commit fa6e20ce66acf0a63e139059041c9ef8da2bfab4
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jun 5 21:17:26 2017 +0100

    Linux 3.16.44

commit 55c51263ff43e3bf5deb1425f4221696f94db1be
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 19 14:17:48 2017 -0700

    ipv6: fix out of bound writes in __ip6_append_data()
    
    commit 232cd35d0804cc241eb887bb8d4d9b3b9881c64a upstream.
    
    Andrey Konovalov and idaifish@gmail.com reported crashes caused by
    one skb shared_info being overwritten from __ip6_append_data()
    
    Andrey's program led to the following state:
    
    copy -4200 datalen 2000 fraglen 2040
    maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
    
    The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
    fraggap, 0); is overwriting skb->head and skb_shared_info
    
    Since we apparently detect this rare condition too late, move the
    code earlier to even avoid allocating skb and risking crashes.
    
    Once again, many thanks to Andrey and syzkaller team.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Tested-by: Andrey Konovalov <andreyknvl@google.com>
    Reported-by: <idaifish@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 53d48f98b800059504da76d12bf0074581aa0fe2
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date:   Tue May 9 16:59:54 2017 -0700

    ipv6/dccp: do not inherit ipv6_mc_list from parent
    
    commit 83eaddab4378db256d00d295bda6ca997cd13a52 upstream.
    
    Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
    we should clear ipv6_mc_list etc. for IPv6 sockets too.
    
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 60e7579f4b71e2e8b252d2f1b3ef5ffb3b971a4e
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed May 17 07:16:40 2017 -0700

    sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
    
    commit fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 upstream.
    
    SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
    ipv6_mc_list from parent"), otherwise bad things can happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Tested-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7ccac51c850f0c5dfebf6a3b3fec5760c6887ef0
Author: David S. Miller <davem@davemloft.net>
Date:   Wed May 17 22:54:11 2017 -0400

    ipv6: Check ip6_find_1stfragopt() return value properly.
    
    commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 upstream.
    
    Do not use unsigned variables to see if it returns a negative
    error or not.
    
    Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
    Reported-by: Julia Lawall <julia.lawall@lip6.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3bff722de601acaf593a1ade13fbbee54b688e9b
Author: Craig Gallek <kraig@google.com>
Date:   Tue May 16 14:36:23 2017 -0400

    ipv6: Prevent overrun when parsing v6 header options
    
    commit 2423496af35d94a87156b063ea5cedffc10a70a1 upstream.
    
    The KASAN warning reported below was discovered with a syzkaller
    program.  The reproducer is basically:
      int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
      send(s, &one_byte_of_data, 1, MSG_MORE);
      send(s, &more_than_mtu_bytes_data, 2000, 0);
    
    The socket() call sets the nexthdr field of the v6 header to
    NEXTHDR_HOP, the first send call primes the payload with a non zero
    byte of data, and the second send call triggers the fragmentation path.
    
    The fragmentation code tries to parse the header options in order
    to figure out where to insert the fragment option.  Since nexthdr points
    to an invalid option, the calculation of the size of the network header
    can be made to be much larger than the linear section of the skb and data
    is read outside of it.
    
    This fix makes ip6_find_1stfrag return an error if it detects
    running out-of-bounds.
    
    [   42.361487] ==================================================================
    [   42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
    [   42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
    [   42.366469]
    [   42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
    [   42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
    [   42.368824] Call Trace:
    [   42.369183]  dump_stack+0xb3/0x10b
    [   42.369664]  print_address_description+0x73/0x290
    [   42.370325]  kasan_report+0x252/0x370
    [   42.370839]  ? ip6_fragment+0x11c8/0x3730
    [   42.371396]  check_memory_region+0x13c/0x1a0
    [   42.371978]  memcpy+0x23/0x50
    [   42.372395]  ip6_fragment+0x11c8/0x3730
    [   42.372920]  ? nf_ct_expect_unregister_notifier+0x110/0x110
    [   42.373681]  ? ip6_copy_metadata+0x7f0/0x7f0
    [   42.374263]  ? ip6_forward+0x2e30/0x2e30
    [   42.374803]  ip6_finish_output+0x584/0x990
    [   42.375350]  ip6_output+0x1b7/0x690
    [   42.375836]  ? ip6_finish_output+0x990/0x990
    [   42.376411]  ? ip6_fragment+0x3730/0x3730
    [   42.376968]  ip6_local_out+0x95/0x160
    [   42.377471]  ip6_send_skb+0xa1/0x330
    [   42.377969]  ip6_push_pending_frames+0xb3/0xe0
    [   42.378589]  rawv6_sendmsg+0x2051/0x2db0
    [   42.379129]  ? rawv6_bind+0x8b0/0x8b0
    [   42.379633]  ? _copy_from_user+0x84/0xe0
    [   42.380193]  ? debug_check_no_locks_freed+0x290/0x290
    [   42.380878]  ? ___sys_sendmsg+0x162/0x930
    [   42.381427]  ? rcu_read_lock_sched_held+0xa3/0x120
    [   42.382074]  ? sock_has_perm+0x1f6/0x290
    [   42.382614]  ? ___sys_sendmsg+0x167/0x930
    [   42.383173]  ? lock_downgrade+0x660/0x660
    [   42.383727]  inet_sendmsg+0x123/0x500
    [   42.384226]  ? inet_sendmsg+0x123/0x500
    [   42.384748]  ? inet_recvmsg+0x540/0x540
    [   42.385263]  sock_sendmsg+0xca/0x110
    [   42.385758]  SYSC_sendto+0x217/0x380
    [   42.386249]  ? SYSC_connect+0x310/0x310
    [   42.386783]  ? __might_fault+0x110/0x1d0
    [   42.387324]  ? lock_downgrade+0x660/0x660
    [   42.387880]  ? __fget_light+0xa1/0x1f0
    [   42.388403]  ? __fdget+0x18/0x20
    [   42.388851]  ? sock_common_setsockopt+0x95/0xd0
    [   42.389472]  ? SyS_setsockopt+0x17f/0x260
    [   42.390021]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
    [   42.390650]  SyS_sendto+0x40/0x50
    [   42.391103]  entry_SYSCALL_64_fastpath+0x1f/0xbe
    [   42.391731] RIP: 0033:0x7fbbb711e383
    [   42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    [   42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
    [   42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
    [   42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
    [   42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
    [   42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
    [   42.397257]
    [   42.397411] Allocated by task 3789:
    [   42.397702]  save_stack_trace+0x16/0x20
    [   42.398005]  save_stack+0x46/0xd0
    [   42.398267]  kasan_kmalloc+0xad/0xe0
    [   42.398548]  kasan_slab_alloc+0x12/0x20
    [   42.398848]  __kmalloc_node_track_caller+0xcb/0x380
    [   42.399224]  __kmalloc_reserve.isra.32+0x41/0xe0
    [   42.399654]  __alloc_skb+0xf8/0x580
    [   42.400003]  sock_wmalloc+0xab/0xf0
    [   42.400346]  __ip6_append_data.isra.41+0x2472/0x33d0
    [   42.400813]  ip6_append_data+0x1a8/0x2f0
    [   42.401122]  rawv6_sendmsg+0x11ee/0x2db0
    [   42.401505]  inet_sendmsg+0x123/0x500
    [   42.401860]  sock_sendmsg+0xca/0x110
    [   42.402209]  ___sys_sendmsg+0x7cb/0x930
    [   42.402582]  __sys_sendmsg+0xd9/0x190
    [   42.402941]  SyS_sendmsg+0x2d/0x50
    [   42.403273]  entry_SYSCALL_64_fastpath+0x1f/0xbe
    [   42.403718]
    [   42.403871] Freed by task 1794:
    [   42.404146]  save_stack_trace+0x16/0x20
    [   42.404515]  save_stack+0x46/0xd0
    [   42.404827]  kasan_slab_free+0x72/0xc0
    [   42.405167]  kfree+0xe8/0x2b0
    [   42.405462]  skb_free_head+0x74/0xb0
    [   42.405806]  skb_release_data+0x30e/0x3a0
    [   42.406198]  skb_release_all+0x4a/0x60
    [   42.406563]  consume_skb+0x113/0x2e0
    [   42.406910]  skb_free_datagram+0x1a/0xe0
    [   42.407288]  netlink_recvmsg+0x60d/0xe40
    [   42.407667]  sock_recvmsg+0xd7/0x110
    [   42.408022]  ___sys_recvmsg+0x25c/0x580
    [   42.408395]  __sys_recvmsg+0xd6/0x190
    [   42.408753]  SyS_recvmsg+0x2d/0x50
    [   42.409086]  entry_SYSCALL_64_fastpath+0x1f/0xbe
    [   42.409513]
    [   42.409665] The buggy address belongs to the object at ffff88000969e780
    [   42.409665]  which belongs to the cache kmalloc-512 of size 512
    [   42.410846] The buggy address is located 24 bytes inside of
    [   42.410846]  512-byte region [ffff88000969e780, ffff88000969e980)
    [   42.411941] The buggy address belongs to the page:
    [   42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
    [   42.413298] flags: 0x100000000008100(slab|head)
    [   42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
    [   42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
    [   42.415074] page dumped because: kasan: bad access detected
    [   42.415604]
    [   42.415757] Memory state around the buggy address:
    [   42.416222]  ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   42.416904]  ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   42.418273]                    ^
    [   42.418588]  ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   42.419273]  ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   42.419882] ==================================================================
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Craig Gallek <kraig@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
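
Added example (not part of either commit or of the kernel source): a user-space model of the two ipv6 fixes above, showing an extension-header walk that returns -EINVAL when a header runs past the bytes held, and what that error turns into when a caller stores it in an unsigned variable. The function names, the `strict` switch, the simplified header handling and both packets are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN    40   /* fixed IPv6 header */
#define NEXTHDR_HOP      0   /* IANA protocol numbers */
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60
#define NEXTHDR_UDP     17

static int is_ext_hdr(uint8_t nh)
{
    return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_DEST;
}

/*
 * Simplified model: walk the extension headers and return the offset at
 * which a fragment header would be inserted. With strict != 0 the walk
 * returns -EINVAL as soon as a header would extend past `len`; with
 * strict == 0 it returns the computed offset even when it lies outside
 * the buffer, which is the condition the fix is meant to catch.
 */
static int model_find_1stfragopt(const uint8_t *pkt, size_t len, int strict)
{
    size_t offset = IPV6_HDR_LEN;
    uint8_t nexthdr;

    if (len < IPV6_HDR_LEN)
        return -EINVAL;
    nexthdr = pkt[6];                     /* Next Header of the fixed header */
    while (is_ext_hdr(nexthdr)) {
        if (offset + 2 > len)             /* type/length bytes not present */
            return strict ? -EINVAL : (int)offset;
        nexthdr = pkt[offset];
        offset += ((size_t)pkt[offset + 1] + 1) * 8;  /* length in 8-byte units */
        if (offset > len)                 /* header claims more than we hold */
            return strict ? -EINVAL : (int)offset;
    }
    return (int)offset;
}

/* Constructed packet: fixed header announcing hop-by-hop options, then one
 * extension header whose own next-header and length bytes are given. */
static void build_pkt(uint8_t *buf, size_t len, uint8_t ext_next, uint8_t ext_len)
{
    memset(buf, 0, len);
    buf[0] = 0x60;                        /* version 6 */
    buf[6] = NEXTHDR_HOP;
    buf[40] = ext_next;
    buf[41] = ext_len;
}

/* Well-formed: an 8-byte hop-by-hop header followed by UDP. */
static int demo_valid(int strict)
{
    uint8_t p[56];
    build_pkt(p, sizeof(p), NEXTHDR_UDP, 0);
    return model_find_1stfragopt(p, sizeof(p), strict);
}

/* Malformed: payload bytes parsed as a header claiming (0x10 + 1) * 8 bytes. */
static int demo_malformed(int strict)
{
    uint8_t p[48];
    build_pkt(p, sizeof(p), NEXTHDR_HOP, 0x10);
    return model_find_1stfragopt(p, sizeof(p), strict);
}

/* Caller that keeps the result in an unsigned variable: the negative error
 * becomes a huge length and a later "< 0" test can never fire. */
static unsigned int demo_malformed_unsigned(void)
{
    unsigned int hlen = (unsigned int)demo_malformed(1);
    return hlen;
}

int main(void)
{
    printf("valid packet, strict walk:      %d\n", demo_valid(1));
    printf("malformed, unchecked walk:      %d (buffer holds 48 bytes)\n",
           demo_malformed(0));
    printf("malformed, strict walk:         %d\n", demo_malformed(1));
    printf("malformed, result as unsigned:  %u\n", demo_malformed_unsigned());
    return 0;
}
```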

commit e766215595e90b7a307cc7c7054ff43e96340731
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Mar 6 17:36:38 2017 +0100

    USB: serial: omninet: fix reference leaks at open
    
    commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.
    
    This driver needlessly took another reference to the tty on open, a
    reference which was then never released on close. This led to not just
    a leak of the tty, but also a driver reference leak that prevented the
    driver from being unloaded after a port had once been opened.
    
    Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f7287278eea268132ab71b30a0425ccf3a13a323
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Mar 6 17:36:40 2017 +0100

    USB: serial: io_ti: fix information leak in completion handler
    
    commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.
    
    Add missing sanity check to the bulk-in completion handler to avoid an
    integer underflow that can be triggered by a malicious device.
    
    This avoids leaking 128 kB of memory content from after the URB transfer
    buffer to user space.
    
    Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit e4d8daa3b0d195c8aead116dd70aad8124be60c3
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue May 9 06:29:19 2017 -0700

    dccp/tcp: do not inherit mc_list from parent
    
    commit 657831ffc38e30092a2d5f03d385d710eb88b09a upstream.
    
    syzkaller found a way to trigger double frees from ip_mc_drop_socket()
    
    It turns out that we leave a copy of parent mc_list at accept() time,
    which is very bad.
    
    Very similar to commit 8b485ce69876 ("tcp: do not inherit
    fastopen_req from parent")
    
    Initial report from Pray3r, completed by Andrey one.
    Thanks a lot to them !
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Pray3r <pray3r.z@gmail.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Tested-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit bb0ea8af0b69259f5ea1d2fcff52948c98129c5e
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Fri Apr 21 15:26:30 2017 -0400

    nfsd: stricter decoding of write-like NFSv2/v3 ops
    
    commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.
    
    The NFSv2/v3 code does not systematically check whether we decode past
    the end of the buffer.  This generally appears to be harmless, but there
    are a few places where we do arithmetic on the pointers involved and
    don't account for the possibility that a length could be negative.  Add
    checks to catch these.
    
    Reported-by: Tuomas Haanpää <thaan@synopsys.com>
    Reported-by: Ari Kauppi <ari@synopsys.com>
    Reviewed-by: NeilBrown <neilb@suse.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 77ce4cdc2b3d60b49d915eba7351115d332817cb
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Tue Apr 25 16:21:34 2017 -0400

    nfsd4: minor NFSv2/v3 write decoding cleanup
    
    commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b upstream.
    
    Use a couple shortcuts that will simplify a following bugfix.
    
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    [bwh: Backported to 3.16: in nfs3svc_decode_writeargs(), dlen doesn't include
     tail]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1d4ab03084d4bace93b1573c57a309e954d05c09
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Fri Apr 21 16:10:18 2017 -0400

    nfsd: check for oversized NFSv2/v3 arguments
    
    commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.
    
    A client can append random data to the end of an NFSv2 or NFSv3 RPC call
    without our complaining; we'll just stop parsing at the end of the
    expected data and ignore the rest.
    
    Encoded arguments and replies are stored together in an array of pages,
    and if a call is too large it could leave inadequate space for the
    reply.  This is normally OK because NFS RPC's typically have either
    short arguments and long replies (like READ) or long arguments and short
    replies (like WRITE).  But a client that sends an incorrectly long reply
    can violate those assumptions.  This was observed to cause crashes.
    
    Also, several operations increment rq_next_page in the decode routine
    before checking the argument size, which can leave rq_next_page pointing
    well past the end of the page array, causing trouble later in
    svc_free_pages.
    
    So, following a suggestion from Neil Brown, add a central check to
    enforce our expectation that no NFSv2/v3 call has both a large call and
    a large reply.
    
    As followup we may also want to rewrite the encoding routines to check
    more carefully that they aren't running off the end of the page array.
    
    We may also consider rejecting calls that have any extra garbage
    appended.  That would be safer, and within our rights by spec, but given
    the age of our server and the NFS protocol, and the fact that we've
    never enforced this before, we may need to balance that against the
    possibility of breaking some oddball client.
    
    Reported-by: Tuomas Haanpää <thaan@synopsys.com>
    Reported-by: Ari Kauppi <ari@synopsys.com>
    Reviewed-by: NeilBrown <neilb@suse.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c64988b55a19fc5c85f85c433976d6e5210f54dc
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue May 2 13:58:53 2017 +0300

    ipx: call ipxitf_put() in ioctl error path
    
    commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream.
    
    We should call ipxitf_put() if the copy_to_user() fails.
    
    Reported-by: 李强 <liqiang6-s@360.cn>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a1141b19b23a0605d46f3fab63fd2d76207096c4
Author: Amey Telawane <ameyt@codeaurora.org>
Date:   Wed May 3 15:41:14 2017 +0530

    tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
    
    commit e09e28671cda63e6308b31798b997639120e2a21 upstream.
    
    Strcpy is inherently not safe, and strlcpy() should be used instead.
    __trace_find_cmdline() uses strcpy() because the comms saved must have a
    terminating nul character, but it doesn't hurt to add the extra protection
    of using strlcpy() instead of strcpy().
    
    Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
    
    Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
    [AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
    https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    [ Updated change log and removed the "- 1" from len parameter ]
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 69e3721d5a8cb61b35929a997d237a3adae5f56c
Author: Lee, Chun-Yi <joeyli.kernel@gmail.com>
Date:   Thu Nov 3 08:18:52 2016 +0800

    platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
    
    commit 98d610c3739ac354319a6590b915f4624d9151e6 upstream.
    
    The accelerometer event relies on the ACERWMID_EVENT_GUID notify.
    So, this patch changes the code to set up the accelerometer input device
    when ACERWMID_EVENT_GUID is detected. It avoids the accel input
    device being created on every Acer machine.
    
    In addition, the patch adds clearer parsing logic for the accelerometer hid
    to the acer_wmi_get_handle_cb callback function. It positively matches
    the "SENR" name with the "BST0001" device to avoid non-supported hardware.
    
    Reported-by: Bjørn Mork <bjorn@mork.no>
    Cc: Darren Hart <dvhart@infradead.org>
    Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
    [andy: slightly massage commit message]
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit db44ef1d87f8423341e62b292032aca8d144a4d6
Author: Mantas M <grawity@gmail.com>
Date:   Fri Dec 16 10:30:59 2016 +0200

    net: ipv6: check route protocol when deleting routes
    
    commit c2ed1880fd61a998e3ce40254a99a2ad000f1a7d upstream.
    
    The protocol field is checked when deleting IPv4 routes, but ignored for
    IPv6, which causes problems with routing daemons accidentally deleting
    externally set routes (observed by multiple bird6 users).
    
    This can be verified using `ip -6 route del <prefix> proto something`.
    
    Signed-off-by: Mantas Mikulėnas <grawity@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 86222aa6b2ff9e5ba81d272d809b7401144548f0
Author: Omar Sandoval <osandov@fb.com>
Date:   Wed Feb 1 00:02:27 2017 -0800

    virtio-console: avoid DMA from stack
    
    commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.
    
    put_chars() stuffs the buffer it gets into an sg, but that buffer may be
    on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
    manifested as printks getting turned into NUL bytes).
    
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Reviewed-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 522182342410708c54eb2b33ff36e85f0b045a6d
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Feb 2 12:36:01 2017 -0200

    dvb-usb-v2: avoid use-after-free
    
    commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.
    
    I ran into a stack frame size warning because of the on-stack copy of
    the USB device structure:
    
    drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
    drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
    
    Copying a device structure like this is wrong for a number of other reasons
    too aside from the possible stack overflow. One of them is that the
    dev_info() call will print the name of the device later, but AFAICT
    we have only copied a pointer to the name earlier and the actual name
    has been freed by the time it gets printed.
    
    This removes the on-stack copy of the device and instead copies the
    device name using kstrdup(). I'm ignoring the possible failure here
    as both printk() and kfree() are able to deal with NULL pointers.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 13af702256f8b7d9bb51b86c982fe08e96c589c8
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Apr 10 17:27:57 2017 +0800

    crypto: ahash - Fix EINPROGRESS notification callback
    
    commit ef0579b64e93188710d48667cb5e014926af9f1b upstream.
    
    The ahash API modifies the request's callback function in order
    to clean up after itself in some corner cases (unaligned final
    and missing finup).
    
    When the request is complete ahash will restore the original
    callback and everything is fine.  However, when the request gets
    an EBUSY on a full queue, an EINPROGRESS callback is made while
    the request is still ongoing.
    
    In this case the ahash API will incorrectly call its own callback.
    
    This patch fixes the problem by creating a temporary request
    object on the stack which is used to relay EINPROGRESS back to
    the original completion function.
    
    This patch also adds code to preserve the original flags value.
    
    Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
    Reported-by: Sabrina Dubroca <sd@queasysnail.net>
    Tested-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 4474624a1a496e4dc93a2cd49ea915d9c90d80e9
Author: Chris Salls <salls@cs.ucsb.edu>
Date:   Fri Apr 7 23:48:11 2017 -0700

    mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
    
    commit cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 upstream.
    
    In the case that compat_get_bitmap fails we do not want to copy the
    bitmap to the user as it will contain uninitialized stack data and leak
    sensitive data.
    
    Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f7ce1014bc5e4bb42d6b9f5afb308f59534067ea
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Apr 18 15:31:09 2017 +0100

    KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
    
    commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.
    
    This fixes CVE-2017-7472.
    
    Running the following program as an unprivileged user exhausts kernel
    memory by leaking thread keyrings:
    
            #include <keyutils.h>
    
            int main()
            {
                    for (;;)
                            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
            }
    
    Fix it by only creating a new thread keyring if there wasn't one before.
    To make things more consistent, make install_thread_keyring_to_cred()
    and install_process_keyring_to_cred() both return 0 if the corresponding
    keyring is already present.
    
    Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7bb3f26487e578c2cb0567196ce93c008967a269
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Wed Mar 29 16:11:22 2017 +0200

    net/packet: fix overflow in check for tp_reserve
    
    commit bcc5364bdcfe131e6379363f089e7b4108d35b70 upstream.
    
    When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
    
    Fix by checking that tp_reserve <= INT_MAX on assign.
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Wed Mar 29 16:11:21 2017 +0200

    net/packet: fix overflow in check for tp_frame_nr
    
    commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream.
    
    When calculating rb->frames_per_block * req->tp_block_nr the result
    can overflow.
    
    Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
    
    Since frames_per_block <= tp_block_size, the expression would
    never overflow.
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Wed Mar 29 16:11:20 2017 +0200

    net/packet: fix overflow in check for priv area size
    
    commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 upstream.
    
    Subtracting tp_sizeof_priv from tp_block_size and casting to int
    to check whether one is less than the other doesn't always work
    (both of them are unsigned ints).
    
    Compare them as is instead.
    
    Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
    it can overflow inside BLK_PLUS_PRIV otherwise.
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
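
Added example (not part of these commits or of the kernel source): a user-space model of the priv-area check and the tp_frame_nr check described in the two net/packet commits above, run on constructed values that pass the old form of each check and are rejected by the corrected form. `MODEL_BLK_HDR_LEN` is an assumed stand-in for the kernel's block-header length, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel's block-header length (not on this page). */
#define MODEL_BLK_HDR_LEN 48u

/* "Header plus private area" in 32-bit arithmetic: wraps for large input. */
static uint32_t blk_plus_priv32(uint32_t sizeof_priv)
{
    return MODEL_BLK_HDR_LEN + ((sizeof_priv + 7u) & ~7u);
}

/* Same computation after widening to 64 bits first: cannot wrap. */
static uint64_t blk_plus_priv64(uint32_t sizeof_priv)
{
    uint64_t p = sizeof_priv;
    return MODEL_BLK_HDR_LEN + ((p + 7u) & ~(uint64_t)7u);
}

/* Old form: subtract, cast to int, reject if <= 0. Written without the
 * cast: (int)diff <= 0 holds exactly when diff == 0 or diff > INT32_MAX. */
static bool priv_ok_int_cast(uint32_t block_size, uint32_t sizeof_priv)
{
    uint32_t diff = block_size - blk_plus_priv32(sizeof_priv);
    return !(diff == 0 || diff > (uint32_t)INT32_MAX);
}

/* Compare "as is", but still with the 32-bit sum. */
static bool priv_ok_cmp32(uint32_t block_size, uint32_t sizeof_priv)
{
    return block_size > blk_plus_priv32(sizeof_priv);
}

/* Compare "as is" with the private size widened before the sum. */
static bool priv_ok_cmp64(uint32_t block_size, uint32_t sizeof_priv)
{
    return block_size > blk_plus_priv64(sizeof_priv);
}

/* Old frame-count check: the 32-bit product can wrap to match frame_nr. */
static bool frames_ok_old(uint32_t block_size, uint32_t block_nr,
                          uint32_t frame_size, uint32_t frame_nr)
{
    if (frame_size == 0)
        return false;
    return (block_size / frame_size) * block_nr == frame_nr;
}

/* With the added guard: block_size * block_nr must fit in 32 bits, and
 * since frames_per_block <= block_size the product above then cannot wrap. */
static bool frames_ok_fixed(uint32_t block_size, uint32_t block_nr,
                            uint32_t frame_size, uint32_t frame_nr)
{
    if (block_nr == 0 || block_size > UINT32_MAX / block_nr)
        return false;
    return frames_ok_old(block_size, block_nr, frame_size, frame_nr);
}

int main(void)
{
    /* Constructed requests: block_size 4096 with three private sizes. */
    const uint32_t privs[] = { 64u, 0x80001000u, 0xFFFFFFF8u };
    for (size_t i = 0; i < sizeof(privs) / sizeof(privs[0]); i++)
        printf("sizeof_priv=%#010x int-cast:%d cmp32:%d cmp64:%d\n",
               (unsigned)privs[i],
               priv_ok_int_cast(4096, privs[i]),
               priv_ok_cmp32(4096, privs[i]),
               priv_ok_cmp64(4096, privs[i]));

    /* 256 frames per block times 0x01000001 blocks wraps to 256. */
    printf("frame count: old:%d fixed:%d\n",
           frames_ok_old(65536, 0x01000001u, 256, 256),
           frames_ok_fixed(65536, 0x01000001u, 256, 256));
    return 0;
}
```

A 1 in the output means the request is accepted; only the 64-bit comparison rejects both oversized private areas.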

commit 629655f798b92fd309fdde494a3cfb8a37f807ad
Author: Li Qiang <liq3ea@gmail.com>
Date:   Mon Mar 27 20:10:53 2017 -0700

    drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
    
    commit e7e11f99564222d82f0ce84bd521e57d78a6b678 upstream.
    
    In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
    'req->mip_levels' array. This array can be assigned any value from
    the user space. As both the 'num_sizes' and the array are uint32_t,
    it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
    used as the loop count. This can lead to an oob write. Add the check of
    'req->mip_levels' to avoid this.
    
    Signed-off-by: Li Qiang <liqiang6-s@360.cn>
    Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 61cabe967321767052498032178d56a1ea03a7bc
Author: Murray McAllister <murray.mcallister@insomniasec.com>
Date:   Mon Mar 27 11:12:53 2017 +0200

    drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
    
    commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream.
    
    Before memory allocations vmw_surface_define_ioctl() checks the
    upper-bounds of a user-supplied size, but does not check if the
    supplied size is 0.
    
    Add check to avoid NULL pointer dereferences.
    
    Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
    Reviewed-by: Sinclair Yeh <syeh@vmware.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit fda265baa45b630675359db3699bb68350c4b907
Author: Andy Whitcroft <apw@canonical.com>
Date:   Thu Mar 23 07:45:44 2017 +0000

    xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
    
    commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
    
    Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
    wrapping issues.  To ensure we are correctly ensuring that the two ESN
    structures are the same size compare both the overall size as reported
    by xfrm_replay_state_esn_len() and the internal length are the same.
    
    CVE-2017-7184
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 811f5600db1a0a9c4f1abad5017e09f43d7088f3
Author: Andy Whitcroft <apw@canonical.com>
Date:   Wed Mar 22 07:29:31 2017 +0000

    xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    
    commit 677e806da4d916052585301785d847c3b3e6186a upstream.
    
    When a new xfrm state is created during an XFRM_MSG_NEWSA call we
    validate the user supplied replay_esn to ensure that the size is valid
    and to ensure that the replay_window size is within the allocated
    buffer.  However later it is possible to update this replay_esn via a
    XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
    buffer matches the existing state and if so inject the contents.  We do
    not at this point check that the replay_window is within the allocated
    memory.  This leads to out-of-bounds reads and writes triggered by
    netlink packets.  This leads to memory corruption and the potential for
    privilege escalation.
    
    We already attempt to validate the incoming replay information in
    xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
    is not trying to change the size of the replay state buffer which
    includes the replay_esn.  It however does not check the replay_window
    remains within that buffer.  Add validation of the contained
    replay_window.
    
    CVE-2017-7184
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c3f18d2a809b563ef078130ab3758899625e4cfb
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 24 19:36:13 2017 -0700

    ping: implement proper locking
    
    commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.
    
    We got a report of yet another bug in ping
    
    http://www.openwall.com/lists/oss-security/2017/03/24/6
    
    ->disconnect() is not called with socket lock held.
    
    Fix this by acquiring ping rwlock earlier.
    
    Thanks to Daniel, Alexander and Andrey for letting us know this problem.
    
    Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
    Reported-by: Solar Designer <solar@openwall.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 41bd08bfce7c33e0d383e7678e6d6c7e8e041524
Author: David Howells <dhowells@redhat.com>
Date:   Tue Apr 18 15:31:07 2017 +0100

    KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
    
    commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream.
    
    This fixes CVE-2016-9604.
    
    Keyrings whose names begin with a '.' are special internal keyrings and so
    userspace isn't allowed to create keyrings by this name to prevent
    shadowing.  However, the patch that added the guard didn't fix
    KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
    it can also subscribe to them as a session keyring if they grant SEARCH
    permission to the user.
    
    This, for example, allows a root process to set .builtin_trusted_keys as
    its session keyring, at which point it has full access because now the
    possessor permissions are added.  This permits root to add extra public
    keys, thereby bypassing module verification.
    
    This also affects kexec and IMA.
    
    This can be tested by (as root):
    
            keyctl session .builtin_trusted_keys
            keyctl add user a a @s
            keyctl list @s
    
    which on my test box gives me:
    
            2 keys in keyring:
            180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
            801382539: --alswrv     0     0 user: a
    
    
    Fix this by rejecting names beginning with a '.' in the keyctl.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    cc: linux-ima-devel@lists.sourceforge.net
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9ebd407c4356509aafb04e7263804bd3e7a92a2a
Author: David Howells <dhowells@redhat.com>
Date:   Tue Sep 16 17:29:03 2014 +0100

    KEYS: Reinstate EPERM for a key type name beginning with a '.'
    
    commit 54e2c2c1a9d6cbb270b0999a38545fa9a69bee43 upstream.
    
    Reinstate the generation of EPERM for a key type name beginning with a '.' in
    a userspace call.  Types whose name begins with a '.' are internal only.
    
    The test was removed by:
    
            commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
            Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
            Date:   Thu May 22 14:02:23 2014 -0400
            Subject: KEYS: special dot prefixed keyring name bug fix
    
    I think we want to keep the restriction on type name so that userspace can't
    add keys of a special internal type.
    
    Note that removal of the test causes several of the tests in the keyutils
    testsuite to fail.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Vivek Goyal <vgoyal@redhat.com>
    cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5544295830c2335efe45fa94885a31d6da15f08f
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date:   Thu May 22 14:02:23 2014 -0400

    KEYS: special dot prefixed keyring name bug fix
    
    commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d upstream.
    
    Dot prefixed keyring names are supposed to be reserved for the
    kernel, but add_key() calls key_get_type_from_user(), which
    incorrectly verifies the 'type' field, not the 'description' field.
    This patch verifies the 'description' field isn't dot prefixed,
    when creating a new keyring, and removes the dot prefix test in
    key_get_type_from_user().
    
    Changelog v6:
    - whitespace and other cleanup
    
    Changelog v5:
    - Only prevent userspace from creating a dot prefixed keyring, not
      regular keys  - Dmitry
    
    Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Acked-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d2d603cf8fd51f0da5e4bc809d17824faa7630f7
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Mar 7 16:11:03 2017 +0100

    USB: iowarrior: fix NULL-deref at probe
    
    commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.
    
    Make sure to check for the required interrupt-in endpoint to avoid
    dereferencing a NULL-pointer should a malicious device lack such an
    endpoint.
    
    Note that a fairly recent change purported to fix this issue, but added
    an insufficient test on the number of endpoints only, a test which can
    now be removed.
    
    Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
    Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 174e03cdb2c314d76d76c93abbc3eef94db30f9a
Author: Hari Vyas <hariv@broadcom.com>
Date:   Thu Mar 2 17:59:57 2017 -0500

    net: ethernet: bgmac: mac address change bug
    
    commit fa42245dff4a5f2f8f208da542acbd80c22f7c65 upstream.
    
    ndo_set_mac_address() passes struct sockaddr * as 2nd parameter to
    bgmac_set_mac_address() but code assumed u8 *.  This caused two bytes
    chopping and the wrong mac address was configured.
    
    Signed-off-by: Hari Vyas <hariv@broadcom.com>
    Signed-off-by: Jon Mason <jon.mason@broadcom.com>
    Fixes: 4e209001b86 ("bgmac: write mac address to hardware in ndo_set_mac_address")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 454b5e15d9c0dcf9ead4f52e02de8d46d7f789b3
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Thu Mar 2 12:03:40 2017 +0100

    can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
    
    commit 7c42631376306fb3f34d51fda546b50a9b6dd6ec upstream.
    
    The priv->cmd_msg_buffer is allocated in the probe function, but never
    kfree()ed. This patch converts the kzalloc() to resource-managed
    kzalloc.
    
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1dcf51b84cf9c90e1bf88defc431b01f3e096cb4
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Mar 1 14:28:39 2017 -0800

    net: net_enable_timestamp() can be called from irq contexts
    
    commit 13baa00ad01bb3a9f893e3a08cbc2d072fc0c15d upstream.
    
    It is now very clear that silly TCP listeners might play with
    enabling/disabling timestamping while new children are added
    to their accept queue.
    
    Meaning net_enable_timestamp() can be called from BH context
    while current state of the static key is not enabled.
    
    Lets play safe and allow all contexts.
    
    The work queue is scheduled only under the problematic cases,
    which are the static key enable/disable transition, to not slow down
    critical paths.
    
    This extends and improves what we did in commit 5fa8bbda38c6 ("net: use
    a work queue to defer net_disable_timestamp() work")
    
    Fixes: b90e5794c5bd ("net: dont call jump_label_dec from irq context")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0331b8df8465955329d55a419ddbe4532be53de6
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri Jul 24 15:03:40 2015 +0200

    locking/static_keys: Add static_key_{en,dis}able() helpers
    
    commit e33886b38cc82a9fc3b2d655dfc7f50467594138 upstream.
    
    Add two helpers to make it easier to treat the refcount as boolean.
    
    Suggested-by: Jason Baron <jasonbaron0@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 03117f5e31c0938286e064d11b553337a36fca6f
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Tue Jan 3 09:37:34 2017 -0800

    xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
    
    commit 4ab18701c66552944188dbcd0ce0012729baab84 upstream.
    
    FDT tag parsing is not related to whether BLK_DEV_INITRD is configured
    or not, move it out of the corresponding #ifdef/#endif block.
    This fixes passing external FDT to the kernel configured w/o
    BLK_DEV_INITRD support.
    
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b062afbe20f28efbc5897bbf4ccef10e194db298
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 28 15:02:15 2017 +0300

    net/mlx4: && vs & typo
    
    commit b2d0fe35471d1a71471f99147ffb5986bd60e744 upstream.
    
    Bitwise & was obviously intended here.
    
    Fixes: 745d8ae4622c ("net/mlx4: Spoofcheck and zero MAC can't coexist")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d4f438d24ee26daa223f5f34546d49709a1f0c19
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 22:15:51 2017 +0100

    ALSA: seq: Fix link corruption by event error handling
    
    commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream.
    
    The sequencer FIFO management has a bug that may lead to a corruption
    (shortage) of the cell linked list.  When a sequencer client faces an
    error at the event delivery, it tries to put back the dequeued cell.
    When the first queue was put back, this forgot the tail pointer
    tracking, and the link will be screwed up.
    
    Although there is no memory corruption, the sequencer client may stall
    forever at exit while flushing the pending FIFO cells in
    snd_seq_pool_done(), as spotted by syzkaller.
    
    This patch addresses the missing tail pointer tracking at
    snd_seq_fifo_cell_putback().  Also the patch makes sure to clear the
    cell->next pointer at snd_seq_fifo_event_in() for avoiding a similar
    mess-up of the FIFO linked list.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 750db9f5b31aaf623a7ceeed530b5c9e50b5a3e2
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 17:16:48 2017 +0100

    ALSA: ctxfi: Fallback DMA mask to 32bit
    
    commit 15c75b09f8d190f89ab4db463b87d411ca349dfe upstream.
    
    Currently ctxfi driver tries to set only the 64bit DMA mask on 64bit
    architectures, and bails out if it fails.  This causes a problem on
    some platforms since the 64bit DMA isn't always guaranteed.  We should
    fall back to the default 32bit DMA when 64bit DMA fails.
    
    Fixes: 6d74b86d3c0f ("ALSA: ctxfi - Allow 64bit DMA")
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    [bwh: Backported to 3.16:
     - Old code was using PCI DMA mask functions
     - Deleted error message was different]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f99588fa758bb9959ec3e95e6446e5eb5bb8c68c
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Feb 28 14:49:07 2017 +0100

    ALSA: timer: Reject user params with too small ticks
    
    commit 71321eb3f2d0df4e6c327e0b936eec4458a12054 upstream.
    
    When a user sets a too small ticks with a fine-grained timer like
    hrtimer, the kernel tries to fire up the timer irq too frequently.
    This may lead to the condensed locks, eventually the kernel spinlock
    lockup with warnings.
    
    For avoiding such a situation, we define a lower limit of the
    resolution, namely 1ms.  When the user passes a too small tick value
    that results in less than that, the kernel returns -EINVAL now.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 812c9cd9790dfa0bd10f12b0e1f36e8259ea769b
Author: Y.C. Chen <yc_chen@aspeedtech.com>
Date:   Thu Feb 23 15:52:33 2017 +0800

    drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
    
    commit 3856081eede297b617560b85e948cfb00bb395ec upstream.
    
    The current POST code for the AST2300/2400 family doesn't work properly
    if the chip hasn't been initialized previously by either the BMC own FW
    or the VBIOS. This fixes it.
    
    Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Tested-by: Y.C. Chen <yc_chen@aspeedtech.com>
    Acked-by: Joel Stanley <joel@jms.id.au>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit e07fa0fec52c892bc76b57c9fdb9ad17556abfb7
Author: Matt Chen <matt.chen@intel.com>
Date:   Sun Jan 22 02:16:58 2017 +0800

    mac80211: flush delayed work when entering suspend
    
    commit a9e9200d8661c1a0be8c39f93deb383dc940de35 upstream.
    
    The issue was found when entering suspend and resume.
    It triggers a warning in:
    mac80211/key.c: ieee80211_enable_keys()
    ...
    WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
                 sdata->crypto_tx_tailroom_pending_dec);
    ...
    
    It points out sdata->crypto_tx_tailroom_pending_dec isn't cleaned up successfully
    in a delayed_work during suspend. Add a flush_delayed_work to fix it.
    
    Signed-off-by: Matt Chen <matt.chen@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit bfa3a03f915ae4aec8130a44885f7e5f987aaba3
Author: Roman Mashak <mrv@mojatatu.com>
Date:   Fri Feb 24 11:00:32 2017 -0500

    net sched actions: decrement module reference count after table flush.
    
    commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 upstream.
    
    When tc actions are loaded as a module and no actions have been installed,
    flushing them would result in actions removed from the memory, but modules
    reference count not being decremented, so that the modules would not be
    unloaded.
    
    Following is example with GACT action:
    
    % sudo modprobe act_gact
    % lsmod
    Module                  Size  Used by
    act_gact               16384  0
    %
    % sudo tc actions ls action gact
    %
    % sudo tc actions flush action gact
    % lsmod
    Module                  Size  Used by
    act_gact               16384  1
    % sudo tc actions flush action gact
    % lsmod
    Module                  Size  Used by
    act_gact               16384  2
    % sudo rmmod act_gact
    rmmod: ERROR: Module act_gact is in use
    ....
    
    After the fix:
    % lsmod
    Module                  Size  Used by
    act_gact               16384  0
    %
    % sudo tc actions add action pass index 1
    % sudo tc actions add action pass index 2
    % sudo tc actions add action pass index 3
    % lsmod
    Module                  Size  Used by
    act_gact               16384  3
    %
    % sudo tc actions flush action gact
    % lsmod
    Module                  Size  Used by
    act_gact               16384  0
    %
    % sudo tc actions flush action gact
    % lsmod
    Module                  Size  Used by
    act_gact               16384  0
    % sudo rmmod act_gact
    % lsmod
    Module                  Size  Used by
    %
    
    Fixes: f97017cdefef ("net-sched: Fix actions flushing")
    Signed-off-by: Roman Mashak <mrv@mojatatu.com>
    Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f7a81466fb9c92e7c334d9ce69f31a0b5aecac0d
Author: Julian Anastasov <ja@ssi.bg>
Date:   Sun Feb 26 17:14:35 2017 +0200

    ipv4: mask tos for input route
    
    commit 6e28099d38c0e50d62c1afc054e37e573adf3d21 upstream.
    
    Restore the lost masking of TOS in input route code to
    allow ip rules to match it properly.
    
    Problem [1] noticed by Shmulik Ladkani <shmulik.ladkani@gmail.com>
    
    [1] http://marc.info/?t=137331755300040&r=1&w=2
    
    Fixes: 89aef8921bfb ("ipv4: Delete routing cache.")
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1c38d1cd062ab7b76e37e35df7b23e0ca593dddc
Author: Minchan Kim <minchan@kernel.org>
Date:   Fri Feb 24 14:59:59 2017 -0800

    mm: do not access page->mapping directly on page_endio
    
    commit dd8416c47715cf324c9a16f13273f9fda87acfed upstream.
    
    With rw_page, page_endio is used for completing IO on a page and it
    propagates write error to the address space if the IO fails.  The
    problem is it accesses page->mapping directly which might be okay for
    file-backed pages but it shouldn't for anonymous page.  Otherwise, it
    can corrupt one of field from anon_vma under us and system goes panic
    randomly.
    
    swap_writepage
      bdev_writepage
        ops->rw_page
    
    I encountered the BUG during developing new zram feature and it was
    really hard to figure it out because it made random crash, sometime
    mmap_sem lockdep, sometime other places where places never related to
    zram/zsmalloc, and not reproducible with some configuration.
    
    When I consider how that bug is subtle and people do fast-swap test with
    brd, it's worth to add stable mark, I think.
    
    Fixes: dd6bd0d9c7db ("swap: use bdev_read_page() / bdev_write_page()")
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Matthew Wilcox <willy@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8c338cd1301c72ff7667f00a131c98da3ca2c995
Author: Vinayak Menon <vinmenon@codeaurora.org>
Date:   Fri Feb 24 14:59:39 2017 -0800

    mm: vmpressure: fix sending wrong events on underflow
    
    commit e1587a4945408faa58d0485002c110eb2454740c upstream.
    
    At the end of a window period, if the reclaimed pages is greater than
    scanned, an unsigned underflow can result in a huge pressure value and
    thus a critical event.  Reclaimed pages is found to go higher than
    scanned because of the addition of reclaimed slab pages to reclaimed in
    shrink_node without a corresponding increment to scanned pages.
    
    Minchan Kim mentioned that this can also happen in the case of a THP
    page where the scanned is 1 and reclaimed could be 512.
    
    Link: http://lkml.kernel.org/r/1486641577-11685-1-git-send-email-vinmenon@codeaurora.org
    Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
    Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
    Cc: Shiraz Hashim <shashim@codeaurora.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
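
The unsigned underflow described in the vmpressure commit above, as an added userspace example (not code from the kernel patch): with reclaimed greater than scanned the subtraction wraps and the result lands in the critical band, while a guard on reclaimed >= scanned yields zero pressure. The pressure formula, the 60/95 percent thresholds and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

enum level { LEVEL_LOW, LEVEL_MEDIUM, LEVEL_CRITICAL };

/* Thresholds in percent; assumed values for this example. */
#define LEVEL_MED_PCT  60
#define LEVEL_CRIT_PCT 95

static enum level to_level(uint64_t pressure)
{
    if (pressure >= LEVEL_CRIT_PCT)
        return LEVEL_CRITICAL;
    if (pressure >= LEVEL_MED_PCT)
        return LEVEL_MEDIUM;
    return LEVEL_LOW;
}

/*
 * Pressure as a percentage of scanned pages that were not reclaimed,
 * computed in unsigned arithmetic with no guard on reclaimed > scanned.
 */
static uint64_t pressure_unchecked(uint64_t scanned, uint64_t reclaimed)
{
    uint64_t scale = scanned + reclaimed;
    uint64_t pressure;

    if (scanned == 0)
        return 0;
    /* Wraps around when reclaimed * scale / scanned exceeds scale. */
    pressure = scale - (reclaimed * scale / scanned);
    return pressure * 100 / scale;
}

/* Same calculation, but more reclaimed than scanned means no pressure. */
static uint64_t pressure_guarded(uint64_t scanned, uint64_t reclaimed)
{
    if (scanned == 0 || reclaimed >= scanned)
        return 0;
    return pressure_unchecked(scanned, reclaimed);
}

int main(void)
{
    /* Constructed samples; {1, 512} is the THP case from the commit text. */
    const uint64_t samples[][2] = { {100, 50}, {100, 30}, {100, 2}, {1, 512} };
    const char *names[] = { "low", "medium", "critical" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t s = samples[i][0], r = samples[i][1];
        uint64_t raw = pressure_unchecked(s, r);
        uint64_t safe = pressure_guarded(s, r);

        printf("scanned=%llu reclaimed=%llu unchecked=%llu (%s) guarded=%llu (%s)\n",
               (unsigned long long)s, (unsigned long long)r,
               (unsigned long long)raw, names[to_level(raw)],
               (unsigned long long)safe, names[to_level(safe)]);
    }
    return 0;
}
```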

commit 8e2e30a0a03555bbf5c98aa4d14472a747043989
Author: Gavin Shan <gwshan@linux.vnet.ibm.com>
Date:   Fri Feb 24 14:59:33 2017 -0800

    mm/page_alloc: fix nodes for reclaim in fast path
    
    commit e02dc017c3032dcdce1b993af0db135462e1b4b7 upstream.
    
    When @node_reclaim_node isn't 0, the page allocator tries to reclaim
    pages if the amount of free memory in the zones are below the low
    watermark.  On Power platform, none of NUMA nodes are scanned for page
    reclaim because no nodes match the condition in zone_allows_reclaim().
    On Power platform, RECLAIM_DISTANCE is set to 10 which is the distance
    of Node-A to Node-A.  So the preferred node even won't be scanned for
    page reclaim.
    
       __alloc_pages_nodemask()
       get_page_from_freelist()
          zone_allows_reclaim()
    
    Anton proposed the test code as below:
    
       # cat alloc.c
          :
       int main(int argc, char *argv[])
       {
            void *p;
            unsigned long size;
            unsigned long start, end;
    
            start = time(NULL);
            size = strtoul(argv[1], NULL, 0);
            printf("To allocate %ldGB memory\n", size);
    
            size <<= 30;
            p = malloc(size);
            assert(p);
            memset(p, 0, size);
    
            end = time(NULL);
            printf("Used time: %ld seconds\n", end - start);
            sleep(3600);
            return 0;
       }
    
    The system I use for testing has two NUMA nodes.  Both have 128GB
    memory.  In below scenario, the page caches on node#0 should be reclaimed
    when it encounters pressure to accommodate request of allocation.
    
       # echo 2 > /proc/sys/vm/zone_reclaim_mode; \
         sync; \
         echo 3 > /proc/sys/vm/drop_caches; \
       # taskset -c 0 cat file.32G > /dev/null; \
         grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33619712 kB
       # taskset -c 0 ./alloc 128
       # grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33619840 kB
       # grep MemFree /sys/devices/system/node/node0/meminfo
         Node 0 MemFree:          186816 kB
    
    With the patch applied, the pagecache on node-0 is reclaimed when its
    free memory is running out.  It's the expected behaviour.
    
       # echo 2 > /proc/sys/vm/zone_reclaim_mode; \
         sync; \
         echo 3 > /proc/sys/vm/drop_caches
       # taskset -c 0 cat file.32G > /dev/null; \
         grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:       33605568 kB
       # taskset -c 0 ./alloc 128
       # grep FilePages /sys/devices/system/node/node0/meminfo
         Node 0 FilePages:        1379520 kB
       # grep MemFree /sys/devices/system/node/node0/meminfo
         Node 0 MemFree:           317120 kB
    
    Fixes: 5f7a75acdb24 ("mm: page_alloc: do not cache reclaim distances")
    Link: http://lkml.kernel.org/r/1486532455-29613-1-git-send-email-gwshan@linux.vnet.ibm.com
    Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Anton Blanchard <anton@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c67e72d44634dcaf8cda07833c417faa8e37b837
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Thu Feb 23 17:19:41 2017 +0100

    vxlan: correctly validate VXLAN ID against VXLAN_N_VID
    
    commit 4e37d6911f36545b286d15073f6f2222f840e81c upstream.
    
    The incorrect check caused an off-by-one error: the maximum VID 0xffffff
    was unusable.
    
    Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Acked-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ebfe63171b30e2a1dd0d5075519949179b7ed019
Author: Weston Andros Adamson <dros@primarydata.com>
Date:   Thu Feb 23 14:54:21 2017 -0500

    NFSv4: fix getacl ERANGE for some ACL buffer sizes
    
    commit ed92d8c137b7794c2c2aa14479298b9885967607 upstream.
    
    We're not taking into account that the space needed for the (variable
    length) attr bitmap, with the result that we'd sometimes get a spurious
    ERANGE when the ACL data got close to the end of a page.
    
    Just add in an extra page to make sure.
    
    Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 4613c3d22982d8000d30e077a51fd4cdc0bef934
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Thu Feb 23 14:53:39 2017 -0500

    NFSv4: fix getacl head length estimation
    
    commit 6682c14bbe505a8b912c57faf544f866777ee48d upstream.
    
    Bitmap and attrlen follow immediately after the op reply header.  This
    was an oversight from commit bf118a342f.
    
    Consequences of this are just minor efficiency (extra calls to
    xdr_shrink_bufhead).
    
    Fixes: bf118a342f10 "NFSv4: include bitmap in nfsv4 get acl data"
    Reviewed-by: Kinglong Mee <kinglongmee@gmail.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f417a02fe6d3286467ddabc8720c4885a3e56094
Author: Hou Pengyang <houpengyang@huawei.com>
Date:   Thu Feb 16 12:34:31 2017 +0000

    f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
    
    commit e93b9865251a0503d83fd570e7d5a7c8bc351715 upstream.
    
    For foreground gc, greedy algorithm should be adapted, which makes
    this formula work well:
    
            (2 * (100 / config.overprovision + 1) + 6)
    
    But currently, we fg_gc have a prior to select bg_gc victim segments to gc
    first, these victims are selected by cost-benefit algorithm, we can't guarantee
    such segments have the small valid blocks, which may destroy the f2fs rule, on
    the worst case, would consume all the free segments.
    
    This patch fixes this by adding a filter in check_bg_victims, if segment's has # of
    valid blocks over overprovision ratio, skip such segments.
    
    Signed-off-by: Hou Pengyang <houpengyang@huawei.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    [bwh: Backported to 3.16:
     - In get_victim_by_default(), use continue rather than goto
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9d38c630f587aa407780ca51ded7278c2ebc7bfc
Author: Chao Yu <chao2.yu@samsung.com>
Date:   Mon Aug 4 10:10:07 2014 +0800

    f2fs: use for_each_set_bit to simplify the code
    
    commit b65ee14818e67127aa242fe1dbd3711b9c095cc0 upstream.
    
    This patch uses for_each_set_bit to simplify some codes in f2fs.
    
    Signed-off-by: Chao Yu <chao2.yu@samsung.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0ae2dd2595a30324f9fb9a678bb1e8b45c70c8a5
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Feb 23 12:02:45 2017 +0200

    net/mlx4_en: Use __skb_fill_page_desc()
    
    commit 7f0137e2ef9f32143df623001a96f7aab61a9595 upstream.
    
    Or we might miss the fact that a page was allocated from memory reserves.
    
    Fixes: dceeab0e5258 ("mlx4: support __GFP_MEMALLOC for rx")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 361c34a1e5121395e88a9e7550500b7b42e6cf47
Author: Majd Dibbiny <majd@mellanox.com>
Date:   Thu Feb 23 12:02:43 2017 +0200

    net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
    
    commit 95f1ba9a24af9769f6e20dfe9a77c863f253f311 upstream.
    
    In the VF driver, module parameter mlx4_log_num_mgm_entry_size was
    mistakenly overwritten -- and in a manner which overrode the
    device-managed flow steering option encoded in the parameter.
    
    log_num_mgm_entry_size is a global module parameter which
    affects all ConnectX-3 PFs installed on that host.
    If a VF changes log_num_mgm_entry_size, this will affect all PFs
    which are probed subsequent to the change (by disabling DMFS for
    those PFs).
    
    Fixes: 3c439b5586e9 ("mlx4_core: Allow choosing flow steering mode")
    Signed-off-by: Majd Dibbiny <majd@mellanox.com>
    Reviewed-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 914bacc3d55dc9f9f6e16f058362bfebd76e6277
Author: Eugenia Emantayev <eugenia@mellanox.com>
Date:   Thu Feb 23 12:02:42 2017 +0200

    net/mlx4: Spoofcheck and zero MAC can't coexist
    
    commit 745d8ae4622c6808b22e33a944c7decb30074be4 upstream.
    
    Spoofcheck can't be enabled if VF MAC is zero.
    Vice versa, can't zero MAC if spoofcheck is on.
    
    Fixes: 8f7ba3ca12f6 ('net/mlx4: Add set VF mac address support')
    Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 81339c5c06376cd40d22775f50fa9cb75f125272
Author: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Date:   Mon Feb 20 14:52:58 2017 +0100

    s390/chsc: Add exception handler for CHSC instruction
    
    commit 77759137248f34864a8f7a58bbcebfcf1047504a upstream.
    
    Prevent kernel crashes due to unhandled exceptions raised by the CHSC
    instruction which may for example be triggered by invalid ioctl data.
    
    Fixes: 64150adf89df ("s390/cio: Introduce generic synchronous CHSC IOCTL")
    Signed-off-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
    Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 179d24052ed075150a167dfb5510327d714d041a
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Feb 22 15:46:48 2017 -0800

    mm: fix <linux/pagemap.h> stray kernel-doc notation
    
    commit 083fb8edda0487d192e8c117f625563b920cf7a4 upstream.
    
    Delete stray (second) function description in find_lock_page()
    kernel-doc notation.
    
    Note: scripts/kernel-doc just ignores the second function description.
    
    Fixes: 2457aec63745e ("mm: non-atomically mark page accessed during page cache allocation where possible")
    Link: http://lkml.kernel.org/r/b037e9a3-516c-ec02-6c8e-fa5479747ba6@infradead.org
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Matthew Wilcox <mawilcox@microsoft.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 57ce1261b6eeca518b583806eabf3ee1cadfc73c
Author: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Date:   Thu Feb 16 12:51:21 2017 -0800

    scsi: aacraid: Reorder Adapter status check
    
    commit c421530bf848604e97d0785a03b3fe2c62775083 upstream.
    
    The driver currently checks the SELF_TEST_FAILED first and then
    KERNEL_PANIC next. Under error conditions (boot code failure) both
    SELF_TEST_FAILED and KERNEL_PANIC can be set at the same time.
    
    The driver has the capability to reset the controller on a KERNEL_PANIC,
    but not on SELF_TEST_FAILED.
    
    Fixed by first checking KERNEL_PANIC and then the others.
    
    Fixes: e8b12f0fb835223752 ([SCSI] aacraid: Add new code for PMC-Sierra's SRC base controller family)
    Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
    Reviewed-by: David Carroll <David.Carroll@microsemi.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7544d4028a4b5ab56e369d83a7fe7e7ebcf81c88
Author: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Date:   Thu Feb 16 12:51:14 2017 -0800

    scsi: aacraid: Fix memory leak in fib init path
    
    commit 1bff5abca65d4b9761fcc992ab6288243220003d upstream.
    
    aac_fib_map_free frees misaligned fib dma memory, additionally it does not
    free up the whole memory.
    
    Fixed by changing the code to free up the correct and full memory
    allocation.
    
    Fixes: e8b12f0fb835223 ([SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family)
    Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
    Reviewed-by: David Carroll <David.Carroll@microsemi.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    [bwh: Backported to 3.16: s/max_cmd_size/max_fib_size/]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ba618caab5c21a012f38943e04fa498f5c1938e8
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Wed Feb 22 13:23:56 2017 +0300

    tcp: account for ts offset only if tsecr not zero
    
    commit eee2faabc63d863a129000b698a2bca54dff643d upstream.
    
    We can get SYN with zero tsecr, don't apply offset in this case.
    
    Fixes: ee684b6f2830 ("tcp: send packets with a socket timestamp")
    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 77a6e76e6fc01db4ce64489ea2a7b54f921fb9f5
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Wed Feb 22 12:35:27 2017 +0300

    net/dccp: fix use after free in tw_timer_handler()
    
    commit ec7cb62d18d854ea09df8b7194e7e710985f8b9a upstream.
    
    DCCP doesn't purge timewait sockets on network namespace shutdown.
    So, after the net namespace is destroyed we could still have an active timer
    which will trigger use after free in tw_timer_handler():
    
        BUG: KASAN: use-after-free in tw_timer_handler+0x4a/0xa0 at addr ffff88010e0d1e10
        Read of size 8 by task swapper/1/0
        Call Trace:
         __asan_load8+0x54/0x90
         tw_timer_handler+0x4a/0xa0
         call_timer_fn+0x127/0x480
         expire_timers+0x1db/0x2e0
         run_timer_softirq+0x12f/0x2a0
         __do_softirq+0x105/0x5b4
         irq_exit+0xdd/0xf0
         smp_apic_timer_interrupt+0x57/0x70
         apic_timer_interrupt+0x90/0xa0
    
        Object at ffff88010e0d1bc0, in cache net_namespace size: 6848
        Allocated:
         save_stack_trace+0x1b/0x20
         kasan_kmalloc+0xee/0x180
         kasan_slab_alloc+0x12/0x20
         kmem_cache_alloc+0x134/0x310
         copy_net_ns+0x8d/0x280
         create_new_namespaces+0x23f/0x340
         unshare_nsproxy_namespaces+0x75/0xf0
         SyS_unshare+0x299/0x4f0
         entry_SYSCALL_64_fastpath+0x18/0xad
        Freed:
         save_stack_trace+0x1b/0x20
         kasan_slab_free+0xae/0x180
         kmem_cache_free+0xb4/0x350
         net_drop_ns+0x3f/0x50
         cleanup_net+0x3df/0x450
         process_one_work+0x419/0xbb0
         worker_thread+0x92/0x850
         kthread+0x192/0x1e0
         ret_from_fork+0x2e/0x40
    
    Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
    timewait sockets on net namespace destruction and prevent above issue.
    
    Fixes: f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH")
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: pass twdr parameter to inet_twsk_purge()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f7c534f0df537da7d76098b7dae9d2fc4f32a827
Author: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
Date:   Wed Feb 22 14:59:49 2017 +1300

    l2tp: Avoid schedule while atomic in exit_net
    
    commit 12d656af4e3d2781b9b9f52538593e1717e7c979 upstream.
    
    While destroying a network namespace that contains an L2TP tunnel a
    "BUG: scheduling while atomic" can be observed.
    
    Enabling lockdep shows that this is happening because l2tp_exit_net()
    is calling l2tp_tunnel_closeall() (via l2tp_tunnel_delete()) from
    within an RCU critical section.
    
    l2tp_exit_net() takes rcu_read_lock_bh()
      << list_for_each_entry_rcu() >>
      l2tp_tunnel_delete()
        l2tp_tunnel_closeall()
          __l2tp_session_unhash()
            synchronize_rcu() << Illegal inside RCU critical section >>
    
    BUG: sleeping function called from invalid context
    in_atomic(): 1, irqs_disabled(): 0, pid: 86, name: kworker/u16:2
    INFO: lockdep is turned off.
    CPU: 2 PID: 86 Comm: kworker/u16:2 Tainted: G        W  O    4.4.6-at1 #2
    Hardware name: Xen HVM domU, BIOS 4.6.1-xs125300 05/09/2016
    Workqueue: netns cleanup_net
     0000000000000000 ffff880202417b90 ffffffff812b0013 ffff880202410ac0
     ffffffff81870de8 ffff880202417bb8 ffffffff8107aee8 ffffffff81870de8
     0000000000000c51 0000000000000000 ffff880202417be0 ffffffff8107b024
    Call Trace:
     [<ffffffff812b0013>] dump_stack+0x85/0xc2
     [<ffffffff8107aee8>] ___might_sleep+0x148/0x240
     [<ffffffff8107b024>] __might_sleep+0x44/0x80
     [<ffffffff810b21bd>] synchronize_sched+0x2d/0xe0
     [<ffffffff8109be6d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff8105c7bb>] ? __local_bh_enable_ip+0x6b/0xc0
     [<ffffffff816a1b00>] ? _raw_spin_unlock_bh+0x30/0x40
     [<ffffffff81667482>] __l2tp_session_unhash+0x172/0x220
     [<ffffffff81667397>] ? __l2tp_session_unhash+0x87/0x220
     [<ffffffff8166888b>] l2tp_tunnel_closeall+0x9b/0x140
     [<ffffffff81668c74>] l2tp_tunnel_delete+0x14/0x60
     [<ffffffff81668dd0>] l2tp_exit_net+0x110/0x270
     [<ffffffff81668d5c>] ? l2tp_exit_net+0x9c/0x270
     [<ffffffff815001c3>] ops_exit_list.isra.6+0x33/0x60
     [<ffffffff81501166>] cleanup_net+0x1b6/0x280
     ...
    
    This bug can easily be reproduced with a few steps:
    
     $ sudo unshare -n bash  # Create a shell in a new namespace
     # ip link set lo up
     # ip addr add 127.0.0.1 dev lo
     # ip l2tp add tunnel remote 127.0.0.1 local 127.0.0.1 tunnel_id 1 \
        peer_tunnel_id 1 udp_sport 50000 udp_dport 50000
     # ip l2tp add session name foo tunnel_id 1 session_id 1 \
        peer_session_id 1
     # ip link set foo up
     # exit  # Exit the shell, in turn exiting the namespace
     $ dmesg
     ...
     [942121.089216] BUG: scheduling while atomic: kworker/u16:3/13872/0x00000200
     ...
    
    To fix this, move the call to l2tp_tunnel_closeall() out of the RCU
    critical section, and instead call it from l2tp_tunnel_del_work(), which
    is running from the l2tp_wq workqueue.
    
    Fixes: 2b551c6e7d5b ("l2tp: close sessions before initiating tunnel delete")
    Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
    Acked-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit edf8cc534c92abc57367603fbdfdfcf288703825
Author: Steve Wise <swise@opengridcomputing.com>
Date:   Tue Feb 21 11:21:57 2017 -0800

    rdma_cm: fail iwarp accepts w/o connection params
    
    commit f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad upstream.
    
    cma_accept_iw() needs to return an error if conn_params is NULL.
    Since this is coming from user space, we can crash.
    
    Reported-by: Shaobo He <shaobo@cs.utah.edu>
    Acked-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7b5736f6b0378cc8ec9ec5888153300112a5b057
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Wed Feb 22 20:08:25 2017 +0100

    fuse: add missing FR_FORCE
    
    commit 2e38bea99a80eab408adee27f873a188d57b76cb upstream.
    
    fuse_file_put() was missing the "force" flag for the RELEASE request when
    sending synchronously (fuseblk).
    
    If this flag is not set, then a sync request may be interrupted before it
    is dequeued by the userspace filesystem.  In this case the OPEN won't be
    balanced with a RELEASE.
    
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: 5a18ec176c93 ("fuse: fix hang of single threaded fuseblk filesystem")
    [bwh: Backported to 3.16:
     - "force" flag is a bitfield
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5da99487e97c80c5dfc9f98d372f9ba72d094f25
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Feb 19 16:08:29 2017 -0500

    NFSv4: Fix the underestimation of delegation XDR space reservation
    
    commit 5a1f6d9e9b803003271b40b67786ff46fa4eda01 upstream.
    
    Account for the "space_limit" field in struct open_write_delegation4.
    
    Fixes: 2cebf82883f4 ("NFSv4: Fix the underestimate of NFSv4 open request size")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 72ffee66e25564619a5d60d516a45d5d36971353
Author: Nicolai Hähnle <nicolai.haehnle@amd.com>
Date:   Sat Feb 18 22:59:56 2017 +0100

    drm/ttm: fix use-after-free races in vm fault handling
    
    commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream.
    
    The vm fault handler relies on the fact that the VMA owns a reference
    to the BO. However, once mmap_sem is released, other tasks are free to
    destroy the VMA, which can lead to the BO being freed. Fix two code
    paths where that can happen, both related to vm fault retries.
    
    Found via a lock debugging warning which flagged &bo->wu_mutex as
    locked while being destroyed.
    
    Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
    Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9bbd855ae3fc71410ba6eef67e29871d888ce3aa
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Mon Feb 13 20:44:31 2017 +0100

    batman-adv: Fix transmission of final, 16th fragment
    
    commit 51c6b429c0c95e67edd1cb0b548c5cf6a6604763 upstream.
    
    Trying to split and transmit a unicast packet in 16 parts will fail for
    the final fragment: After having sent the 15th one with a frag_packet.no
    index of 14, we will increase the index to 15 - and return with an
    error code immediately, even though one more fragment is due for
    transmission and allowed.
    
    Fixing this issue by moving the check before incrementing the index.
    
    While at it, adding an unlikely(), because the check is actually more of
    an assertion.
    
    Fixes: ee75ed88879a ("batman-adv: Fragment and send skbs larger than mtu")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    [bwh: Backported to 3.16: don't return an error code]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 38b09ab6686f9855a1d69355e7c95592aeedfe54
Author: Sven Eckelmann <sven@narfation.org>
Date:   Sun Feb 12 11:26:33 2017 +0100

    batman-adv: Fix double free during fragment merge error
    
    commit 248e23b50e2da0753f3b5faa068939cbe9f8a75a upstream.
    
    The function batadv_frag_skb_buffer was supposed not to consume the skbuff
    on errors. This was followed in the helper function
    batadv_frag_insert_packet when the skb would potentially be inserted in the
    fragment queue. But it could happen that the next helper function
    batadv_frag_merge_packets would try to merge the fragments and fail. This
    results in a kfree_skb of all the enqueued fragments (including the just
    inserted one). batadv_recv_frag_packet would detect the error in
    batadv_frag_skb_buffer and try to free the skb again.
    
    The behavior of batadv_frag_skb_buffer (and its helper
    batadv_frag_insert_packet) must therefore be changed to always consume the
    skbuff to have a common behavior and avoid the double kfree_skb.
    
    Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    [bwh: Backported to 3.16:
     - Update batadv_recv_frag_packet() as advised by Sven
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit cc4d5dc73841b98d33cdfb9822d70b0aac4beca5
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Feb 20 07:21:33 2017 +0100

    nfsd: special case truncates some more
    
    commit 783112f7401ff449d979530209b3f6c2594fdb4e upstream.
    
    Both the NFS protocols and the Linux VFS use a setattr operation with a
    bitmap of attributes to set to set various file attributes including the
    file size and the uid/gid.
    
    The Linux syscalls never mix size updates with unrelated updates like
    the uid/gid, and some file systems like XFS and GFS2 rely on the fact
    that truncates don't update random other attributes, and many other file
    systems handle the case but do not update the other attributes in the
    same transaction.  NFSD on the other hand passes the attributes it gets
    on the wire more or less directly through to the VFS, leading to updates
    the file systems don't expect.  XFS at least has an assert on the
    allowed attributes, which caught an unusual NFS client setting the size
    and group at the same time.
    
    To handle this issue properly this splits the notify_change call in
    nfsd_setattr into two separate ones.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Tested-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 24d8167113803f8b9196f8131cbc97d49c6179ef
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Feb 20 17:04:42 2017 -0500

    nfsd: minor nfsd_setattr cleanup
    
    commit 758e99fefe1d9230111296956335cd35995c0eaf upstream.
    
    Simplify exit paths, size_change use.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7cf01c94a5c33bf2a8bc13eb4fae691ec487f9dd
Author: Christoph Hellwig <hch@lst.de>
Date:   Sun Sep 7 12:15:52 2014 -0700

    nfsd: update mtime on truncate
    
    commit f0c63124a6165792f6e37e4b5983792d009e1ce8 upstream.
    
    This fixes a failure in xfstests generic/313 because nfs doesn't update
    mtime on a truncate.  The protocol requires this to be done implicitly
    for a size changing setattr.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 51d1922991d08e8ea5e54cb425032f544f6337bc
Author: Chao Peng <chao.p.peng@linux.intel.com>
Date:   Tue Feb 21 03:50:01 2017 -0500

    KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    
    commit 96794e4ed4d758272c486e1529e431efb7045265 upstream.
    
    Guest segment selector is 16 bit field and guest segment base is natural
    width field. Fix two incorrect invocations accordingly.
    
    Without this patch, build fails when aggressive inlining is used with ICC.
    
    Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [bwh: Backported to 3.16: drop change in kvm_flush_pml_buffers()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3959fd3508e2df61a57827100b73334db2e66704
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Feb 18 10:34:18 2017 -0800

    mlx4: reduce OOM risk on arches with large pages
    
    commit 3608b13ccc51d06e499dfe12b27f134de1286e28 upstream.
    
    Since mlx4 NICs are used on PowerPC with 64K pages, we need to adapt
    MLX4_EN_ALLOC_PREFER_ORDER definition.
    
    Otherwise, a fragment sitting in an out of order TCP queue can hold
    0.5 Mbytes and it is a serious OOM risk.
    
    Fixes: 51151a16a60f ("mlx4: allow order-0 memory allocations in RX path")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5f328a5b41b83dc675392c149ae754eb477eed31
Author: John Keeping <john@metanate.com>
Date:   Thu Feb 16 17:21:50 2017 +0000

    PM / QoS: Fix memory leak on resume_latency.notifiers
    
    commit e84b4a84e52d4cd8770b4242cd09df0133333f63 upstream.
    
    Since commit 2d984ad132a8 (PM / QoS: Introcuce latency tolerance device
    PM QoS type) we reassign "c" to point at qos->latency_tolerance before
    freeing c->notifiers, but the notifiers field of latency_tolerance is
    never used.
    
    Restore the original behaviour of freeing the notifiers pointer on
    qos->resume_latency, which is used, and fix the following kmemleak
    warning.
    
    unreferenced object 0xed9dba00 (size 64):
      comm "kworker/0:1", pid 36, jiffies 4294670128 (age 15202.983s)
      hex dump (first 32 bytes):
        00 00 00 00 04 ba 9d ed 04 ba 9d ed 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<c06f6084>] kmemleak_alloc+0x74/0xb8
        [<c011c964>] kmem_cache_alloc_trace+0x170/0x25c
        [<c035f448>] dev_pm_qos_constraints_allocate+0x3c/0xe4
        [<c035f574>] __dev_pm_qos_add_request+0x84/0x1a0
        [<c035f6cc>] dev_pm_qos_add_request+0x3c/0x54
        [<c03c3fc4>] usb_hub_create_port_device+0x110/0x2b8
        [<c03b2a60>] hub_probe+0xadc/0xc80
        [<c03bb050>] usb_probe_interface+0x1b4/0x260
        [<c035773c>] driver_probe_device+0x198/0x40c
        [<c0357b14>] __device_attach_driver+0x8c/0x98
        [<c0355bbc>] bus_for_each_drv+0x8c/0x9c
        [<c0357494>] __device_attach+0x98/0x138
        [<c0357c64>] device_initial_probe+0x14/0x18
        [<c03569dc>] bus_probe_device+0x30/0x88
        [<c0354c54>] device_add+0x430/0x554
        [<c03b92d8>] usb_set_configuration+0x660/0x6fc
    
    Fixes: 2d984ad132a8 (PM / QoS: Introcuce latency tolerance device PM QoS type)
    Signed-off-by: John Keeping <john@metanate.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f0626c8780ce2d879a35839e5c9c519ff89ed8bf
Author: Peter Dunning <pdunning@solarflare.com>
Date:   Fri Feb 17 15:50:43 2017 +0000

    sfc: do not device_attach if a reset is pending
    
    commit 9c568fd8844ec3986eb19b0b5d97536243d10d46 upstream.
    
    efx_start_all can return without initialising queues as a reset is pending.
    This means that when netif_device_attach is called, the kernel can start
    sending traffic without having an initialised TX queue to send to.
    This patch avoids this by not calling netif_device_attach if there is a
    pending reset.
    
    Fixes: e283546c0465 ("sfc:On MCDI timeout, issue an FLR (and mark MCDI to fail-fast)")
    Signed-off-by: Edward Cree <ecree@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16:
     - Drop changes in ef10.c and ef10_sriov.c
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8287542f06ce1fb41b457424d6a281491e8c0955
Author: Mirko Parthey <mirko.parthey@web.de>
Date:   Wed Feb 15 23:31:30 2017 +0100

    MIPS: BCM47XX: Fix button inversion for Asus WL-500W
    
    commit bdfdaf1a016ef09cb941f2edad485a713510b8d5 upstream.
    
    The Asus WL-500W buttons are active high, but the software treats them
    as active low. Fix the inverted logic.
    
    Fixes: 3be972556fa1 ("MIPS: BCM47XX: Import buttons database from OpenWrt")
    Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
    Acked-by: Rafał Miłecki <rafal@milecki.pl>
    Cc: Hauke Mehrtens <hauke@hauke-m.de>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/15295/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit e5040ecefcb525978f82e40825c2bef8b773802b
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Feb 3 17:43:50 2017 +0100

    MIPS: ip27: Disable qlge driver in defconfig
    
    commit b617649468390713db1515ea79fc772d2eb897a8 upstream.
    
    One of the last remaining failures in kernelci.org is for a gcc bug:
    
    drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
    drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190
    
    This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
    reproduce the problem here. However, it is clear that ip27_defconfig
    does not actually need this driver as the platform has only PCI-X but
    not PCIe, and the qlge adapter in turn is PCIe-only.
    
    The driver was originally enabled in 2010 along with lots of other
    drivers.
    
    Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/15197/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5d41c3a13ae82cd605718d668cee5864c641be23
Author: James Cowgill <James.Cowgill@imgtec.com>
Date:   Mon Jan 9 16:52:28 2017 +0000

    MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
    
    commit 884b426917e4b3c85f33b382c792a94305dfdd62 upstream.
    
    If copy_from_user is called with a large buffer (>= 128 bytes) and the
    userspace buffer refers partially to unreadable memory, then it is
    possible for Octeon's copy_from_user to report the wrong number of bytes
    have been copied. In the case where the buffer size is an exact multiple
    of 128 and the fault occurs in the last 64 bytes, copy_from_user will
    report that all the bytes were copied successfully but leave some
    garbage in the destination buffer.
    
    The bug is in the main __copy_user_common loop in octeon-memcpy.S where
    in the middle of the loop, src and dst are incremented by 128 bytes. The
    l_exc_copy fault handler is used after this but that assumes that
    "src < THREAD_BUADDR($28)". This is not the case if src has already been
    incremented.
    
    Fix by adding an extra fault handler which rewinds the src and dst
    pointers 128 bytes before falling through to l_exc_copy.
    
    Thanks to the pwritev test from the strace test suite for originally
    highlighting this bug!
    
    Fixes: 5b3b16880f40 ("MIPS: Add Cavium OCTEON processor support ...")
    Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
    Acked-by: David Daney <david.daney@cavium.com>
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14978/
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 617a73ef57bd7e638ce6b68c96bb81166cefc78f
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Thu Jan 26 02:16:47 2017 +0100

    MIPS: Fix special case in 64 bit IP checksumming.
    
    commit 66fd848cadaa6be974a8c780fbeb328f0af4d3bd upstream.
    
    For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1,
    len = 80, proto = 17, sum = 0x7eae049d there will be a carry when
    folding the intermediate 64 bit checksum to 32 bit but the code doesn't
    add the carry back to the one's complement sum, thus an incorrect result
    will be generated.
    
    Reported-by: Mark Zhang <bomb.zhang@gmail.com>
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
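
Added example (not part of the kernel source or of this commit): a C model of the 64-to-32-bit fold described in the commit message above, run on the arguments it quotes. The function names are hypothetical, and the length/protocol term is assumed to enter the sum as proto + len (the big-endian form).

```c
#include <stdint.h>
#include <stdio.h>

/* Unfolded 64-bit accumulator of the pseudo-header terms.
 * Assumption: the length/protocol term enters as (proto + len), the
 * big-endian form; a little-endian build would shift it left by 8. */
static uint64_t pseudo_sum64(uint32_t saddr, uint32_t daddr,
                             uint32_t len, uint8_t proto, uint32_t sum)
{
    return (uint64_t)sum + daddr + saddr + (uint64_t)(proto + len);
}

/* Fold 64 -> 32 by adding the low half into the high half and dropping
 * the carry out of bit 63: the behaviour the commit message reports. */
static uint32_t fold64_drop_carry(uint64_t s)
{
    uint64_t t = s << 32;       /* low 32 bits moved to the top half */
    s += t;                     /* top half is now hi + lo (mod 2^32) */
    return (uint32_t)(s >> 32);
}

/* Same fold with the end-around carry added back into the result. */
static uint32_t fold64_add_carry(uint64_t s)
{
    uint64_t t = s << 32;
    s += t;
    uint32_t carry = s < t;     /* unsigned wrap means a carry was lost */
    return (uint32_t)(s >> 32) + carry;
}

/* Final 32 -> 16 fold and one's complement. */
static uint16_t csum_fold16(uint32_t s)
{
    s = (s & 0xffff) + (s >> 16);
    s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Independent reference: add every 16-bit word with end-around carry. */
static uint16_t reference_csum(uint32_t saddr, uint32_t daddr,
                               uint32_t len, uint8_t proto, uint32_t sum)
{
    uint32_t terms[4] = { sum, daddr, saddr, proto + len };
    uint32_t acc = 0;

    for (int i = 0; i < 4; i++)
        acc += (terms[i] >> 16) + (terms[i] & 0xffff);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

int main(void)
{
    /* Arguments quoted in the commit message. */
    uint32_t saddr = 0xc0a8fd60, daddr = 0xc0a8fda1, len = 80;
    uint32_t sum = 0x7eae049d;
    uint8_t proto = 17;
    uint64_t s = pseudo_sum64(saddr, daddr, len, proto, sum);

    printf("64-bit sum      : 0x%llx\n", (unsigned long long)s);
    printf("carry dropped   : 0x%04x\n", csum_fold16(fold64_drop_carry(s)));
    printf("carry added back: 0x%04x\n", csum_fold16(fold64_add_carry(s)));
    printf("reference       : 0x%04x\n",
           reference_csum(saddr, daddr, len, proto, sum));
    return 0;
}
```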

commit 12984626c78535f50f8b481f32211613f571eb48
Author: Chris Brandt <chris.brandt@renesas.com>
Date:   Tue Feb 14 11:08:05 2017 -0500

    clk: renesas: mstp: ensure register writes complete
    
    commit f59de563358eb9351b7f8f0ba2d3be2ebb70b93d upstream.
    
    When there is no status bit, it is possible for the clock enable/disable
    operation to have not completed by the time the driver code resumes
    execution. This is due to the fact that write operations are sometimes
    queued and delayed internally. Doing a read ensures the write operations
    have completed.
    
    Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
    Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    [bwh: Backported to 3.16:
     - Use barrier() instead of barrier_data()
     - Adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit be1aa88a64393289a11ba401de6b2bcfa8d9c503
Author: Joe Thornber <ejt@redhat.com>
Date:   Thu Feb 9 11:46:18 2017 -0500

    dm cache: fix corruption seen when using cache > 2TB
    
    commit ca763d0a53b264a650342cee206512bc92ac7050 upstream.
    
    A rounding bug due to compiler generated temporary being 32bit was found
    in remap_to_cache().  A localized cast in remap_to_cache() fixes the
    corruption but this preferred fix (changing from uint32_t to sector_t)
    eliminates potential for future rounding errors elsewhere.
    
    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
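
Added example (not dm-cache code): a C model of how a 32-bit intermediate wraps once a cache device passes 2 TiB of 512-byte sectors, the class of bug the commit message above describes. The function names, the 512-sector block size and the choice of the multiply as the truncated operation are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t sector_t;      /* stand-in for the kernel's 64-bit sector_t */

/* Before: block index and block size are both 32-bit, so the product and
 * the addition are evaluated in 32 bits and only then widened. */
static sector_t cache_sector_u32(uint32_t cblock, uint32_t sectors_per_block,
                                 sector_t bi_sector)
{
    uint32_t offset = (uint32_t)(bi_sector % sectors_per_block);

    return cblock * sectors_per_block + offset;   /* wraps at 2^32 sectors */
}

/* After: the block size is held in a 64-bit type, so the whole expression
 * is evaluated in 64 bits. */
static sector_t cache_sector_wide(uint32_t cblock, sector_t sectors_per_block,
                                  sector_t bi_sector)
{
    return (sector_t)cblock * sectors_per_block
           + bi_sector % sectors_per_block;
}

/* Smallest cache block index whose start sector no longer fits in 32 bits. */
static uint32_t first_wrapped_cblock(uint32_t sectors_per_block)
{
    return (uint32_t)(((1ULL << 32) + sectors_per_block - 1)
                      / sectors_per_block);
}

int main(void)
{
    uint32_t spb = 512;                     /* constructed: 256 KiB blocks */
    uint32_t cb = first_wrapped_cblock(spb);
    sector_t origin_sector = 5;             /* constructed sample bio sector */

    printf("first wrapped cblock: %u (byte offset %llu)\n", cb,
           (unsigned long long)cb * spb * 512);
    printf("32-bit math : sector %llu\n",
           (unsigned long long)cache_sector_u32(cb, spb, origin_sector));
    printf("64-bit math : sector %llu\n",
           (unsigned long long)cache_sector_wide(cb, spb, origin_sector));
    /* With 32-bit math this block aliases cache block 0. */
    printf("cblock 0    : sector %llu\n",
           (unsigned long long)cache_sector_u32(0, spb, origin_sector));
    return 0;
}
```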

commit 553601b859c064e042fb7ca1b5e38129d800d6e4
Author: Dmitry Tunin <hanipouspilot@gmail.com>
Date:   Thu Jan 5 13:19:53 2017 +0300

    Bluetooth: Add another AR3012 04ca:3018 device
    
    commit 441ad62d6c3f131f1dbd7dcdd9cbe3f74dbd8501 upstream.
    
    T:  Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#=  5 Spd=12  MxCh= 0
    D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=04ca ProdID=3018 Rev=00.01
    C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    
    Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6b7fe46673aec6dae69d11548a6f0a902cbc371e
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Feb 15 11:11:51 2017 +0100

    goldfish: Sanitize the broken interrupt handler
    
    commit 6cf18e6927c0b224f972e3042fb85770d63cb9f8 upstream.
    
    This interrupt handler is broken in several ways:
    
      - It loops forever when the op code is not decodeable
    
      - It never returns IRQ_HANDLED because the only way to exit the loop
        returns IRQ_NONE unconditionally.
    
    The whole concept of this is broken. Creating devices in an interrupt
    handler is beyond any point of sanity.
    
    Make it at least behave halfways sane so accidental users do not have to
    deal with a hard to debug lockup.
    
    Fixes: e809c22b8fb028 ("goldfish: add the goldfish virtual bus")
    Reported-by: Gabriel C <nix.or.die@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 843fd93d1e83adb30a7bc39d5c89f680247ba82e
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Feb 15 11:11:50 2017 +0100

    x86/platform/goldfish: Prevent unconditional loading
    
    commit 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb upstream.
    
    The goldfish platform code registers the platform device unconditionally
    which causes havoc in several ways if the goldfish_pdev_bus driver is
    enabled:
    
     - Access to the hardcoded physical memory region, which is either not
       available or contains stuff which is completely unrelated.
    
     - Prevents that the interrupt of the serial port can be requested
    
     - In case of a spurious interrupt it goes into an infinite loop in the
       interrupt handler of the pdev_bus driver (which needs to be fixed
       separately).
    
    Add a 'goldfish' command line option to make the registration opt-in when
    the platform is compiled in.
    
    I'm seriously grumpy about this engineering trainwreck, which has seven
    SOBs from Intel developers for 50 lines of code. And none of them figured
    out that this is broken. Impressive fail!
    
    Fixes: ddd70cf93d78 ("goldfish: platform device for x86")
    Reported-by: Gabriel C <nix.or.die@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d602d73a1ee9a537c0f0478fa578ff06a2bdae5a
Author: Christian Lamparter <chunkeey@googlemail.com>
Date:   Tue Feb 14 20:10:30 2017 +0100

    ath9k: use correct OTP register offsets for the AR9340 and AR9550
    
    commit c9f1e32600816d695f817477d56490bfc2ba43c6 upstream.
    
    This patch fixes the OTP register definitions for the AR934x and AR9550
    WMAC SoC.
    
    Previously, the ath9k driver was unable to initialize the integrated
    WMAC on an Aerohive AP121:
    
    | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
    | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
    | ath: phy0: Unable to initialize hardware; initialization status: -5
    | ath9k ar934x_wmac: failed to initialize device
    | ath9k: probe of ar934x_wmac failed with error -5
    
    It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
    definitions contain a typo.
    
    Cc: Gabor Juhos <juhosg@openwrt.org>
    Fixes: add295a4afbdf5852d0 "ath9k: use correct OTP register offsets for AR9550"
    Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
    Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8a37188fcf4d1215ae484b33c613c570df772879
Author: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Date:   Tue Nov 22 14:55:59 2016 +0530

    powerpc/xmon: Fix data-breakpoint
    
    commit c21a493a2b44650707d06741601894329486f2ad upstream.
    
    Currently xmon data-breakpoint feature is broken.
    
    Whenever a watchpoint match occurs, hw_breakpoint_handler will
    be called by do_break via notifier chains mechanism. If watchpoint is
    registered by xmon, hw_breakpoint_handler won't find any associated
    perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break
    also returns without notifying to xmon.
    
    Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not
    find any perf_event associated with matched watchpoint, rather than
    NOTIFY_STOP, which tells the core code to continue calling the other
    breakpoint handlers including the xmon one.
    
    Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6cc435bb47841104995c8668de8f5839d0040357
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Wed Feb 15 01:26:39 2017 -0500

    ext4: fix fencepost in s_first_meta_bg validation
    
    commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream.
    
    It is OK for s_first_meta_bg to be equal to the number of block group
    descriptor blocks.  (It rarely happens, but it shouldn't cause any
    problems.)
    
    https://bugzilla.kernel.org/show_bug.cgi?id=194567
    
    Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b6d98c338b05e18945f9650e15798d41c91be503
Author: Leon Romanovsky <leonro@mellanox.com>
Date:   Wed Jan 18 14:10:31 2017 +0200

    IB/mlx5: Return error for unsupported signature type
    
    commit 12bbf1ea7e3b35892dbb8636b978160bc9576b61 upstream.
    
    In case of unsupported signature, we returned positive
    value, while the better approach is to return -EINVAL.
    
    In addition, in this change, the error print is enriched
    to provide an actual supplied signature type.
    
    Fixes: e6631814fb3a ("IB/mlx5: Support IB_WR_REG_SIG_MR")
    Cc: Sagi Grimberg <sagi@grimberg.me>
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 633eb2ae856cc0faeb9b47b0d1671fcabe66fbfd
Author: Leon Romanovsky <leonro@mellanox.com>
Date:   Wed Jan 18 14:10:30 2017 +0200

    IB/mlx5: Fix out-of-bound access
    
    commit 0fd27a88c2e4f548937fd7d93fc6e65c4ad7c278 upstream.
    
    When we initialize buffer to create SRQ in kernel,
    the number of pages was less than actually used in
    following mlx5_fill_page_array().
    
    Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Reviewed-by: Eli Cohen <eli@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit bdf0863011d5d23857b61d2d41372fee53e91b0e
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sat Feb 11 10:37:38 2017 -0500

    nlm: Ensure callback code also checks that the files match
    
    commit 251af29c320d86071664f02c76f0d063a19fefdf upstream.
    
    It is not sufficient to just check that the lock pids match when
    granting a callback, we also need to ensure that we're granting
    the callback on the right file.
    
    Reported-by: Pankaj Singh <psingh.ait@gmail.com>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 249bb2131b376ff59eae4ecaa2eb3875c6d0beb9
Author: NeilBrown <neilb@suse.com>
Date:   Mon Feb 6 13:41:39 2017 +1100

    md: ensure md devices are freed before module is unloaded.
    
    commit 9356863c9409efc79029c01a85d015efae977e69 upstream.
    
    Commit: cbd199837750 ("md: Fix unfortunate interaction with evms")
    changed mddev_put() so that it would not destroy an md device while
    ->ctime was non-zero.
    
    Unfortunately, we didn't make sure to clear ->ctime when unloading
    the module, so it is possible for an md device to remain after
    module unload.  An attempt to open such a device will trigger
    an invalid memory reference in:
      get_gendisk -> kobj_lookup -> exact_lock -> get_disk
    
    when trying to access disk->fops, which was in the module that has
    been removed.
    
    So ensure we clear ->ctime in md_exit(), and explain how that is useful,
    as it isn't immediately obvious when looking at the code.
    
    Fixes: cbd199837750 ("md: Fix unfortunate interaction with evms")
    Tested-by: Guoqing Jiang <gqjiang@suse.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 80e4a627b90d6c7ba6c766ce1d632b5925a8b99c
Author: colyli@suse.de <colyli@suse.de>
Date:   Sat Jan 28 21:11:49 2017 +0800

    md linear: fix a race between linear_add() and linear_congested()
    
    commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream.
    
    Recently I received a bug report that on Linux v3.0 based kernel, hot add
    disk to a md linear device causes kernel crash at linear_congested(). From
    the crash image analysis, I find in linear_congested(), mddev->raid_disks
    contains value N, but conf->disks[] only has N-1 pointers available. Then
    a NULL pointer dereference crashes the kernel.
    
    There is a race between linear_add() and linear_congested(), RCU stuffs
    used in these two functions cannot avoid the race. Since Linux v4.0
    RCU code is replaced by introducing mddev_suspend().  After checking the
    upstream code, it seems linear_congested() is not called in
    generic_make_request() code path, so mddev_suspend() cannot prevent it
    from being called. The possible race still exists.
    
    Here I explain how the race still exists in current code.  For a machine
    has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
    md linear device; at the same time on other CPU, linear_congested() is
    called to detect whether this md linear device is congested before issuing
    an I/O request onto it.
    
    Now I use a possible code execution time sequence to demo how the possible
    race happens,
    
    seq    linear_add()                linear_congested()
     0                                 conf=mddev->private
     1   oldconf=mddev->private
     2   mddev->raid_disks++
     3                              for (i=0; i<mddev->raid_disks;i++)
     4                                bdev_get_queue(conf->disks[i].rdev->bdev)
     5   mddev->private=newconf
    
    In linear_add() mddev->raid_disks is increased in time seq 2, and on
    another CPU in linear_congested() the for-loop iterates conf->disks[i] by
    the increased mddev->raid_disks in time seq 3,4. But conf with one more
    element (which is a pointer to struct dev_info type) to conf->disks[] is
    not updated yet, accessing its structure member in time seq 4 will cause a
    NULL pointer dereference fault.
    
    To fix this race, there are 2 parts of modification in the patch,
     1) Add 'int raid_disks' in struct linear_conf, as a copy of
        mddev->raid_disks. It is initialized in linear_conf(), always being
        consistent with pointers number of 'struct dev_info disks[]'. When
        iterating conf->disks[] in linear_congested(), use conf->raid_disks to
        replace mddev->raid_disks in the for-loop, then NULL pointer dereference
        will not happen again.
     2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
        free oldconf memory. Because oldconf may be referenced as mddev->private
        in linear_congested(), kfree_rcu() makes sure that its memory will not
        be released until no one uses it any more.
    Also some code comments are added in this patch, to make this modification
    to be easier understandable.
    
    This patch can be applied for kernels since v4.0 after commit:
    3be260cc18f8 ("md/linear: remove rcu protections in favour of
    suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for
    people who maintain kernels before Linux v4.0, they need to do some
    back port to this patch.
    
    Changelog:
     - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
           replace rcu_call() in linear_add().
     - v2: add RCU stuffs by suggestion from Shaohua and Neil.
     - v1: initial effort.
    
    Signed-off-by: Coly Li <colyli@suse.de>
    Cc: Shaohua Li <shli@fb.com>
    Cc: Neil Brown <neilb@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    [bwh: Backported to 3.16: no need to restore RCU protections]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
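
A deterministic replay of the time sequence in the md linear commit above, as an added C example (not the kernel's code). The structs are simplified stand-ins with a fixed-size disks[] array whose unused slots hold a NULL rdev, and the reader counts NULL slots instead of dereferencing them.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DISKS 8	/* assumption: fixed capacity, to keep the model simple */

struct rdev { int bdev; };
struct dev_info { struct rdev *rdev; };

struct linear_conf {
	int raid_disks;			/* the fix: count stored with the array */
	struct dev_info disks[MAX_DISKS];
};

struct mddev {
	int raid_disks;			/* updated separately from ->private */
	struct linear_conf *private;
};

static struct rdev rdevs[MAX_DISKS];

/* Build a conf with n populated slots; the remaining slots have rdev == NULL. */
static void conf_init(struct linear_conf *conf, int n)
{
	int i;

	conf->raid_disks = n;
	for (i = 0; i < MAX_DISKS; i++)
		conf->disks[i].rdev = i < n ? &rdevs[i] : NULL;
}

/*
 * Body of the reader's for-loop. Returns how many slots it would have
 * dereferenced through a NULL rdev (each one is an oops in the kernel).
 */
static int congested_scan(const struct linear_conf *conf, int limit)
{
	int i, bad = 0;

	for (i = 0; i < limit; i++)
		if (!conf->disks[i].rdev)
			bad++;
	return bad;
}

/*
 * Replay seq 0..5 from the commit message in that fixed order.
 * n is the disk count before the hot add (n < MAX_DISKS).
 * use_conf_count selects the loop bound: 0 = mddev->raid_disks (old code),
 * 1 = conf->raid_disks (patched code).
 */
int replay_race(int n, int use_conf_count)
{
	struct linear_conf oldconf, newconf;
	struct linear_conf *conf, *old;
	struct mddev mddev;
	int bad;

	conf_init(&oldconf, n);
	conf_init(&newconf, n + 1);
	mddev.raid_disks = n;
	mddev.private = &oldconf;

	conf = mddev.private;		/* seq 0: reader snapshots conf */
	old = mddev.private;		/* seq 1: writer saves oldconf */
	(void)old;
	mddev.raid_disks++;		/* seq 2: writer bumps the count */
	bad = congested_scan(conf,	/* seq 3,4: reader iterates */
			     use_conf_count ? conf->raid_disks
					    : mddev.raid_disks);
	mddev.private = &newconf;	/* seq 5: writer publishes newconf */
	return bad;
}

int main(void)
{
	printf("bound = mddev->raid_disks: %d NULL slot(s) touched\n",
	       replay_race(3, 0));
	printf("bound = conf->raid_disks:  %d NULL slot(s) touched\n",
	       replay_race(3, 1));
	return 0;
}
```
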

commit f9b8eb52c48b3e4582ab62ddea0191ef03e49ca4
Author: Ravikumar Kattekola <rk@ti.com>
Date:   Mon Jan 30 15:41:58 2017 +0530

    mmc: host: omap_hsmmc: avoid possible overflow of timeout value
    
    commit a53210f56d7f3f75d1edc1b3a069ddb87b72a919 upstream.
    
    Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap
    hsmmc controller for 2430 and 34xx, v3")
    
    when using really large timeout (up to 4*60*1000 ms for bkops)
    there is a possibility of data overflow using
    unsigned int so use 64 bit unsigned long long.
    
    Signed-off-by: Ravikumar Kattekola <rk@ti.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    [bwh: Backported to 3.16: drop change in omap_hsmmc_prepare_data()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0b95c2aa96ac14171f2f886cad040018f6a4bf8f
Author: Peter Rosin <peda@axentia.se>
Date:   Wed Feb 1 21:40:57 2017 +0100

    iio: pressure: mpl115: do not rely on structure field ordering
    
    commit 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 upstream.
    
    Fixes a regression triggered by a change in the layout of
    struct iio_chan_spec, but the real bug is in the driver which assumed
    a specific structure layout in the first place. Hint: the three bits were
    not OR:ed together as implied by the indentation prior to this patch,
    there was a comma between the first two, which accidentally moved the
    ..._SCALE and ..._OFFSET bits to the next structure field. That field
    was .info_mask_shared_by_type before the _available attributes was added
    by commit 51239600074b ("iio:core: add a callback to allow drivers to
    provide _available attributes") and .info_mask_separate_available
    afterwards, and the regression happened.
    
    info_mask_shared_by_type is actually a better choice than the originally
    intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since
    a constant is returned from mpl115_read_raw for the scale/offset. Using
    info_mask_shared_by_type also preserves the behavior from before the
    regression and is therefore less likely to cause other interesting side
    effects.
    
    The above mentioned regression causes unintended sysfs attributes to
    show up that are not backed by code, in turn causing a NULL pointer
    dereference to happen on access.
    
    Fixes: 3017d90e8931 ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver")
    Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a19f5fd2a5e8fa99baabece0dc09df12585a2eb3
Author: Peter Rosin <peda@axentia.se>
Date:   Wed Feb 1 21:40:56 2017 +0100

    iio: pressure: mpl3115: do not rely on structure field ordering
    
    commit 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed upstream.
    
    Fixes a regression triggered by a change in the layout of
    struct iio_chan_spec, but the real bug is in the driver which assumed
    a specific structure layout in the first place. Hint: the two bits were
    not OR:ed together as implied by the indentation prior to this patch,
    there was a comma between them, which accidentally moved the ..._SCALE
    bit to the next structure field. That field was .info_mask_shared_by_type
    before the _available attributes was added by commit 51239600074b
    ("iio:core: add a callback to allow drivers to provide _available
    attributes") and .info_mask_separate_available afterwards, and the
    regression happened.
    
    info_mask_shared_by_type is actually a better choice than the originally
    intended info_mask_separate for the ..._SCALE bit since a constant is
    returned from mpl3115_read_raw for the scale. Using
    info_mask_shared_by_type also preserves the behavior from before the
    regression and is therefore less likely to cause other interesting side
    effects.
    
    The above mentioned regression causes an unintended sysfs attribute to
    show up that is not backed by code, in turn causing the following NULL
    pointer dereference to happen on access.
    
    Segmentation fault
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = ecc3c000
    [00000000] *pgd=87f91831
    Internal error: Oops: 80000007 [#1] SMP ARM
    Modules linked in:
    CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3
    Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
    task: ed54ec00 task.stack: ee2bc000
    PC is at 0x0
    LR is at iio_read_channel_info_avail+0x40/0x280
    pc : [<00000000>]    lr : [<c06fbc1c>]    psr: a0070013
    sp : ee2bdda8  ip : 00000000  fp : ee2bddf4
    r10: c0a53c74  r9 : ed79f000  r8 : ee8d1018
    r7 : 00001000  r6 : 00000fff  r5 : ee8b9a00  r4 : ed79f000
    r3 : ee2bddc4  r2 : ee2bddbc  r1 : c0a86dcc  r0 : ee8d1000
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
    Control: 10c5387d  Table: 3cc3c04a  DAC: 00000051
    Process cat (pid: 1051, stack limit = 0xee2bc210)
    Backtrace:
    [<c06fbbdc>] (iio_read_channel_info_avail) from [<c0513c58>] (dev_attr_show+0x24/0x50)
     r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00
     r4:edffd480
    [<c0513c34>] (dev_attr_show) from [<c0293474>] (sysfs_kf_seq_show+0x90/0x110)
     r5:edffd540 r4:edffd480
    [<c02933e4>] (sysfs_kf_seq_show) from [<c0291d00>] (kernfs_seq_show+0x2c/0x30)
     r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001
     r4:ee2bde60 r3:c02933e4
    [<c0291cd4>] (kernfs_seq_show) from [<c024679c>] (seq_read+0x1a4/0x4e0)
    [<c02465f8>] (seq_read) from [<c0292890>] (kernfs_fop_read+0x12c/0x1cc)
     r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540
     r4:c0a111fc
    [<c0292764>] (kernfs_fop_read) from [<c021d158>] (__vfs_read+0x34/0x118)
     r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000
     r4:c0a111fc
    [<c021d124>] (__vfs_read) from [<c021e7a0>] (vfs_read+0x90/0x11c)
     r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000
    [<c021e710>] (vfs_read) from [<c021e870>] (SyS_read+0x44/0x90)
     r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000
    [<c021e82c>] (SyS_read) from [<c0107ee0>] (ret_fast_syscall+0x0/0x1c)
     r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000
    Code: bad PC value
    ---[ end trace 9c4938ccd0389004 ]---
    
    Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
    Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
    Reported-by: Ken Lin <ken.lin@advantech.com>
    Tested-by: Ken Lin <ken.lin@advantech.com>
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
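
The comma-versus-OR initializer bug described in the mpl115 and mpl3115 commits above, as an added C example (not code from the drivers). The structs are simplified stand-ins for struct iio_chan_spec before and after the _available field was added, and the INFO_* bit names and struct info_ops are hypothetical placeholders.

```c
#include <stddef.h>
#include <stdio.h>

#define BIT(n) (1UL << (n))

/* Hypothetical stand-ins for the channel-info bit numbers. */
enum { INFO_RAW, INFO_SCALE, INFO_OFFSET };

/* Simplified layout before the _available attributes were added. */
struct chan_spec_old {
	unsigned long info_mask_separate;
	unsigned long info_mask_shared_by_type;
};

/* Simplified layout afterwards: a new field follows info_mask_separate. */
struct chan_spec_new {
	unsigned long info_mask_separate;
	unsigned long info_mask_separate_available;
	unsigned long info_mask_shared_by_type;
};

/*
 * Buggy form: the comma ends the designated initializer, so the indented
 * second expression is a positional initializer for whatever field comes
 * next in the struct, not part of info_mask_separate.
 */
#define BUGGY_INIT \
	.info_mask_separate = BIT(INFO_RAW), \
		BIT(INFO_SCALE) | BIT(INFO_OFFSET)

/* Fixed form: every value names its field, so layout changes cannot move it. */
#define FIXED_INIT \
	.info_mask_separate = BIT(INFO_RAW), \
	.info_mask_shared_by_type = BIT(INFO_SCALE) | BIT(INFO_OFFSET)

static const struct chan_spec_old buggy_old = { BUGGY_INIT };
static const struct chan_spec_new buggy_new = { BUGGY_INIT };
static const struct chan_spec_old fixed_old = { FIXED_INIT };
static const struct chan_spec_new fixed_new = { FIXED_INIT };

/* Model of a driver's callback table; this driver has no read_avail. */
struct info_ops {
	int (*read_avail)(void);
};

static const struct info_ops mpl_ops = { NULL };

/*
 * Bits that would create an "_available" attribute with no callback behind
 * it. Reading such an attribute is the call through NULL seen in the oops.
 */
unsigned long unbacked_avail_bits(const struct chan_spec_new *c,
				  const struct info_ops *ops)
{
	return ops->read_avail ? 0 : c->info_mask_separate_available;
}

int main(void)
{
	printf("old layout, buggy init: shared_by_type=%#lx\n",
	       buggy_old.info_mask_shared_by_type);
	printf("new layout, buggy init: separate_available=%#lx shared_by_type=%#lx\n",
	       buggy_new.info_mask_separate_available,
	       buggy_new.info_mask_shared_by_type);
	printf("new layout, fixed init: separate_available=%#lx shared_by_type=%#lx\n",
	       fixed_new.info_mask_separate_available,
	       fixed_new.info_mask_shared_by_type);
	printf("unbacked bits: buggy=%#lx fixed=%#lx\n",
	       unbacked_avail_bits(&buggy_new, &mpl_ops),
	       unbacked_avail_bits(&fixed_new, &mpl_ops));
	return 0;
}
```
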

commit 43506f192fac83d06f6f8d78ceaccf4128cc6df9
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Wed Feb 8 18:30:56 2017 -0700

    drivers: hv: Turn off write permission on the hypercall page
    
    commit 372b1e91343e657a7cc5e2e2bcecd5140ac28119 upstream.
    
    The hypercall page only needs to be executable but currently it is setup to
    be writable as well. Fix the issue.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Reported-by: Stephen Hemminger <stephen@networkplumber.org>
    Tested-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b324f30944811716d304158cf1dc2178a041afe2
Author: Jan Kiszka <jan.kiszka@siemens.com>
Date:   Wed Feb 8 17:09:04 2017 +0100

    serial: exar: Fix initialization of EXAR registers for ports > 0
    
    commit 5b5f252d67afd7bd5b923c664206d60800bf5054 upstream.
    
    So far, pci_xr17v35x_setup always initialized 8XMODE, FCTR & Co. for
    port 0 because it used the address of that port instead of moving the
    pointer according to the port number. Fix this and remove the unneeded
    temporary ioremap by moving default_setup up and reusing the membase it
    fills into the port structure.
    
    Fixes: 14faa8cce88e ("tty/8250 Add support for Commtech's Fastcom Async-335 and Fastcom Async-PCIe cards")
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16:
     - Adjust filename, context
     - Add 'ret' variable]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 1ccc2276105701d13ceb48a51ec26558e0bf3bda
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 17:17:52 2017 +0000

    KEYS: Fix an error code in request_master_key()
    
    commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.
    
    This function has two callers and neither are able to handle a NULL
    return.  Really, -EINVAL is the correct thing to return here anyway.  This
    fixes some static checker warnings like:
    
            security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
            error: uninitialized symbol 'master_key'.
    
    Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6f7c08b2168bb13c5936cdf62c93fe826e5b5e03
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
Date:   Thu Feb 9 14:48:46 2017 -0300

    perf tests: Avoid possible truncation with dirent->d_name + snprintf
    
    commit 2e2bbc039fad9eabad6c4c1a473c8b2554cdd2d4 upstream.
    
    Addressing a few cases spotted by a new warning in gcc 7:
    
      tests/parse-events.c: In function 'test_pmu_events':
      tests/parse-events.c:1790:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 90 [-Werror=format-truncation=]
         snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
                                           ^~
      In file included from /usr/include/stdio.h:939:0,
                       from /git/linux/tools/perf/util/map.h:9,
                       from /git/linux/tools/perf/util/symbol.h:7,
                       from /git/linux/tools/perf/util/evsel.h:10,
                       from tests/parse-events.c:3:
      /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 13 and 268 bytes into a destination of size 100
         return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              __bos (__s), __fmt, __va_arg_pack ());
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      tests/parse-events.c:1798:29: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 100 [-Werror=format-truncation=]
         snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name);
    
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Wang Nan <wangnan0@huawei.com>
    Fixes: 945aea220bb8 ("perf tests: Move test objects into 'tests' directory")
    Link: http://lkml.kernel.org/n/tip-ty4q2p8zp1dp3mskvubxskm5@git.kernel.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    [bwh: Backported to 3.16: only one snprintf() call needs fixing]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5f1c2e6aa322c4a885d9a99c2a27054848740e77
Author: Chris Brandt <chris.brandt@renesas.com>
Date:   Tue Feb 7 21:41:22 2017 -0500

    i2c: riic: correctly finish transfers
    
    commit 71ccea095ea1d4efd004dab971be6d599e06fc3f upstream.
    
    This fixes the condition where the controller has not fully completed its
    final transfer and leaves the bus and controller in an undesirable state.
    
    At the end of the last transmitted byte, the existing driver would just
    signal for a STOP condition to be transmitted then immediately signal
    completion. However, the full STOP procedure might not have fully taken
    place by the time the runtime PM shuts off the peripheral clock, leaving
    the bus in a suspended state.
    
    Alternatively, the STOP condition on the bus may have completed, but when
    the next transaction is requested by the upper layer, not all the
    necessary register cleanup was finished from the last transfer which made
    the driver return BUS BUSY when it really wasn't.
    
    This patch now makes all transmit and receive transactions wait for the
    STOP condition to fully complete before signaling a completed transaction.
    With this new method, runtime PM no longer seems to be an issue.
    
    Fixes: 310c18a41450 ("i2c: riic: add driver")
    Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
    Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0d5d98c4fc14646cf6114074a57125bc210cd38d
Author: Peter Rosin <peda@axentia.se>
Date:   Tue Feb 7 22:41:55 2017 +0100

    i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio
    
    commit 6b66a6f27e799d9441ef2c0b1e00913a6a070fa5 upstream.
    
    The rename did the wrong thing for this documentation file all those
    years ago. Fix that as well as the neglected rename of the platform
    data structure.
    
    Fixes: e7065e20d9a6 ("i2c: Rename last mux driver to standard pattern")
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3d9ff65abde148b52ecf85fe585f79bb48e0d5e7
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Feb 9 12:11:41 2017 +0100

    USB: serial: mos7840: fix another NULL-deref at open
    
    commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream.
    
    Fix another NULL-pointer dereference at open should a malicious device
    lack an interrupt-in endpoint.
    
    Note that the driver has a broken check for an interrupt-in endpoint
    which means that an interrupt URB has never even been submitted.
    
    Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a5a095239ba69fd33fee9624cfd949efcb9e2eea
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 7 16:19:06 2017 +0300

    cpufreq: s3c2416: double free on driver init error path
    
    commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.
    
    The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
    so this is a double free.
    
    Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
    Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3653ac439c5e384df9e881690088916a7be44c6a
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Wed Feb 8 11:29:46 2017 -0500

    NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
    
    commit a974deee477af89411e0f80456bfb344ac433c98 upstream.
    
    If we exit because the file access check failed, we currently
    leak the struct nfs4_state. We need to attach it to the
    open context before returning.
    
    Fixes: 3efb9722475e ("NFSv4: Refactor _nfs4_open_and_get_state..")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a517a95ddafc1b0ae64357fe380e220f9b5b41e5
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Tue Feb 7 12:05:25 2017 -0500

    ktest: Fix child exit code processing
    
    commit 32677207dcc5e594254b7fb4fb2352b1755b1d5b upstream.
    
    The child_exit errno needs to be shifted by 8 bits to compare against the
    return values for the bisect variables.
    
    Fixes: c5dacb88f0a64 ("ktest: Allow overriding bisect test results")
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 662f7372f0e5d0408667f0c518f75e1a7426a042
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Feb 2 10:14:52 2017 +0100

    ath9k: fix race condition in enabling/disabling IRQs
    
    commit 3a5e969bb2f6692a256352649355d56d018d6b88 upstream.
    
    The code currently relies on refcounting to disable IRQs from within the
    IRQ handler and re-enabling them again after the tasklet has run.
    
    However, due to race conditions sometimes the IRQ handler might be
    called twice, or the tasklet may not run at all (if interrupted in the
    middle of a reset).
    
    This can cause nasty imbalances in the irq-disable refcount which will
    get the driver permanently stuck until the entire radio has been stopped
    and started again (ath_reset will not recover from this).
    
    Instead of using this fragile logic, change the code to ensure that
    running the irq handler during tasklet processing is safe, and leave the
    refcount untouched.
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9bf8b28e23516dfc02ec440755a84a79b269e18e
Author: Ganapathi Bhat <gbhat@marvell.com>
Date:   Fri Feb 3 18:30:22 2017 +0530

    mwifiex: Avoid skipping WEP key deletion for AP
    
    commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream.
    
    This patch fixes the issue specific to AP. AP is started with WEP
    security and external station is connected to it. Data path works
    in this case. Now if AP is restarted with WPA/WPA2 security,
    station is able to connect but ping fails.
    
    Driver skips the deletion of WEP keys if interface type is AP.
    Removing that redundant check resolves the issue.
    
    Fixes: e57f1734d87a ("mwifiex: add key material v2 support")
    Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
    Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ecc8fadef567c21934452fcfc076dd497a711599
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Feb 6 16:28:14 2017 +0100

    USB: serial: sierra: fix bogus alternate-setting assumption
    
    commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream.
    
    Interface numbers do not change when enabling alternate settings as
    comment and code in this driver suggested.
    
    Remove the confusing comment and redundant retrieval of the interface
    number in probe, while simplifying and renaming the interface-number
    helper.
    
    Fixes: 4db2299da213 ("sierra: driver interface blacklisting")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2eee28818de1ac5e0b2756b84eb2fc9ae6679b6e
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Feb 2 17:38:35 2017 +0100

    USB: serial: ftdi_sio: fix line-status over-reporting
    
    commit a6bb1e17a39818b01b55d8e6238b4b5f06d55038 upstream.
    
    FTDI devices use a receive latency timer to periodically empty the
    receive buffer and report modem and line status (also when the buffer is
    empty).
    
    When a break or error condition is detected the corresponding status
    flags will be set on a packet with nonzero data payload and the flags
    are not updated until the break is over or further characters are
    received.
    
    In order to avoid over-reporting break and error conditions, these flags
    must therefore only be processed for packets with payload.
    
    This specifically fixes the case where after an overrun, the error
    condition is continuously reported and NULL-characters inserted until
    further data is received.
    
    Reported-by: Michael Walle <michael@walle.cc>
    Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on
    break")
    Fixes: 166ceb690750 ("USB: ftdi_sio: clean up line-status handling")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ddadbae79c32e5aea63ca8dc8d8ae28354e5401c
Author: Janosch Frank <frankja@linux.vnet.ibm.com>
Date:   Thu Feb 2 16:39:31 2017 +0100

    KVM: s390: Disable dirty log retrieval for UCONTROL guests
    
    commit e1e8a9624f7ba8ead4f056ff558ed070e86fa747 upstream.
    
    User controlled KVM guests do not support the dirty log, as they have
    no single gmap that we can check for changes.
    
    As they have no single gmap, kvm->arch.gmap is NULL and all further
    referencing to it for dirty checking will result in a NULL
    dereference.
    
    Let's return -EINVAL if a caller tries to sync dirty logs for a
    UCONTROL guest.
    
    Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
    
    Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
    Reported-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9279ffd6685cb8f0ba79451ed814d1f0fce1b9e8
Author: Ken Lin <yungching0725@gmail.com>
Date:   Sat Feb 4 04:00:24 2017 +0800

    USB: serial: cp210x: add new IDs for GE Bx50v3 boards
    
    commit 9a593656def0dc2f6c227851e8e602077267a5f1 upstream.
    
    Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design
    change.
    
    Signed-off-by: Ken Lin <yungching0725@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2da8304606559e18bc62fab22ef1f6f0fc0b86aa
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Fri Feb 3 20:25:00 2017 +0000

    serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    
    commit 1c9c858e2ff8ae8024a3d75d2ed080063af43754 upstream.
    
    The MKS Instruments SCOM-0800 and SCOM-0801 cards (originally by Tenta
    Technologies) are 3U CompactPCI serial cards with 4 and 8 serial ports,
    respectively.  The first 4 ports are implemented by an OX16PCI954 chip,
    and the second 4 ports are implemented by an OX16C954 chip on a local
    bus, bridged by the second PCI function of the OX16PCI954.  The ports
    are jumper-selectable as RS-232 and RS-422/485, and the UARTs use a
    non-standard oscillator frequency of 20 MHz (base_baud = 1250000).
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit db3f208f65d29d8195913aad3edfd7d48f22d6fb
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Feb 5 01:26:48 2017 -0500

    ext4: return EROFS if device is r/o and journal replay is needed
    
    commit 4753d8a24d4588657bc0a4cd66d4e282dff15c8c upstream.
    
    If the file system requires journal recovery, and the device is
    read-only, return EROFS to the mount system call.  This allows xfstests
    generic/050 to pass.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5093d3749646a6baf634a7f8b681ce4cd29e0525
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:38:06 2017 -0500

    ext4: preserve the needs_recovery flag when the journal is aborted
    
    commit 97abd7d4b5d9c48ec15c425485f054e1c15e591b upstream.
    
    If the journal is aborted, the needs_recovery feature flag should not
    be removed.  Otherwise, the journal might not get replayed and
    this could lead to more data getting lost.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 38b812d435a34e65a37edf7bb5d20b7ebdfdcf3c
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:14:19 2017 -0500

    jbd2: don't leak modified metadata buffers on an aborted journal
    
    commit e112666b4959b25a8552d63bc564e1059be703e8 upstream.
    
    If the journal has been aborted, we shouldn't mark the underlying
    buffer head as dirty, since that will cause the metadata block to get
    modified.  And if the journal has been aborted, we shouldn't allow
    this since it will almost certainly lead to a corrupted file system.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f5623c19f2928d78ad50fa13ac357106bb3d737a
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Feb 4 23:04:00 2017 -0500

    ext4: fix inline data error paths
    
    commit eb5efbcb762aee4b454b04f7115f73ccbcf8f0ef upstream.
    
    The write_end() function must always unlock the page and drop its ref
    count, even on an error.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ec6d08f3a2e9f2e3a177704ae79396d19fbbf8dd
Author: Nikola Pajkovsky <npajkovsky@suse.cz>
Date:   Tue Nov 15 09:47:49 2016 +0100

    x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
    
    commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream.
    
    commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed
    bad_dma_address variable and used instead of macro DMA_ERROR_CODE
    which is always zero. Since dma_addr is unsigned, the statement
    
       dma_addr >= DMA_ERROR_CODE
    
    is always true, and not needed.
    
    arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’:
    arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits]
      if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
    
    Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable")
    Signed-off-by: Nikola Pajkovsky <npajkovsky@suse.cz>
    Cc: iommu@lists.linux-foundation.org
    Cc: Jon Mason <jdmason@kudzu.us>
    Cc: Muli Ben-Yehuda <mulix@mulix.org>
    Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 0955e5f9cee020d9086b46e7c07ea62cc32908ab
Author: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Date:   Mon Nov 21 13:37:48 2016 +0100

    s390/qdio: clear DSCI prior to scanning multiple input queues
    
    commit 1e4a382fdc0ba8d1a85b758c0811de3a3631085e upstream.
    
    For devices with multiple input queues, tiqdio_call_inq_handlers()
    iterates over all input queues and clears the device's DSCI
    during each iteration. If the DSCI is re-armed during one
    of the later iterations, we therefore do not scan the previous
    queues again.
    The re-arming also raises a new adapter interrupt. But its
    handler does not trigger a rescan for the device, as the DSCI
    has already been erroneously cleared.
    This can result in queue stalls on devices with multiple
    input queues.
    
    Fix it by clearing the DSCI just once, prior to scanning the queues.
    
    As the code is moved in front of the loop, we also need to access
    the DSCI directly (ie irq->dsci) instead of going via each queue's
    parent pointer to the same irq. This is not a functional change,
    and a follow-up patch will clean up the other users.
    
    In practice, this bug only affects CQ-enabled HiperSockets devices,
    ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is
    needed for AF_IUCV socket applications that use HiperSockets
    communication.
    
    Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
    Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
    Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a49e4992461f70f340717a24f89b8e6ad8cf7965
Author: Colin Ian King <colin.king@canonical.com>
Date:   Thu Feb 2 11:51:48 2017 +0000

    usb: misc: adutux: remove redundant error check on copy_to_user return code
    
    commit 453785c64e090d9b4169636b7276fcd6d7489d33 upstream.
    
    The 2nd check for a non-zero return from copy_to_user is redundant as
    it has already been made a few lines earlier.  This check was made
    redundant because of previous fix to the copy_to_user error return
    check.
    
    Detected by CoverityScan, CID#114347 ("Logically Dead Code")
    
    Fixes: 1865a9c382ede ("USB: adutux: fix misuse of return value of copy_to_user()")
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a8f1e91ff57b0fbcbd9ca5da3531383b695c4748
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Jan 31 17:17:29 2017 +0100

    USB: serial: keyspan_pda: fix receive sanity checks
    
    commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream.
    
    Make sure to check for short transfers before parsing the receive buffer
    to avoid acting on stale data.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit fd4836902a552a0007d1f71abdf5153bfd4198ee
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Jan 31 17:17:28 2017 +0100

    USB: serial: digi_acceleport: fix incomplete rx sanity check
    
    commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream.
    
    Make sure the received data has the required headers before parsing it.
    
    Also drop the redundant urb-status check, which has already been handled
    by the caller.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9f3ee8e7560ba10edbe92e9f05bca7392f084edd
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Jan 31 17:17:27 2017 +0100

    USB: serial: digi_acceleport: fix OOB data sanity check
    
    commit 2d380889215fe20b8523345649dee0579821800c upstream.
    
    Make sure to check for short transfers to avoid underflow in a loop
    condition when parsing the receive buffer.
    
    Also fix an off-by-one error in the incomplete sanity check which could
    lead to invalid data being parsed.
    
    Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 8602693ae85ecaf5573b0d7a1a995d39bde215b7
Author: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Date:   Mon Dec 12 09:16:51 2016 -0200

    uvcvideo: Fix a wrong macro
    
    commit 17c341ec0115837a610b2da15e32546e26068234 upstream.
    
    Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes.
    
    Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc")
    
    Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@intel.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c83c9e0ba829ef77d9dc2df730e16b2457d3bdf7
Author: David Dillow <dillow@google.com>
Date:   Mon Jan 30 19:11:11 2017 -0800

    iommu/vt-d: Don't over-free page table directories
    
    commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.
    
    dma_pte_free_level() recurses down the IOMMU page tables and frees
    directory pages that are entirely contained in the given PFN range.
    Unfortunately, it incorrectly calculates the starting address covered
    by the PTE under consideration, which can lead to it clearing an entry
    that is still in use.
    
    This occurs if we have a scatterlist with an entry that has a length
    greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
    physical addresses. For example, if __domain_mapping() is asked to map a
    two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
    it will ask if dma_pte_free_pagetable() is asked to PFNs from
    0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
    0xffff80000 to 0xffff801ff because of this issue. The current code will
    set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
    the range being cleared. Properly setting the level_pfn for the current
    level under consideration catches that this PTE is outside of the range
    being cleared.
    
    This patch also changes the value passed into dma_pte_free_level() when
    it recurses. This only affects the first PTE of the range being cleared,
    and is handled by the existing code that ensures we start our cursor no
    lower than start_pfn.
    
    This was found when using dma_map_sg() to map large chunks of contiguous
    memory, which immediately led to faults on the first access of the
    erroneously-deleted mappings.
    
    Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
    Reviewed-by: Benjamin Serebrin <serebrin@google.com>
    Signed-off-by: David Dillow <dillow@google.com>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
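
The over-free described in the iommu/vt-d message above, worked through with its own PFN values as an added example (a user-space model, not the kernel's code or the patch itself). The function names, the 9-bit stride per level, and the reading that the miscalculated start is aligned to the next-lower level's span are assumptions; that reading reproduces the level_pfn value 0xffff80200 quoted in the message.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STRIDE_BITS 9   /* assumption: 512 entries per table page, 4 KiB PFNs */

/* PFNs spanned by one entry at `level` (level 1 = leaf, one PFN per entry). */
static uint64_t span_pfns(int level)
{
    return 1ULL << ((level - 1) * STRIDE_BITS);
}

/* First PFN of the span of the `level` entry that contains `pfn`. */
static uint64_t span_start(uint64_t pfn, int level)
{
    return pfn & ~(span_pfns(level) - 1);
}

struct verdict {
    uint64_t level_pfn;   /* start address the code believes the entry covers */
    uint64_t level_last;  /* last PFN it believes the entry covers */
    bool freed;           /* entry judged "entirely inside the freed range" */
};

/*
 * Decide whether the directory behind the `level` entry containing `pfn`
 * may be freed when [start_pfn, last_pfn] is being torn down.
 * fixed == false models the miscalculation (start aligned one level too low);
 * fixed == true aligns the start to the entry's real span.
 */
static struct verdict check_entry(int level, uint64_t pfn, uint64_t start_pfn,
                                  uint64_t last_pfn, bool fixed)
{
    struct verdict v;

    v.level_pfn = fixed ? span_start(pfn, level) : span_start(pfn, level - 1);
    v.level_last = v.level_pfn + span_pfns(level) - 1;
    v.freed = start_pfn <= v.level_pfn && last_pfn >= v.level_last;
    return v;
}

/* PFNs inside the entry's real span but outside the range being freed,
 * i.e. mappings that are still live when the directory is thrown away. */
static uint64_t live_pfns_lost(int level, uint64_t pfn, uint64_t start_pfn,
                               uint64_t last_pfn, bool fixed)
{
    struct verdict v = check_entry(level, pfn, start_pfn, last_pfn, fixed);
    uint64_t first = span_start(pfn, level);
    uint64_t last = first + span_pfns(level) - 1;
    uint64_t lost = 0;

    if (!v.freed)
        return 0;
    if (first < start_pfn)
        lost += start_pfn - first;
    if (last > last_pfn)
        lost += last - last_pfn;
    return lost;
}

int main(void)
{
    /* Values from the commit message: a 2 MB segment mapped at PFN
     * 0xffff80000, followed by a 1028 MB segment; the second is freed. */
    const uint64_t start = 0xffff80200ULL, last = 0xffffc05ffULL;
    const int level = 3;  /* each entry spans 0x40000 PFNs (1 GiB) */

    for (int fixed = 0; fixed <= 1; fixed++) {
        struct verdict v = check_entry(level, start, start, last, fixed);

        printf("%s: level_pfn=0x%" PRIx64 " level_last=0x%" PRIx64
               " freed=%d live PFNs lost=%" PRIu64 "\n",
               fixed ? "fixed" : "buggy", v.level_pfn, v.level_last,
               v.freed, live_pfns_lost(level, start, start, last, fixed));
    }
    return 0;
}
```

In the buggy case the 512 PFNs lost are exactly 0xffff80000 to 0xffff801ff, the 2 MB segment that the message says is incorrectly cleared.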

commit 2e938b88ceb5959f11f9320b49d109825511f9f7
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sat Jan 7 23:08:49 2017 -0200

    media: fix dm1105.c build error
    
    commit e3bb3cddd177550d63a3e4909cf1a7782f13414d upstream.
    
    Fix dm1105 build error when CONFIG_I2C_ALGOBIT=m and
    CONFIG_DVB_DM1105=y.
    
    drivers/built-in.o: In function `dm1105_probe':
    dm1105.c:(.text+0x2836e7): undefined reference to `i2c_bit_add_bus'
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: kbuild test robot <fengguang.wu@intel.com>
    Cc: Javier Martinez Canillas <javier@osg.samsung.com>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 4ef2fb46d3b27df1122b2bd6987a4fb687df2c8e
Author: Igor Pylypiv <igor.pylypiv@gmail.com>
Date:   Mon Jan 30 21:39:54 2017 -0800

    staging: wlan-ng: add missing byte order conversion
    
    commit 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 upstream.
    
    Conversion macros le16_to_cpu was removed and that caused new sparse warning
    
    sparse output:
    drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types)
    drivers/staging/wlan-ng/p80211netdev.c:241:44:    expected unsigned short [unsigned] [usertype] fc
    drivers/staging/wlan-ng/p80211netdev.c:241:44:    got restricted __le16 [usertype] fc
    
    Fixes: 7ad82572348c ("staging:wlan-ng:Fix sparse warning")
    Signed-off-by: Igor Pylypiv <igor.pylypiv@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit aecda4433fc07188722ed9c82da59b1dc7b473e6
Author: Rafał Miłecki <rafal@milecki.pl>
Date:   Sat Jan 28 14:31:22 2017 +0100

    bcma: use (get|put)_device when probing/removing device driver
    
    commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream.
    
    This allows tracking device state and e.g. makes devm work as expected.
    
    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit fbd638f72b48bb92fa472578bfc9c47e94d4bd64
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Tue Nov 29 09:23:48 2016 -0200

    adv7604: Initialize drive strength to default when using DT
    
    commit da8892d410db224d9a24104529794e6e37e0c100 upstream.
    
    The adv7604 driver platform data contains fields for configuring the drive
    strength of the output pins. When probing the driver through DT these
    fields are not explicitly initialized, which means they are left at 0. This
    is a reserved setting for the drive strength configuration though and can
    cause signal integrity issues.
    
    Whether these signal integrity issues are visible depends on the PCB
    specifics (e.g. the higher the load capacitance for the output the more
    visible the issue). But it has been observed on existing solutions at high
    pixel clock rates.
    
    Initialize the drive strength settings to the power-on-reset value of the
    device when probing through devicetree to avoid this issue.
    
    Fixes: 0e158be0162b ("adv7604: Add DT support")
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Tested-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9e81d29f18cabe9084578494ac6cb61dd40e7920
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Wed Jan 25 12:29:59 2017 +0000

    arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
    
    commit 8f36ebaf21fdae99c091c67e8b6fab33969f2667 upstream.
    
    When we fault in a page, we flush it to the PoC (Point of Coherency)
    if the faulting vcpu has its own caches off, so that it can observe
    the page we just brought it.
    
    But if the vcpu has its caches on, we skip that step. Bad things
    happen when *another* vcpu tries to access that page with its own
    caches disabled. At that point, there is no guarantee that the
    data has made it to the PoC, and we access stale data.
    
    The obvious fix is to always flush to PoC when a page is faulted
    in, no matter what the state of the vcpu is.
    
    Fixes: 2d58b733c876 ("arm64: KVM: force cache clean on page fault when caches are off")
    Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    [bwh: Backported to 3.16: conditions for flushing were simpler here]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 324b4fb18d8b08633fa109e9a9d4aba44af2ddb8
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jan 27 14:35:38 2017 -0500

    ext4: fix data corruption in data=journal mode
    
    commit 3b136499e906460919f0d21a49db1aaccf0ae963 upstream.
    
    ext4_journalled_write_end() did not properly handle all the cases when
    generic_perform_write() did not copy all the data into the target page
    and could mark buffers with uninitialized contents as uptodate and dirty
    leading to possible data corruption (which would be quickly fixed by
    generic_perform_write() retrying the write but still). Fix the problem
    by carefully handling the case when the page that is written to is not
    uptodate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit dabb07246427d46ece1a68a02e0e67fbb46e53fa
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Oct 15 10:29:05 2015 -0400

    ext4: use private version of page_zero_new_buffers() for data=journal mode
    
    commit b90197b655185a11640cce3a0a0bc5d8291b8ad2 upstream.
    
    If there is an error while copying data from userspace into the page
    cache during a write(2) system call, in data=journal mode, in
    ext4_journalled_write_end() were using page_zero_new_buffers() from
    fs/buffer.c.  Unfortunately, this sets the buffer dirty flag, which is
    no good if journalling is enabled.  This is a long-standing bug that
    goes back for years and years in ext3, but a combination of (a)
    data=journal not being very common, (b) in many cases it only results
    in a warning message, and (c) only very rarely causes the kernel to hang,
    means that we only really noticed this as a problem when commit
    998ef75ddb caused this failure to happen frequently enough to cause
    generic/208 to fail when run in data=journal mode.
    
    The fix is to have our own version of this function that doesn't call
    mark_dirty_buffer(), since we will end up calling
    ext4_handle_dirty_metadata() on the buffer head(s) in question very
    shortly afterwards in ext4_journalled_write_end().
    
    Thanks to Dave Hansen and Linus Torvalds for helping to identify the
    root cause of the problem.
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Reviewed-by: Jan Kara <jack@suse.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 37cf4ab1ba60c30ca9fd0fe3b9993b24cb87886a
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jan 27 14:34:30 2017 -0500

    ext4: trim allocation requests to group size
    
    commit cd648b8a8fd5071d232242d5ee7ee3c0815776af upstream.
    
    If filesystem groups are artificially small (using parameter -g to
    mkfs.ext4), ext4_mb_normalize_request() can result in a request that is
    larger than a block group. Trim the request size to not confuse
    allocation code.
    
    Reported-by: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 71e91ff669a8001575b6d3b8aac690f4e7083535
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Jan 25 15:33:44 2017 -0500

    drm/radeon: handle vfct with multiple vbios images
    
    commit a882f5de402ded769af74fbf276132f9c175049c upstream.
    
    The vfct table can contain multiple vbios images if the
    platform contains multiple GPUs. Noticed by netkas on
    phoronix forums.  This patch fixes those platforms.
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ac274045c6079cd22524e56ed46620d37e9e19ee
Author: Martin Kaiser <martin@kaiser.cx>
Date:   Wed Jan 25 22:42:25 2017 +0100

    clk: samsung: mark s3c...._clk_sleep_init() as __init
    
    commit 02c952c8f95fd0adf1835704db95215f57cfc8e6 upstream.
    
    These functions are referencing s3c...._clk_regs[], which are marked as
    __initdata. When compiling with CONFIG_DEBUG_SECTION_MISMATCH=y, this
    produces warnings like
    
    WARNING: vmlinux.o(.text+0x198350):
    Section mismatch in reference from the function s3c2410_clk_sleep_init()
    to the (unknown reference) .init.data:(unknown)
    
    Mark the s3c...._clk_sleep_init() functions as __init in
    order to fix this.
    
    Fixes: ca2e90ac1809 ("clk: samsung: add clock controller driver for s3c2412")
    Signed-off-by: Martin Kaiser <martin@kaiser.cx>
    Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
    Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 30d833f2faea08e7d265894e9aa135c3e15562c3
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Wed Jan 25 17:21:31 2017 +0900

    drm/ttm: Make sure BOs being swapped out are cacheable
    
    commit 239ac65fa5ffab71adf66e642750f940e7241d99 upstream.
    
    The current caching state may not be tt_cached, even though the
    placement contains TTM_PL_FLAG_CACHED, because placement can contain
    multiple caching flags. Trying to swap out such a BO would trip up the
    
            BUG_ON(ttm->caching_state != tt_cached);
    
    in ttm_tt_swapout.
    
    Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
    Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>.
    Reviewed-by: Sinclair Yeh <syeh@vmware.com>
    Signed-off-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 456bf0f6b930f182614231efa0e94cdf6c027efa
Author: Leo Yan <leo.yan@linaro.org>
Date:   Sat Jan 21 10:26:31 2017 +0800

    clk: hisilicon: fix lock assignment
    
    commit 55da97e38cab844682abb71400a908b871d0054c upstream.
    
    In clock driver initialize phase the spinlock is missed to assignment
    to struct clkgate_separated, finally there have no locking to protect
    exclusive accessing for clock registers.
    
    This bug introduces the console has no output after enable coresight
    driver on 96boards Hikey; this is because console using UART3, which
    has shared the same register with coresight clock enabling bit. After
    applied this patch it can assign lock properly to protect exclusive
    accessing, and console can work well after enabled coresight modules.
    
    Fixes: 0aa0c95f743a ("clk: hisilicon: add common clock support")
    Signed-off-by: Leo Yan <leo.yan@linaro.org>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 646fe8e6b3f4ed3b2e31f52a0d7cc8e516fab27f
Author: Kirtika Ruchandani <kirtika.ruchandani@gmail.com>
Date:   Tue Nov 8 21:50:33 2016 -0800

    iwlwifi: mvm: rs: Remove unused 'mcs' variable
    
    commit 9d50443575fa379c3c72848162af1375a4d43b50 upstream.
    
    Commit 5fc0f76c4 introduced Rx stats from debugfs, the function
    iwl_mvm_reset_frame_stats from that commit defines and sets mcs but
    does not use it. Compiling iwlwifi with W=1 gives this warning -
    
    iwlwifi/mvm/rs.c: In function ‘iwl_mvm_update_frame_stats’:
    iwlwifi/mvm/rs.c:3074:14: warning: variable ‘mcs’ set but not used [-Wunused-but-set-variable]
    
    Fixes: 5fc0f76c43bd (iwlwifi: mvm: add Rx frames statistics via debugfs)
    Signed-off-by: Kirtika Ruchandani <kirtika@google.com>
    Cc: Eyal Shapira <eyal@wizery.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 51cbf87a7733e641367882f7c81101a08b5b666b
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Jan 25 15:35:20 2017 +0100

    USB: serial: ftdi_sio: fix extreme low-latency setting
    
    commit c6dce2626606ef16434802989466636bc28c1419 upstream.
    
    Since commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
    flag") the FTDI driver has been using a receive latency-timer value of
    1 ms instead of the device default of 16 ms.
    
    The latency timer is used to periodically empty a non-full receive
    buffer, but a status header is always sent when the timer expires
    including when the buffer is empty. This means that a two-byte bulk
    message is received every millisecond also for an otherwise idle port as
    long as it is open.
    
    Let's restore the pre-2009 behaviour which reduces the rate of the
    status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
    62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.
    
    Anyone willing to pay the price for the minimum-latency behaviour should
    set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
    such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).
    
    Note that since commit 0cbd81a9f6ba ("USB: ftdi_sio: remove
    tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
    to set a minimal latency timer.
    
    Reported-by: Antoine Aubert <a.aubert@overkiz.com>
    Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ea96a14de109fff7a5a7b765f10813c57596c124
Author: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Date:   Sat Jan 21 23:50:18 2017 +0100

    w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
    
    commit d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a upstream.
    
    Near the beginning of w1_attach_slave_device() we increment a w1 master
    reference count.
    Later, when we are going to exit this function without actually attaching
    a slave device (due to failure of __w1_attach_slave_device()) we need to
    decrement this reference count back.
    
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    Fixes: 9fcbbac5ded489 ("w1: process w1 netlink commands in w1_process thread")
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 855a14e9c299302431f83d0ecea679d620a75ef9
Author: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Date:   Wed Jan 18 21:31:11 2017 +0100

    w1: ds2490: USB transfer buffers need to be DMAable
    
    commit 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 upstream.
    
    ds2490 driver was doing USB transfers from / to buffers on a stack.
    This is not permitted and made the driver non-working with vmapped stacks.
    
    Since all these transfers are done under the same bus_mutex lock we can
    simply use shared buffers in a device private structure for two most common
    of them.
    
    While we are at it, let's also fix a comparison between int and size_t in
    ds9490r_search() which made the driver spin in this function if state
    register get requests were failing.
    
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: old code was using printk() directly]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c55e3abb17f6e0ef091189eb285fa680cf2937bf
Author: Alexander Stein <alexanders83@web.de>
Date:   Sat Oct 25 14:26:13 2014 +0200

    W1: ds2490: Increase timeout when waiting for status
    
    commit d25221525e0e2cfd70e4ec7216549c06609a8bd2 upstream.
    
    Adjust the bulk message timeout to the other ones (1000ms). Otherwise the
    following dmesg errors can be seen on a Raspberry Pi:
    [   31.492386] Failed to read 1-wire data from 0x81: err=-110.
    [   31.504168] 0x81: count=-110, status:
    [   31.613404] Failed to read 1-wire data from 0x81: err=-110.
    [   31.621915] 0x81: count=-110, status:
    [   43.260968] Failed to read 1-wire data from 0x81: err=-110.
    [   43.270998] 0x81: count=-110, status:
    [   43.379959] Failed to read 1-wire data from 0x81: err=-110.
    [   43.388854] 0x81: count=-110, status:
    
    Signed-off-by: Alexander Stein <alexanders83@web.de>
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3d11f888303e338f2205e75de03db4c9d0ec8b97
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue Jan 17 16:18:37 2017 +0100

    MIPS: 'make -s' should be silent
    
    commit 8c9b23ffb3f92ffa4cbe37b1bab4542586e0bfd1 upstream.
    
    A clean mips64 build produces no output except for two lines:
    
      Checking missing-syscalls for N32
      Checking missing-syscalls for O32
    
    On other architectures, there is no output at all, so let's do the
    same here for the sake of build testing. The 'kecho' macro is used
    to print the message on a normal build but skip it with 'make -s'.
    
    Fixes: e48ce6b8df5b ("[MIPS] Simplify missing-syscalls for N32 and O32")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Paul Burton <paul.burton@imgtec.com>
    Cc: Matt Redfearn <matt.redfearn@imgtec.com>
    Cc: Huacai Chen <chenhc@lemote.com>
    Cc: Maarten ter Huurne <maarten@treewalker.org>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/15040/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7b5817de9af7af35b3ad7ca0a25ee675e06e956b
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:29 2017 +0100

    usb: gadget: f_hid: Use spinlock instead of mutex
    
    commit 33e4c1a9987a1fc3b42c3b534100b5b006d55c61 upstream.
    
    As IN request has to be allocated in set_alt() and released in
    disable() we cannot use mutex to protect it as we cannot sleep
    in those functions. Let's replace this mutex with a spinlock.
    
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 4911f4c18cd4ea4c92ea93054be7718cbe782a83
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:28 2017 +0100

    usb: gadget: f_hid: fix: Prevent accessing released memory
    
    commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream.
    
    When we unlock our spinlock to copy data to user we may get
    disabled by USB host and free the whole list of completed out
    requests including the one from which we are copying the data
    to user memory.
    
    To prevent from this let's remove our working element from
    the list and place it back only if there is sth left when we
    finish with it.
    
    Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6ecc5f5c51495015598cb9df04863bc0afbccd99
Author: Krzysztof Opasiak <kopasiak90@gmail.com>
Date:   Thu Jan 19 18:55:27 2017 +0100

    usb: gadget: f_hid: fix: Free out requests
    
    commit 20d2ca955bd09639c7b01db5761d157c297aea0a upstream.
    
    Requests for out endpoint are allocated in bind() function
    but never released.
    
    This commit ensures that all pending requests are released
    when we disable out endpoint.
    
    Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
    Tested-by: David Lechner <david@lechnology.com>
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 208542e4fa72989bfa62199b73cd81f2048da983
Author: Felipe F. Tonello <eu@felipetonello.com>
Date:   Tue Nov 10 17:52:05 2015 +0000

    usb: gadget: define free_ep_req as universal function
    
    commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 upstream.
    
    This function is shared between gadget functions, so this avoids unnecessary
    duplicated code and potentially avoids memory leaks.
    
    Reviewed-by: Robert Baldyga <r.baldyga@samsung.com>
    Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    [bwh: Backported to 3.16: adjust filenames]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 926a81d63fd412a2866b41934903c20ec0d486bf
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date:   Thu Jan 19 13:38:42 2017 +0200

    usb: dwc3: gadget: skip Set/Clear Halt when invalid
    
    commit ffb80fc672c3a7b6afd0cefcb1524fb99917b2f3 upstream.
    
    At least macOS seems to be sending
    ClearFeature(ENDPOINT_HALT) to endpoints which
    aren't Halted. This makes DWC3's CLEARSTALL command
    time out which causes several issues for the driver.
    
    Instead, let's just return 0 and bail out early.
    
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 15367f1059f9e2831e56cb5a01fd6beaed334fb1
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:54 2017 -0800

    power: supply: bq24190_charger: Handle fault before status on interrupt
    
    commit ba52e75718784fda1b683ee0bfded72a0b83b047 upstream.
    
    Reading both fault and status registers and logging any fault should
    take priority over handling status register update.
    
    Fix by moving the status handling to later in interrupt routine.
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 57ab80e6f5a605910c402a416822c33f82eeb986
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:53 2017 -0800

    power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread()
    
    commit 68abfb8015832ddf728b911769659468efaf8bd9 upstream.
    
    Caching the fault register after a single I2C read may not keep an accurate
    value.
    
    Fix by doing two reads in irq_handle_thread() and using the cached value
    elsewhere. If a safety timer fault later clears itself, we apparently don't get
    an interrupt (INT), however other interrupts would refresh the register cache.
    
    From the data sheet: "When a fault occurs, the charger device sends out INT
     and keeps the fault state in REG09 until the host reads the fault register.
     Before the host reads REG09 and all the faults are cleared, the charger
     device would not send any INT upon new faults. In order to read the
     current fault status, the host has to read REG09 two times consecutively.
     The 1st reads fault register status from the last read [1] and the 2nd reads
     the current fault register status."
    
    [1] presumably a typo; should be "last fault"
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 167dc75c2faf2a8b237d44de1d1770e59602c382
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:52 2017 -0800

    power: supply: bq24190_charger: Call power_supply_changed() for relevant component
    
    commit 2d9fee6a42ea170e4378b3363a7ad385d0e67281 upstream.
    
    We wrongly get uevents for bq24190-charger and bq24190-battery on every
    register change.
    
    Fix by checking the association with charger and battery before
    emitting uevent(s).
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d3b941b0085e560e1c522d920646833bf96d6606
Author: Thomas Elste <thomas.elste@imms.de>
Date:   Thu May 28 11:05:32 2015 +0200

    power: bq24190_charger: Change first_time flag reset condition
    
    commit cd054ee16580690830297dbda0abe9c184276d6a upstream.
    
    The initial register reset of BQ24190 generates a charger status change
    whose propagation via power_supply_changed is prevented using a flag.
    This flag never gets reset so all following events are ignored as well
    leading for example to userspace not detecting charger connects/disconnects.
    
    Therefore change the reset condition of first_time flag, so only the
    propagation of the first charger status change is prevented.
    
    Signed-off-by: Thomas Elste <thomas.elste@imms.de>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ebe8733e605cfbac3efa7c68e9fa3c13190ca628
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:50 2017 -0800

    power: supply: bq24190_charger: Install irq_handler_thread() at end of probe()
    
    commit d62acc5ef0621463446091ebd7a345e06e9ab80c upstream.
    
    The device specific data is not fully initialized on
    request_threaded_irq(). This may cause a crash when the IRQ handler
    tries to reference them.
    
    Fix the issue by installing IRQ handler at the end of the probe.
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename, context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit cddddea5a5ddae7cd61b54de55f91b3668c10eca
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:49 2017 -0800

    power: supply: bq24190_charger: Call set_mode_host() on pm_resume()
    
    commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream.
    
    pm_resume() does a register_reset() which clears charger host mode.
    
    Fix by calling set_mode_host() after the reset.
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 42a0e17be3a9c976c085b23271fa1bc7b37439ba
Author: Liam Breck <liam@networkimprov.net>
Date:   Wed Jan 18 09:26:48 2017 -0800

    power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING
    
    commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream.
    
    The interrupt signal is TRIGGER_FALLING. This is specified in the
    data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us
    pulse to host to report charger device status and fault."
    
    Also the direction can be seen in the data sheet Figure 37 "BQ24190
    with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k
    pull-up resistor installed for the sample configurations.
    
    Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
    Signed-off-by: Liam Breck <kernel@networkimprov.net>
    Acked-by: Mark Greer <mgreer@animalcreek.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 85edb87c082d9e0f42d874610c68e7c3003c9870
Author: Omar Sandoval <osandov@fb.com>
Date:   Wed Jan 18 11:55:22 2017 -0800

    sbitmap: fix wakeup hang after sbq resize
    
    commit 6c0ca7ae292adea09b8bdd33a524bb9326c3e989 upstream.
    
    When we resize a struct sbitmap_queue, we update the wakeup batch size,
    but we don't update the wait count in the struct sbq_wait_states. If we
    resized down from a size which could use a bigger batch size, these
    counts could be too large and cause us to miss necessary wakeups. To fix
    this, update the wait counts when we resize (ensuring some careful
    memory ordering so that it's safe w.r.t. concurrent clears).
    
    This also fixes a theoretical issue where two threads could end up
    bumping the wait count up by the batch size, which could also
    potentially lead to hangs.
    
    Reported-by: Martin Raiber <martin@urbackup.org>
    Fixes: e3a2b3f931f5 ("blk-mq: allow changing of queue depth through sysfs")
    Fixes: 2971c35f3588 ("blk-mq: bitmap tag: fix race on blk_mq_bitmap_tags::wake_cnt")
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    [bwh: Backported to 3.16:
     - Adjust filename
     - Rename almost everything
     - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit eb7175dd1c6f0713d4312e745103354bb0abaed5
Author: Bart Van Assche <bvanassche@acm.org>
Date:   Tue Oct 7 08:45:21 2014 -0600

    blk-mq: Make bt_clear_tag() easier to read
    
    commit 9d8f0bcca6ffa024a822ce4ab1008ab663f06672 upstream.
    
    Eliminate a backwards goto statement from bt_clear_tag().
    
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2b39b5fe359bd353afbfca6c921567a964d18b11
Author: Brian Norris <briannorris@chromium.org>
Date:   Mon Jan 9 15:33:50 2017 -0800

    mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
    
    commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream.
    
    Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
    SSIDs"), we failed to account for the existence of 32-char SSIDs in our
    debugfs code. Unlike in that case though, we zeroed out the containing
    struct first, and I'm pretty sure we're guaranteed to have some padding
    after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
    long).
    
    So, this is the difference between:
    
      # cat /sys/kernel/debug/mwifiex/mlan0/info
      ...
      essid="0123456789abcdef0123456789abcdef "
      ...
    
    and the correct output:
    
      # cat /sys/kernel/debug/mwifiex/mlan0/info
      ...
      essid="0123456789abcdef0123456789abcdef"
      ...
    
    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 132c1a897d833a1ca807d78d2e1f37b39048125f
Author: Michael Petlan <mpetlan@redhat.com>
Date:   Fri Jan 13 10:06:52 2017 -0500

    perf script: Fix man page about --dump-raw-trace option
    
    commit 5c64f99b1d030ce52acce53d83141d88f79e6362 upstream.
    
    The "--dump-raw-script" is not a valid option, replace it with the valid
    one, "--dump-raw-trace"
    
    Signed-off-by: Michael Petlan <mpetlan@redhat.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 133dc4c39c57 ("perf: Rename 'perf trace' to 'perf script'")
    LPU-Reference: 728644547.14560155.1484320012612.JavaMail.zimbra@redhat.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 71ea64ad6469ab2148a964eaa83d39e0a0e661ef
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Jan 11 15:53:08 2017 +0100

    staging: rtl: fix possible NULL pointer dereference
    
    commit 6e017006022abfea5d2466cad936065f45763ad1 upstream.
    
    gcc-7 detects that wlanhdr_to_ethhdr() in two drivers calls memcpy() with
    a destination argument that an earlier function call may have set to NULL:
    
    staging/rtl8188eu/core/rtw_recv.c: In function 'wlanhdr_to_ethhdr':
    staging/rtl8188eu/core/rtw_recv.c:1318:2: warning: argument 1 null where non-null expected [-Wnonnull]
    staging/rtl8712/rtl871x_recv.c: In function 'r8712_wlanhdr_to_ethhdr':
    staging/rtl8712/rtl871x_recv.c:649:2: warning: argument 1 null where non-null expected [-Wnonnull]
    
    I'm fixing this by adding a NULL pointer check and returning failure
    from the function, which is hopefully already handled properly.
    
    This seems to date back to when the drivers were originally added,
    so backporting the fix to stable seems appropriate. There are other
    related realtek drivers in the kernel, but none of them contain a
    function with a similar name or produce this warning.
    
    Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5")
    Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 2dec3582d9bb1abeee1e21c598625014c8ceb373
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Jan 13 13:21:08 2017 +0100

    USB: serial: opticon: fix CTS retrieval at open
    
    commit 2eee05020a0e7ee7c04422cbacdb07859e45dce6 upstream.
    
    The opticon driver used a control request at open to trigger a CTS
    status notification to be sent over the bulk-in pipe. When the driver
    was converted to using the generic read implementation, an inverted test
    prevented this request from being sent, something which could lead to
    TIOCMGET reporting an incorrect CTS state.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Fixes: 7a6ee2b02751 ("USB: opticon: switch to generic read
    implementation")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9d4e68f7f123796024ffdd2e427bdf6c95c0a8e1
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:23 2017 +0100

    USB: serial: ti_usb_3410_5052: fix control-message error handling
    
    commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream.
    
    Make sure to detect and return an error on zero-length control-message
    transfers when reading from the device.
    
    This addresses a potential failure to detect an empty transmit buffer
    during close.
    
    Also remove a redundant check for short transfer when sending a command.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 388804f984f5997b4585fe05f84217f49b7f0aeb
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:22 2017 +0100

    USB: serial: ssu100: fix control-message error handling
    
    commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream.
    
    Make sure to detect short control-message transfers rather than continue
    with zero-initialised data when retrieving modem status and during
    device initialisation.
    
    Fixes: 52af95459939 ("USB: add USB serial ssu100 driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3de067ff176f7b3a7c796fd1b9697b9ae9f0a3ea
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:21 2017 +0100

    USB: serial: spcp8x5: fix modem-status handling
    
    commit 5ed8d41023751bdd3546f2fe4118304357efe8d2 upstream.
    
    Make sure to detect short control transfers and return zero on success
    when retrieving the modem status.
    
    This fixes the TIOCMGET implementation which since e1ed212d8593 ("USB:
    spcp8x5: add proper modem-status support") has returned TIOCM_LE on
    successful retrieval, and avoids leaking bits from the stack on short
    transfers.
    
    This also fixes the carrier-detect implementation which since the above
    mentioned commit unconditionally has returned true.
    
    Fixes: e1ed212d8593 ("USB: spcp8x5: add proper modem-status support")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b56ba7f116b55f72aae04e5b45606b03a7cf7efa
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:20 2017 +0100

    USB: serial: quatech2: fix control-message error handling
    
    commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream.
    
    Make sure to detect short control-message transfers when fetching
    modem and line state in open and when retrieving registers.
    
    This specifically makes sure that an errno is returned to user space on
    errors in TIOCMGET instead of a zero bitmask.
    
    Also drop the unused getdevice function which also lacked appropriate
    error handling.
    
    Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a803f361ed935517a4ae5d4446a27c3947a94fc7
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:16 2017 +0100

    USB: serial: mct_u232: fix modem-status error handling
    
    commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream.
    
    Make sure to detect short control-message transfers so that errors are
    logged when reading the modem status at open.
    
    Note that while this also avoids initialising the modem status using
    uninitialised heap data, these bits could not leak to user space as they
    are currently not used.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3991ddbe8f9947b35dc0ae13e9aaa9a1dc02e66f
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:14 2017 +0100

    USB: serial: io_edgeport: fix descriptor error handling
    
    commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream.
    
    Make sure to detect short control-message transfers and log an error
    when reading incomplete manufacturer and boot descriptors.
    
    Note that the default all-zero descriptors will now be used after a
    short transfer is detected instead of partially initialised ones.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9da745c8baaa290057854610c8de562103f41684
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:13 2017 +0100

    USB: serial: io_edgeport: fix epic-descriptor handling
    
    commit e4457d9798adb96272468e93da663de9bd0a4198 upstream.
    
    Use a dedicated buffer for the DMA transfer and make sure to detect
    short transfers to avoid parsing a corrupt descriptor.
    
    Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 162adb8bbd2015b11fb4d3bf346dd97ba1c14f85
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:12 2017 +0100

    USB: serial: ftdi_sio: fix latency-timer error handling
    
    commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream.
    
    Make sure to detect short responses when reading the latency timer to
    avoid using stale buffer data.
    
    Note that no heap data would currently leak through sysfs as
    ASYNC_LOW_LATENCY is set by default.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d7523707720878514cc6c063f74338628dc7ad5f
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:11 2017 +0100

    USB: serial: ftdi_sio: fix modem-status error handling
    
    commit 427c3a95e3e29e65f59d99aaf320d7506f3eed57 upstream.
    
    Make sure to detect short responses when fetching the modem status in
    order to avoid parsing uninitialised buffer data and having bits of it
    leak to user space.
    
    Note that we still allow for short 1-byte responses.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c268b28c992da71e57665556c4a29b8de5defb68
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:10 2017 +0100

    USB: serial: ark3116: fix open error handling
    
    commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream.
    
    Fix open error handling which failed to detect errors when reading the
    MSR and LSR registers, something which could lead to the shadow
    registers being initialised from errnos.
    
    Note that calling the generic close implementation is sufficient in the
    error paths as the interrupt urb has not yet been submitted and the
    register updates have not been made.
    
    Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
    and add close and release functions.")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 465801e7958b43aa36c4d5500aa7a63d314724a4
Author: Johan Hovold <johan@kernel.org>
Date:   Thu Jan 12 14:56:09 2017 +0100

    USB: serial: ark3116: fix register-accessor error handling
    
    commit 9fef37d7cf170522fb354d6d0ea6de09b9b16678 upstream.
    
    The current implementation failed to detect short transfers, something
    which could lead to bits of the uninitialised heap transfer buffer
    leaking to user space.
    
    Fixes: 149fc791a452 ("USB: ark3116: Setup some basic infrastructure for
    new ark3116 driver.")
    Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
    and add close and release functions.")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
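
Added example, not code from these commits or from the kernel tree: the short-transfer check that the USB serial fixes above describe, shown as an unchecked accessor beside a checked one. `fake_dev`, `fake_control_read()`, the `STALE` fill byte, the two-byte status register and the choice of -EIO for a short read are all assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker for leftover heap contents */

/* Hypothetical stand-in for a USB control read. */
struct fake_dev {
	const uint8_t *reply; /* bytes the device would send */
	int avail;            /* how many of them it actually sends */
	int err;              /* negative errno for a failed transfer, else 0 */
};

/* Returns bytes transferred (possibly fewer than size) or a negative errno. */
static int fake_control_read(const struct fake_dev *dev, uint8_t *buf, int size)
{
	int n;

	if (dev->err)
		return dev->err;
	n = dev->avail < size ? dev->avail : size;
	memcpy(buf, dev->reply, (size_t)n);
	return n;
}

/* Models a heap transfer buffer that still holds old data. */
static uint8_t *alloc_transfer_buf(size_t size)
{
	uint8_t *buf = malloc(size);

	if (buf)
		memset(buf, STALE, size);
	return buf;
}

/* Before: only a negative return counts as failure, so a short transfer
 * lets stale buffer bytes flow into the reported status. */
static int read_status_unchecked(const struct fake_dev *dev, uint16_t *status)
{
	uint8_t *buf = alloc_transfer_buf(2);
	int ret;

	if (!buf)
		return -ENOMEM;
	ret = fake_control_read(dev, buf, 2);
	if (ret < 0) {
		free(buf);
		return ret;
	}
	*status = (uint16_t)(buf[0] | (buf[1] << 8)); /* buf[1] may be stale */
	free(buf);
	return 0;
}

/* After: anything shorter than the expected length is an error and the
 * caller's status is left untouched. */
static int read_status_checked(const struct fake_dev *dev, uint16_t *status)
{
	uint8_t *buf = alloc_transfer_buf(2);
	int ret;

	if (!buf)
		return -ENOMEM;
	ret = fake_control_read(dev, buf, 2);
	if (ret < 2) {
		if (ret >= 0)
			ret = -EIO; /* short transfer: report I/O error */
		free(buf);
		return ret;
	}
	*status = (uint16_t)(buf[0] | (buf[1] << 8));
	free(buf);
	return 0;
}

/* Runs one constructed case; returns the status on success or the errno. */
int read_case(int avail, int err, int checked)
{
	static const uint8_t reply[2] = { 0x11, 0x80 }; /* constructed reply */
	struct fake_dev dev = { reply, avail, err };
	uint16_t status = 0;
	int ret = checked ? read_status_checked(&dev, &status)
			  : read_status_unchecked(&dev, &status);

	return ret < 0 ? ret : status;
}

int main(void)
{
	printf("full read, unchecked:  %#x\n", read_case(2, 0, 0));
	printf("short read, unchecked: %#x\n", read_case(1, 0, 0));
	printf("short read, checked:   %d\n", read_case(1, 0, 1));
	printf("timeout, checked:      %d\n", read_case(0, -ETIMEDOUT, 1));
	return 0;
}
```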

commit ff3d3ee624f21665959621d41959257261698bf9
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Jan 6 19:15:17 2017 +0100

    USB: serial: ch341: fix modem-status handling
    
    commit a0467a967f347842b30739aae636c44980265265 upstream.
    
    The modem-status register was read as part of device configuration at
    port_probe and then again at open (and reset-resume). During open (and
    reset-resume) the MSR was read before submitting the interrupt URB,
    something which could lead to an MSR-change going unnoticed when it
    races with open (reset-resume).
    
    Fix this by dropping the redundant reconfiguration of the port at every
    open, and only read the MSR after the interrupt URB has been submitted.
    
    Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 4675edf4758da56a31fb254e7648d132dd37441a
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Dec 1 11:47:04 2016 +0000

    locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER
    
    commit af2e859edd477fa1ea3d1d106f41a595cff3d162 upstream.
    
    From conflicting macro parameters, passing the wrong name to
    __MUTEX_INITIALIZER and a stray '\', #define __WW_MUTEX_INITIALIZER was
    very unhappy.
    
    One unnecessary change was to choose to pass &ww_class instead of
    implicitly taking the address of the class within the macro.
    
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 1b375dc30710 ("mutex: Move ww_mutex definitions to ww_mutex.h")
    Link: http://lkml.kernel.org/r/20161201114711.28697-2-chris@chris-wilson.co.uk
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 08c44057825f5845ce1a2b8121753f73027ba133
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:28 2016 +0200

    IB/ipoib: Change list_del to list_del_init in the tx object
    
    commit 27d41d29c7f093f6f77843624fbb080c1b4a8b9c upstream.
    
    Since ipoib_cm_tx_start function and ipoib_cm_tx_reap function
    belong to different work queues, they can run in parallel.
    In this case if ipoib_cm_tx_reap calls list_del and releases the
    lock, ipoib_cm_tx_start may acquire it and call list_del_init
    on the already deleted object.
    Changing list_del to list_del_init in ipoib_cm_tx_reap fixes the problem.
    
    Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Reviewed-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 967236f84f585d2f48b4001f21a59c3e69f46965
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:27 2016 +0200

    IB/ipoib: Replace list_del of the neigh->list with list_del_init
    
    commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 upstream.
    
    In order to resolve a situation where a few processes delete
    the same list element in sequence and cause panic, list_del
    is replaced with list_del_init. In this case if the first
    process that calls list_del releases the lock before acquiring
    it again, other processes who can acquire the lock will call
    list_del_init.
    
    Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup")
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Reviewed-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
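
Added example, not code from these commits or from the kernel tree: a user-space model of why the two IB/ipoib changes above swap list_del for list_del_init when a second code path may remove the same entry. The list helpers are re-implemented here, the poison constants are constructed stand-ins for the kernel's LIST_POISON values, and `remove_twice()` is a hypothetical harness.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head {
	struct list_head *next, *prev;
};

/* Constructed poison values standing in for LIST_POISON1/LIST_POISON2. */
#define POISON_NEXT ((struct list_head *)0x100)
#define POISON_PREV ((struct list_head *)0x200)

static void list_init(struct list_head *h)
{
	h->next = h;
	h->prev = h;
}

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Writes through both neighbour pointers of the entry. */
static void unlink_entry(struct list_head *e)
{
	e->next->prev = e->prev;
	e->prev->next = e->next;
}

/* list_del() semantics: unlink, then poison the entry's pointers. */
static void list_del(struct list_head *e)
{
	unlink_entry(e);
	e->next = POISON_NEXT;
	e->prev = POISON_PREV;
}

/* list_del_init() semantics: unlink, then make the entry point at itself. */
static void list_del_init(struct list_head *e)
{
	unlink_entry(e);
	list_init(e);
}

static int list_len(const struct list_head *head)
{
	const struct list_head *p;
	int n = 0;

	for (p = head->next; p != head; p = p->next)
		n++;
	return n;
}

/*
 * The first path removes entry b with list_del() (before the fix) or
 * list_del_init() (after the fix); a second path then calls
 * list_del_init() on the same entry. Returns the remaining list length,
 * or -1 if the second removal would write through a poisoned pointer,
 * which is where the kernel would panic.
 */
int remove_twice(int first_uses_del_init)
{
	struct list_head head, a, b, c;

	list_init(&head);
	list_add_tail(&a, &head);
	list_add_tail(&b, &head);
	list_add_tail(&c, &head);

	if (first_uses_del_init)
		list_del_init(&b);
	else
		list_del(&b);

	if (b.next == POISON_NEXT || b.prev == POISON_PREV)
		return -1; /* do not dereference poison in this model */

	list_del_init(&b); /* harmless: b only points at itself */
	return list_len(&head);
}

int main(void)
{
	printf("list_del then list_del_init:      %d\n", remove_twice(0));
	printf("list_del_init then list_del_init: %d\n", remove_twice(1));
	return 0;
}
```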

commit 14ae60fd3722b7b1196fe3d40df5e0b9dc83ec1a
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:24 2016 +0200

    IB/ipoib: rtnl_unlock can not come after free_netdev
    
    commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 upstream.
    
    The ipoib_vlan_add function calls rtnl_unlock after free_netdev,
    rtnl_unlock not only releases the lock, but also calls netdev_run_todo.
    The latter function browses the net_todo_list array and completes the
    unregistration of all its net_device instances. If we call free_netdev
    before rtnl_unlock, then netdev_run_todo call over the freed device causes
    panic.
    To fix, move rtnl_unlock call before free_netdev call.
    
    Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
    Cc: Or Gerlitz <ogerlitz@mellanox.com>
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit aeec470b3513ef30040fe68372b4fae76089cb7b
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:23 2016 +0200

    IB/ipoib: Fix deadlock between rmmod and set_mode
    
    commit 0a0007f28304cb9fc87809c86abb80ec71317f20 upstream.
    
    When calling set_mode from sys/fs, the call flow locks the sys/fs lock
    first and then tries to lock rtnl_lock (when calling ipoib_set_mod).
    On the other hand, the rmmod call flow takes the rtnl_lock first
    (when calling unregister_netdev) and then tries to take the sys/fs
    lock. Deadlock a->b, b->a.
    
    The problem starts when ipoib_set_mod frees its rtnl_lock and tries
    to get it after that.
    
        set_mod:
        [<ffffffff8104f2bd>] ? check_preempt_curr+0x6d/0x90
        [<ffffffff814fee8e>] __mutex_lock_slowpath+0x13e/0x180
        [<ffffffff81448655>] ? __rtnl_unlock+0x15/0x20
        [<ffffffff814fed2b>] mutex_lock+0x2b/0x50
        [<ffffffff81448675>] rtnl_lock+0x15/0x20
        [<ffffffffa02ad807>] ipoib_set_mode+0x97/0x160 [ib_ipoib]
        [<ffffffffa02b5f5b>] set_mode+0x3b/0x80 [ib_ipoib]
        [<ffffffff8134b840>] dev_attr_store+0x20/0x30
        [<ffffffff811f0fe5>] sysfs_write_file+0xe5/0x170
        [<ffffffff8117b068>] vfs_write+0xb8/0x1a0
        [<ffffffff8117ba81>] sys_write+0x51/0x90
        [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
    
        rmmod:
        [<ffffffff81279ffc>] ? put_dec+0x10c/0x110
        [<ffffffff8127a2ee>] ? number+0x2ee/0x320
        [<ffffffff814fe6a5>] schedule_timeout+0x215/0x2e0
        [<ffffffff8127cc04>] ? vsnprintf+0x484/0x5f0
        [<ffffffff8127b550>] ? string+0x40/0x100
        [<ffffffff814fe323>] wait_for_common+0x123/0x180
        [<ffffffff81060250>] ? default_wake_function+0x0/0x20
        [<ffffffff8119661e>] ? ifind_fast+0x5e/0xb0
        [<ffffffff814fe43d>] wait_for_completion+0x1d/0x20
        [<ffffffff811f2e68>] sysfs_addrm_finish+0x228/0x270
        [<ffffffff811f2fb3>] sysfs_remove_dir+0xa3/0xf0
        [<ffffffff81273f66>] kobject_del+0x16/0x40
        [<ffffffff8134cd14>] device_del+0x184/0x1e0
        [<ffffffff8144e59b>] netdev_unregister_kobject+0xab/0xc0
        [<ffffffff8143c05e>] rollback_registered+0xae/0x130
        [<ffffffff8143c102>] unregister_netdevice+0x22/0x70
        [<ffffffff8143c16e>] unregister_netdev+0x1e/0x30
        [<ffffffffa02a91b0>] ipoib_remove_one+0xe0/0x120 [ib_ipoib]
        [<ffffffffa01ed95f>] ib_unregister_device+0x4f/0x100 [ib_core]
        [<ffffffffa021f5e1>] mlx4_ib_remove+0x41/0x180 [mlx4_ib]
        [<ffffffffa01ab771>] mlx4_remove_device+0x71/0x90 [mlx4_core]
    
    Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
    Cc: Or Gerlitz <ogerlitz@mellanox.com>
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 6c7de48f2bc3a49306b5e0b2b5807b542b0d99e7
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:22 2016 +0200

    IB/ipoib: Fix deadlock over vlan_mutex
    
    commit 1c3098cdb05207e740715857df7b0998e372f527 upstream.
    
    This patch fixes Deadlock while executing ipoib_vlan_delete.
    
    The function takes the vlan_rwsem semaphore and calls
    unregister_netdevice. The latter function calls
    ipoib_mcast_stop_thread that causes workqueue flush.
    
    When the queue has one of the ipoib_ib_dev_flush_xxx events,
    a deadlock occurs because these events also try to catch the
    same vlan_rwsem semaphore.
    
    To fix, unregister_netdevice should be called after releasing
    the semaphore.
    
    Fixes: cbbe1efa4972 ("IPoIB: Fix deadlock between ipoib_open() and child interface create")
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Reviewed-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 76c62a0772827908a1420fef39a25e53af1f0c06
Author: Feras Daoud <ferasda@mellanox.com>
Date:   Wed Dec 28 14:47:21 2016 +0200

    IB/ipoib: Set device connection mode only when needed
    
    commit 80b5b35aba62232521b31440f0a3cf6caa033849 upstream.
    
    When changing the connection mode, the ipoib_set_mode function
    did not check if the previous connection mode equals the
    new one. This commit adds the required check and returns 0 if the new
    mode equals the previous one.
    
    Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
    Signed-off-by: Feras Daoud <ferasda@mellanox.com>
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Reviewed-by: Alex Vesker <valex@mellanox.com>
    Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 92bc9cddddf7a77be2b85bac809b33054188e4e7
Author: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Date:   Thu Dec 22 18:07:52 2016 -0700

    RDMA/core: Fix incorrect structure packing for booleans
    
    commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream.
    
    The RDMA core uses ib_pack() to convert from unpacked CPU structs
    to on-the-wire bitpacked structs.
    
    This process requires that 1 bit fields are declared as u8 in the
    unpacked struct, otherwise the packing process does not read the
    value properly and the packed result is wired to 0. Several
    places wrongly used int.
    
    Crucially this means the kernel has never set reversible
    correctly in the path record request. It has always asked for
    irreversible paths even if the ULP requests otherwise.
    
    When the kernel is used with a SM that supports this feature, it
    completely breaks communication management if reversible paths are
    not properly requested.
    
    The only reason this ever worked is because opensm ignores the
    reversible bit.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 47a6229f47c22283335e0e9e236fba7fd6b82ba7
Author: Nicholas Mc Guire <hofrat@osadl.org>
Date:   Thu Jan 12 13:09:41 2017 +0100

    ASoC: rt5640: use msleep() for long delays
    
    commit 4a312c9c825adf74c0026c98fed4ab59ce190863 upstream.
    
    usleep_range() uses hrtimers and provides no advantage over msleep()
    for larger delays. Fix up the 70/80ms delays here passing the "min"
    value to msleep(). This reduces the load on the hrtimer subsystem.
    
    Link: http://lkml.org/lkml/2017/1/11/377
    Fixes: commit 246693ba7b0b ("ASoC: rt5640: change widget sequence for depop")
    Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c124df9e1528f6579050e484b303f9b11a540baf
Author: Felix Fietkau <nbd@nbd.name>
Date:   Wed Jan 11 16:32:13 2017 +0200

    ath5k: drop bogus warning on drv_set_key with unsupported cipher
    
    commit a70e1d6fd6b5e1a81fa6171600942bee34f5128f upstream.
    
    Simply return -EOPNOTSUPP instead.
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a269db5ad45303570a3ae055b8c92d6c6877b952
Author: Javier Martinez Canillas <javier@osg.samsung.com>
Date:   Mon Jan 2 11:57:20 2017 -0300

    tty: serial: msm: Fix module autoload
    
    commit abe81f3b8ed2996e1712d26d38ff6b73f582c616 upstream.
    
    If the driver is built as a module, autoload won't work because the module
    alias information is not filled. So user-space can't match the registered
    device with the corresponding module.
    
    Export the module alias information using the MODULE_DEVICE_TABLE() macro.
    
    Before this patch:
    
    $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
    $
    
    After this patch:
    
    $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
    alias:          of:N*T*Cqcom,msm-uartdmC*
    alias:          of:N*T*Cqcom,msm-uartdm
    alias:          of:N*T*Cqcom,msm-uartC*
    alias:          of:N*T*Cqcom,msm-uart
    
    Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
    Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3e96c3fdcfccb321a9e1623f78cc71b44593e965
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Wed Jan 11 21:50:46 2017 -0500

    ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
    
    commit c755e251357a0cee0679081f08c3f4ba797a8009 upstream.
    
    The xattr_sem deadlock problems fixed in commit 2e81a4eeedca: "ext4:
    avoid deadlock when expanding inode size" didn't include the use of
    xattr_sem in fs/ext4/inline.c.  With the addition of project quota
    which added a new extra inode field, this exposed deadlocks in the
    inline_data code similar to the ones fixed by 2e81a4eeedca.
    
    The deadlock can be reproduced via:
    
       dmesg -n 7
       mke2fs -t ext4 -O inline_data -Fq -I 256 /dev/vdc 32768
       mount -t ext4 -o debug_want_extra_isize=24 /dev/vdc /vdc
       mkdir /vdc/a
       umount /vdc
       mount -t ext4 /dev/vdc /vdc
       echo foo > /vdc/a/foo
    
    and looks like this:
    
    [   11.158815]
    [   11.160276] =============================================
    [   11.161960] [ INFO: possible recursive locking detected ]
    [   11.161960] 4.10.0-rc3-00015-g011b30a8a3cf #160 Tainted: G        W
    [   11.161960] ---------------------------------------------
    [   11.161960] bash/2519 is trying to acquire lock:
    [   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1225a4b>] ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]
    [   11.161960] but task is already holding lock:
    [   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
    [   11.161960]
    [   11.161960] other info that might help us debug this:
    [   11.161960]  Possible unsafe locking scenario:
    [   11.161960]
    [   11.161960]        CPU0
    [   11.161960]        ----
    [   11.161960]   lock(&ei->xattr_sem);
    [   11.161960]   lock(&ei->xattr_sem);
    [   11.161960]
    [   11.161960]  *** DEADLOCK ***
    [   11.161960]
    [   11.161960]  May be due to missing lock nesting notation
    [   11.161960]
    [   11.161960] 4 locks held by bash/2519:
    [   11.161960]  #0:  (sb_writers#3){.+.+.+}, at: [<c11a2414>] mnt_want_write+0x1e/0x3e
    [   11.161960]  #1:  (&type->i_mutex_dir_key){++++++}, at: [<c119508b>] path_openat+0x338/0x67a
    [   11.161960]  #2:  (jbd2_handle){++++..}, at: [<c123314a>] start_this_handle+0x582/0x622
    [   11.161960]  #3:  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
    [   11.161960]
    [   11.161960] stack backtrace:
    [   11.161960] CPU: 0 PID: 2519 Comm: bash Tainted: G        W       4.10.0-rc3-00015-g011b30a8a3cf #160
    [   11.161960] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
    [   11.161960] Call Trace:
    [   11.161960]  dump_stack+0x72/0xa3
    [   11.161960]  __lock_acquire+0xb7c/0xcb9
    [   11.161960]  ? kvm_clock_read+0x1f/0x29
    [   11.161960]  ? __lock_is_held+0x36/0x66
    [   11.161960]  ? __lock_is_held+0x36/0x66
    [   11.161960]  lock_acquire+0x106/0x18a
    [   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  down_write+0x39/0x72
    [   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  ext4_expand_extra_isize_ea+0x3d/0x4cd
    [   11.161960]  ? _raw_read_unlock+0x22/0x2c
    [   11.161960]  ? jbd2_journal_extend+0x1e2/0x262
    [   11.161960]  ? __ext4_journal_get_write_access+0x3d/0x60
    [   11.161960]  ext4_mark_inode_dirty+0x17d/0x26d
    [   11.161960]  ? ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
    [   11.161960]  ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
    [   11.161960]  ext4_try_add_inline_entry+0x69/0x152
    [   11.161960]  ext4_add_entry+0xa3/0x848
    [   11.161960]  ? __brelse+0x14/0x2f
    [   11.161960]  ? _raw_spin_unlock_irqrestore+0x44/0x4f
    [   11.161960]  ext4_add_nondir+0x17/0x5b
    [   11.161960]  ext4_create+0xcf/0x133
    [   11.161960]  ? ext4_mknod+0x12f/0x12f
    [   11.161960]  lookup_open+0x39e/0x3fb
    [   11.161960]  ? __wake_up+0x1a/0x40
    [   11.161960]  ? lock_acquire+0x11e/0x18a
    [   11.161960]  path_openat+0x35c/0x67a
    [   11.161960]  ? sched_clock_cpu+0xd7/0xf2
    [   11.161960]  do_filp_open+0x36/0x7c
    [   11.161960]  ? _raw_spin_unlock+0x22/0x2c
    [   11.161960]  ? __alloc_fd+0x169/0x173
    [   11.161960]  do_sys_open+0x59/0xcc
    [   11.161960]  SyS_open+0x1d/0x1f
    [   11.161960]  do_int80_syscall_32+0x4f/0x61
    [   11.161960]  entry_INT80_32+0x2f/0x2f
    [   11.161960] EIP: 0xb76ad469
    [   11.161960] EFLAGS: 00000286 CPU: 0
    [   11.161960] EAX: ffffffda EBX: 08168ac8 ECX: 00008241 EDX: 000001b6
    [   11.161960] ESI: b75e46bc EDI: b7755000 EBP: bfbdb108 ESP: bfbdafc0
    [   11.161960]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
    
    Reported-by: George Spelvin <linux@sciencehorizons.net>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
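
Added illustration, not code from the kernel or from these commits: a small lock-order validator in C that flags both patterns reported in this log, the "a->b, b->a" inversion from the IPoIB rmmod/set_mode message and the recursive xattr_sem acquisition in the lockdep report above. The validator, its lock classes and the scenario functions are hypothetical models; the same-order control is not the fix either commit applied.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_LOCKS 8
#define MAX_HELD  8

enum verdict { LOCK_OK, LOCK_RECURSIVE, LOCK_INVERSION };

/* Lock classes named after the locks in the two commit messages. */
enum { SYSFS_LOCK, RTNL_LOCK, XATTR_SEM };

/* order[a][b] is set once some task has taken b while holding a. */
struct validator { bool order[MAX_LOCKS][MAX_LOCKS]; };

/* Locks currently held by one task, in acquisition order. */
struct task { int held[MAX_HELD]; int depth; };

/* Depth-first search: is there a recorded chain from -> ... -> to? */
static bool reaches(const struct validator *v, int from, int to, bool *seen)
{
    if (from == to)
        return true;
    seen[from] = true;
    for (int next = 0; next < MAX_LOCKS; next++)
        if (v->order[from][next] && !seen[next] && reaches(v, next, to, seen))
            return true;
    return false;
}

static enum verdict acquire(struct validator *v, struct task *t, int lock)
{
    /* Taking a lock the task already holds can never succeed. */
    for (int i = 0; i < t->depth; i++)
        if (t->held[i] == lock)
            return LOCK_RECURSIVE;

    /* If lock already precedes a held lock somewhere, held -> lock closes a cycle. */
    for (int i = 0; i < t->depth; i++) {
        bool seen[MAX_LOCKS] = { false };
        if (reaches(v, lock, t->held[i], seen))
            return LOCK_INVERSION;
    }

    for (int i = 0; i < t->depth; i++)
        v->order[t->held[i]][lock] = true;
    if (t->depth < MAX_HELD)            /* model limit: deeper nesting is not tracked */
        t->held[t->depth++] = lock;
    return LOCK_OK;
}

static void release(struct task *t, int lock)
{
    for (int i = 0; i < t->depth; i++) {
        if (t->held[i] != lock)
            continue;
        for (int j = i; j + 1 < t->depth; j++)
            t->held[j] = t->held[j + 1];
        t->depth--;
        return;
    }
}

/* set_mode takes sysfs then rtnl; rmmod takes rtnl then sysfs. */
static enum verdict ipoib_rmmod_vs_set_mode(void)
{
    struct validator v = { { { false } } };
    struct task set_mode = { { 0 }, 0 }, rmmod = { { 0 }, 0 };

    acquire(&v, &set_mode, SYSFS_LOCK);
    acquire(&v, &set_mode, RTNL_LOCK);
    release(&set_mode, RTNL_LOCK);
    release(&set_mode, SYSFS_LOCK);

    acquire(&v, &rmmod, RTNL_LOCK);
    return acquire(&v, &rmmod, SYSFS_LOCK);
}

/* Control case: both tasks use the same order, so no cycle is recorded. */
static enum verdict same_order_control(void)
{
    struct validator v = { { { false } } };
    struct task first = { { 0 }, 0 }, second = { { 0 }, 0 };

    acquire(&v, &first, SYSFS_LOCK);
    acquire(&v, &first, RTNL_LOCK);
    acquire(&v, &second, SYSFS_LOCK);
    return acquire(&v, &second, RTNL_LOCK);
}

/* One task takes xattr_sem in the inline-data path, then again when expanding. */
static enum verdict ext4_inline_data_recursion(void)
{
    struct validator v = { { { false } } };
    struct task bash = { { 0 }, 0 };

    acquire(&v, &bash, XATTR_SEM);          /* ext4_try_add_inline_entry */
    return acquire(&v, &bash, XATTR_SEM);   /* ext4_expand_extra_isize_ea */
}

int main(void)
{
    printf("ipoib=%d control=%d ext4=%d\n", ipoib_rmmod_vs_set_mode(),
           same_order_control(), ext4_inline_data_recursion());
    return 0;
}
```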

commit b329791bdb180d5618ca8635bc481dc476a69589
Author: Jan Kara <jack@suse.cz>
Date:   Thu Aug 11 12:38:55 2016 -0400

    ext4: avoid deadlock when expanding inode size
    
    commit 2e81a4eeedcaa66e35f58b81e0755b87057ce392 upstream.
    
    When we need to move xattrs into external xattr block, we call
    ext4_xattr_block_set() from ext4_expand_extra_isize_ea(). That may end
    up calling ext4_mark_inode_dirty() again which will recurse back into
    the inode expansion code leading to deadlocks.
    
    Protect from recursion using EXT4_STATE_NO_EXPAND inode flag and move
    its management into ext4_expand_extra_isize_ea() since its manipulation
    is safe there (due to xattr_sem) from possible races with
    ext4_xattr_set_handle() which plays with it as well.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5cf6cf8d961dd03b564c63d8aa2a56f5908ae038
Author: Soramichi Akiyama <akiyama@m.soramichi.jp>
Date:   Tue Jan 10 10:41:00 2017 -0300

    perf evlist: Fix typo in perf_evlist__start_workload()
    
    commit e978be9ea2990f1af60fe10eadd2312a6250e0b8 upstream.
    
    This patch fixes a typo: s/enable to/unable to/
    
    Signed-off-by: Soramichi AKIYAMA <akiyama@m.soramichi.jp>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Fixes: bcf3145fbeb1 ("perf evlist: Enhance perf_evlist__start_workload()")
    Link: http://lkml.kernel.org/r/20170110200006.e1f7a766b4faf1f107ae2e1b@m.soramichi.jp
    [ Wasn't applying, fixed it up by hand, added Fixes: tag ]
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5aa052b223ec1c6a9669f542bfcad6f07c377210
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:26 2016 -0800

    hv: init percpu_list in hv_synic_alloc()
    
    commit 3c7630d35009e6635e5b58d62de554fd5b6db5df upstream.
    
    Initializing hv_context.percpu_list in hv_synic_alloc() helps to prevent a
    crash in percpu_channel_enq() when not all CPUs were online during
    initialization and it naturally belongs there.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c5398ac16c168d9a6495cf492be8bcd1a48a8da2
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:25 2016 -0800

    hv: allocate synic pages for all present CPUs
    
    commit 421b8f20d3c381b215f988b42428f56fc3b82405 upstream.
    
    It may happen that not all CPUs are online when we do hv_synic_alloc() and
    in case more CPUs come online later we may try accessing these allocated
    structures.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d1f5156e1d83f6f2f3cc04aed506ca1f2b603b5d
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Wed Dec 7 01:16:24 2016 -0800

    Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    
    commit c0bb03924f1a80e7f65900e36c8e6b3dc167c5f8 upstream.
    
    DoS protection conditions were altered in WS2016 and now it's easy to get
    -EAGAIN returned from vmbus_post_msg() (e.g. when we try changing MTU on a
    netvsc device in a loop). All vmbus_post_msg() callers don't retry the
    operation and we usually end up with a non-functional device or crash.
    
    While host's DoS protection conditions are unknown to me my tests show that
    it can take up to 10 seconds before the message is sent so doing udelay()
    is not an option, we really need to sleep. Almost all vmbus_post_msg()
    callers are ready to sleep but there is one special case:
    vmbus_initiate_unload() which can be called from interrupt/NMI context and
    we can't sleep there. I'm also not sure about the lonely
    vmbus_send_tl_connect_request() which has no in-tree users but its external
    users are most likely waiting for the host to reply so sleeping there is
    also appropriate.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [bwh: Backported to 3.16:
     - Drop changes in vmbus_send_tl_connect_request(),
       vmbus_initiate_unload()
     - Adjust context, indentation]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f6b751ff2a6abc6f9a85ad59c3d977ed131fe2e1
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Fri Jul 1 16:26:36 2016 -0700

    Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()
    
    commit 8de0d7e951826d7592e0ba1da655b175c4aa0923 upstream.
    
    The current delay between retries is unnecessarily high and is negatively
    affecting the time it takes to boot the system.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit e040b7b294bada9acbeeda8f490764c16cc5066f
Author: Haiyang Zhang <haiyangz@microsoft.com>
Date:   Fri Mar 27 09:10:14 2015 -0700

    hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg()
    
    commit e1c0d82dab4a4605d3bd1968436f030dfed4a829 upstream.
    
    Most of the retries can be done within a millisecond successfully, so we
    sleep 1ms before the first retry, then gradually increase the retry
    interval to 2^n with max value of 2048ms. Doing so, we will have shorter
    overall delay time, because most of the cases succeed within 1-2 attempts.
    
    Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Reviewed-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit fc927717694feb1a4c6feabadbd749d28c87c33e
Author: Dexuan Cui <decui@microsoft.com>
Date:   Fri Feb 27 11:25:59 2015 -0800

    hv: vmbus_post_msg: retry the hypercall on some transient errors
    
    commit 89f9f6796d41e10e224b0cb0027ddd78cb881f65 upstream.
    
    I got HV_STATUS_INVALID_CONNECTION_ID on Hyper-V 2008 R2 when keeping running
    "rmmod hv_netvsc; modprobe hv_netvsc; rmmod hv_utils; modprobe hv_utils"
    in a Linux guest. Looks the host has some kind of throttling mechanism if
    some kinds of hypercalls are sent too frequently.
    Without the patch, the driver can occasionally fail to load.
    
    Also let's retry HV_STATUS_INSUFFICIENT_MEMORY, though we didn't get it
    before.
    
    Removed 'case -ENOMEM', since the hypervisor doesn't return this.
    
    CC: "K. Y. Srinivasan" <kys@microsoft.com>
    Reviewed-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
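
Added illustration, not the driver's code: a C model of the retry policy described across the vmbus_post_msg() commits above, retrying only the transient statuses named in the last message and doubling the wait from 1ms up to the 2048ms cap. The mock host, the status and return codes, and the retry budget are assumptions made for the example; sleeping is replaced by adding to a counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status codes for the model; not the hypervisor's real values. */
enum model_status {
    ST_SUCCESS,
    ST_INVALID_CONNECTION_ID,   /* transient: host is throttling */
    ST_INSUFFICIENT_MEMORY,     /* transient */
    ST_OTHER_ERROR              /* anything else: do not retry */
};

enum model_rc { RC_OK = 0, RC_FAILED = -1, RC_RETRIES_EXHAUSTED = -2 };

#define FIRST_DELAY_MS 1u
#define MAX_DELAY_MS   2048u

/* Mock host: rejects the first throttled_calls posts with throttle_status. */
struct mock_host {
    int throttled_calls;
    enum model_status throttle_status;
    int calls;
    unsigned slept_ms;          /* time the caller would have slept */
};

static enum model_status host_post(struct mock_host *h)
{
    h->calls++;
    return h->calls <= h->throttled_calls ? h->throttle_status : ST_SUCCESS;
}

static bool is_transient(enum model_status st)
{
    return st == ST_INVALID_CONNECTION_ID || st == ST_INSUFFICIENT_MEMORY;
}

/* max_retries is a hypothetical budget; the commit messages do not state one. */
static enum model_rc post_msg_with_backoff(struct mock_host *h, int max_retries)
{
    unsigned delay = FIRST_DELAY_MS;

    for (int retries = 0; ; retries++) {
        enum model_status st = host_post(h);

        if (st == ST_SUCCESS)
            return RC_OK;
        if (!is_transient(st))
            return RC_FAILED;               /* permanent error: fail at once */
        if (retries == max_retries)
            return RC_RETRIES_EXHAUSTED;    /* caller must handle this, not ignore it */

        h->slept_ms += delay;               /* stands in for sleeping delay ms */
        if (delay < MAX_DELAY_MS)
            delay *= 2;                     /* 1, 2, 4, ... capped at 2048 */
    }
}

struct result { enum model_rc rc; int calls; unsigned slept_ms; };

static struct result run(int throttled_calls, enum model_status st, int max_retries)
{
    struct mock_host h = { throttled_calls, st, 0, 0 };
    struct result r;

    r.rc = post_msg_with_backoff(&h, max_retries);
    r.calls = h.calls;
    r.slept_ms = h.slept_ms;
    return r;
}

int main(void)
{
    struct result quick = run(3, ST_INVALID_CONNECTION_ID, 20);
    struct result slow = run(13, ST_INSUFFICIENT_MEMORY, 20);
    struct result stuck = run(1000, ST_INVALID_CONNECTION_ID, 5);

    printf("3 rejections:  rc=%d calls=%d slept=%ums\n", quick.rc, quick.calls, quick.slept_ms);
    printf("13 rejections: rc=%d calls=%d slept=%ums\n", slow.rc, slow.calls, slow.slept_ms);
    printf("budget of 5:   rc=%d calls=%d slept=%ums\n", stuck.rc, stuck.calls, stuck.slept_ms);
    return 0;
}
```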

commit 84672b2c82bdaeb1979bd36bf9e6155ee931daf3
Author: Nicholas Mc Guire <hofrat@osadl.org>
Date:   Mon Dec 12 08:40:09 2016 +0100

    clk: wm831x: fix usleep_range with bad range
    
    commit ed784c532a3d0959db488f40a96c5127f63d42dc upstream.
    
    The delay here is not in atomic context and does not seem critical with
    respect to precision, but usleep_range(min,max) with min==max results in
    giving the timer subsystem no room to optimize uncritical delays. Fix
    this by setting the range to 2000,3000 us.
    
    Fixes: commit f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver")
    Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
    Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit d7c195dcb274cc643b4b81b10ee57f582fc0265b
Author: Mathias Svensson <idolf@google.com>
Date:   Fri Jan 6 13:32:39 2017 -0800

    samples/seccomp: fix 64-bit comparison macros
    
    commit 916cafdc95843fb9af5fd5f83ca499d75473d107 upstream.
    
    There were some bugs in the JNE64 and JLT64 comparison macros. This fixes
    them, improves comments, and cleans up the file while we are at it.
    
    Reported-by: Stephen Röttger <sroettger@google.com>
    Signed-off-by: Mathias Svensson <idolf@google.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 48360510977057ec2eaf3de78f485759aedfc381
Author: Eli Cohen <eli@mellanox.com>
Date:   Tue Jan 3 23:55:22 2017 +0200

    IB/mlx5: Fix retrieval of index to first hi class bfreg
    
    commit 0b80c14f009758cefeed0edff4f9141957964211 upstream.
    
    First the function retrieving the index of the first hi latency class
    blue flame register. High latency class bfregs are located right above
    medium latency class bfregs.
    
    Fixes: c1be5232d21d ('IB/mlx5: Fix micro UAR allocator')
    Signed-off-by: Eli Cohen <eli@mellanox.com>
    Reviewed-by: Matan Barak <matanb@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    [bwh: Backported to 3.16:
     - s/bfreg/uuar/g
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 971dc924c72dc18a633a544388a4a7f350b7031a
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:03 2016 -0800

    scsi: storvsc: properly set residual data length on errors
    
    commit 40630f462824ee24bc00d692865c86c3828094e0 upstream.
    
    On I/O errors, the Windows driver doesn't set data_transfer_length
    on error conditions other than SRB_STATUS_DATA_OVERRUN.
    In these cases we need to set data_transfer_length to 0,
    indicating there is no data transferred. On SRB_STATUS_DATA_OVERRUN,
    data_transfer_length is set by the Windows driver to the actual data transferred.
    
    Reported-by: Shiva Krishna <Shiva.Krishna@nimblestorage.com>
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 5a010bed1550422f34054fc963adadc50c97d84d
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:02 2016 -0800

    scsi: storvsc: properly handle SRB_ERROR when sense message is present
    
    commit bba5dc332ec2d3a685cb4dae668c793f6a3713a3 upstream.
    
    When sense message is present on error, we should pass along to the upper
    layer to decide how to deal with the error.
    This patch fixes connectivity issues with Fiber Channel devices.
    
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 019b8b6851e84db9ed56efa02d8117b941dd01e8
Author: K. Y. Srinivasan <kys@microsoft.com>
Date:   Tue Oct 6 18:04:01 2015 -0700

    scsi: storvsc: Fix a bug in the handling of SRB status flags
    
    commit 3209f9d780d137cdb54c85e0a776cb19e723a170 upstream.
    
    SRB status can have additional information. Mask these out before processing
    SRB status.
    
    This patch was sent as part of a collection of patches more than a year ago.
    While the rest of the patches in the set were committed, this patch was not.
    I would like to thank Olaf for noticing that this patch was not committed
    upstream.
    
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Reviewed-by: Long Li <longli@microsoft.com>
    Signed-off-by: James Bottomley <JBottomley@Odin.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b8a03a52eb380b71dbe130e3c8493fceb1f14ea7
Author: Long Li <longli@microsoft.com>
Date:   Wed Dec 14 18:46:01 2016 -0800

    scsi: storvsc: use tagged SRB requests if supported by the device
    
    commit 3cd6d3d9b1abab8dcdf0800224ce26daac24eea2 upstream.
    
    Properly set SRB flags when hosting device supports tagged queuing.
    This patch improves the performance on Fiber Channel disks.
    
    Signed-off-by: Long Li <longli@microsoft.com>
    Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c0770c4cd769ffef28f26ade2c8894cfdcdae930
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Fri Sep 2 15:18:21 2016 +0100

    MIPS: Netlogic: Fix assembler warning from smpboot.S
    
    commit a8b3b0c94ac282628f0668d1366239a3fa72dc9d upstream.
    
    The netlogic platform can be built for either MIPS32 or MIPS64, and when
    built for MIPS32 (as by nlm_xlr_defconfig) the use of the dla
    pseudo-instruction leads to warnings such as the following from recent
    versions of the GNU assembler:
    
      arch/mips/netlogic/common/smpboot.S: Assembler messages:
      arch/mips/netlogic/common/smpboot.S:62: Warning: dla used to load 32-bit register; recommend using la instead
      arch/mips/netlogic/common/smpboot.S:63: Warning: dla used to load 32-bit register; recommend using la instead
    
    Avoid these warnings by using the PTR_LA macro to make use of the
    appropriate la or dla pseudo-instruction for the build.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 66d29985fab8 ("MIPS: Netlogic: Merge some of XLR/XLP wakup code")
    Cc: James Hogan <james.hogan@imgtec.com>
    Cc: Jayachandran C <jchandra@broadcom.com>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/14185/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit c6b5d15aace719ef983782eecabecbb5325aa059
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:07 2016 +0000

    MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
    
    commit 096a0de427ea333f56f0ee00328cff2a2731bcf1 upstream.
    
    is_jump_ins() checks for plain jump ("j") instructions since commit
    e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info") but
    that commit didn't make the same change to the microMIPS code, leaving
    it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
    encoding of the jump instruction too such that it behaves consistently.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info")
    Cc: Tony Wu <tung7970@gmail.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14533/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 9a84bb41df5aaec5173340d07ebaf64067c24ac4
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:06 2016 +0000

    MIPS: Calculate microMIPS ra properly when unwinding the stack
    
    commit bb9bc4689b9c635714fbcd5d335bad9934a7ebfc upstream.
    
    get_frame_info() calculates the offset of the return address within a
    stack frame simply by dividing the bottom 16 bits of the instruction,
    treated as a signed integer, by the size of a long. Whilst this works
    for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
    incorrect for microMIPS where encodings differ. The result is that we
    typically completely fail to unwind the stack on microMIPS.
    
    Fix this by adjusting is_ra_save_ins() to calculate the return address
    offset, and take into account the various different encodings there in
    the same place as we consider whether an instruction is storing the
    ra/$31 register.
    
    With this we are now able to unwind the stack for kernels targetting the
    microMIPS ISA, for example we can produce:
    
        Call Trace:
        [<80109e1f>] show_stack+0x63/0x7c
        [<8011ea17>] __warn+0x9b/0xac
        [<8011ea45>] warn_slowpath_fmt+0x1d/0x20
        [<8013fe53>] register_console+0x43/0x314
        [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
        [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
        [<8066c115>] do_early_param+0x75/0xac
        [<801302f9>] parse_args+0x1dd/0x308
        [<8066c459>] parse_early_options+0x25/0x28
        [<8066c48b>] parse_early_param+0x2f/0x38
        [<8066e8cf>] setup_arch+0x113/0x488
        [<8066c4f3>] start_kernel+0x57/0x328
        ---[ end trace 0000000000000000 ]---
    
    Whereas previously we only produced:
    
        Call Trace:
        [<80109e1f>] show_stack+0x63/0x7c
        ---[ end trace 0000000000000000 ]---
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14532/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 03a01131724f233e51af8f552c9797b1a004f0ba
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:05 2016 +0000

    MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
    
    commit 67c75057709a6d85c681c78b9b2f9b71191f01a2 upstream.
    
    is_jump_ins() checks 16b instruction fields without verifying that the
    instruction is indeed 16b, as is done by is_ra_save_ins() &
    is_sp_move_ins(). Add the appropriate check.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14531/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit b219b4aa90492acbffd84670ff69a2161542569e
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:04 2016 +0000

    MIPS: Fix get_frame_info() handling of microMIPS function size
    
    commit b6c7a324df37bf05ef7a2c1580683cf10d082d97 upstream.
    
    get_frame_info() is meant to iterate over up to the first 128
    instructions within a function, but for microMIPS kernels it will not
    reach that many instructions unless the function is 512 bytes long since
    we calculate the maximum number of instructions to check by dividing the
    function length by the 4 byte size of a union mips_instruction. In
    microMIPS kernels this won't do since instructions are variable length.
    
    Fix this by instead checking whether the pointer to the current
    instruction has reached the end of the function, and use max_insns as a
    simple constant to check the number of iterations against.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14530/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit a56f4a6795ede32daaeb629ad039574665207a74
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:03 2016 +0000

    MIPS: Prevent unaligned accesses during stack unwinding
    
    commit a3552dace7d1d0cabf573e88fc3025cb90c4a601 upstream.
    
    During stack unwinding we call a number of functions to determine what
    type of instruction we're looking at. The union mips_instruction pointer
    provided to them may be pointing at a 2 byte, but not 4 byte, aligned
    address & we thus cannot directly access the 4 byte wide members of the
    union mips_instruction. To avoid this is_ra_save_ins() copies the
    required half-words of the microMIPS instruction to a correctly aligned
    union mips_instruction on the stack, which it can then access safely.
    The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
    this temporary copy, and instead attempt to directly dereference 4 byte
    fields which may be misaligned and lead to an address exception.
    
    Fix this by copying the instruction halfwords to a temporary union
    mips_instruction in get_frame_info() such that we can provide a 4 byte
    aligned union mips_instruction to the is_*_ins() functions and they do
    not need to deal with misalignment themselves.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14529/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    [bwh: Backported to 3.16: old code had extra parentheses]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
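
A user-space model of the two unwinder problems described in the two commits above (the size / 4 iteration bound and instruction fetches from 2-byte-aligned addresses), added here as an example; it is not kernel code. The length rule, the names fetch_insn() and find_insn(), and the sample stream are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_INSNS 128 /* cap on instructions examined, per the commit message */

/* Constructed stream: six instructions in 14 bytes (the third is 32-bit). */
static const uint16_t sample[] = { 0x0001, 0x0002, 0x8003, 0x0004,
                                   0x0005, 0x0006, 0x0007 };

/* Toy length rule (an assumption, not the real microMIPS encoding): top bit
 * of the first halfword set means a 32-bit instruction. The value is built
 * in an aligned temporary from 2-byte loads only, because a 4-byte load at
 * ip could be misaligned. Returns the length in halfwords, 0 if truncated. */
static size_t fetch_insn(const uint16_t *ip, const uint16_t *end, uint32_t *out)
{
    size_t len = (ip[0] & 0x8000) ? 2 : 1;

    if ((size_t)(end - ip) < len)
        return 0;
    *out = ((uint32_t)ip[0] << 16) | (len == 2 ? ip[1] : 0);
    return len;
}

/* Index of the first instruction equal to want, or -1. old_bound models the
 * pre-fix limit of size / 4 iterations; otherwise stop at the end pointer. */
static int find_insn(const uint16_t *code, size_t size, uint32_t want, int old_bound)
{
    const uint16_t *ip = code, *end = code + size / sizeof(*code);
    size_t max = MAX_INSNS, len;
    uint32_t insn;
    int n;

    if (old_bound && size / sizeof(uint32_t) < max)
        max = size / sizeof(uint32_t); /* treats every instruction as 4 bytes */
    for (n = 0; (size_t)n < max && ip < end; n++, ip += len) {
        len = fetch_insn(ip, end, &insn);
        if (len == 0)
            break; /* truncated instruction at the end of the function */
        if (insn == want)
            return n;
    }
    return -1;
}

/* The fifth instruction is reached only with the end-pointer bound. */
int main(void) { return find_insn(sample, sizeof(sample), 0x00060000u, 0) == 4 ? 0 : 1; }
```

With the old bound the 14-byte sample is scanned for only three instructions, so anything later in the function is never examined.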

commit bf3ccacbe375e652c8b8d3f4ffb8bac04a239742
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Mon Nov 7 15:07:02 2016 +0000

    MIPS: Clear ISA bit correctly in get_frame_info()
    
    commit ccaf7caf2c73c6db920772bf08bf1d47b2170634 upstream.
    
    get_frame_info() can be called in microMIPS kernels with the ISA bit
    already clear. For example this happens when unwind_stack_by_address()
    is called because we begin with a PC that has the ISA bit set & subtract
    the (odd) offset from the preceding symbol (which does not have the ISA
    bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
    in microMIPS kernels it incorrectly misaligns the address it then
    attempts to access code at, leading to an address error exception.
    
    Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
    get_frame_info() to function regardless of whether it is provided with a
    PC that has the ISA bit set or not.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
    Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14528/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit ceb135b401d357541a83a6aab193ce8ee9c28759
Author: Ping-Ke Shih <pkshih@realtek.com>
Date:   Wed Dec 28 15:40:04 2016 -0600

    rtlwifi: Fix alignment issues
    
    commit 40b368af4b750863b2cb66a3a9513241db2f0793 upstream.
    
    The addresses of Wlan NIC registers are naturally aligned, but some
    drivers have bugs. These are evident on platforms that need natural
    alignment to access registers.  This change contains the following:
     1. Function _rtl8821ae_dbi_read() is used to read one byte from DBI,
        thus it should use rtl_read_byte().
     2. Register 0x4C7 of 8192ee is single byte.
    
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    [bwh: Backported to 3.16: adjust filenames]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 7636a8e8d98d8629a3a42d53731a93d2e79afb82
Author: Marcin Niestroj <m.niestroj@grinn-global.com>
Date:   Mon Dec 12 17:58:42 2016 +0100

    iio: st_pressure: Fix data sign
    
    commit 1b211d48abaa0e12e6e6177c0316ff55d11fdfce upstream.
    
    Datasheet of each device (lps331ap, lps25h, lps001wp, lps22hb) says that
    the pressure and temperature data is a 2's complement.
    
    I'm sending this the slow way, as negative pressures on these are pretty
    unusual and the nature of the fixing of multiple device introduction patches
    will make it hard to apply to older kernels - Jonathan.
    
    Fixes: 217494e5b780 ("iio:pressure: Add STMicroelectronics pressures driver")
    Fixes: 2f5effcbd097 ("iio: pressure-core: st: Expand and rename LPS331AP's channel descriptor")
    Fixes: 7885a8ce6800 ("iio: pressure: st: Add support for new LPS001WP pressure sensor")
    Fixes: e039e2f5b4da ("iio:st_pressure:initial lps22hb sensor support")
    Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    [bwh: Backported to 3.16: drop change in st_press_lps22hb_channels]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit f78f389966841af6cfe79c9c863bb1c0a82b2622
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Dec 7 14:21:22 2016 +0300

    adm80211: return an error if adm8211_alloc_rings() fails
    
    commit c705a6b3aa7804d7bc6660183f51e510c61dc807 upstream.
    
    We accidentally return success when adm8211_alloc_rings() fails but we
    should preserve the error code.
    
    Fixes: cc0b88cf5ecf ("[PATCH] Add adm8211 802.11b wireless driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    [bwh: Backported to 3.16: adjust filename]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 3eef21d54c2a7f942c31279115f21a536cee2e39
Author: Nicholas Mc Guire <hofrat@osadl.org>
Date:   Fri Dec 16 02:59:38 2016 +0100

    drm/i915: relax uncritical udelay_range()
    
    commit 15a43cbf4736a3932e6259fa7d6e47558f6222b0 upstream.
    
    udelay_range(1, 2) is inefficient and, as per discussions with Jani Nikula
    <jani.nikula@linux.intel.com>, unnecessary here. This replaces this
    tight setting with a relaxed delay of min=20 and max=50 which helps
    the hrtimer subsystem optimize timer handling.
    
    Fixes: commit be4fc046bed3 ("drm/i915: add VLV DSI PLL Calculations")
    Link: http://lkml.org/lkml/2016/12/15/147
    Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/1481853578-19834-1-git-send-email-hofrat@osadl.org
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

commit 03ad287a1bcbddacfabbe8bec40f251111c16692
Author: Michal Hocko <mhocko@suse.com>
Date:   Tue Mar 28 15:17:26 2017 +0200

    mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport
    
    This is a stable follow up fix for an incorrect backport. The issue is
    not present in the upstream kernel.
    
    Miroslav has noticed the following splat when testing my 3.2 forward
    port of 8310d48b125d ("mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for
    thp") to 3.12:
    
    BUG: Bad page state in process a.out  pfn:26400
    page:ffffea000085e000 count:0 mapcount:1 mapping:          (null) index:0x7f049d600
    page flags: 0x1fffff80108018(uptodate|dirty|head|swapbacked)
    page dumped because: nonzero mapcount
    [iii]
    CPU: 2 PID: 5926 Comm: a.out Tainted: G            E    3.12.61-0-default #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
     0000000000000000 ffffffff81515830 ffffea000085e000 ffffffff81800ad7
     ffffffff815118a5 ffffea000085e000 0000000000000000 000fffff80000000
     ffffffff81140f18 fff000007c000000 ffffea000085e000 0000000000000009
    Call Trace:
     [<ffffffff8100475d>] dump_trace+0x7d/0x2d0
     [<ffffffff81004a44>] show_stack_log_lvl+0x94/0x170
     [<ffffffff81005ce1>] show_stack+0x21/0x50
     [<ffffffff81515830>] dump_stack+0x5d/0x78
     [<ffffffff815118a5>] bad_page.part.67+0xe8/0x102
     [<ffffffff81140f18>] free_pages_prepare+0x198/0x1b0
     [<ffffffff81141275>] __free_pages_ok+0x15/0xd0
     [<ffffffff8116444c>] __access_remote_vm+0x7c/0x1e0
     [<ffffffff81205afb>] mem_rw.isra.13+0x14b/0x1a0
     [<ffffffff811a3b18>] vfs_write+0xb8/0x1e0
     [<ffffffff811a469b>] SyS_pwrite64+0x6b/0xa0
     [<ffffffff81523b49>] system_call_fastpath+0x16/0x1b
     [<00007f049da18573>] 0x7f049da18572
    
    The problem is that the original 3.2 backport didn't return NULL page on
    the FOLL_COW page and so the page got reused.
    
    Reported-and-tested-by: Miroslav Beneš <mbenes@suse.com>
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>