Felix Fietkau [Mon, 14 Jan 2013 09:50:15 +0000 (10:50 +0100)]
ath9k: remove sc->rx.rxbuflock to fix a deadlock
The commit "ath9k: fix rx flush handling" added a deadlock that happens
because ath_rx_tasklet is called in a section that has already taken the
rx buffer lock.
It seems that the only purpose of the rxbuflock was a band-aid fix to the
reset vs rx tasklet race, which has been properly fixed in the commit
"ath9k: add a better fix for the rx tasklet vs rx flush race".
Now that the fix is in, we can safely remove the lock to avoid such issues.
Cc: stable@vger.kernel.org
Reported-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Piotr Haber [Thu, 10 Jan 2013 10:20:48 +0000 (11:20 +0100)]
brcmsmac: increase timer reference count for new timers only
On hardware reintialization reference count of
already existing timers would be increased again.
This leads to problems on module unloading.
Cc: stable@vger.kernel.org
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 9 Jan 2013 15:16:56 +0000 (16:16 +0100)]
ath9k: fix rx flush handling
Right now the rx flush is not doing anything useful on AR9003+, as it only
works if the buffers in the rx FIFO have not been purged yet, as is done
by ath_stoprecv.
To fix this, always call ath_flushrecv from within ath_stoprecv before
the FIFO is emptied, but still after the hw receive path has been stopped.
This ensures that frames received (and ACKed by the hardware) shortly before
a reset will be seen by the software, which should improve A-MPDU session
stability.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 9 Jan 2013 15:16:55 +0000 (16:16 +0100)]
ath9k: add a better fix for the rx tasklet vs rx flush race
Ensure that the rx tasklet is no longer running when entering the reset path.
Also remove the distinction between flush and no-flush frame processing.
If a frame has been received and ACKed by the hardware, the stack needs to see
it, so that the BA receive window does not go out of sync.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 9 Jan 2013 15:16:54 +0000 (16:16 +0100)]
ath9k: remove the WARN_ON that triggers if generating a beacon fails
During teardown, mac80211 will not return a new beacon. This is normal and
handled properly in the driver, so there's no need to spam the user with a kernel
warning here.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 9 Jan 2013 15:16:53 +0000 (16:16 +0100)]
ath9k: fix double-free bug on beacon generate failure
When the next beacon is sent, the ath_buf from the previous run is reused.
If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet
the skb is freed, leading to a double-free on the next beacon tx attempt,
resulting in a system crash.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 9 Jan 2013 15:16:52 +0000 (16:16 +0100)]
ath9k: do not link receive buffers during flush
On AR9300 the rx FIFO needs to be empty during reset to ensure that no
further DMA activity is generated, otherwise it might lead to memory
corruption issues.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith Manoharan [Wed, 9 Jan 2013 10:37:48 +0000 (16:07 +0530)]
ath9k_htc: Fix memory leak
SKBs that are allocated in the HTC layer do not have callbacks
registered and hence ended up not being freed, Fix this by freeing
them properly in the TX completion routine.
Cc: <stable@vger.kernel.org>
Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Wed, 9 Jan 2013 01:53:11 +0000 (17:53 -0800)]
mwifiex: correct config_bands handling for ibss network
BAND_G is implicit when BAND_GN is present.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Wed, 9 Jan 2013 01:53:10 +0000 (17:53 -0800)]
mwifiex: update config_bands during infra association
Currently "adapter->config_bands" is updated during infra
association only if channel is provided by user in "iw connect"
command. config_bands is used while preparing association
request to calculate supported rates by intersecting our rates
with the rates advertised by AP.
There is corner case in which we include zero rates in
supported rates TLV based on previous IBSS network history,
which leads to association failure.
This patch fixes the problem by correctly updating config_bands.
Cc: "3.7.y" <stable@vger.kernel.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Gustavo Padovan [Thu, 3 Jan 2013 21:59:28 +0000 (19:59 -0200)]
Bluetooth: Check if the hci connection exists in SCO shutdown
Checking only for sco_conn seems to not be enough and lead to NULL
dereferences in the code, check for hcon instead.
<1>[11340.226404] BUG: unable to handle kernel NULL pointer dereference at
0000000
8
<4>[11340.226619] EIP is at __sco_sock_close+0xe8/0x1a0
<4>[11340.226629] EAX:
f063a740 EBX:
00000000 ECX:
f58f4544 EDX:
00000000
<4>[11340.226640] ESI:
dec83e00 EDI:
5f9a081f EBP:
e0fdff38 ESP:
e0fdff1c
<0>[11340.226674] Stack:
<4>[11340.226682]
c184db87 c1251028 dec83e00 e0fdff38 c1754aef dec83e00
00000000
e0fdff5c
<4>[11340.226718]
c184f587 e0fdff64 e0fdff68 5f9a081f e0fdff5c c1751852
d7813800
62262f10
<4>[11340.226752]
e0fdff70 c1753c00 00000000 00000001 0000000d e0fdffac
c175425c
00000041
<0>[11340.226793] Call Trace:
<4>[11340.226813] [<
c184db87>] ? sco_sock_clear_timer+0x27/0x60
<4>[11340.226831] [<
c1251028>] ? local_bh_enable+0x68/0xd0
<4>[11340.226846] [<
c1754aef>] ? lock_sock_nested+0x4f/0x60
<4>[11340.226862] [<
c184f587>] sco_sock_shutdown+0x67/0xb0
<4>[11340.226879] [<
c1751852>] ? sockfd_lookup_light+0x22/0x80
<4>[11340.226897] [<
c1753c00>] sys_shutdown+0x30/0x60
<4>[11340.226912] [<
c175425c>] sys_socketcall+0x1dc/0x2a0
<4>[11340.226929] [<
c149ba78>] ? trace_hardirqs_on_thunk+0xc/0x10
<4>[11340.226944] [<
c18860f1>] syscall_call+0x7/0xb
<4>[11340.226960] [<
c1880000>] ? restore_cur+0x5e/0xd7
<0>[11340.226969] Code: <f0> ff 4b 08 0f 94 c0 84 c0 74 20 80 7b 19 01 74
2f b8 0a 00 00
Reported-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Jaganath Kanakkassery [Thu, 10 Jan 2013 04:58:35 +0000 (10:28 +0530)]
Bluetooth: Fix authentication if acl data comes before remote feature evt
If remote device sends l2cap info request before read_remote_ext_feature
completes then mgmt_connected will be sent in hci_acldata_packet() and
remote name request wont be sent and eventually authentication wont happen
Hcidump log of the issue
< HCI Command: Create Connection (0x01|0x0005) plen 13
bdaddr BC:85:1F:74:7F:29 ptype 0xcc18 rswitch 0x01 clkoffset 0x4bf7 (valid)
Packet type: DM1 DM3 DM5 DH1 DH3 DH5
> HCI Event: Command Status (0x0f) plen 4
Create Connection (0x01|0x0005) status 0x00 ncmd 1
> HCI Event: Connect Complete (0x03) plen 11
status 0x00 handle 12 bdaddr BC:85:1F:74:7F:29 type ACL encrypt 0x00
< HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
handle 12
> HCI Event: Command Status (0x0f) plen 4
Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
> HCI Event: Read Remote Supported Features (0x0b) plen 11
status 0x00 handle 12
Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
