commit 3cab355c2ff3a781b6ebe9d1a25bd4ebc1207430
Author: Sasha Levin <alexander.levin@verizon.com>
Date:   Sun Oct 9 10:23:45 2016 -0400

    Linux 3.18.43
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 02ce1fd73386e7420cd9b2dc87abd02a7889eaac
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Sat Sep 17 12:57:24 2016 -0700

    openrisc: fix the fix of copy_from_user()
    
    [ Upstream commit 8e4b72054f554967827e18be1de0e8122e6efc04 ]
    
    Since commit acb2505d0119 ("openrisc: fix copy_from_user()"),
    copy_from_user() returns the number of bytes requested, not the
    number of bytes not copied.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Fixes: acb2505d0119 ("openrisc: fix copy_from_user()")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit fb808fa00a2c784ee1b6b5d38bf557b8a7439f58
Author: Gregory CLEMENT <gregory.clement@free-electrons.com>
Date:   Tue Nov 25 16:19:12 2014 +0100

    ARM: orion: convert the irq_reg_{readl,writel} calls to the new API
    
    [ Upstream commit 2f90bce7ff1f760986d55d9cb3a834e8638b1295 ]
    
    The commit "genirq: Generic chip: Change irq_reg_{readl,writel}
    arguments" modified the API. At the same time the
    arch/arm/plat-orion/gpio.c file received a fix with the use of the old
    API: "ARM: orion: Fix for certain sequence of request_irq can cause
    irq storm". This commit fixes the use of the API.
    
    Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
    Acked-by: Olof Johansson <olof@lixom.net>
    Link: https://lkml.kernel.org/r/1416928752-24529-1-git-send-email-gregory.clement@free-electrons.com
    Signed-off-by: Jason Cooper <jason@lakedaemon.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit db9b2a3891d52770da56a5c6dca85ab007df2473
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Sat Sep 17 07:52:49 2016 -0700

    avr32: fix 'undefined reference to `___copy_from_user'
    
    [ Upstream commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 ]
    
    avr32 builds fail with:
    
    arch/avr32/kernel/built-in.o: In function `arch_ptrace':
    (.text+0x650): undefined reference to `___copy_from_user'
    arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
    reference to `___copy_from_user'
    kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
    (.text+0x5dd8): undefined reference to `___copy_from_user'
    kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
    sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
    kernel/built-in.o: In function `ptrace_has_cap':
    ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
    kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
    `___copy_from_user' follow
    
    Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Havard Skinnemoen <hskinnemoen@gmail.com>
    Acked-by: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 54e7defb67e15b0b0f8f6505193922cb1af4eaba
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Tue Dec 9 14:21:45 2014 -0800

    hexagon: Fix build failures in linux-next
    
    [ Upstream commit cb84c2b401d9cead5508cfed57b59b6d5feffdac ]
    
    hexagon:defconfig fails to build in linux-next since commit 332fd7c4fef5
    ("genirq: Generic chip: Change irq_reg_{readl,writel} arguments").
    
    The primary build failure is
    
    arch/hexagon/include/asm/cacheflush.h: In function 'copy_to_user_page':
    arch/hexagon/include/asm/cacheflush.h:89:22: error: 'VM_EXEC' undeclared
    
    This is the result of including <linux/io.h> from <linux/irq.h>,
    which is now necessary due to the use of readl and writel from irq.h.
    This causes recursive inclusions in hexagon code; cacheflush.h is included
    from mm.h prior to the definition of VM_EXEC.
    
    Fix the problem by moving copy_to_user_page from the hexagon include file to
    arch/hexagon/mm/cache.c, similar to other architectures. After this change,
    several redefinitions of readl and writel are reported. Those are caused
    by recursive inclusions of io.h and asm/cacheflush.h. Fix those problems by
    reducing the number of files included from those files. Also, it was necessary
    to stop including asm-generic/cacheflush.h from asm/cacheflush.h. Instead,
    functionality originally provided by asm-generic/cacheflush.h is now coded
    in asm/cacheflush.h directly.
    
    Cc: Kevin Cernekee <cernekee@gmail.com>
    Cc: Jason Cooper <jason@lakedaemon.net>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    signed-off-by: Richard Kuo <rkuo@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f6e672ada0c9714c7d1a63054ca98c707fa916d6
Author: Martin K. Petersen <martin.petersen@oracle.com>
Date:   Wed Jul 22 07:57:12 2015 -0400

    block: Do a full clone when splitting discard bios
    
    This fixes a data corruption bug when using discard on top of MD linear,
    raid0 and raid10 personalities.
    
    Commit 20d0189b1012 "block: Introduce new bio_split()" permits sharing
    the bio_vec between the two resulting bios. That is fine for read/write
    requests where the bio_vec is immutable. For discards, however, we need
    to be able to attach a payload and update the bio_vec so the page can
    get mapped to a scatterlist entry. Therefore the bio_vec can not be
    shared when splitting discards and we must do a full clone.
    
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Reported-by: Seunguk Shin <seunguk.shin@samsung.com>
    Tested-by: Seunguk Shin <seunguk.shin@samsung.com>
    Cc: Seunguk Shin <seunguk.shin@samsung.com>
    Cc: Jens Axboe <axboe@fb.com>
    Cc: Kent Overstreet <kent.overstreet@gmail.com>
    Cc: <stable@vger.kernel.org> # v3.14+
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@fb.com>

commit 31714bce258a8b098d5629a88f61568c28bf8ca4
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Wed Sep 21 08:31:29 2016 -0400

    btrfs: ensure that file descriptor used with subvol ioctls is a dir
    
    [ Upstream commit 325c50e3cebb9208009083e841550f98a863bfa0 ]
    
    If the subvol/snapshot create/destroy ioctls are passed a regular file
    with execute permissions set, we'll eventually Oops while trying to do
    inode->i_op->lookup via lookup_one_len.
    
    This patch ensures that the file descriptor refers to a directory.
    
    Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
    Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
    Cc: <stable@vger.kernel.org> #v2.6.29+
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 400f32af8fa658ffd530aab033e5eb0ad419c18d
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Sep 20 20:07:42 2016 +0100

    fix fault_in_multipages_...() on architectures with no-op access_ok()
    
    [ Upstream commit e23d4159b109167126e5bcd7f3775c95de7fee47 ]
    
    Switching iov_iter fault-in to multipages variants has exposed an old
    bug in underlying fault_in_multipages_...(); they break if the range
    passed to them wraps around.  Normally access_ok() done by callers will
    prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
    such a range and they should not point to any valid objects).
    
    However, on architectures where userland and kernel live in different
    MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
    with a wraparound can reach fault_in_multipages_...().
    
    Since any wraparound means EFAULT there, the fix is trivial - turn
    those
    
        while (uaddr <= end)
                ...
    into
    
        if (unlikely(uaddr > end))
                return -EFAULT;
        do
                ...
        while (uaddr <= end);
    
    Reported-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Cc: stable@vger.kernel.org # v3.5+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
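
The wraparound case from the fault_in_multipages_...() commit above, as an added user-space example (not code from the kernel patch). `probe_byte()`, the `MAP_*` window and both function names are hypothetical stand-ins for `__get_user()` and the real helpers; the last-byte probe after the loop is part of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE ((uintptr_t)4096)
#define MODEL_PAGE_MASK (~(MODEL_PAGE_SIZE - 1))

/* Constructed address space: only [MAP_START, MAP_END) counts as mapped. */
#define MAP_START ((uintptr_t)0x10000)
#define MAP_END   ((uintptr_t)0x20000)

/* A range that wraps: it starts 100 bytes below the top of the address space. */
#define WRAP_ADDR (UINTPTR_MAX - 100)

/* Stand-in for a one-byte __get_user(); counts every probe made. */
static int probe_byte(uintptr_t addr, unsigned *probes)
{
    (*probes)++;
    return (addr >= MAP_START && addr < MAP_END) ? 0 : -EFAULT;
}

/* Probe the last byte when the loop stopped inside the final page. */
static int probe_last(uintptr_t uaddr, uintptr_t end, unsigned *probes)
{
    if ((uaddr & MODEL_PAGE_MASK) == (end & MODEL_PAGE_MASK))
        return probe_byte(end, probes);
    return 0;
}

/* Loop shape before the fix: "while (uaddr <= end)". */
int fault_in_old(uintptr_t uaddr, size_t size, unsigned *probes)
{
    uintptr_t end = uaddr + size - 1;   /* wraps for WRAP_ADDR */
    int ret;

    if (size == 0)
        return 0;
    while (uaddr <= end) {              /* false at once when end wrapped */
        ret = probe_byte(uaddr, probes);
        if (ret)
            return ret;
        uaddr += MODEL_PAGE_SIZE;
    }
    return probe_last(uaddr, end, probes);
}

/* Loop shape after the fix: reject the wrapped range, then do/while. */
int fault_in_fixed(uintptr_t uaddr, size_t size, unsigned *probes)
{
    uintptr_t end = uaddr + size - 1;
    int ret;

    if (size == 0)
        return 0;
    if (uaddr > end)                    /* any wraparound means EFAULT */
        return -EFAULT;
    do {
        ret = probe_byte(uaddr, probes);
        if (ret)
            return ret;
        uaddr += MODEL_PAGE_SIZE;
    } while (uaddr <= end);
    return probe_last(uaddr, end, probes);
}

int main(void)
{
    unsigned n_old = 0, n_fixed = 0;
    int r_old = fault_in_old(WRAP_ADDR, 4096, &n_old);
    int r_fixed = fault_in_fixed(WRAP_ADDR, 4096, &n_fixed);

    printf("old:   ret=%d probes=%u\n", r_old, n_old);
    printf("fixed: ret=%d probes=%u\n", r_fixed, n_fixed);
    return 0;
}
```

With the old loop the wrapped range is reported as faulted in although no byte was ever probed, which is the state a no-op access_ok() lets through.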

commit 1108f7038cbb0e1e38849ce5ad727633416db03a
Author: Ashish Samant <ashish.samant@oracle.com>
Date:   Mon Sep 19 14:44:42 2016 -0700

    ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
    
    [ Upstream commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 ]
    
    If we punch a hole on a reflink such that the following conditions are met:
    
    1. start offset is on a cluster boundary
    2. end offset is not on a cluster boundary
    3. (end offset is somewhere in another extent) or
       (hole range > MAX_CONTIG_BYTES(1MB)),
    
    we don't COW the first cluster starting at the start offset.  But in this
    case, we were wrongly passing this cluster to
    ocfs2_zero_range_for_truncate() to zero out.  This will modify the
    cluster in place and zero it in the source too.
    
    Fix this by skipping this cluster in such a scenario.
    
    To reproduce:
    
    1. Create a random file of say 10 MB
         xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
    2. Reflink it
         reflink -f 10MBfile reflnktest
    3. Punch a hole starting at a cluster boundary with a range greater than
    1MB. You can also use a range that will put the end offset in another
    extent.
         fallocate -p -o 0 -l 1048615 reflnktest
    4. sync
    5. Check the first cluster in the source file. (It will be zeroed out).
        dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C
    
    Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.com
    Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
    Reported-by: Saar Maoz <saar.maoz@oracle.com>
    Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
    Cc: Mark Fasheh <mfasheh@suse.de>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Joseph Qi <joseph.qi@huawei.com>
    Cc: Eric Ren <zren@suse.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 8a781b2ef81309458b9b24b51f8ad81ac7e98fe2
Author: Jan Kara <jack@suse.cz>
Date:   Mon Sep 19 14:44:30 2016 -0700

    fanotify: fix list corruption in fanotify_get_response()
    
    [ Upstream commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 ]
    
    fanotify_get_response() calls fsnotify_remove_event() when it finds that
    group is being released from fanotify_release() (bypass_perm is set).
    
    However the event it removes need not be only in the group's notification
    queue but it can have already moved to access_list (userspace read the
    event before closing the fanotify instance fd) which is protected by a
    different lock.  Thus when fsnotify_remove_event() races with
    fanotify_release() operating on access_list, the list can get corrupted.
    
    Fix the problem by moving all the logic removing permission events from
    the lists to one place - fanotify_release().
    
    Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
    Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz
    Signed-off-by: Jan Kara <jack@suse.cz>
    Reported-by: Miklos Szeredi <mszeredi@redhat.com>
    Tested-by: Miklos Szeredi <mszeredi@redhat.com>
    Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 05eb9c077253bf285dc2d0daaa4b14d1cf782528
Author: Jan Kara <jack@suse.cz>
Date:   Mon Sep 19 14:44:27 2016 -0700

    fsnotify: add a way to stop queueing events on group shutdown
    
    [ Upstream commit 12703dbfeb15402260e7554d32a34ac40c233990 ]
    
    Implement a function that can be called when a group is being shut down
    to stop queueing new events to the group.  Fanotify will use this.
    
    Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
    Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz
    Signed-off-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 8a66ed3130d239398c821263953aaa7cbb8350ca
Author: Ian Kent <raven@themaw.net>
Date:   Mon Sep 19 14:44:12 2016 -0700

    autofs: use dentry flags to block walks during expire
    
    [ Upstream commit 7cbdb4a286a60c5d519cb9223fe2134d26870d39 ]
    
    Somewhere along the way the autofs expire operation has changed to hold
    a spin lock over expired dentry selection.  The autofs indirect mount
    expired dentry selection is complicated and quite lengthy so it isn't
    appropriate to hold a spin lock over the operation.
    
    Commit 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()") added a
    might_sleep() to dput() causing a WARN_ONCE() about this usage to be
    issued.
    
    But the spin lock doesn't need to be held over this check, the autofs
    dentry info flags are enough to block walks into dentrys during the
    expire.
    
    I've left the direct mount expire as it is (for now) because it is much
    simpler and quicker than the indirect mount expire and adding spin lock
    release and re-acquires would do nothing more than add overhead.
    
    Fixes: 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()")
    Link: http://lkml.kernel.org/r/20160912014017.1773.73060.stgit@pluto.themaw.net
    Signed-off-by: Ian Kent <raven@themaw.net>
    Reported-by: Takashi Iwai <tiwai@suse.de>
    Tested-by: Takashi Iwai <tiwai@suse.de>
    Cc: Takashi Iwai <tiwai@suse.de>
    Cc: NeilBrown <neilb@suse.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 14386af60453989c978bbf000729afb77257ce83
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jun 12 11:24:46 2016 -0400

    autofs races
    
    [ Upstream commit ea01a18494b3d7a91b2f1f2a6a5aaef4741bc294 ]
    
    * make autofs4_expire_indirect() skip the dentries being in process of
    expiry
    * do *not* mess with list_move(); making sure that dentry with
    AUTOFS_INF_EXPIRING are not picked for expiry is enough.
    * do not remove NO_RCU when we set EXPIRING, don't bother with smp_mb()
    there.  Clear it at the same time we clear EXPIRING.  Makes a bunch of
    tests simpler.
    * rename NO_RCU to WANT_EXPIRE, which is what it really is.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit de32bc4cff478e8a244265362ac90074fb93866b
Author: Joseph Qi <joseph.qi@huawei.com>
Date:   Mon Sep 19 14:43:55 2016 -0700

    ocfs2/dlm: fix race between convert and migration
    
    [ Upstream commit e6f0c6e6170fec175fe676495f29029aecdf486c ]
    
    Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
    checks if lockres master has changed to identify whether new master has
    finished recovery or not.  This will introduce a race that right after
    old master does umount ( means master will change), a new convert
    request comes.
    
    In this case, it will reset lockres state to DLM_RECOVERING and then
    retry convert, and then fail with lockres->l_action being set to
    OCFS2_AST_INVALID, which will cause inconsistent lock level between
    ocfs2 and dlm, and then finally BUG.
    
    Since dlm recovery will clear lock->convert_pending in
    dlm_move_lockres_to_recovery_list, we can use it to correctly identify
    the race case between convert and recovery.  So fix it.
    
    Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
    Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.com
    Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
    Signed-off-by: Jun Piao <piaojun@huawei.com>
    Cc: Mark Fasheh <mfasheh@suse.de>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 0b5f2bd0dfa47e81a2c2104849c27c5be920782e
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Wed Aug 17 12:41:08 2016 -0300

    can: flexcan: fix resume function
    
    [ Upstream commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 ]
    
    On an imx6ul-pico board the following error is seen during system suspend:
    
    dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
    PM: Device 2090000.flexcan failed to resume: error -110
    
    The reason for this suspend error is because when the CAN interface is not
    active the clocks are disabled and then flexcan_chip_enable() will
    always fail due to a timeout error.
    
    In order to fix this issue, only call flexcan_chip_enable/disable()
    when the CAN interface is active.
    
    Based on a patch from Dong Aisheng in the NXP kernel.
    
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 8694542801332f0019b6a0f12bdf64a358057804
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Fri Sep 16 10:24:26 2016 -0400

    USB: change bInterval default to 10 ms
    
    [ Upstream commit 08c5cd37480f59ea39682f4585d92269be6b1424 ]
    
    Some full-speed mceusb infrared transceivers contain invalid endpoint
    descriptors for their interrupt endpoints, with bInterval set to 0.
    In the past they have worked out okay with the mceusb driver, because
    the driver sets the bInterval field in the descriptor to 1,
    overwriting whatever value may have been there before.  However, this
    approach was never sanctioned by the USB core, and in fact it does not
    work with xHCI controllers, because they use the bInterval value that
    was present when the configuration was installed.
    
    Currently usbcore uses 32 ms as the default interval if the value in
    the endpoint descriptor is invalid.  It turns out that these IR
    transceivers don't work properly unless the interval is set to 10 ms
    or below.  To work around this mceusb problem, this patch changes the
    endpoint-descriptor parsing routine, making the default interval value
    be 10 ms rather than 32 ms.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Tested-by: Wade Berrier <wberrier@gmail.com>
    CC: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit e58d9a8251584d92976d4cc7f46ab30963c9e99a
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Sep 15 02:35:29 2016 +0100

    fix minor infoleak in get_user_ex()
    
    [ Upstream commit 1c109fabbd51863475cd12ac206bdd249aee35af ]
    
    get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
    (at most we are leaking uninitialized 64bit value off the kernel stack,
    and in a fairly constrained situation, at that), but the fix is trivial,
    so...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ This sat in different branch from the uaccess fixes since mid-August ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 0772cbae23cefb135c5214aed8631b344f791a43
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 9 19:28:23 2016 -0400

    avr32: fix copy_from_user()
    
    [ Upstream commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e ]
    
    really ugly, but apparently avr32 compilers turn access_ok() into
    something so bad that they want it in assembler.  Left that way,
    zeroing added in inline wrapper.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit c352b42eb1718eda1ab4c520eed77e4734ec6196
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 9 19:23:33 2016 -0400

    microblaze: fix __get_user()
    
    [ Upstream commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit d31b0dcfb1d1a6ca5b98d3605c5c5318cd9195a4
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 9 19:22:34 2016 -0400

    microblaze: fix copy_from_user()
    
    [ Upstream commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit ba08781d8abc610e4094dacec31bbd3a87c506bd
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 9 19:20:13 2016 -0400

    m32r: fix __get_user()
    
    [ Upstream commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f27aa24d83767480930a97be76ff05e624ed81cd
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 9 19:16:58 2016 -0400

    blackfin: fix copy_from_user()
    
    [ Upstream commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 9050993a5a2aff7b9088c7b10a673a210cfa463f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Mon Aug 22 00:23:07 2016 -0400

    sparc32: fix copy_from_user()
    
    [ Upstream commit 917400cecb4b52b5cde5417348322bb9c8272fa6 ]
    
    Cc: stable@vger.kernel.org
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 8bd2ef709d42a7c839c4ebf7c91f4dec2c90b6f6
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 23:39:47 2016 -0400

    sh: fix copy_from_user()
    
    [ Upstream commit 6e050503a150b2126620c1a1e9b3a368fcd51eac ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 94000fc8f4ab34b031caecdfcc767f478900a7bb
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 23:33:47 2016 -0400

    sh64: failing __get_user() should zero
    
    [ Upstream commit c6852389228df9fb3067f94f3b651de2a7921b36 ]
    
    It could be done in exception-handling bits in __get_user_b() et.al.,
    but the surgery involved would take more knowledge of sh64 details
    than I have or _want_ to have.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit c1c77a5f1371315e5ee0686ad38ee6826cd458bd
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 22:30:44 2016 -0400

    score: fix copy_from_user() and friends
    
    [ Upstream commit b615e3c74621e06cd97f86373ca90d43d6d998aa ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 68f1e32cd2fc2e3b131b334ad48e9a9b4d20c764
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 22:13:39 2016 -0400

    score: fix __get_user/get_user
    
    [ Upstream commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 ]
    
    * should zero on any failure
    * __get_user() should use __copy_from_user(), not copy_from_user()
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 0cdee92f5c26e9fa9858816a7dcc8928d192ebd1
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 22:00:54 2016 -0400

    s390: get_user() should zero on failure
    
    [ Upstream commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 1b228faae706dfe7a2a0f321e2c4827f297fa440
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Aug 21 19:16:26 2016 -0400

    ppc32: fix copy_from_user()
    
    [ Upstream commit 224264657b8b228f949b42346e09ed8c90136a8e ]
    
    should clear on access_ok() failures.  Also remove the useless
    range truncation logics.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 6c696327470978196e46cc588debdbc90164a198
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Aug 20 19:03:37 2016 -0400

    parisc: fix copy_from_user()
    
    [ Upstream commit aace880feea38875fbc919761b77e5732a3659ef ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 499e590cbe0052d4343cc5cab0e7baf1d48d7061
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Aug 20 17:05:21 2016 -0400

    openrisc: fix copy_from_user()
    
    [ Upstream commit acb2505d0119033a80c85ac8d02dccae41271667 ]
    
    ... that should zero on faults.  Also remove the <censored> helpful
    logics wrt range truncation copied from ppc32.  Where it had ever
    been needed only in case of copy_from_user() *and* had not been merged
    into the mainline until a month after the need had disappeared.
    A decade before openrisc went into mainline, I might add...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 8260a515dd670f2994e50a7783ddbe75eb6d4e0d
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Aug 20 16:33:10 2016 -0400

    mn10300: copy_from_user() should zero on access_ok() failure...
    
    [ Upstream commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f17364dd43ea3966bb068f94f40d23613e17aba0
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Aug 20 16:32:02 2016 -0400

    mn10300: failing __get_user() and get_user() should zero
    
    [ Upstream commit 43403eabf558d2800b429cd886e996fd555aa542 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit c99e37cddc0bdc9e108d0c7e2287248711268fdf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Aug 20 16:18:53 2016 -0400

    mips: copy_from_user() must zero the destination on access_ok() failure
    
    [ Upstream commit e69d700535ac43a18032b3c399c69bf4639e89a2 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 09baa6b1ba17ac7168ad16daeb0f114dfac1cedc
Author: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Date:   Fri Aug 19 12:10:02 2016 -0700

    ARC: uaccess: get_user to zero out dest in cause of fault
    
    [ Upstream commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af ]
    
    Al reported potential issue with ARC get_user() as it wasn't clearing
    out destination pointer in case of fault due to bad address etc.
    
    Verified using the following
    
    | {
    |       u32 bogus1 = 0xdeadbeef;
    |       u64 bogus2 = 0xdead;
    |       int rc1, rc2;
    |
    |       pr_info("Orig values %x %llx\n", bogus1, bogus2);
    |       rc1 = get_user(bogus1, (u32 __user *)0x40000000);
    |       rc2 = get_user(bogus2, (u64 __user *)0x50000000);
    |       pr_info("access %d %d, new values %x %llx\n",
    |               rc1, rc2, bogus1, bogus2);
    | }
    
    | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
    | Orig values deadbeef dead
    | access -14 -14, new values 0 0
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: linux-snps-arc@lists.infradead.org
    Cc: linux-kernel@vger.kernel.org
    Cc: stable@vger.kernel.org
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 9a34b2a78d804cc01704de334d6795b71555a9e1
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 18 22:08:20 2016 -0400

    metag: copy_from_user() should zero the destination on access_ok() failure
    
    [ Upstream commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b ]
    
    Cc: stable@vger.kernel.org
    Acked-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit ddc84f7b3093f0e29252f155d74191fef3746a86
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 18 21:31:41 2016 -0400

    ia64: copy_from_user() should zero the destination on access_ok() failure
    
    [ Upstream commit a5e541f796f17228793694d64b507f5f57db4cd7 ]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 591ca382baa0416352fd917bc33bf05491a270c6
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 18 21:16:49 2016 -0400

    hexagon: fix strncpy_from_user() error return
    
    [ Upstream commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 ]
    
    It's -EFAULT, not -1 (and contrary to the comment in there,
    __strnlen_user() can return 0 - on faults).
    
    Cc: stable@vger.kernel.org
    Acked-by: Richard Kuo <rkuo@codeaurora.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit a4bc5779f6e3ec3d1052d7b327aa76f26d73acaf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 18 20:54:02 2016 -0400

    frv: fix clear_user()
    
    [ Upstream commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 ]
    
    It should check access_ok().  Otherwise a bunch of places turn into
    trivially exploitable rootholes.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f13847df64d58b4ca99423b6e678675217702d14
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Aug 17 23:19:01 2016 -0400

    asm-generic: make get_user() clear the destination on errors
    
    [ Upstream commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa ]
    
    both for access_ok() failures and for faults halfway through
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
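
The contract the uaccess commits in this log converge on (return the number of bytes not copied, and zero whatever part of the destination was not filled, both on access_ok() failure and on a fault halfway through), as an added user-space model that is not code from any of these patches. `struct user_range`, the `SAMPLE_*` ranges, the `STALE` marker and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA   /* constructed marker for leftover kernel-stack bytes */

/* Model of a user range: `ok` is the access_ok() verdict, `readable`
 * is how many bytes can be read before the access faults. */
struct user_range {
    const unsigned char *src;
    int ok;
    size_t readable;
};

/* Constructed sample input. */
static const unsigned char USER_DATA[] = "ABCDEFGH";
static const struct user_range SAMPLE_BAD     = { USER_DATA, 0, 0 };
static const struct user_range SAMPLE_PARTIAL = { USER_DATA, 1, 3 };

typedef size_t (*copy_fn)(void *, const struct user_range *, size_t);

/* Behaviour the fixes remove: the return value is right, but the
 * uncopied part of the destination keeps its previous contents. */
size_t copy_from_user_nozero(void *to, const struct user_range *from, size_t n)
{
    size_t done;

    if (!from->ok)
        return n;                       /* destination never touched */
    done = from->readable < n ? from->readable : n;
    memcpy(to, from->src, done);
    return n - done;                    /* tail left as it was */
}

/* Behaviour after the fixes: same return value, uncopied tail zeroed. */
size_t copy_from_user_zeroing(void *to, const struct user_range *from, size_t n)
{
    size_t done = 0;

    if (from->ok) {
        done = from->readable < n ? from->readable : n;
        memcpy(to, from->src, done);
    }
    memset((unsigned char *)to + done, 0, n - done);
    return n - done;                    /* bytes NOT copied */
}

/* A caller that ignores the return value and later exposes its buffer.
 * Returns how many of the n bytes still hold stale stack contents. */
size_t stale_bytes_after(copy_fn copy, const struct user_range *from, size_t n)
{
    unsigned char kbuf[16];
    size_t i, stale = 0;

    if (n > sizeof(kbuf))
        n = sizeof(kbuf);
    memset(kbuf, STALE, sizeof(kbuf));  /* pretend this is old stack data */
    (void)copy(kbuf, from, n);          /* result deliberately unchecked */
    for (i = 0; i < n; i++)
        stale += (kbuf[i] == STALE);
    return stale;
}

int main(void)
{
    printf("access_ok failure: nozero leaks %zu, zeroing leaks %zu\n",
           stale_bytes_after(copy_from_user_nozero, &SAMPLE_BAD, 8),
           stale_bytes_after(copy_from_user_zeroing, &SAMPLE_BAD, 8));
    printf("fault after 3 bytes: nozero leaks %zu, zeroing leaks %zu\n",
           stale_bytes_after(copy_from_user_nozero, &SAMPLE_PARTIAL, 8),
           stale_bytes_after(copy_from_user_zeroing, &SAMPLE_PARTIAL, 8));
    return 0;
}
```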

commit a0ed243c99234b62e9b25871eda6374289e6d506
Author: Yoshinori Sato <ysato@users.sourceforge.jp>
Date:   Thu Jul 16 13:56:06 2015 +0900

    asm-generic: {get,put}_user ptr argument evaluate only 1 time
    
    [ Upstream commit a02613a4ba679eacec8251976d02809d533fa717 ]
    
    The current implementation evaluates the ptr argument 2 times.
    It'll be an unexpected result.
    
    Changes v5:
    Remove unnecessary const.
    Changes v4:
    Temporary pointer type change to const void*
    Changes v3:
    Some build error fix.
    Changes v2:
    Argument x protect.
    
    Signed-off-by: Yoshinori Sato <ysato@users.sourceforge.jp>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 93e5a11e71677cabca6fb5e48acbccd2985d5b2d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Sep 13 15:53:55 2016 +0200

    nl80211: validate number of probe response CSA counters
    
    [ Upstream commit ad5987b47e96a0fb6d13fea250e936aed000093c ]
    
    Due to an apparent copy/paste bug, the number of counters for the
    beacon configuration were checked twice, instead of checking the
    number of probe response counters. Fix this to check the number of
    probe response counters before parsing those.
    
    Cc: stable@vger.kernel.org
    Fixes: 9a774c78e211 ("cfg80211: Support multiple CSA counters")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit bc6285a72c76afbf339a6212dc038e4154a49b90
Author: Huacai Chen <chenhc@lemote.com>
Date:   Mon Sep 5 08:48:03 2016 +0800

    MIPS: Add a missing ".set pop" in an early commit
    
    [ Upstream commit 3cbc6fc9c99f1709203711f125bc3b79487aba06 ]
    
    Commit 842dfc11ea9a21 ("MIPS: Fix build with binutils 2.24.51+") is missing
    a ".set pop" in macro fpu_restore_16even, so add it.
    
    Signed-off-by: Huacai Chen <chenhc@lemote.com>
    Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
    Cc: Steven J . Hill <Steven.Hill@caviumnetworks.com>
    Cc: Fuxin Zhang <zhangfx@lemote.com>
    Cc: Zhangjin Wu <wuzhangjin@gmail.com>
    Cc: linux-mips@linux-mips.org
    Cc: stable@vger.kernel.org # 3.18+
    Patchwork: https://patchwork.linux-mips.org/patch/14210/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 790e65fd71e04d5a8e0cda2543e7bbbf98bc5456
Author: Boris Brezillon <boris.brezillon@free-electrons.com>
Date:   Tue Sep 13 15:58:28 2016 +0200

    genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers
    
    [ Upstream commit ebf9ff753c041b296241990aef76163bbb2cc9c8 ]
    
    Some irqchip drivers need to take the generic chip lock outside of the
    irq context.
    
    Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow
    one to disable irqs while entering a critical section protected by
    gc->lock.
    
    Note that we do not provide optimized version of these helpers for !SMP,
    because they are not called from the hot-path.
    
    [ tglx: Added a comment when these helpers should be [not] used ]
    
    Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
    Cc: Jason Cooper <jason@lakedaemon.net>
    Cc: Marc Zyngier <marc.zyngier@arm.com>
    Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
    Cc: stable@vger.kernel.org
    Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit b5937a545309b73ec6deef5b5d19d664db6236a1
Author: Kevin Cernekee <cernekee@gmail.com>
Date:   Thu Nov 6 22:44:17 2014 -0800

    genirq: Generic chip: Change irq_reg_{readl,writel} arguments
    
    [ Upstream commit 332fd7c4fef5f3b166e93decb07fd69eb24f7998 ]
    
    Pass in the irq_chip_generic struct so we can use different readl/writel
    settings for each irqchip driver, when appropriate.  Compute
    (gc->reg_base + reg_offset) in the helper function because this is pretty
    much what all callers want to do anyway.
    
    Compile-tested using the following configurations:
    
        at91_dt_defconfig (CONFIG_ATMEL_AIC_IRQ=y)
        sama5_defconfig (CONFIG_ATMEL_AIC5_IRQ=y)
        sunxi_defconfig (CONFIG_ARCH_SUNXI=y)
    
    tb10x (ARC) is untested.
    
    Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Link: https://lkml.kernel.org/r/1415342669-30640-3-git-send-email-cernekee@gmail.com
    Signed-off-by: Jason Cooper <jason@lakedaemon.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 75175017413938fffb835911b6191ef58012909f
Author: Matt Redfearn <matt.redfearn@imgtec.com>
Date:   Mon Sep 5 15:43:40 2016 +0100

    MIPS: paravirt: Fix undefined reference to smp_bootstrap
    
    [ Upstream commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 ]
    
    If the paravirt machine is compiled without CONFIG_SMP, the following
    linker error occurs
    
    arch/mips/kernel/head.o: In function `kernel_entry':
    (.ref.text+0x10): undefined reference to `smp_bootstrap'
    
    due to the kernel entry macro always including SMP startup code.
    Wrap this code in CONFIG_SMP to fix the error.
    
    Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Cc: stable@vger.kernel.org # 3.16+
    Patchwork: https://patchwork.linux-mips.org/patch/14212/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit e47705fb816e99975748201dafb695db7fd90a07
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Tue Sep 13 09:48:53 2016 +0100

    crypto: arm64/aes-ctr - fix NULL dereference in tail processing
    
    [ Upstream commit 2db34e78f126c6001d79d3b66ab1abb482dc7caa ]
    
    The AES-CTR glue code avoids calling into the blkcipher API for the
    tail portion of the walk, by comparing the remainder of walk.nbytes
    modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
    into the tail processing block if they are equal. This tail processing
    block checks whether nbytes != 0, and does nothing otherwise.
    
    However, in case of an allocation failure in the blkcipher layer, we
    may enter this code with walk.nbytes == 0, while nbytes > 0. In this
    case, we should not dereference the source and destination pointers,
    since they may be NULL. So instead of checking for nbytes != 0, check
    for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
    non-error conditions.
    
    Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
    Cc: stable@vger.kernel.org
    Reported-by: xiakaixu <xiakaixu@huawei.com>
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 4f17ddb10568a473ef3e786536cb38f56a3a2a91
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Tue Sep 13 14:43:29 2016 +0800

    crypto: skcipher - Fix blkcipher walk OOM crash
    
    [ Upstream commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 ]
    
    When we need to allocate a temporary blkcipher_walk_next and it
    fails, the code is supposed to take the slow path of processing
    the data block by block.  However, due to an unrelated change
    we instead end up dereferencing the NULL pointer.
    
    This patch fixes it by moving the unrelated bsize setting out
    of the way so that we enter the slow path as intended.
    
    Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
    Cc: stable@vger.kernel.org
    Reported-by: xiakaixu <xiakaixu@huawei.com>
    Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f5c698a84c6e7570dc27338db9f65552ace9a8ac
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Fri Sep 2 10:37:56 2016 +0200

    USB: serial: simple: add support for another Infineon flashloader
    
    [ Upstream commit f190fd92458da3e869b4e2c6289e2c617490ae53 ]
    
    This patch adds support for Infineon flashloader 0x8087/0x0801.
    
    The flashloader is used in Telit LE940B modem family with Telit
    flashing application.
    
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 11e9b4ed30479de5555fa95022e958caadc6edc7
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Aug 17 16:36:37 2016 -0400

    asm-generic: make copy_from_user() zero the destination properly
    
    [ Upstream commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 ]
    
    ... in all cases, including the failing access_ok()
    
    Note that some architectures using asm-generic/uaccess.h have
    __copy_from_user() not zeroing the tail on failure halfway
    through.  This variant works either way.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
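
An added user-space model, not kernel code and not part of the original changelog, of the zeroing behaviour this commit describes (the ia64 copy_from_user() and asm-generic get_user() commits above concern the same property). The address-space layout, the `model_*` helpers, `copy_from_user_unfixed()` and the 0xAA stale-data marker are assumptions made for illustration; the stale-byte counts show what a caller's buffer would still hold after a failed copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed address-space model (an assumption, not a kernel layout):
 *   offsets [0, MAPPED_END)              mapped user memory
 *   offsets [MAPPED_END, USER_SPACE_END) in the user range but unmapped (fault)
 *   offsets >= USER_SPACE_END            rejected by the access_ok()-style check
 */
#define MAPPED_END     24u
#define USER_SPACE_END 64u
#define STALE          0xAAu   /* stand-in for leftover kernel data */

typedef size_t (*copy_fn)(void *to, size_t uaddr, size_t n);

static unsigned char demo_buf[32];   /* destination, inspected after each copy */

/* Range check only; it says nothing about whether the pages are mapped. */
static int model_access_ok(size_t uaddr, size_t n)
{
    return n <= USER_SPACE_END && uaddr <= USER_SPACE_END - n;
}

/*
 * Raw copy: stops at the first unmapped byte, returns the number of bytes
 * NOT copied, and leaves the uncopied tail of the destination untouched.
 */
static size_t model_raw_copy(void *to, size_t uaddr, size_t n)
{
    unsigned char *dst = to;
    size_t i;

    for (i = 0; i < n && uaddr + i < MAPPED_END; i++)
        dst[i] = (unsigned char)(0x10 + uaddr + i);   /* constructed user data */
    return n - i;
}

/* Wrapper that never zeroes: the destination keeps whatever it held before. */
static size_t copy_from_user_unfixed(void *to, size_t uaddr, size_t n)
{
    if (model_access_ok(uaddr, n))
        return model_raw_copy(to, uaddr, n);
    return n;
}

/*
 * Wrapper that zeroes the uncopied tail in every failure case: a rejected
 * range (res == n) and a fault halfway through (0 < res < n). It works
 * whether or not the raw copy already zeroed the tail itself.
 */
static size_t copy_from_user_fixed(void *to, size_t uaddr, size_t n)
{
    size_t res = n;

    if (model_access_ok(uaddr, n))
        res = model_raw_copy(to, uaddr, n);
    if (res)
        memset((unsigned char *)to + (n - res), 0, res);
    return res;
}

/* Pre-fill the buffer with STALE, copy, and count stale bytes left in [0, n). */
static size_t stale_bytes_after(copy_fn copy, size_t uaddr, size_t n)
{
    size_t i, stale = 0;

    memset(demo_buf, STALE, sizeof(demo_buf));
    copy(demo_buf, uaddr, n);
    for (i = 0; i < n; i++)
        if (demo_buf[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    static const struct { const char *what; size_t uaddr, n; } cases[] = {
        { "fully mapped",          0, 16 },
        { "fault halfway through", 16, 16 },
        { "range check fails",     60, 16 },
        { "in range, unmapped",    32,  8 },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s stale bytes: unfixed=%zu fixed=%zu\n", cases[i].what,
               stale_bytes_after(copy_from_user_unfixed, cases[i].uaddr, cases[i].n),
               stale_bytes_after(copy_from_user_fixed, cases[i].uaddr, cases[i].n));
    return 0;
}
```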

commit 62fc2f90511bc865c2d6386bc348283005c0f951
Author: Will Deacon <will.deacon@arm.com>
Date:   Mon Sep 5 11:56:05 2016 +0100

    arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
    
    [ Upstream commit 872c63fbf9e153146b07f0cece4da0d70b283eeb ]
    
    smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
    to a full barrier, such that prior stores are ordered with respect to
    loads and stores occurring inside the critical section.
    
    Unfortunately, the core code defines the barrier as smp_wmb(), which
    is insufficient to provide the required ordering guarantees when used in
    conjunction with our load-acquire-based spinlock implementation.
    
    This patch overrides the arm64 definition of smp_mb__before_spinlock()
    to map to a full smp_mb().
    
    Cc: <stable@vger.kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Reported-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f4e1eb5d3efa7ba4dc1c03495d5fb5dd0838762d
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Thu Sep 8 16:25:49 2016 +0100

    kvm-arm: Unmap shadow pagetables properly
    
    [ Upstream commit 293f293637b55db4f9f522a5a72514e98a541076 ]
    
    On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
    mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
    the userspace buffer gets unmapped. However, when the Hypervisor
    process exits without explicit unmap of the guest buffers, the only
    notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
    ) which does nothing on arm. Later this causes us to access pages that
    were already released [via exit_mmap() -> unmap_vmas()] when we actually
    get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
    kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
    which unmaps any free'd pages from the linear map.
    
     [  757.644120] Unable to handle kernel paging request at virtual address
      ffff800661e00000
     [  757.652046] pgd = ffff20000b1a2000
     [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
      *pmd=00000047fcc7c003, *pte=00e8004661e00712
     [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
     [  757.672041] Modules linked in:
     [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
     4.8.0-rc1 #3
     [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
      BIOS 3.06.15 Aug 19 2016
     [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
     [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
     [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
     [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
     ...
     [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
     [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
     [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
     [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
     [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
     [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
     [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
     [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
     [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
     [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
     [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
     [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
     [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
     [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
     [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
     [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)
    
    This patch fixes the issue by moving the kvm_free_stage2_pgd() to
    kvm_arch_flush_shadow_all().
    
    Cc: <stable@vger.kernel.org> # 3.9+
    Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
    Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
    Reported-by: James Morse <james.morse@arm.com>
    Cc: Marc Zyngier <marc.zyngier@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 1a30ab34ce72bcf8b549c72d9c7e64ace95f02b3
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Sep 7 15:45:31 2016 +0200

    ALSA: timer: Fix zero-division by continue of uninitialized instance
    
    [ Upstream commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b ]
    
    When a user timer instance is continued without the explicit start
    beforehand, the system gets eventually zero-division error like:
    
      divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
      CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       task: ffff88003c9b2280 task.stack: ffff880027280000
       RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
       RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
      Call Trace:
       <IRQ>
       [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
       [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
       [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
       [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
       [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
       [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
       <EOI>
       .....
    
    Although a similar issue was spotted and a fix patch was merged in
    commit [6b760bb2c63a: ALSA: timer: fix division by zero after
    SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
    iceberg.
    
    In this patch, we fix the issue a bit more drastically.  Basically the
    continue of an uninitialized timer is supposed to be a fresh start, so
    we do it for user timers.  For the direct snd_timer_continue() call,
    there is no way to pass the initial tick value, so we kick out for the
    uninitialized case.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 1174014a57eda377f5ed60e4c880c935d02c7bde
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Feb 10 12:47:03 2016 +0100

    ALSA: timer: Call notifier in the same spinlock
    
    [ Upstream commit f65e0d299807d8a11812845c972493c3f9a18e10 ]
    
    snd_timer_notify1() is called outside the spinlock and it retakes the
    lock after the unlock.  This is rather racy, and it's safer to move
    snd_timer_notify() call inside the main spinlock.
    
    The patch also contains a slight refactoring / cleanup of the code.
    Now all start/stop/continue/pause look more symmetric and a bit better
    readable.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 10494714165113e2a1c9a8013109319d054dc426
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Wed Sep 7 17:26:33 2016 +0300

    xhci: fix null pointer dereference in stop command timeout function
    
    [ Upstream commit bcf42aa60c2832510b9be0f30c090bfd35bb172d ]
    
    The stop endpoint command has its own 5 second timeout timer.
    If the timeout function is triggered between USB3 and USB2 host
    removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
    
    the ->primary_hcd will be set to NULL at USB3 hcd removal.
    
    Fix this by first checking if the PCI host is being removed, and
    also by using only xhci_to_hcd() as it will always return the primary
    hcd.
    
    CC: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 029a0cab4ef671ac1a5c4bfe7e4c39a2ddaff10d
Author: Paul Mackerras <paulus@ozlabs.org>
Date:   Fri Sep 2 21:47:59 2016 +1000

    powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
    
    [ Upstream commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa ]
    
    In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
    we lost a check on the region number (the top four bits of the effective
    address) for addresses below PAGE_OFFSET.  That commit replaced a check
    that the top 18 bits were all zero with a check that bits 46 - 59 were
    zero (performed for all addresses, not just user addresses).
    
    This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
    and we will insert a valid SLB entry for it.  The VSID used will be the
    same as if the top 4 bits were 0, but the page size will be some random
    value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
    array in the paca.  If that page size is the same as would be used for
    region 0, then userspace just has an alias of the region 0 space.  If the
    page size is different, then no HPTE will be found for the access, and
    the process will get a SIGSEGV (since hash_page_mm() will refuse to create
    a HPTE for the bogus address).
    
    The access beyond the end of the mm_ctx_high_slices_psize can be at most
    5.5MB past the array, and so will be in RAM somewhere.  Since the access
    is a load performed in real mode, it won't fault or crash the kernel.
    At most this bug could perhaps leak a little bit of information about
    blocks of 32 bytes of memory located at offsets of i * 512kB past the
    paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
    
    Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
    Cc: stable@vger.kernel.org # v3.9+
    Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
    Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 87af205b4c7ab1611a0fe915abcf178a2ba10a5d
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Thu Sep 1 14:25:43 2016 +0100

    crypto: cryptd - initialize child shash_desc on import
    
    [ Upstream commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e ]
    
    When calling .import() on a cryptd ahash_request, the structure members
    that describe the child transform in the shash_desc need to be initialized
    like they are when calling .init()
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f6692fc52b3cb0571b4d7291438f8f5b71b1dc7a
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date:   Mon Sep 5 16:06:31 2016 +0800

    ipv6: addrconf: fix dev refcont leak when DAD failed
    
    [ Upstream commit 751eb6b6042a596b0080967c1a529a9fe98dac1d ]
    
    In general, when DAD detected IPv6 duplicate address, ifp->state
    will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
    delayed work, the call tree should be like this:
    
    ndisc_recv_ns
      -> addrconf_dad_failure        <- missing ifp put
         -> addrconf_mod_dad_work
           -> schedule addrconf_dad_work()
             -> addrconf_dad_stop()  <- missing ifp hold before call it
    
    addrconf_dad_failure() called with ifp refcount holding but not put.
    addrconf_dad_work() call addrconf_dad_stop() without extra holding
    refcount. This will not cause any issue normally.
    
    But the race between addrconf_dad_failure() and addrconf_dad_work()
    may cause ifp refcount leak and netdevice can not be unregister,
    dmesg show the following messages:
    
    IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
    ...
    unregister_netdevice: waiting for eth0 to become free. Usage count = 1
    
    Cc: stable@vger.kernel.org
    Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
    to workqueue")
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 52e5087ce97a09d5baba7cfe85def389e892d73f
Author: Chris Mason <clm@fb.com>
Date:   Tue Sep 6 05:37:40 2016 -0700

    Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
    
    [ Upstream commit cbd60aa7cd17d81a434234268c55192862147439 ]
    
    We use a btrfs_log_ctx structure to pass information into the
    tree log commit, and get error values out.  It gets added to a per
    log-transaction list which we walk when things go bad.
    
    Commit d1433debe added an optimization to skip waiting for the log
    commit, but didn't take root_log_ctx out of the list.  This
    patch makes sure we remove things before exiting.
    
    Signed-off-by: Chris Mason <clm@fb.com>
    Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
    cc: stable@vger.kernel.org # 3.15+
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit a55325e134ecca559da21385d64fa9eef3e6cefe
Author: Forrest Liu <forrestl@synology.com>
Date:   Fri Jan 30 19:42:12 2015 +0800

    Btrfs: add missing blk_finish_plug in btrfs_sync_log()
    
    [ Upstream commit 3da5ab56482f322a9736c484db8773899c5c731b ]
    
    Add missing blk_finish_plug in btrfs_sync_log()
    
    Signed-off-by: Forrest Liu <forrestl@synology.com>
    Reviewed-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit f5518a3e2d8cb7d649d9400400ad28223de0e4e3
Author: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date:   Mon Aug 29 18:00:38 2016 +0900

    usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
    
    [ Upstream commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 ]
    
    The previous driver is possible to stop the transfer wrongly.
    For example:
     1) An interrupt happens, but not BRDY interruption.
     2) Read INTSTS0. And then state->intsts0 is not set to BRDY.
     3) BRDY is set to 1 here.
     4) Read BRDYSTS.
     5) Clear the BRDYSTS. And then, the BRDY is cleared wrongly.
    
    Remarks:
     - The INTSTS0.BRDY is read only.
      - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
      - If BRDYSTS is 0, the BRDY is set to 0.
    
    So, this patch adds condition to avoid such situation. (And about
    NRDYSTS, this is not used for now. But, avoiding any side effects,
    this patch doesn't touch it.)
    
    Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
    Cc: <stable@vger.kernel.org> # v3.8+
    Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit fb4064af0fd3887fafec8dfeba206966d0ff12b3
Author: Balbir Singh <bsingharora@gmail.com>
Date:   Mon Sep 5 13:16:40 2016 +1000

    sched/core: Fix a race between try_to_wake_up() and a woken up task
    
    [ Upstream commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf ]
    
    The origin of the issue I've seen is related to
    a missing memory barrier between check for task->state and
    the check for task->on_rq.
    
    The task being woken up is already awake from a schedule()
    and is doing the following:
    
            do {
                    schedule()
                    set_current_state(TASK_(UN)INTERRUPTIBLE);
            } while (!cond);
    
    The waker, actually gets stuck doing the following in
    try_to_wake_up():
    
            while (p->on_cpu)
                    cpu_relax();
    
    Analysis:
    
    The instance I've seen involves the following race:
    
     CPU1                                   CPU2
    
     while () {
       if (cond)
         break;
       do {
         schedule();
         set_current_state(TASK_UN..)
       } while (!cond);
                                            wakeup_routine()
                                              spin_lock_irqsave(wait_lock)
       raw_spin_lock_irqsave(wait_lock)       wake_up_process()
     }                                        try_to_wake_up()
     set_current_state(TASK_RUNNING);         ..
     list_del(&waiter.list);
    
    CPU2 wakes up CPU1, but before it can get the wait_lock and set
    current state to TASK_RUNNING the following occurs:
    
     CPU3
     wakeup_routine()
     raw_spin_lock_irqsave(wait_lock)
     if (!list_empty)
       wake_up_process()
       try_to_wake_up()
       raw_spin_lock_irqsave(p->pi_lock)
       ..
       if (p->on_rq && ttwu_wakeup())
       ..
       while (p->on_cpu)
         cpu_relax()
       ..
    
    CPU3 tries to wake up the task on CPU1 again since it finds
    it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
    after CPU2, CPU3 got it.
    
    CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
    the task is spinning on the wait_lock. Interestingly since p->on_rq
    is checked under pi_lock, I've noticed that try_to_wake_up() finds
    p->on_rq to be 0. This was the most confusing bit of the analysis,
    but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
    check is not reliable without this fix IMHO. The race is visible
    (based on the analysis) only when ttwu_queue() does a remote wakeup
    via ttwu_queue_remote. In which case the p->on_rq change is not
    done under the pi_lock.
    
    The result is that after a while the entire system locks up on
    the raw_spin_irqlock_save(wait_lock) and the holder spins infinitely
    
    Reproduction of the issue:
    
    The issue can be reproduced after a long run on my system with 80
    threads and having to tweak available memory to very low and running
    memory stress-ng mmapfork test. It usually takes a long time to
    reproduce. I am trying to work on a test case that can reproduce
    the issue faster, but that's work in progress. I am still testing the
    changes on my still in a loop and the tests seem OK thus far.
    
    Big thanks to Benjamin and Nick for helping debug this as well.
    Ben helped catch the missing barrier, Nick caught every missing
    bit in my theory.
    
    Signed-off-by: Balbir Singh <bsingharora@gmail.com>
    [ Updated comment to clarify matching barriers. Many
      architectures do not have a full barrier in switch_to()
      so that cannot be relied upon. ]
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
    Cc: Nicholas Piggin <npiggin@gmail.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit a2b268541d262c70ec53328415730da80fcd10de
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Thu Sep 1 11:44:35 2016 +0200

    iio: accel: kxsd9: Fix scaling bug
    
    [ Upstream commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de ]
    
    All the scaling of the KXSD9 involves multiplication with a
    fraction number < 1.
    
    However the scaling value returned from IIO_INFO_SCALE was
    unpredictable as only the micros of the value was assigned, and
    not the integer part, resulting in scaling like this:
    
    $cat in_accel_scale
    -1057462640.011978
    
    Fix this by assigning zero to the integer part.
    
    Cc: stable@vger.kernel.org
    Tested-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 7107bc8e091a3bafb6a4c8697847ae894919f730
Author: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Date:   Wed Aug 31 22:58:42 2016 +0900

    ALSA: fireworks: accessing to user space outside spinlock
    
    [ Upstream commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 ]
    
    In hwdep interface of fireworks driver, accessing to user space is in a
    critical section with disabled local interrupt. Depending on architecture,
    accessing to user space can cause page fault exception. Then local
    processor stores machine status and handles the synchronous event. A
    handler corresponding to the event can call task scheduler to wait for
    preparing pages. In a case of usage of single core processor, the state to
    disable local interrupt is worse because it doesn't handle usual interrupts
    from hardware.
    
    This commit fixes this bug, performing the accessing outside spinlock. This
    commit also gives up counting the number of queued response messages to
    simplify ring-buffer management.
    
    Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
    Cc: stable@vger.kernel.org
    Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface')
    Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 3294908b6d56d3232c338fac2a2461dafaac93d6
Author: Anson Huang <Anson.Huang@nxp.com>
Date:   Mon Aug 22 23:53:25 2016 +0800

    ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
    
    [ Upstream commit 8aade778f787305fdbfd3c1d54e6b583601b5902 ]
    
    i.MX6SX has a bypass PMIC ready function. As this function
    is normally NOT enabled on the board design, we need
    to bypass the PMIC ready pin check during the DSM mode resume
    flow; otherwise, the internal DSM resume logic will wait
    forever for this signal to be ready and cause
    resume to fail.
    
    Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
    Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
    Cc: <stable@vger.kernel.org>
    Tested-by: Peter Chen <peter.chen@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 6000f01b3e3123fa2efef180de2aca4164b692f5
Author: Ken Lin <ken.lin@advantech.com.tw>
Date:   Fri Aug 12 14:08:47 2016 -0400

    ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114
    
    [ Upstream commit 83d9956b7e6b310c1062df7894257251c625b22e ]
    
    Avoid getting sample rate on B850V3 CP2114 as it is unsupported and
    causes noisy "current rate is different from the runtime rate" messages
    when playback starts.
    
    Signed-off-by: Ken Lin <ken.lin@advantech.com.tw>
    Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 14e3a78605126470ca818bcdc0f2e922fd6bb3c2
Author: Vegard Nossum <vegard.nossum@oracle.com>
Date:   Mon Aug 29 00:33:51 2016 +0200

    ALSA: timer: fix NULL pointer dereference on memory allocation failure
    
    [ Upstream commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 ]
    
    I hit this with syzkaller:
    
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] PREEMPT SMP KASAN
        CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
        task: ffff88011278d600 task.stack: ffff8801120c0000
        RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
        RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
        RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
        RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
        RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
        R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
        R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
        FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
        Stack:
         ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
         ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
         ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
        Call Trace:
         [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
         [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
         [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
         [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
         [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
         [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
         [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
         [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
         [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
         [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
         [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
         [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
         [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
         [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
         [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
         [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
         [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
         [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
         [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
         [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
        Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
        RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
         RSP <ffff8801120c7a60>
        ---[ end trace 5955b08db7f2b029 ]---
    
    This can happen if snd_hrtimer_open() fails to allocate memory and
    returns an error, which is currently not checked by snd_timer_open():
    
        ioctl(SNDRV_TIMER_IOCTL_SELECT)
         - snd_timer_user_tselect()
            - snd_timer_close()
               - snd_hrtimer_close()
                  - (struct snd_timer *) t->private_data = NULL
            - snd_timer_open()
               - snd_hrtimer_open()
                  - kzalloc() fails; t->private_data is still NULL
    
        ioctl(SNDRV_TIMER_IOCTL_START)
         - snd_timer_user_start()
            - snd_timer_start()
               - snd_timer_start1()
                  - snd_hrtimer_start()
                    - t->private_data == NULL // boom
    
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
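
The select/start sequence in the commit message above, as an added user-space model that is not code from the kernel or from the patch: it shows the unchecked open leaving a timer selected with NULL private_data, next to a variant that propagates the error. All names (model_timer, model_select, alloc_should_fail and so on) are hypothetical, and the checked variant is one way to handle the failure, not the upstream change.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name here is a hypothetical stand-in. */
struct model_timer { void *private_data; };        /* NULL when closed */
struct model_user  { struct model_timer *timer; }; /* selected timer */
enum { START_OK = 0, START_NO_TIMER = -1, START_WOULD_FAULT = -2 };
static int alloc_should_fail;  /* stands in for a failing kzalloc() */

static int backend_open(struct model_timer *t)
{
    if (alloc_should_fail)
        return -ENOMEM;            /* private_data is left NULL */
    t->private_data = calloc(1, 16);
    return t->private_data ? 0 : -ENOMEM;
}

static void backend_close(struct model_timer *t)
{
    free(t->private_data);
    t->private_data = NULL;
}

/* check == 0 models the pattern in the commit message (open error ignored);
 * check != 0 propagates the error and leaves no timer selected. */
static int model_select(struct model_user *u, struct model_timer *t, int check)
{
    int err;
    if (u->timer) {
        backend_close(u->timer);
        u->timer = NULL;
    }
    err = backend_open(t);
    if (err < 0 && check)
        return err;
    u->timer = t;                  /* unchecked: may hold NULL private_data */
    return 0;
}

/* Reports what a start request would find instead of dereferencing it. */
static int model_start(const struct model_user *u)
{
    if (!u->timer)
        return START_NO_TIMER;
    return u->timer->private_data ? START_OK : START_WOULD_FAULT;
}

int main(void)
{
    struct model_timer t1 = {0}, t2 = {0};
    struct model_user a = {0}, b = {0};
    alloc_should_fail = 1;
    model_select(&a, &t1, 0);
    model_select(&b, &t2, 1);
    printf("unchecked start: %d, checked start: %d\n",
           model_start(&a), model_start(&b));
    return 0;
}
```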

commit a987c6258df6763cedd736673aa11bfdf682f299
Author: Vegard Nossum <vegard.nossum@oracle.com>
Date:   Mon Aug 29 00:33:50 2016 +0200

    ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
    
    [ Upstream commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 ]
    
    I got this:
    
        divide error: 0000 [#1] PREEMPT SMP KASAN
        CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
        task: ffff8801120a9580 task.stack: ffff8801120b0000
        RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
        RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
        RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
        RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
        R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
        R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
        FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
        Stack:
         0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
         ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
         00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
        Call Trace:
         <IRQ>
         [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
         [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
         [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
         [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
         [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
         [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
         [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
         [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
         [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
         <EOI>
         [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
         [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
         [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
         [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
         [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
         [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
         [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
         [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
         [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
         [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
         [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
         [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
         [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
         [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
         [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
         [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
         [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
         [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
         [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
         [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
         [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
        Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
        RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
         RSP <ffff88011aa87da8>
        ---[ end trace 6aa380f756a21074 ]---
    
    The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
    completely new/unused timer -- it will have ->sticks == 0, which causes a
    divide by 0 in snd_hrtimer_callback().
    
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit d0a2d41031c85163c28df36db153c7a69795c9bf
Author: Simon Baatz <gmbnomis@gmail.com>
Date:   Fri Aug 12 19:12:50 2016 +0200

    ARM: kirkwood: ib62x0: fix size of u-boot environment partition
    
    [ Upstream commit a778937888867aac17a33887d1c429120790fbc2 ]
    
    Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
    partition") split the "u-boot" partition into "u-boot" and "u-boot
    environment".  However, instead of the size of the environment, an offset
    was given, resulting in overlapping partitions.
    
    Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
    Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
    Cc: Jason Cooper <jason@lakedaemon.net>
    Cc: Andrew Lunn <andrew@lunn.ch>
    Cc: Gregory Clement <gregory.clement@free-electrons.com>
    Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
    Cc: Luka Perkov <luka@openwrt.org>
    Cc: stable@vger.kernel.org # 3.13+
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit cb3662589ad97db5643d0ce9e10adc0f56476a50
Author: Pawel Moll <pawel.moll@arm.com>
Date:   Wed Aug 10 17:06:26 2016 +0100

    bus: arm-ccn: Fix XP watchpoint settings bitmask
    
    [ Upstream commit b928466b2169e061822daad48ecf55b005445547 ]
    
    The code setting XP watchpoint comparator and mask registers should, in
    order to be fully compliant with specification, zero one or more most
    significant bits of each field. In both L cases it means zeroing bit 63.
    The bitmask doing this was wrong, though, zeroing bit 60 instead.
    Fortunately, due to a lucky coincidence, this turned out to be fairly
    innocent with the existing hardware.
    
    Fixed now.
    
    Cc: stable@vger.kernel.org # 3.17+
    Signed-off-by: Pawel Moll <pawel.moll@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 703dd66fe5555544b4aed696e9e25616cda4c55a
Author: Pawel Moll <pawel.moll@arm.com>
Date:   Fri Aug 5 15:07:10 2016 +0100

    bus: arm-ccn: Do not attempt to configure XPs for cycle counter
    
    [ Upstream commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 ]
    
    Fuzzing the CCN perf driver revealed a small but definitely dangerous
    mistake in the event setup code. When a cycle counter is requested, the
    driver should not reconfigure the events bus at all, otherwise it will
    corrupt (in most but the simplest cases) its configuration and may end
    up accessing XP array out of its bounds and corrupting control
    registers.
    
    Reported-by: Mark Rutland <mark.rutland@arm.com>
    Reviewed-by: Mark Rutland <mark.rutland@arm.com>
    Tested-by: Mark Rutland <mark.rutland@arm.com>
    Cc: stable@vger.kernel.org # 3.17+
    Signed-off-by: Pawel Moll <pawel.moll@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 26a0e0c213827b9ea19dc089b369bd7dc31f3c0f
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Aug 8 08:45:33 2016 +0200

    Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
    
    [ Upstream commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 ]
    
    This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.
    
    Ben Hutchings pointed out that the commit isn't safe since it assumes
    that the structure used by the driver is iw_point, when in fact there's
    no way to know about that.
    
    Fortunately, the only driver in the tree that ever runs this code path
    is the wilc1000 staging driver, so it doesn't really matter.
    
    Clearly I should have investigated this better before applying, sorry.
    
    Reported-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: stable@vger.kernel.org [though I guess it doesn't matter much]
    Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 177b489883ed5dbe2238cf65b8162d9024a9a3ee
Author: Sebastian Reichel <sre@kernel.org>
Date:   Fri Jun 24 03:59:33 2016 +0200

    ARM: OMAP3: hwmod data: Add sysc information for DSI
    
    [ Upstream commit b46211d6dcfb81a8af66b8684a42d629183670d4 ]
    
    Add missing sysconfig/sysstatus information
    to OMAP3 hwmod. The information has been
    checked against OMAP34xx and OMAP36xx TRM.
    
    Without this change DSI block is not reset
    during boot, which is required for working
    Nokia N950 display.
    
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 2ee6abbd821cd0374a1a8217651308a0486b5125
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Mon Sep 5 13:55:20 2016 +0200

    ovl: fix workdir creation
    
    [ Upstream commit e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c ]
    
    Workdir creation fails in latest kernel.
    
    Fix by allowing EOPNOTSUPP as a valid return value from
    vfs_removexattr(XATTR_NAME_POSIX_ACL_*).  Upper filesystem may not support
    ACL and still be perfectly able to support overlayfs.
    
    Reported-by: Martin Ziegler <ziegler@uni-freiburg.de>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Fixes: c11b9fdd6a61 ("ovl: remove posix_acl_default from workdir")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

commit 7cc3f9b1d8455fb3fb6ad180b2c98b688a8b2be8
Author: James Hogan <james.hogan@imgtec.com>
Date:   Thu Sep 15 22:51:08 2016 +0100

    MIPS: KVM: Check for pfn noslot case
    
    commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream.
    
    When mapping a page into the guest we error check using is_error_pfn(),
    however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
    error HVA for the page. This can only happen on MIPS right now due to
    unusual memslot management (e.g. being moved / removed / resized), or
    with an Enhanced Virtual Memory (EVA) configuration where the default
    KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
    in a later patch). This case will be treated as a pfn of zero, mapping
    the first page of physical memory into the guest.
    
    It would appear the MIPS KVM port wasn't updated prior to being merged
    (in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as
    a error pfn") into account (merged v3.8), which converted a bunch of
    is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
    is_error_noslot_pfn() instead to catch this case properly.
    
    Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: "Radim Krčmář" <rkrcmar@redhat.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-mips@linux-mips.org
    Cc: kvm@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [james.hogan@imgtec.com: Backport to v4.7.y]
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
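
The difference between the two checks named in the commit message above, as an added user-space example that is not code from the kernel or from the patch. The mask values are written as they are understood to appear in include/linux/kvm_host.h and should be treated as assumptions; model_frame_field() and model_map() are hypothetical helpers that mimic a 32-bit TLB frame field to show why an unrejected KVM_PFN_NOSLOT ends up as frame zero.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pfn_t;

/* Error encodings modelled on include/linux/kvm_host.h; the exact values
 * are assumptions, they are not quoted in the commit message. */
#define KVM_PFN_ERR_MASK        (0x7ffULL << 52)   /* bits 52..62 */
#define KVM_PFN_ERR_NOSLOT_MASK (0xfffULL << 52)   /* bits 52..63 */
#define KVM_PFN_NOSLOT          (0x1ULL << 63)

static int is_error_pfn(pfn_t pfn)
{
    return !!(pfn & KVM_PFN_ERR_MASK);
}

static int is_error_noslot_pfn(pfn_t pfn)
{
    return !!(pfn & KVM_PFN_ERR_NOSLOT_MASK);
}

/* Hypothetical TLB frame field: physical address >> 6, masked to the
 * frame bits. Bit 63 of the pfn is shifted out, leaving frame 0. */
#define MODEL_PAGE_SHIFT 12
#define MODEL_FRAME_MASK 0x3fffffc0u

static uint32_t model_frame_field(pfn_t pfn)
{
    return (uint32_t)(((pfn << MODEL_PAGE_SHIFT) >> 6) & MODEL_FRAME_MASK);
}

/* Returns 0 and fills *entry on success, -1 if the pfn is rejected. */
static int model_map(pfn_t pfn, int use_noslot_check, uint32_t *entry)
{
    int bad = use_noslot_check ? is_error_noslot_pfn(pfn)
                               : is_error_pfn(pfn);
    if (bad)
        return -1;
    *entry = model_frame_field(pfn);
    return 0;
}

int main(void)
{
    uint32_t e = 0xffffffffu;
    int rc = model_map(KVM_PFN_NOSLOT, 0, &e);

    printf("is_error_pfn path:        rc=%d frame=0x%x\n", rc, (unsigned)e);
    printf("is_error_noslot_pfn path: rc=%d\n",
           model_map(KVM_PFN_NOSLOT, 1, &e));
    return 0;
}
```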