap()

While updating how mmap enabled kernfs files are handled by lockdep,
9b2db6e18945 ("sysfs: bail early from kernfs_file_mmap() to avoid
spurious lockdep warning") inadvertently dropped error return check
from kernfs_file_mmap().  The intention was just dropping "if
(ops->mmap)" check as the control won't reach the point if the mmap
callback isn't implemented, but I mistakenly removed the error return
check together with it.

This led to Xorg crash on i810 which was reported and bisected to the
commit and then to the specific change by Tobias.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-bisected-by: Tobias Powalowski <tobias.powalowski@googlemail.com>
Tested-by: Tobias Powalowski <tobias.powalowski@googlemail.com>
References: http://lkml.kernel.org/g/533D01BD.1010200@googlemail.com
Cc: stable <stable@vger.kernel.org> # 3.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agokernfs: fix a subdir count leak
Jianyu Zhan [Thu, 17 Apr 2014 09:52:10 +0000 (17:52 +0800)]
kernfs: fix a subdir count leak

Currently kernfs_link_sibling() increates parent->dir.subdirs before
adding the node into parent's chidren rb tree.

Because it is possible that kernfs_link_sibling() couldn't find
a suitable slot and bail out, this leads to a mismatch between
elevated subdir count with actual children node numbers.

This patches fix this problem, by moving the subdir accouting
after the actual addtion happening.

Signed-off-by: Jianyu Zhan <nasa4836@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: option: add and update a number of CMOTech devices
Bjørn Mork [Fri, 25 Apr 2014 16:49:20 +0000 (18:49 +0200)]
usb: option: add and update a number of CMOTech devices

A number of older CMOTech modems are based on Qualcomm
chips.  The blacklisted interfaces are QMI/wwan.

Reported-by: Lars Melin <larsm17@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: option: add Alcatel L800MA
Bjørn Mork [Fri, 25 Apr 2014 16:49:19 +0000 (18:49 +0200)]
usb: option: add Alcatel L800MA

Device interface layout:
0: ff/ff/ff - serial
1: ff/00/00 - serial AT+PPP
2: ff/ff/ff - QMI/wwan
3: 08/06/50 - storage

Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: option: add Olivetti Olicard 500
Bjørn Mork [Fri, 25 Apr 2014 16:49:18 +0000 (18:49 +0200)]
usb: option: add Olivetti Olicard 500

Device interface layout:
0: ff/ff/ff - serial
1: ff/ff/ff - serial AT+PPP
2: 08/06/50 - storage
3: ff/ff/ff - serial
4: ff/ff/ff - QMI/wwan

Cc: <stable@vger.kernel.org>
Reported-by: Julio Araujo <julio.araujo@wllctel.com.br>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: qcserial: add Sierra Wireless MC7305/MC7355
Bjørn Mork [Fri, 25 Apr 2014 16:49:17 +0000 (18:49 +0200)]
usb: qcserial: add Sierra Wireless MC7305/MC7355

Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: qcserial: add Sierra Wireless MC73xx
Bjørn Mork [Fri, 25 Apr 2014 16:49:16 +0000 (18:49 +0200)]
usb: qcserial: add Sierra Wireless MC73xx

Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: qcserial: add Sierra Wireless EM7355
Bjørn Mork [Fri, 25 Apr 2014 16:49:15 +0000 (18:49 +0200)]
usb: qcserial: add Sierra Wireless EM7355

Cc: <stable@vger.kernel.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoarm64: init: Move of_clk_init to time_init
Chanho Min [Mon, 14 Apr 2014 07:38:53 +0000 (08:38 +0100)]
arm64: init: Move of_clk_init to time_init

Clock providers should be initialized before clocksource_of_init.
If not, Clock source initialization can be fail to get the clock.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoUSB: io_ti: fix firmware download on big-endian machines
Johan Hovold [Fri, 25 Apr 2014 13:23:03 +0000 (15:23 +0200)]
USB: io_ti: fix firmware download on big-endian machines

During firmware download the device expects memory addresses in
big-endian byte order. As the wIndex parameter which hold the address is
sent in little-endian byte order regardless of host byte order, we need
to use swab16 rather than cpu_to_be16.