> HCI Event: Max Slots Change (0x1b) plen 3
handle 12 slots 5
< HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
handle 12 page 1
> HCI Event: Command Status (0x0f) plen 4
Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
> ACL data: handle 12 flags 0x02 dlen 10
L2CAP(s): Info req: type 2
< ACL data: handle 12 flags 0x00 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x00b8
Enhanced Retransmission mode
Streaming mode
FCS Option
Fixed Channels
> HCI Event: Read Remote Extended Features (0x23) plen 13
status 0x00 handle 12 page 1 max 1
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> ACL data: handle 12 flags 0x02 dlen 10
L2CAP(s): Info req: type 3
< ACL data: handle 12 flags 0x00 dlen 20
L2CAP(s): Info rsp: type 3 result 0
Fixed channel list 0x00000002
L2CAP Signalling Channel
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 12 packets 2
This patch moves sending mgmt_connected from hci_acldata_packet() to
l2cap_connect_req() since this code is to handle the scenario remote
device sends l2cap connect req too fast
Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Sergio Cambra [Thu, 10 Jan 2013 00:06:55 +0000 (01:06 +0100)]
Bluetooth device 04ca:3008 should use ath3k
Output of /sys/kernel/debug/usb/devices
T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3008 Rev= 0.02
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Sergio Cambra <sergio@programatica.es>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Anderson Lizardo [Sun, 6 Jan 2013 22:28:53 +0000 (18:28 -0400)]
Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
The length parameter should be sizeof(req->name) - 1 because there is no
guarantee that string provided by userspace will contain the trailing
'\0'.
Can be easily reproduced by manually setting req->name to 128 non-zero
bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
input subsystem:
$ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
AAAAAA[...]
AAAAAAAAf0:af:f0:af:f0:af
("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
field in struct hid_device due to overflow.)
Cc: stable@vger.kernel.org
Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
AceLan Kao [Thu, 3 Jan 2013 04:25:00 +0000 (12:25 +0800)]
Bluetooth: Add support for Foxconn / Hon Hai [0489:e056]
Add support for the AR9462 chip
T: Bus=01 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e056 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
AceLan Kao [Thu, 3 Jan 2013 04:24:59 +0000 (12:24 +0800)]
Bluetooth: Add support for Foxconn / Hon Hai [0489:e04e]
Add support for the AR9462 chip
T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e04e Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Daniel Schaal [Sat, 29 Dec 2012 10:14:34 +0000 (11:14 +0100)]
Bluetooth: Add support for GC-WB300D PCIe [04ca:3006] to ath3k.
T: Bus=02 Lev=02 Prnt=02 Port=06 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3006 Rev= 0.02
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Daniel Schaal <farbing@web.de>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
AceLan Kao [Tue, 11 Dec 2012 03:41:20 +0000 (11:41 +0800)]
Bluetooth: Add support for IMC Networks [13d3:3393]
Add support for the AR9462 chip
T: Bus=02 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3393 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Szymon Janc [Tue, 11 Dec 2012 07:51:19 +0000 (08:51 +0100)]
Bluetooth: Fix sending HCI commands after reset
After sending reset command wait for its command complete event before
sending next command. Some chips sends CC event for command received
before reset if reset was send before chip replied with CC.
This is also required by specification that host shall not send
additional HCI commands before receiving CC for reset.
< HCI Command: Reset (0x03|0x0003) plen 0 [hci0] 18.404612
> HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.405850
Write Extended Inquiry Response (0x03|0x0052) ncmd 1
Status: Success (0x00)
< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.406079
> HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.407864
Reset (0x03|0x0003) ncmd 1
Status: Success (0x00)
< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.408062
> HCI Event: Command Complete (0x0e) plen 12 [hci0] 18.408835
Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Cc: stable@vger.kernel.org
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Larry Finger [Thu, 20 Dec 2012 21:55:01 +0000 (15:55 -0600)]
b43: Fix firmware loading when driver is built into the kernel
Recent versions of udev cause synchronous firmware loading from the
probe routine to fail because the request to user space would time
out. The original fix for b43 (commit 6b6fa58) moved the firmware
load from the probe routine to a work queue, but it still used synchronous
firmware loading. This method is OK when b43 is built as a module;
however, it fails when the driver is compiled into the kernel.
This version changes the code to load the initial firmware file
using request_firmware_nowait(). A completion event is used to
hold the work queue until that file is available. This driver
reads several firmware files - the remainder can be read synchronously.
On some test systems, the async read fails; however, a following synch
read works, thus the async failure falls through to the sync try.
Reported-and-Tested by: Felix Janda <felix.janda@posteo.de>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org> (V3.4+)
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Chen Gang [Mon, 7 Jan 2013 04:42:46 +0000 (12:42 +0800)]
drivers/net/wireless/iwlegacy: use strlcpy instead of strncpy
The fields must be null-terminated, or simple_strtoul will cause issue.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Nickolai Zeldovich [Mon, 7 Jan 2013 01:27:22 +0000 (20:27 -0500)]
drivers/net/wireless/mwl8k.c: avoid use-after-free
Do not dereference p->station_id after kfree(cmd) because p
points into the cmd data structure.
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Julian Wollrath [Wed, 2 Jan 2013 14:21:56 +0000 (15:21 +0100)]
rtlwifi: Fix typo in debug output of rtl8192c and rtl8723ae
Signed-off-by: Julian Wollrath <jwollrath@web.de>
Acked-by: Larry Finger <Larry.finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vladimir Kondratiev [Thu, 20 Dec 2012 21:13:19 +0000 (13:13 -0800)]
wireless: add new wil6210 802.11ad 60GHz driver
This adds support for the 60 GHz 802.11ad Wilocity card
through a new driver, wil6210. Wilocity implemented the
firmware, QCA maintains the device driver.
Currently supported:
- STA: with security
- AP: limited to 1 connected STA, security disabled
- Monitor: due to a hardware/firmware limitation
either control or non-control frames are monitored
Using a STA and AP with this drive, one can assemble
a fully functional BSS. Throughput of 1.2Gbps is achieved
with iperf.
The wil6210 cards have on-board flash memory for the
firmware, the cards comes pre-flashed and no firmware
download is required.