Also make sure to handle the struct ti_i2c_desc size parameter which is
returned in little-endian byte order.

Reported-by: Ludovic Drolez <ldrolez@debian.org>
Tested-by: Ludovic Drolez <ldrolez@debian.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM
David Cohen [Fri, 25 Apr 2014 16:20:16 +0000 (19:20 +0300)]
usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM

When CONFIG_PCI and CONFIG_PM are not selected, xhci.c gets this
warning:
drivers/usb/host/xhci.c:409:13: warning: ‘xhci_msix_sync_irqs’ defined
but not used [-Wunused-function]

Instead of creating nested #ifdefs, this patch fixes it by defining the
xHCI PCI stubs as inline.

This warning has been in since 3.2 kernel and was
caused by commit 421aa841a134f6a743111cf44d0c6d3b45e3cf8c
"usb/xhci: hide MSI code behind PCI bars", but wasn't noticed
until 3.13 when a configuration with these options was tried

Signed-off-by: David Cohen <david.a.cohen@linux.intel.com>
Cc: stable@vger.kernel.org # 3.2
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoxhci: extend quirk for Renesas cards
Igor Gnatenko [Fri, 25 Apr 2014 16:20:15 +0000 (19:20 +0300)]
xhci: extend quirk for Renesas cards

After suspend another Renesas PCI-X USB 3.0 card doesn't work.
[root@fedora-20 ~]# lspci -vmnnd 1912:
Device: 03:00.0
Class: USB controller [0c03]
Vendor: Renesas Technology Corp. [1912]
Device: uPD720202 USB 3.0 Host Controller [0015]
SVendor: Renesas Technology Corp. [1912]
SDevice: uPD720202 USB 3.0 Host Controller [0015]
Rev: 02
ProgIf: 30

This patch should be applied to stable kernel 3.14 that contain
the commit 1aa9578c1a9450fb21501c4f549f5b1edb557e6d
"xhci: Fix resume issues on Renesas chips in Samsung laptops"

Reported-and-tested-by: Anatoly Kharchenko <rfr-bugs@yandex.ru>
Reference: http://redmine.russianfedora.pro/issues/1315
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
Cc: stable@vger.kernel.org # 3.14
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoxhci: Switch Intel Lynx Point ports to EHCI on shutdown.
Denis Turischev [Fri, 25 Apr 2014 16:20:14 +0000 (19:20 +0300)]
xhci: Switch Intel Lynx Point ports to EHCI on shutdown.

The same issue like with Panther Point chipsets. If the USB ports are
switched to xHCI on shutdown, the xHCI host will send a spurious interrupt,
which will wake the system. Some BIOS have work around for this, but not all.
One example is Compulab's mini-desktop, the Intense-PC2.

The bug can be avoided if the USB ports are switched back to EHCI on
shutdown.

This patch should be backported to stable kernels as old as 3.12,
that contain the commit 638298dc66ea36623dbc2757a24fc2c4ab41b016
"xhci: Fix spurious wakeups after S5 on Haswell"

Signed-off-by: Denis Turischev <denis@compulab.co.il>
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agousb: xhci: Prefer endpoint context dequeue pointer over stopped_trb
Julius Werner [Fri, 25 Apr 2014 16:20:13 +0000 (19:20 +0300)]
usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb

We have observed a rare cycle state desync bug after Set TR Dequeue
Pointer commands on Intel LynxPoint xHCs (resulting in an endpoint that
doesn't fetch new TRBs and thus an unresponsive USB device). It always
triggers when a previous Set TR Dequeue Pointer command has set the
pointer to the final Link TRB of a segment, and then another URB gets
enqueued and cancelled again before it can be completed. Further
investigation showed that the xHC had returned the Link TRB in the TRB
Pointer field of the Transfer Event (CC == Stopped -- Length Invalid),
but when xhci_find_new_dequeue_state() later accesses the Endpoint
Context's TR Dequeue Pointer field it is set to the first TRB of the
next segment.