For more details see:
http://wireless.kernel.org/en/users/Drivers/wil6210
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Thu, 3 Jan 2013 01:32:19 +0000 (17:32 -0800)]
mwifiex: fix typo in setting up ibss network parameters
commit 683b6d3... "cfg80211: pass a channel definition struct"
accidentally changed "==" to "!=".
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bing Zhao [Thu, 3 Jan 2013 00:07:35 +0000 (16:07 -0800)]
mwifiex: check wait_event_interruptible return value
wait_event_interruptible function returns -ERESTARTSYS if it's
interrupted by a signal. Driver should check the return value
and handle this case properly.
In mwifiex_wait_queue_complete() routine, as we are now checking
wait_event_interruptible return value, the condition check is not
required. Also, we have removed mwifiex_cancel_pending_ioctl()
call to avoid a chance of sending second command to FW by other path
as soon as we clear current command node. FW can not handle two
commands simultaneously.
Cc: "3.6+" <stable@vger.kernel.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Fri, 4 Jan 2013 21:06:11 +0000 (16:06 -0500)]
Merge branch 'for-john' of git://git./linux/kernel/git/iwlwifi/iwlwifi-fixes
John W. Linville [Fri, 4 Jan 2013 21:05:14 +0000 (16:05 -0500)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211
Vladimir Kondratiev [Thu, 3 Jan 2013 08:31:19 +0000 (10:31 +0200)]
ath9k: Fix Kconfig for ATH9K_HTC
Ath9k consists of 2 different sub-modules: ATH9K and ATH9K_HTC.
Both uses common Atheros code from ath.ko and need ATH_COMMON.
However, while ATH9K selects ATH_COMMON, ATH9K_HTC does not.
As result, if ATH9K_HTC is the only Atheros card selected, compilation fails with
unresolved symbols.
This patch moves ATH_COMMON selection to the common part for both
ATH9K and ATH9K_HTC
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Emmanuel Grumbach [Mon, 31 Dec 2012 07:26:10 +0000 (09:26 +0200)]
iwlwifi: fix the reclaimed packet tracking upon flush queue
There's a bug in the currently released firmware version,
the sequence control in the Tx response isn't updated in
all cases. Take it from the packet as a workaround.
Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 27 Dec 2012 20:37:04 +0000 (21:37 +0100)]
iwlwifi: fix PCIe interrupt handle return value
By accident, commit
eb6476441bc2fecf6232a87d0313a85f8e3da7f4
("iwlwifi: protect use_ict with irq_lock") changed the return
value of the iwl_pcie_isr() function in case it handles an
interrupt -- it now returns IRQ_NONE instead of IRQ_HANDLED.
Put back the correct return value.
Cc: stable@vger.kernel.org
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Chaitanya [Fri, 21 Dec 2012 11:45:17 +0000 (17:15 +0530)]
mac80211: fix maximum MTU
The maximum MTU shouldn't take the headers into account,
the maximum MSDU size is exactly the maximum MTU.
Signed-off-by: T Krishna Chaitanya <chaitanyatk@posedge.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Mon, 10 Dec 2012 14:38:14 +0000 (16:38 +0200)]
mac80211: fix dtim_period in hidden SSID AP association
When AP's SSID is hidden the BSS can appear several times in
cfg80211's BSS list: once with a zero-length SSID that comes
from the beacon, and once for each SSID from probe reponses.
Since the mac80211 stores its data in ieee80211_bss which
is embedded into cfg80211_bss, mac80211's data will be
duplicated too.
This becomes a problem when a driver needs the dtim_period
since this data exists only in the beacon's instance in
cfg80211 bss table which isn't the instance that is used
when associating.
Remove the DTIM period from the BSS table and track it
explicitly to avoid this problem.
Cc: stable@vger.kernel.org
Tested-by: Efi Tubul <efi.tubul@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 13 Dec 2012 22:08:52 +0000 (23:08 +0100)]
mac80211: use del_timer_sync for final sta cleanup timer deletion
This is a very old bug, but there's nothing that prevents the
timer from running while the module is being removed when we
only do del_timer() instead of del_timer_sync().
The timer should normally not be running at this point, but
it's not clearly impossible (or we could just remove this.)
Cc: stable@vger.kernel.org
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 13 Dec 2012 21:54:58 +0000 (22:54 +0100)]
mac80211: fix station destruction in AP/mesh modes
Unfortunately, commit
b22cfcfcae5b, intended to speed up roaming
by avoiding the synchronize_rcu() broke AP/mesh modes as it moved
some code into that work item that will still call into the driver
at a time where it's no longer expected to handle this: after the
AP or mesh has been stopped.
To fix this problem remove the per-station work struct, maintain a
station cleanup list instead and flush this list when stations are
flushed. To keep this patch smaller for stable, do this when the
stations are flushed (sta_info_flush()). This unfortunately brings
back the original roaming delay; I'll fix that again in a separate
patch.
Also, Ben reported that the original commit could sometimes (with
many interfaces) cause long delays when an interface is set down,
due to blocking on flush_workqueue(). Since we now maintain the
cleanup list, this particular change of the original patch can be
reverted.
Cc: stable@vger.kernel.org [3.7]
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Thomas Pedersen [Tue, 18 Dec 2012 02:41:57 +0000 (18:41 -0800)]
mac80211: RMC buckets are just list heads
The array of rmc_entrys is redundant since only the
list_head is used. Make this an array of list_heads
instead and save ~6k per vif at runtime :D
Signed-off-by: Thomas Pedersen <thomas@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 11 Dec 2012 19:38:41 +0000 (20:38 +0100)]
mac80211: assign VLAN channel contexts
Make AP_VLAN type interfaces track the AP master channel
context so they have one assigned for the various lookups.
Don't give them their own refcount etc. since they're just
slaves to the AP master.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Felix Fietkau [Mon, 10 Dec 2012 19:02:34 +0000 (20:02 +0100)]
mac80211: flush AP_VLAN stations when tearing down the BSS AP
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
[change to flush stations with AP flush in second loop]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stanislaw Gruszka [Tue, 11 Dec 2012 09:48:23 +0000 (10:48 +0100)]
mac80211: fix ibss scanning
Do not scan on no-IBSS and disabled channels in IBSS mode. Doing this
can trigger Microcode errors on iwlwifi and iwlegacy drivers.
Also rename ieee80211_request_internal_scan() function since it is only
used in IBSS mode and simplify calling it from ieee80211_sta_find_ibss().
This patch should address:
https://bugzilla.redhat.com/show_bug.cgi?id=883414
https://bugzilla.kernel.org/show_bug.cgi?id=49411
Reported-by: Jesse Kahtava <jesse_kahtava@f-m.fm>
Reported-by: Mikko Rapeli <mikko.rapeli@iki.fi>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Hante Meuleman [Wed, 2 Jan 2013 14:12:39 +0000 (15:12 +0100)]
brcmfmac: fix parsing rsn ie for ap mode.