The driver expects those two values to be the same in this situation,
and uses the cycle state of the latter together with the address of the
former. This should be fine according to the XHCI specification, since
the endpoint ring should be stopped when returning the Transfer Event
and thus should not advance over the Link TRB before it gets restarted.
However, real-world XHCI implementations apparently don't really care
that much about these details, so the driver should follow a more
defensive approach to try to work around HC spec violations.

This patch removes the stopped_trb variable that had been used to store
the TRB Pointer from the last Transfer Event of a stopped TRB. Instead,
xhci_find_new_dequeue_state() now relies only on the Endpoint Context,
requiring a small amount of additional processing to find the virtual
address corresponding to the TR Dequeue Pointer. Some other parts of the
function were slightly rearranged to better fit into this model.

This patch should be backported to kernels as old as 2.6.31 that contain
the commit ae636747146ea97efa18e04576acd3416e2514f5 "USB: xhci: URB
cancellation support."

Signed-off-by: Julius Werner <jwerner@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoarm64: initialize spinlock for init_mm's context
Leo Yan [Wed, 16 Apr 2014 12:26:35 +0000 (13:26 +0100)]
arm64: initialize spinlock for init_mm's context

ARM64 has defined the spinlock for init_mm's context, so need initialize
the spinlock structure; otherwise during the suspend flow it will dump
the info for spinlock's bad magic warning as below:

[   39.084394] Disabling non-boot CPUs ...
[   39.092871] BUG: spinlock bad magic on CPU#1, swapper/1/0
[   39.092896]  lock: init_mm+0x338/0x3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
[   39.092907] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           O 3.10.33 #125
[   39.092912] Call trace:
[   39.092927] [<ffffffc000087e64>] dump_backtrace+0x0/0x16c
[   39.092934] [<ffffffc000087fe0>] show_stack+0x10/0x1c
[   39.092947] [<ffffffc000765334>] dump_stack+0x1c/0x28
[   39.092953] [<ffffffc0007653b8>] spin_dump+0x78/0x88
[   39.092960] [<ffffffc0007653ec>] spin_bug+0x24/0x34
[   39.092971] [<ffffffc000300a28>] do_raw_spin_lock+0x98/0x17c
[   39.092979] [<ffffffc00076cf08>] _raw_spin_lock_irqsave+0x4c/0x60
[   39.092990] [<ffffffc000094044>] set_mm_context+0x1c/0x6c
[   39.092996] [<ffffffc0000941c8>] __new_context+0x94/0x10c
[   39.093007] [<ffffffc0000d63d4>] idle_task_exit+0x104/0x1b0
[   39.093014] [<ffffffc00008d91c>] cpu_die+0x14/0x74
[   39.093021] [<ffffffc000084f74>] arch_cpu_idle_dead+0x8/0x14
[   39.093030] [<ffffffc0000e7f18>] cpu_startup_entry+0x1ec/0x258
[   39.093036] [<ffffffc00008d810>] secondary_start_kernel+0x114/0x124

Signed-off-by: Leo Yan <leoy@marvell.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoarm64: debug: remove noisy, pointless warning
Will Deacon [Thu, 17 Apr 2014 11:37:14 +0000 (12:37 +0100)]
arm64: debug: remove noisy, pointless warning

Sending a SIGTRAP to a user task after execution of a BRK instruction at
EL0 is fundamental to the way in which software breakpoints work and
doesn't deserve a warning to be logged in dmesg. Whilst the warning can
be justified from EL1, do_debug_exception will already do the right thing,
so simply remove the code altogether.

Cc: Sandeepa Prabhu <sandeepa.prabhu@linaro.org>
Reported-by: Kyrylo Tkachov <kyrylo.tkachov@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoarm64: mm: Add THP TLB entries to general mmu_gather
Steve Capper [Thu, 24 Apr 2014 14:33:21 +0000 (15:33 +0100)]
arm64: mm: Add THP TLB entries to general mmu_gather

When arm64 moved over to the core mmu_gather, it lost the logic to
flush THP TLB entries (tlb_remove_pmd_tlb_entry was removed and the
core implementation only signals that the mmu_gather needs a flush).