RSN IEs got incorrectly parsed and therefore ap mode using WPA2
security was not working.
Cc: stable@vger.kernel.org
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arend van Spriel [Wed, 2 Jan 2013 14:12:38 +0000 (15:12 +0100)]
brcmsmac: add copyright information for Canonical
Patches from Canonical involved the introduction of new source
files debug.[ch]. That coincided with other patches from Broadcom
introducing the same files.
Cc: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 27 Dec 2012 16:37:32 +0000 (10:37 -0600)]
rtlwifi: rtl8723ae: Fix warning for unchecked pci_map_single() call
Kernel 3.8 implements checking of all DMA mapping calls and issues
a WARNING for the first it finds that is not checked.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 27 Dec 2012 16:37:31 +0000 (10:37 -0600)]
rtlwifi: rtl8192se: Fix warning for unchecked pci_map_single() call
Kernel 3.8 implements checking of all DMA mapping calls and issues
a WARNING for the first it finds that is not checked.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 27 Dec 2012 16:37:30 +0000 (10:37 -0600)]
rtlwifi: rtl8192de: Fix warning for unchecked pci_map_single() call
Kernel 3.8 implements checking of all DMA mapping calls and issues
a WARNING for the first it finds that is not checked.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 27 Dec 2012 16:37:29 +0000 (10:37 -0600)]
rtlwifi: rtl8192ce: Fix warning for unchecked pci_map_single() call
Kernel 3.8 implements checking of all DMA mapping calls and issues
a WARNING for the first it finds that is not checked.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Larry Finger [Thu, 27 Dec 2012 16:37:28 +0000 (10:37 -0600)]
rtlwifi: Fix warning for unchecked pci_map_single() call
Kernel 3.8 implements checking of all DMA mapping calls and issues
a WARNING for the first it finds that is not checked.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Christian Lamparter [Thu, 27 Dec 2012 14:18:20 +0000 (15:18 +0100)]
p54usb: add USBIDs for two more p54usb devices
This patch adds USBIDs for:
- DrayTek Vigor 530
- Zoom 4410a
It also adds a note about Gemtek WUBI-100GW
and SparkLAN WL-682 USBID conflict [WUBI-100GW
is a ISL3886+NET2280 (LM86 firmare) solution,
whereas WL-682 is a ISL3887 (LM87 firmware)]
device.
Source: <http://www.wikidevi.com/wiki/Intersil/p54/usb/windows>
Cc: <stable@vger.kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jesper Juhl [Wed, 26 Dec 2012 20:51:12 +0000 (21:51 +0100)]
rtlwifi: Don't leak on error in _rtl_usb_receive()
We fail to release 'urb' if '_rtl_prep_rx_urb()' fails in
_rtl_usb_receive().
This patch should take care of the leak.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith Manoharan [Wed, 26 Dec 2012 06:57:39 +0000 (12:27 +0530)]
ath9k_hw: Fix RX gain initvals for AR9485
Populate iniModesRxGain with the correct initvals
array for AR9485 v1.1
Cc: stable@vger.kernel.org
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Rafał Miłecki [Tue, 25 Dec 2012 21:34:22 +0000 (22:34 +0100)]
bcma: correct M25P32 serial flash ID
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Niels Ole Salscheider [Mon, 24 Dec 2012 12:07:36 +0000 (13:07 +0100)]
brcmsmac: Use udelay instead of usleep_range
wlc_lcnphy_rx_iq_cal_gain is called during initialization, i. e. when
executing brcms_up.
But brcms_up is called from brcms_ops_start while the latter holds a spin lock.
Thus, we cannot use usleep_range but have to use udelay.
This fixes:
BUG: scheduling while atomic: NetworkManager/1652/0x00000200
[...]
Call Trace:
[<
ffffffff81582522>] __schedule_bug+0x48/0x54
[<
ffffffff815892b6>] __schedule+0x596/0x6d0
[<
ffffffff81589719>] schedule+0x29/0x70
[<
ffffffff8158893c>] schedule_hrtimeout_range_clock+0xfc/0x140
[<
ffffffff81060f10>] ? update_rmtp+0x70/0x70
[<
ffffffff81588993>] schedule_hrtimeout_range+0x13/0x20
[<
ffffffff810495e0>] usleep_range+0x40/0x50
[<
ffffffffa05dedcb>] wlc_lcnphy_rx_iq_cal.constprop.10+0x59b/0xa90 [brcmsmac]
[<
ffffffffa05df4ce>] wlc_lcnphy_periodic_cal+0x20e/0x220 [brcmsmac]
[<
ffffffffa05dce8d>] ? wlc_lcnphy_set_tx_pwr_ctrl+0x21d/0x3c0 [brcmsmac]
[<
ffffffffa05e0cfc>] wlc_phy_init_lcnphy+0xacc/0x1100 [brcmsmac]
[<
ffffffffa05e0230>] ? wlc_phy_txpower_recalc_target_lcnphy+0x90/0x90 [brcmsmac]
[<
ffffffffa05d7c7d>] wlc_phy_init+0xcd/0x170 [brcmsmac]
[<
ffffffffa05c9dfe>] brcms_b_bsinit.isra.65+0x12e/0x310 [brcmsmac]
[<
ffffffffa05d061b>] brcms_c_init+0x8fb/0x1170 [brcmsmac]
[<
ffffffffa05c3a0a>] brcms_init+0x5a/0x70 [brcmsmac]
[<
ffffffffa05ce76c>] brcms_c_up+0x1ac/0x4a0 [brcmsmac]
[<
ffffffffa05c3c65>] brcms_up+0x25/0x30 [brcmsmac]
[<
ffffffffa05c44c0>] brcms_ops_start+0xd0/0x100 [brcmsmac]
[...]
Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Tomasz Guszkowski [Sat, 22 Dec 2012 17:30:01 +0000 (18:30 +0100)]
p54usb: add USB ID for T-Com Sinus 154 data II
Added USB ID for T-Com Sinus 154 data II.
Cc: <stable@vger.kernel.org>
Signed-off-by: Tomasz Guszkowski <tsg@o2.pl>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Christian Lamparter [Sat, 22 Dec 2012 03:35:24 +0000 (04:35 +0100)]
carl9170: fix -EINVAL bailout during init with !CONFIG_MAC80211_MESH
Sean reported that as of 3.7, his AR9170 device no longer works
because the driver fails during initialization. He noted this
is due to:
"In carl9170/fw.c, ar->hw->wiphy is tagged with
NL80211_IFTYPE_MESH_POINT support if the firmware has Content
after Beacon Queuing. This is both in interface_modes and the
only iface_combinations entry.