This patch ensures that tlb_add_flush is called for THP TLB entries.

Signed-off-by: Steve Capper <steve.capper@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoARM: 8042/1: iwmmxt: allow to build iWMMXt on Marvell PJ4B
Sebastian Hesselbarth [Thu, 24 Apr 2014 21:58:30 +0000 (22:58 +0100)]
ARM: 8042/1: iwmmxt: allow to build iWMMXt on Marvell PJ4B

Some Marvell PJ4B CPUs also implement iWMMXt extensions. With a
proper check for iWMMXt coprocessors now in place, enable it by
default on PJ4B. While at it, also allow to manually select
the corresponding Kconfig option.

Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoARM: 8041/1: pj4: fix cpu_is_pj4 check
Sebastian Hesselbarth [Thu, 24 Apr 2014 21:58:00 +0000 (22:58 +0100)]
ARM: 8041/1: pj4: fix cpu_is_pj4 check

Commit fdb487f5c961b94486a78fa61fa28b8eff1954ab
  ("ARM: 8015/1: Add cpu_is_pj4 to distinguish PJ4 because it
    has some differences with V7")
introduced a cpuid check for Marvell PJ4 processors to fix a
regression caused by adding PJ4 based Marvell Dove into
multi_v7.

Unfortunately, this check is too narrow to catch PJ4 used on
Dove itself and breaks iWMMXt support.

This patch therefore relaxes the cpuid mask to match both PJ4
and PJ4B. Also, rework the given comment about PJ4/PJ4B
modifications to be a little bit more specific about the
differences.

Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoARM: 8040/1: pj4: properly detect existence of iWMMXt coprocessor
Sebastian Hesselbarth [Thu, 24 Apr 2014 21:57:25 +0000 (22:57 +0100)]
ARM: 8040/1: pj4: properly detect existence of iWMMXt coprocessor

commit fdb487f5c961b94486a78fa61fa28b8eff1954ab
  ("ARM: 8015/1: Add cpu_is_pj4 to distinguish PJ4 because it
    has some differences with V7")
introduced a fix for checking PJ4 cpuid to not use PJ4 specific
coprocessor access on non-PJ4 platforms.

Unfortunately, this in turn broke Marvell Armada 370/XP, both
comprising Marvell PJ4B CPUs without iWMMXt extension. Instead
of only checking for cpuid, which may not be sufficient to
determine iWMMXt support, the presence of iWMMXt coprocessors
can be checked by enabling and reading the Coprocessor ID
register (wCID, register 0 of CP1).

Therefore this adds an explicit check for the presence and correct
wCID value, before enabling iWMMXt capabilities. As a bonus, also
print the iWMMXt version of a detected coprocessor.

This has been tested to properly detect iWMMXt presence/absence on:
- PJ4,  CPUID 0x560f5815, wCID 0x56052001: Marvell Dove, iWMMXt v2
- PJ4B, CPUID 0x561f5811: Marvell Armada 370, no iWMMXt
- PJ4B, CPUID 0x562f5841, wCID 0x56052001: Marvell Armada 1500, iWMMXt v2
- PJ4B, CPUID 0x562f5842: Marvell Armada XP, no iWMMXt

Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoARM: 8039/1: pj4: enable iWMMXt only if CONFIG_IWMMXT is set
Sebastian Hesselbarth [Thu, 24 Apr 2014 21:56:43 +0000 (22:56 +0100)]
ARM: 8039/1: pj4: enable iWMMXt only if CONFIG_IWMMXT is set

This fixes PJ4 coprocessor init to only expose iWMMXt capabilities,
if the corresponding kernel support for iWMMXt is enabled.

Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoARM: 8038/1: iwmmxt: explicitly check for supported architectures
Sebastian Hesselbarth [Thu, 24 Apr 2014 21:54:58 +0000 (22:54 +0100)]
ARM: 8038/1: iwmmxt: explicitly check for supported architectures

iwmmxt.S requires special treatment of coprocessor access registers
for PJ4 and XScale-based CPUs. It only checks for CPU_PJ4 and drops
down to XScale-based treatment on all other architectures.

As some PJ4B also come with iWMMXt and also need PJ4 treatment,
rework the corresponding preprocessor directives to explicitly
check for supported architectures and fail on unsupported ones.

Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoMerge tag 'zynq-dt-fixes-for-3.15' of git://git.xilinx.com/linux-xlnx into fixes
Arnd Bergmann [Fri, 25 Apr 2014 09:22:20 +0000 (11:22 +0200)]
Merge tag 'zynq-dt-fixes-for-3.15' of git://git.xilinx.com/linux-xlnx into fixes

arm: Xilinx Zynq DT fixes for v3.15

- Enable Zynq I2c
- Fix cpufreq DT binding

* tag 'zynq-dt-fixes-for-3.15' of git://git.xilinx.com/linux-xlnx:
  ARM: zynq: dt: Add I2C nodes to Zynq device tree
  ARM: zynq: DT: Add 'clock-latency' property

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
10 years agoBtrfs: correctly set profile flags on seqlock retry
Filipe Manana [Thu, 24 Apr 2014 14:15:29 +0000 (15:15 +0100)]
Btrfs: correctly set profile flags on seqlock retry

If we had to retry on the profiles seqlock (due to a concurrent write), we
would set bits on the input flags that corresponded both to the current
profile and to previous values of the profile.

Signed-off-by: Filipe David Borba Manana <fdmanana@gmail.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoBtrfs: use correct key when repeating search for extent item
Filipe Manana [Thu, 24 Apr 2014 14:15:28 +0000 (15:15 +0100)]
Btrfs: use correct key when repeating search for extent item

If skinny metadata is enabled and our first tree search fails to find a
skinny extent item, we may repeat a tree search for a "fat" extent item
(if the previous item in the leaf is not the "fat" extent we're looking
for). However we were not setting the new key's objectid to the right
value, as we previously used the same key variable to peek at the previous
item in the leaf, which has a different objectid. So just set the right
objectid to avoid modifying/deleting a wrong item if we repeat the tree
search.

Signed-off-by: Filipe David Borba Manana <fdmanana@gmail.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoBtrfs: fix inode caching vs tree log
Miao Xie [Wed, 23 Apr 2014 11:33:36 +0000 (19:33 +0800)]
Btrfs: fix inode caching vs tree log

Currently, with inode cache enabled, we will reuse its inode id immediately
after unlinking file, we may hit something like following:

|->iput inode
|->return inode id into inode cache
|->create dir,fsync
|->power off

An easy way to reproduce this problem is:

mkfs.btrfs -f /dev/sdb
mount /dev/sdb /mnt -o inode_cache,commit=100
dd if=/dev/zero of=/mnt/data bs=1M count=10 oflag=sync
inode_id=`ls -i /mnt/data | awk '{print $1}'`
rm -f /mnt/data

i=1
while [ 1 ]
do
        mkdir /mnt/dir_$i
        test1=`stat /mnt/dir_$i | grep Inode: | awk '{print $4}'`
        if [ $test1 -eq $inode_id ]
        then
dd if=/dev/zero of=/mnt/dir_$i/data bs=1M count=1 oflag=sync
echo b > /proc/sysrq-trigger
fi
sleep 1
        i=$(($i+1))
done

mount /dev/sdb /mnt
umount /dev/sdb
btrfs check /dev/sdb

We fix this problem by adding unlinked inode's id into pinned tree,
and we can not reuse them until committing transaction.

Cc: stable@vger.kernel.org
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoBtrfs: fix possible memory leaks in open_ctree()
Wang Shilong [Wed, 23 Apr 2014 11:33:35 +0000 (19:33 +0800)]
Btrfs: fix possible memory leaks in open_ctree()

Fix possible memory leaks in the following error handling paths:

read_tree_block()
btrfs_recover_log_trees
btrfs_commit_super()
btrfs_find_orphan_roots()
btrfs_cleanup_fs_roots()

Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoBtrfs: avoid triggering bug_on() when we fail to start inode caching task
Wang Shilong [Wed, 23 Apr 2014 11:33:34 +0000 (19:33 +0800)]
Btrfs: avoid triggering bug_on() when we fail to start inode caching task

When running stress test(including snapshots,balance,fstress), we trigger
the following BUG_ON() which is because we fail to start inode caching task.

[  181.131945] kernel BUG at fs/btrfs/inode-map.c:179!
[  181.137963] invalid opcode: 0000 [#1] SMP
[  181.217096] CPU: 11 PID: 2532 Comm: btrfs Not tainted 3.14.0 #1
[  181.240521] task: ffff88013b621b30 ti: ffff8800b6ada000 task.ti: ffff8800b6ada000
[  181.367506] Call Trace:
[  181.371107]  [<ffffffffa036c1be>] btrfs_return_ino+0x9e/0x110 [btrfs]
[  181.379191]  [<ffffffffa038082b>] btrfs_evict_inode+0x46b/0x4c0 [btrfs]
[  181.387464]  [<ffffffff810b5a70>] ? autoremove_wake_function+0x40/0x40
[  181.395642]  [<ffffffff811dc5fe>] evict+0x9e/0x190
[  181.401882]  [<ffffffff811dcde3>] iput+0xf3/0x180
[  181.408025]  [<ffffffffa03812de>] btrfs_orphan_cleanup+0x1ee/0x430 [btrfs]
[  181.416614]  [<ffffffffa03a6abd>] btrfs_mksubvol.isra.29+0x3bd/0x450 [btrfs]
[  181.425399]  [<ffffffffa03a6cd6>] btrfs_ioctl_snap_create_transid+0x186/0x190 [btrfs]
[  181.435059]  [<ffffffffa03a6e3b>] btrfs_ioctl_snap_create_v2+0xeb/0x130 [btrfs]
[  181.444148]  [<ffffffffa03a9656>] btrfs_ioctl+0xf76/0x2b90 [btrfs]
[  181.451971]  [<ffffffff8117e565>] ? handle_mm_fault+0x475/0xe80
[  181.459509]  [<ffffffff8167ba0c>] ? __do_page_fault+0x1ec/0x520
[  181.467046]  [<ffffffff81185b35>] ? do_mmap_pgoff+0x2f5/0x3c0
[  181.474393]  [<ffffffff811d4da8>] do_vfs_ioctl+0x2d8/0x4b0
[  181.481450]  [<ffffffff811d5001>] SyS_ioctl+0x81/0xa0
[  181.488021]  [<ffffffff81680b69>] system_call_fastpath+0x16/0x1b

We should avoid triggering BUG_ON() here, instead, we output warning messages
and clear inode_cache option.

Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoBtrfs: move btrfs_{set,clear}_and_info() to ctree.h
Wang Shilong [Wed, 23 Apr 2014 11:33:33 +0000 (19:33 +0800)]
Btrfs: move btrfs_{set,clear}_and_info() to ctree.h

Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agobtrfs: replace error code from btrfs_drop_extents
David Sterba [Tue, 15 Apr 2014 16:50:17 +0000 (18:50 +0200)]
btrfs: replace error code from btrfs_drop_extents

There's a case which clone does not handle and used to BUG_ON instead,
(testcase xfstests/btrfs/035), now returns EINVAL. This error code is
confusing to the ioctl caller, as it normally signifies errorneous
arguments.

Change it to ENOPNOTSUPP which allows a fall back to copy instead of
clone. This does not affect the common reflink operation.

Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agobtrfs: Change the hole range to a more accurate value.
Qu Wenruo [Tue, 15 Apr 2014 02:41:00 +0000 (10:41 +0800)]
btrfs: Change the hole range to a more accurate value.