If CONFIG_MAC80211_MESH is not set, ieee80211_register_hw
removes NL80211_IFTYPE_MESH_POINT from interface_modes, but
not iface_combinations.
wiphy_register then checks to see if every interface type in
every interface combination is in interface_modes.
NL80211_IFTYPE_MESH_POINT was removed, so you get a WARN_ON
warning and it returns -EINVAL, giving up."
Unfortunately, the iface_combination (types) feature bitmap
in ieee80211_iface_limit is part of a const member in the
ieee80211_iface_combination struct. Hence, the MESH_POINT
feature flag can't be masked by wiphy_register in the
same way as interface_modes in ieee80211_register_hw.
Cc: <stable@vger.kernel.org>
Reported-by: Sean Patrick Santos <quantheory@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Tested-by: Sean Patrick Santos <quantheory@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jussi Kivilinna [Thu, 20 Dec 2012 14:24:43 +0000 (16:24 +0200)]
rtlwifi: fix incorrect use of usb_alloc_coherent with usb_control_msg
Incorrect use of usb_alloc_coherent memory as input buffer to usb_control_msg
can cause problems in arch DMA code, for example kernel BUG at
'arch/arm/include/asm/dma-mapping.h:321' on ARM (linux-3.4).
Change _usb_writeN_sync use kmalloc'd buffer instead.
Cc: stable@vger.kernel.org
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith Manoharan [Thu, 20 Dec 2012 03:08:00 +0000 (08:38 +0530)]
ath9k: Fix compilation breakage
Since ath9k makes use of mac80211's debugfs hooks to
maintain station statistics, make ATH9K_DEBUGFS
select MAC80211_DEBUGFS. This fixes the issue reported by
Fengguang Wu:
drivers/net/wireless/ath/ath9k/debug.c: In function 'ath9k_sta_add_debugfs':
drivers/net/wireless/ath/ath9k/debug.c:1589:4: error: 'struct ath_node' has no member named 'node_stat'
drivers/net/wireless/ath/ath9k/debug.c: In function 'ath9k_sta_remove_debugfs':
drivers/net/wireless/ath/ath9k/debug.c:1599:19: error: 'struct ath_node' has no member named 'node_stat'
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Geert Uytterhoeven [Sun, 16 Dec 2012 15:35:36 +0000 (16:35 +0100)]
ssb: SSB_DRIVER_GPIO should depend on GPIOLIB instead of selecting it
Commit
ec43b08b5733494ad88aa618ecdf534320dd8207 ("ssb: add GPIO driver")
added SSB_DRIVER_GPIO, which unconditionally selects GPIOLIB, causing
a Kconfig warning:
warning: (ARCH_REQUIRE_GPIOLIB && SSB_DRIVER_GPIO && BCMA_DRIVER_GPIO && MFD_TC6393XB && FB_VIA) selects GPIOLIB which has unmet direct dependencies (ARCH_WANT_OPTIONAL_GPIOLIB || ARCH_REQUIRE_GPIOLIB)
and build failure for m68k/allmodconfig:
In file included from drivers/ssb/ssb_private.h:5,
from drivers/ssb/main.c:12:
include/linux/ssb/ssb.h:440: error: field ‘gpio’ has incomplete type
make[4]: *** [drivers/ssb/main.o] Error 1
make[3]: *** [drivers/ssb/] Error 2
Turn the select into a dependency to fix this.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Geert Uytterhoeven [Sun, 16 Dec 2012 15:35:35 +0000 (16:35 +0100)]
bcma: BCMA_DRIVER_GPIO should depend on GPIOLIB instead of selecting it
Commit
cf0936b06d8e98a157630e99f647e2ff6d29d7ad ("bcma: add GPIO driver")
added BCMA_DRIVER_GPIO, which unconditionally selects GPIOLIB, causing
a Kconfig warning:
warning: (ARCH_REQUIRE_GPIOLIB && SSB_DRIVER_GPIO && BCMA_DRIVER_GPIO && MFD_TC6393XB && FB_VIA) selects GPIOLIB which has unmet direct dependencies (ARCH_WANT_OPTIONAL_GPIOLIB || ARCH_REQUIRE_GPIOLIB)
and build failure for m68k/allmodconfig:
In file included from include/linux/bcma/bcma.h:8,
from drivers/bcma/bcma_private.h:9,
from drivers/bcma/main.c:9:
include/linux/bcma/bcma_driver_chipcommon.h:582: error: field ‘gpio’ has incomplete type
In file included from include/linux/bcma/bcma.h:12,
from drivers/bcma/bcma_private.h:9,
from drivers/bcma/main.c:9:
include/linux/ssb/ssb.h:440: error: field ‘gpio’ has incomplete type
make[4]: *** [drivers/bcma/main.o] Error 1
make[3]: *** [drivers/bcma/] Error 2
Turn the select into a dependency to fix this.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Linus Torvalds [Sat, 22 Dec 2012 01:19:00 +0000 (17:19 -0800)]
Linux 3.8-rc1
Linus Torvalds [Sat, 22 Dec 2012 01:10:29 +0000 (17:10 -0800)]
Merge git://www.linux-watchdog.org/linux-watchdog
Pull watchdog updates from Wim Van Sebroeck:
"This includes some fixes and code improvements (like
clk_prepare_enable and clk_disable_unprepare), conversion from the
omap_wdt and twl4030_wdt drivers to the watchdog framework, addition
of the SB8x0 chipset support and the DA9055 Watchdog driver and some
OF support for the davinci_wdt driver."
* git://www.linux-watchdog.org/linux-watchdog: (22 commits)
watchdog: mei: avoid oops in watchdog unregister code path
watchdog: Orion: Fix possible null-deference in orion_wdt_probe
watchdog: sp5100_tco: Add SB8x0 chipset support
watchdog: davinci_wdt: add OF support
watchdog: da9052: Fix invalid free of devm_ allocated data
watchdog: twl4030_wdt: Change TWL4030_MODULE_PM_RECEIVER to TWL_MODULE_PM_RECEIVER
watchdog: remove depends on CONFIG_EXPERIMENTAL
watchdog: Convert dev_printk(KERN_<LEVEL> to dev_<level>(
watchdog: DA9055 Watchdog driver
watchdog: omap_wdt: eliminate goto
watchdog: omap_wdt: delete redundant platform_set_drvdata() calls
watchdog: omap_wdt: convert to devm_ functions
watchdog: omap_wdt: convert to new watchdog core
watchdog: WatchDog Timer Driver Core: fix comment
watchdog: s3c2410_wdt: use clk_prepare_enable and clk_disable_unprepare
watchdog: imx2_wdt: Select the driver via ARCH_MXC
watchdog: cpu5wdt.c: add missing del_timer call
watchdog: hpwdt.c: Increase version string
watchdog: Convert twl4030_wdt to watchdog core
davinci_wdt: preparation for switch to common clock framework
...