Commit 3ac0d7b96a268a98bd474cab8bce3a9f125aaccf fixed the btrfs expanding
write problem but the hole punched is sometimes too large for some
iovec, which has unmapped data ranges.
This patch will change to hole range to a more accurate value using the
counts checked by the write check routines.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
10 years agoserial_core: fix uart PORT_UNKNOWN handling
Thomas Pfaff [Wed, 23 Apr 2014 10:33:22 +0000 (12:33 +0200)]
serial_core: fix uart PORT_UNKNOWN handling

While porting a RS485 driver from 2.6.29 to 3.14, i noticed that the serial tty
driver could break it by using uart ports that it does not own :

1. uart_change_pm ist called during uart_open and calls the uart pm function
   without checking for PORT_UNKNOWN.
   The fix is to move uart_change_pm from uart_open to uart_port_startup.
2. The return code from the uart request_port call in uart_set_info is not
   handled properly, leading to the situation that the serial driver also
   thinks it owns the uart ports.
   This can triggered by doing following actions :

   setserial /dev/ttyS0 uart none    # release the uart ports
   modprobe lirc-serial              # or any other device that uses the uart
   setserial /dev/ttyS0 uart 16550   # gives no error and the uart tty driver
                                     # can use the ports as well

Signed-off-by: Thomas Pfaff <tpfaff@pcs.com>
Reviewed-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoserial: samsung: Change barrier() to cpu_relax() in console output
Doug Anderson [Mon, 21 Apr 2014 16:40:36 +0000 (09:40 -0700)]
serial: samsung: Change barrier() to cpu_relax() in console output

The two functions to write out to the console (one used in normal
console mode and one in polling console mode) were slightly different.
One used a barrier() in its loop and the other a cpu_relax().  The
barrier() really doesn't do anything since we're using rd_regl() to
read the port anyway.  Switch it to cpu_relax() to make things
consistent.

No known bugs / issues are fixed by this change--it just makes things
more consistent.

Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoserial: samsung: don't check config for every character
Doug Anderson [Mon, 21 Apr 2014 16:40:35 +0000 (09:40 -0700)]
serial: samsung: don't check config for every character

The s3c24xx_serial_console_putchar() is _only_ ever used by
s3c24xx_serial_console_write() and is called in a loop (indirectly
through uart_console_write()).  There's no reason to call
s3c24xx_port_configured() for every iteration through the loop.  Move
it outside the loop.

Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoserial: samsung: Use the passed in "port", fixing kgdb w/ no console
Doug Anderson [Mon, 21 Apr 2014 16:40:34 +0000 (09:40 -0700)]
serial: samsung: Use the passed in "port", fixing kgdb w/ no console

The two functions in the samsung serial driver used for writing
characters out to the port were inconsistent about whether they used
the passed in "port" or the global "cons_uart".  There was no reason
to use the global and the use of the global in
s3c24xx_serial_put_poll_char() caused a crash in the case where you
used the serial port for kgdboc but not for console.

Fix it so we used the passed in variable.

Note that this doesn't fix all problems with the samsung serial
driver.  Specifically:
* s3c24xx_serial_console_putchar() is still 99% identical to
  s3c24xx_serial_put_poll_char() (the function signature is different,
  but that's about it).  A future patch will make them slightly less
  identical and judging by other serial drivers we may need yet more
  differences eventually.
* The samsung serial driver still doesn't allow you to have more than
  one console port since it still uses the global cons_uart in
  s3c24xx_serial_console_write().

Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoserial: 8250: Fix thread unsafe __dma_tx_complete function
Loic Poulain [Thu, 24 Apr 2014 09:34:48 +0000 (11:34 +0200)]
serial: 8250: Fix thread unsafe __dma_tx_complete function

__dma_tx_complete is not protected against concurrent
call of serial8250_tx_dma. it can lead to circular tail
index corruption or parallel call of serial_tx_dma on the
same data portion.

This patch fixes this issue by holding the port lock.

Signed-off-by: Loic Poulain <loic.poulain@intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years ago8250_core: Fix unwanted TX chars write
Loic Poulain [Thu, 24 Apr 2014 09:38:56 +0000 (11:38 +0200)]
8250_core: Fix unwanted TX chars write

On transmit-hold-register empty, serial8250_tx_chars
should be called only if we don't use DMA.
DMA has its own tx cycle.