Linus Torvalds [Sat, 22 Dec 2012 01:09:07 +0000 (17:09 -0800)]
Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6
Pull CIFS fixes from Steve French:
"Misc small cifs fixes"
* 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
cifs: eliminate cifsERROR variable
cifs: don't compare uniqueids in cifs_prime_dcache unless server inode numbers are in use
cifs: fix double-free of "string" in cifs_parse_mount_options
Linus Torvalds [Sat, 22 Dec 2012 01:08:06 +0000 (17:08 -0800)]
Merge tag 'dm-3.8-fixes' of git://git./linux/kernel/git/agk/linux-dm
Pull dm update from Alasdair G Kergon:
"Miscellaneous device-mapper fixes, cleanups and performance
improvements.
Of particular note:
- Disable broken WRITE SAME support in all targets except linear and
striped. Use it when kcopyd is zeroing blocks.
- Remove several mempools from targets by moving the data into the
bio's new front_pad area(which dm calls 'per_bio_data').
- Fix a race in thin provisioning if discards are misused.
- Prevent userspace from interfering with the ioctl parameters and
use kmalloc for the data buffer if it's small instead of vmalloc.
- Throttle some annoying error messages when I/O fails."
* tag 'dm-3.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm: (36 commits)
dm stripe: add WRITE SAME support
dm: remove map_info
dm snapshot: do not use map_context
dm thin: dont use map_context
dm raid1: dont use map_context
dm flakey: dont use map_context
dm raid1: rename read_record to bio_record
dm: move target request nr to dm_target_io
dm snapshot: use per_bio_data
dm verity: use per_bio_data
dm raid1: use per_bio_data
dm: introduce per_bio_data
dm kcopyd: add WRITE SAME support to dm_kcopyd_zero
dm linear: add WRITE SAME support
dm: add WRITE SAME support
dm: prepare to support WRITE SAME
dm ioctl: use kmalloc if possible
dm ioctl: remove PF_MEMALLOC
dm persistent data: improve improve space map block alloc failure message
dm thin: use DMERR_LIMIT for errors
...
J. Bruce Fields [Sat, 22 Dec 2012 00:48:59 +0000 (19:48 -0500)]
Revert "nfsd: warn on odd reply state in nfsd_vfs_read"
This reverts commit
79f77bf9a4e3dd5ead006b8f17e7c4ff07d8374e.
This is obviously wrong, and I have no idea how I missed seeing the
warning in testing: I must just not have looked at the right logs. The
caller bumps rq_resused/rq_next_page, so it will always be hit on a
large enough read.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sat, 22 Dec 2012 00:40:26 +0000 (16:40 -0800)]
Merge tag 'rdma-for-linus' of git://git./linux/kernel/git/roland/infiniband
Pull more infiniband changes from Roland Dreier:
"Second batch of InfiniBand/RDMA changes for 3.8:
- cxgb4 changes to fix lookup engine hash collisions
- mlx4 changes to make flow steering usable
- fix to IPoIB to avoid pinning dst reference for too long"
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
RDMA/cxgb4: Fix bug for active and passive LE hash collision path
RDMA/cxgb4: Fix LE hash collision bug for passive open connection
RDMA/cxgb4: Fix LE hash collision bug for active open connection
mlx4_core: Allow choosing flow steering mode
mlx4_core: Adjustments to Flow Steering activation logic for SR-IOV
mlx4_core: Fix error flow in the flow steering wrapper
mlx4_core: Add QPN enforcement for flow steering rules set by VFs
cxgb4: Add LE hash collision bug fix path in LLD driver
cxgb4: Add T4 filter support
IPoIB: Call skb_dst_drop() once skb is enqueued for sending
Linus Torvalds [Sat, 22 Dec 2012 00:39:08 +0000 (16:39 -0800)]
Merge tag 'asm-generic' of git://git./linux/kernel/git/arnd/asm-generic
Pull asm-generic cleanup from Arnd Bergmann:
"These are a few cleanups for asm-generic:
- a set of patches from Lars-Peter Clausen to generalize asm/mmu.h
and use it in the architectures that don't need any special
handling.
- A patch from Will Deacon to remove the {read,write}s{b,w,l} as
discussed during the arm64 review
- A patch from James Hogan that helps with the meta architecture
series."
* tag 'asm-generic' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
xtensa: Use generic asm/mmu.h for nommu
h8300: Use generic asm/mmu.h
c6x: Use generic asm/mmu.h
asm-generic/mmu.h: Add support for FDPIC
asm-generic/mmu.h: Remove unused vmlist field from mm_context_t
asm-generic: io: remove {read,write} string functions
asm-generic/io.h: remove asm/cacheflush.h include
Kukjin Kim [Fri, 21 Dec 2012 18:02:13 +0000 (10:02 -0800)]
ARM: dts: fix duplicated build target and alphabetical sort out for exynos
Commit
db5b0ae00712 ("Merge tag 'dt' of git://git.kernel.org/.../arm-soc")
causes a duplicated build target. This patch fixes it and sorts out the
build target alphabetically so that we can recognize something wrong
easily.
Cc: Olof Johansson <olof@lixom.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mike Snitzer [Fri, 21 Dec 2012 20:23:41 +0000 (20:23 +0000)]
dm stripe: add WRITE SAME support
Rename stripe_map_discard to stripe_map_range and reuse it for WRITE
SAME bio processing.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:41 +0000 (20:23 +0000)]
dm: remove map_info
This patch removes map_info from bio-based device mapper targets.
map_info is still used for request-based targets.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:41 +0000 (20:23 +0000)]
dm snapshot: do not use map_context
Eliminate struct map_info from dm-snap.
map_info->ptr was used in dm-snap to indicate if the bio was tracked.
If map_info->ptr was non-NULL, the bio was linked in tracked_chunk_hash.
This patch removes the use of map_info->ptr. We determine if the bio was
tracked based on hlist_unhashed(&c->node). If hlist_unhashed is true,
the bio is not tracked, if it is false, the bio is tracked.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:40 +0000 (20:23 +0000)]
dm thin: dont use map_context
This patch removes endio_hook_pool from dm-thin and uses per-bio data instead.