Signed-off-by: Loic Poulain <loic.poulain@intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agotty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc
Manfred Schlaegl [Tue, 8 Apr 2014 12:42:04 +0000 (14:42 +0200)]
tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc

The race was introduced while development of linux-3.11 by
e8437d7ecbc50198705331449367d401ebb3181f and
e9975fdec0138f1b2a85b9624e41660abd9865d4.
Originally it was found and reproduced on linux-3.12.15 and
linux-3.12.15-rt25, by sending 500 byte blocks with 115kbaud to the
target uart in a loop with 100 milliseconds delay.

In short:
 1. The consumer flush_to_ldisc is on to remove the head tty_buffer.
 2. The producer adds a number of bytes, so that a new tty_buffer must
be allocated and added by __tty_buffer_request_room.
 3. The consumer removes the head tty_buffer element, without handling
newly committed data.

Detailed example:
 * Initial buffer:
   * Head, Tail -> 0: used=250; commit=250; read=240; next=NULL
 * Consumer: ''flush_to_ldisc''
   * consumed 10 Byte
   * buffer:
     * Head, Tail -> 0: used=250; commit=250; read=250; next=NULL
{{{
count = head->commit - head->read; // count = 0
if (!count) { // enter
// INTERRUPTED BY PRODUCER ->
if (head->next == NULL)
break;
buf->head = head->next;
tty_buffer_free(port, head);
continue;
}
}}}
 * Producer: tty_insert_flip_... 10 bytes + tty_flip_buffer_push
   * buffer:
     * Head, Tail -> 0: used=250; commit=250; read=250; next=NULL
   * added 6 bytes: head-element filled to maximum.
     * buffer:
       * Head, Tail -> 0: used=256; commit=250; read=250; next=NULL
   * added 4 bytes: __tty_buffer_request_room is called
     * buffer:
       * Head -> 0: used=256; commit=256; read=250; next=1
       * Tail -> 1: used=4; commit=0; read=250 next=NULL
   * push (tty_flip_buffer_push)
     * buffer:
       * Head -> 0: used=256; commit=256; read=250; next=1
       * Tail -> 1: used=4; commit=4; read=250 next=NULL
 * Consumer
{{{
count = head->commit - head->read;
if (!count) {
// INTERRUPTED BY PRODUCER <-
if (head->next == NULL) // -> no break
break;
buf->head = head->next;
tty_buffer_free(port, head);
// ERROR: tty_buffer head freed -> 6 bytes lost
continue;
}
}}}

This patch reintroduces a spin_lock to protect this case. Perhaps later
a lock-less solution could be found.

Signed-off-by: Manfred Schlaegl <manfred.schlaegl@gmx.at>
Cc: stable <stable@vger.kernel.org> # 3.11
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoMerge tag 'vexpress/fixes-for-3.15' of git://git.linaro.org/people/pawel.moll/linux...
Arnd Bergmann [Thu, 24 Apr 2014 21:46:58 +0000 (23:46 +0200)]
Merge tag 'vexpress/fixes-for-3.15' of git://git.linaro.org/people/pawel.moll/linux into fixes

ARM Versatile Express fixes for 3.15

This series contains straight-forward fixes for different
Versatile Express infrastructure drivers:

- NULL pointer dereference on the error path in the clk driver
- out of boundary array access in the dcscb driver
- broken restart/power off implementation
- mis-interpreted voltage unit in the spc driver

* tag 'vexpress/fixes-for-3.15' of git://git.linaro.org/people/pawel.moll/linux:
  ARM: vexpress/TC2: Convert OPP voltage to uV before storing
  power/reset: vexpress: Fix restart/power off operation
  arm/mach-vexpress: array accessed out of bounds
  clk: vexpress: NULL dereference on error path

Includes an update to 3.15-rc2

Signed-off-by: Arnd Bergmann <arnd@arndb.de>