This patch removes any use of map_info in preparation for the next patch
that removes map_info from bio-based device mapper.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:40 +0000 (20:23 +0000)]
dm raid1: dont use map_context
Don't use map_info any more in dm-raid1.
map_info was used for writes to hold the region number. For this purpose
we add a new field dm_bio_details to dm_raid1_bio_record.
map_info was used for reads to hold a pointer to dm_raid1_bio_record (if
the pointer was non-NULL, bio details were saved; if the pointer was
NULL, bio details were not saved). We use
dm_raid1_bio_record.details->bi_bdev for this purpose. If bi_bdev is
NULL, details were not saved, if bi_bdev is non-NULL, details were
saved.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:39 +0000 (20:23 +0000)]
dm flakey: dont use map_context
Replace map_info with a per-bio structure "struct per_bio_data" in dm-flakey.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:39 +0000 (20:23 +0000)]
dm raid1: rename read_record to bio_record
Rename struct read_record to bio_record in dm-raid1.
In the following patch, the structure will be used for both read and
write bios, so rename it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:39 +0000 (20:23 +0000)]
dm: move target request nr to dm_target_io
This patch moves target_request_nr from map_info to dm_target_io and
makes it accessible with dm_bio_get_target_request_nr.
This patch is a preparation for the next patch that removes map_info.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:38 +0000 (20:23 +0000)]
dm snapshot: use per_bio_data
Replace tracked_chunk_pool with per_bio_data in dm-snap.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:38 +0000 (20:23 +0000)]
dm verity: use per_bio_data
Replace io_mempool with per_bio_data in dm-verity.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:38 +0000 (20:23 +0000)]
dm raid1: use per_bio_data
Replace read_record_pool with per_bio_data in dm-raid1.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:38 +0000 (20:23 +0000)]
dm: introduce per_bio_data
Introduce a field per_bio_data_size in struct dm_target.
Targets can set this field in the constructor. If a target sets this
field to a non-zero value, "per_bio_data_size" bytes of auxiliary data
are allocated for each bio submitted to the target. These data can be
used for any purpose by the target and help us improve performance by
removing some per-target mempools.
Per-bio data is accessed with dm_per_bio_data. The
argument data_size must be the same as the value per_bio_data_size in
dm_target.
If the target has a pointer to per_bio_data, it can get a pointer to
the bio with dm_bio_from_per_bio_data() function (data_size must be the
same as the value passed to dm_per_bio_data).
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:37 +0000 (20:23 +0000)]
dm kcopyd: add WRITE SAME support to dm_kcopyd_zero
Add WRITE SAME support to dm-io and make it accessible to
dm_kcopyd_zero(). dm_kcopyd_zero() provides an asynchronous interface
whereas the blkdev_issue_write_same() interface is synchronous.
WRITE SAME is a SCSI command that can be leveraged for more efficient
zeroing of a specified logical extent of a device which supports it.
Only a single zeroed logical block is transfered to the target for each
WRITE SAME and the target then writes that same block across the
specified extent.
The dm thin target uses this.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:37 +0000 (20:23 +0000)]
dm linear: add WRITE SAME support
The linear target can already support WRITE SAME requests so signal
this by setting num_write_same_requests to 1.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:37 +0000 (20:23 +0000)]
dm: add WRITE SAME support
WRITE SAME bios have a payload that contain a single page. When
cloning WRITE SAME bios DM has no need to modify the bi_io_vec
attributes (and doing so would be detrimental). DM need only alter the
start and end of the WRITE SAME bio accordingly.
Rather than duplicate __clone_and_map_discard, factor out a common
function that is also used by __clone_and_map_write_same.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:36 +0000 (20:23 +0000)]
dm: prepare to support WRITE SAME
Allow targets to opt in to WRITE SAME support by setting
'num_write_same_requests' in the dm_target structure.
A dm device will only advertise WRITE SAME support if all its
targets and all its underlying devices support it.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:36 +0000 (20:23 +0000)]
dm ioctl: use kmalloc if possible
If the parameter buffer is small enough, try to allocate it with kmalloc()
rather than vmalloc().
vmalloc is noticeably slower than kmalloc because it has to manipulate
page tables.
In my tests, on PA-RISC this patch speeds up activation 13 times.
On Opteron this patch speeds up activation by 5%.
This patch introduces a new function free_params() to free the
parameters and this uses new flags that record whether or not vmalloc()
was used and whether or not the input buffer must be wiped after use.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:36 +0000 (20:23 +0000)]
dm ioctl: remove PF_MEMALLOC
When allocating memory for the userspace ioctl data, set some
appropriate GPF flags directly instead of using PF_MEMALLOC.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:36 +0000 (20:23 +0000)]
dm persistent data: improve improve space map block alloc failure message
Improve space map error message when unable to allocate a new
metadata block.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:34 +0000 (20:23 +0000)]
dm thin: use DMERR_LIMIT for errors
Throttle all errors logged from the IO path by dm thin.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:34 +0000 (20:23 +0000)]
dm persistent data: use DMERR_LIMIT for errors
Nearly all of persistent-data is in the IO path so throttle error
messages with DMERR_LIMIT to limit the amount logged when
something has gone wrong.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:34 +0000 (20:23 +0000)]
dm block manager: reinstate message when validator fails
Reinstate a useful error message when the block manager buffer validator fails.
This was mistakenly eliminated when the block manager was converted to use
dm-bufio.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Jonathan Brassow [Fri, 21 Dec 2012 20:23:33 +0000 (20:23 +0000)]
dm raid: round region_size to power of two
If the user does not supply a bitmap region_size to the dm raid target,
a reasonable size is computed automatically. If this is not a power of 2,
the md code will report an error later.
This patch catches the problem early and rounds the region_size to the
next power of two.
Signed-off-by: Jonathan Brassow <jbrassow@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:33 +0000 (20:23 +0000)]
dm thin: cleanup dead code
Remove unused @data_block parameter from cell_defer.
Change thin_bio_map to use many returns rather than setting a variable.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:33 +0000 (20:23 +0000)]
dm thin: rename cell_defer_except to cell_defer_no_holder
Rename cell_defer_except() to cell_defer_no_holder() which describes
its function more clearly.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:33 +0000 (20:23 +0000)]
dm snapshot: optimize track_chunk
track_chunk is always called with interrupts enabled. Consequently, we
do not need to save and restore interrupt state in "flags" variable.
This patch changes spin_lock_irqsave to spin_lock_irq and
spin_unlock_irqrestore to spin_unlock_irq.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:32 +0000 (20:23 +0000)]
dm raid: use DM_ENDIO_INCOMPLETE
Use a defined macro DM_ENDIO_INCOMPLETE instead of a numeric constant.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mikulas Patocka [Fri, 21 Dec 2012 20:23:32 +0000 (20:23 +0000)]
dm raid1: remove impossible mempool_alloc error test
mempool_alloc can't fail if __GFP_WAIT is specified, so the condition
that tests if read_record is non-NULL is always true.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:32 +0000 (20:23 +0000)]
dm thin: emit ignore_discard in status when discards disabled
If "ignore_discard" is specified when creating the thin pool device then
discard support is disabled for that device. The pool device's status
should reflect this fact rather than stating "no_discard_passdown"
(which implies discards are enabled but passdown is disabled).
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:32 +0000 (20:23 +0000)]
dm persistent data: fix nested btree deletion
When deleting nested btrees, the code forgets to delete the innermost
btree. The thin-metadata code serendipitously compensates for this by
claiming there is one extra layer in the tree.
This patch corrects both problems.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:31 +0000 (20:23 +0000)]
dm thin: wake worker when discard is prepared
When discards are prepared it is best to directly wake the worker that
will process them. The worker will be woken anyway, via periodic
commit, but there is no reason to not wake_worker here.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Joe Thornber [Fri, 21 Dec 2012 20:23:31 +0000 (20:23 +0000)]
dm thin: fix race between simultaneous io and discards to same block
There is a race when discard bios and non-discard bios are issued
simultaneously to the same block.
Discard support is expensive for all thin devices precisely because you
have to be careful to quiesce the area you're discarding. DM thin must
handle this conflicting IO pattern (simultaneous non-discard vs discard)
even though a sane application shouldn't be issuing such IO.
The race manifests as follows:
1. A non-discard bio is mapped in thin_bio_map.
This doesn't lock out parallel activity to the same block.
2. A discard bio is issued to the same block as the non-discard bio.
3. The discard bio is locked in a dm_bio_prison_cell in process_discard
to lock out parallel activity against the same block.
4. The non-discard bio's mapping continues and its all_io_entry is
incremented so the bio is accounted for in the thin pool's all_io_ds
which is a dm_deferred_set used to track time locality of non-discard IO.
5. The non-discard bio is finally locked in a dm_bio_prison_cell in
process_bio.
The race can result in deadlock, leaving the block layer hanging waiting
for completion of a discard bio that never completes, e.g.:
INFO: task ruby:15354 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
ruby D
ffffffff8160f0e0 0 15354 15314 0x00000000
ffff8802fb08bc58 0000000000000082 ffff8802fb08bfd8 0000000000012900
ffff8802fb08a010 0000000000012900 0000000000012900 0000000000012900
ffff8802fb08bfd8 0000000000012900 ffff8803324b9480 ffff88032c6f14c0
Call Trace:
[<
ffffffff814e5a19>] schedule+0x29/0x70
[<
ffffffff814e3d85>] schedule_timeout+0x195/0x220
[<
ffffffffa06b9bc1>] ? _dm_request+0x111/0x160 [dm_mod]
[<
ffffffff814e589e>] wait_for_common+0x11e/0x190
[<
ffffffff8107a170>] ? try_to_wake_up+0x2b0/0x2b0
[<
ffffffff814e59ed>] wait_for_completion+0x1d/0x20
[<
ffffffff81233289>] blkdev_issue_discard+0x219/0x260
[<
ffffffff81233e79>] blkdev_ioctl+0x6e9/0x7b0
[<
ffffffff8119a65c>] block_ioctl+0x3c/0x40
[<
ffffffff8117539c>] do_vfs_ioctl+0x8c/0x340
[<
ffffffff8119a547>] ? block_llseek+0x67/0xb0
[<
ffffffff811756f1>] sys_ioctl+0xa1/0xb0
[<
ffffffff810561f6>] ? sys_rt_sigprocmask+0x86/0xd0
[<
ffffffff814ef099>] system_call_fastpath+0x16/0x1b
The thinp-test-suite's test_discard_random_sectors reliably hits this
deadlock on fast SSD storage.
The fix for this race is that the all_io_entry for a bio must be
incremented whilst the dm_bio_prison_cell is held for the bio's
associated virtual and physical blocks. That cell locking wasn't
occurring early enough in thin_bio_map. This patch fixes this.
Care is taken to always call the new function inc_all_io_entry() with
the relevant cells locked, but they are generally unlocked before
calling issue() to try to avoid holding the cells locked across
generic_submit_request.
Also, now that thin_bio_map may lock bios in a cell, process_bio() is no
longer the only thread that will do so. Because of this we must be sure
to use cell_defer_except() to release all non-holder entries, that
were added by the other thread, because they must be deferred.
This patch depends on "dm thin: replace dm_cell_release_singleton with
cell_defer_except".
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Cc: stable@vger.kernel.org
Joe Thornber [Fri, 21 Dec 2012 20:23:31 +0000 (20:23 +0000)]
dm thin: replace dm_cell_release_singleton with cell_defer_except
Change existing users of the function dm_cell_release_singleton to share
cell_defer_except instead, and then remove the now-unused function.
Everywhere that calls dm_cell_release_singleton, the bio in question
is the holder of the cell.
If there are no non-holder entries in the cell then cell_defer_except
behaves exactly like dm_cell_release_singleton. Conversely, if there
*are* non-holder entries then dm_cell_release_singleton must not be used
because those entries would need to be deferred.
Consequently, it is safe to replace use of dm_cell_release_singleton
with cell_defer_except.
This patch is a pre-requisite for "dm thin: fix race between
simultaneous io and discards to same block".
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Mike Snitzer [Fri, 21 Dec 2012 20:23:30 +0000 (20:23 +0000)]
dm: disable WRITE SAME
WRITE SAME bios are not yet handled correctly by device-mapper so
disable their use on device-mapper devices by setting
max_write_same_sectors to zero.
As an example, a ciphertext device is incompatible because the data
gets changed according to the location at which it written and so the
dm crypt target cannot support it.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Cc: Milan Broz <mbroz@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Alasdair G Kergon [Fri, 21 Dec 2012 20:23:30 +0000 (20:23 +0000)]
dm ioctl: prevent unsafe change to dm_ioctl data_size
Abort dm ioctl processing if userspace changes the data_size parameter
after we validated it but before we finished copying the data buffer
from userspace.
The dm ioctl parameters are processed in the following sequence:
1. ctl_ioctl() calls copy_params();
2. copy_params() makes a first copy of the fixed-sized portion of the
userspace parameters into the local variable "tmp";
3. copy_params() then validates tmp.data_size and allocates a new
structure big enough to hold the complete data and copies the whole
userspace buffer there;
4. ctl_ioctl() reads userspace data the second time and copies the whole
buffer into the pointer "param";
5. ctl_ioctl() reads param->data_size without any validation and stores it
in the variable "input_param_size";
6. "input_param_size" is further used as the authoritative size of the
kernel buffer.
The problem is that userspace code could change the contents of user
memory between steps 2 and 4. In particular, the data_size parameter
can be changed to an invalid value after the kernel has validated it.
This lets userspace force the kernel to access invalid kernel memory.
The fix is to ensure that the size has not changed at step 4.
This patch shouldn't have a security impact because CAP_SYS_ADMIN is
required to run this code, but it should be fixed anyway.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Cc: stable@kernel.org