Heiko Carstens [Thu, 21 Nov 2013 15:22:17 +0000 (16:22 +0100)]
s390/uaccess: add missing page table walk range check
commit
71a86ef055f569b93bc6901f007bdf447dbf515f upstream.
When translating a user space address, the address must be checked against
the ASCE limit of the process. If the address is larger than the maximum
address that is reachable with the ASCE, an ASCE type exception must be
generated.
The current code simply ignored the higher order bits. This resulted in an
address wrap around in user space instead of an exception in user space.
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Frank Zago [Wed, 13 Nov 2013 22:53:00 +0000 (22:53 +0000)]
iio:accel:kxsd9 fix missing mutex unlock
commit
0ee005c7dc2803125275e24598f0fb37775a6af3 upstream.
This will leave a lock held after reading from the device, preventing
any further reads.
Signed-off-by: Frank Zago <frank@zago.net>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michael Neuling [Mon, 25 Nov 2013 00:12:20 +0000 (11:12 +1100)]
powerpc/signals: Improved mark VSX not saved with small contexts fix
commit
ec67ad82814bee92251fd963bf01c7a173856555 upstream.
In a recent patch:
commit
c13f20ac48328b05cd3b8c19e31ed6c132b44b42
Author: Michael Neuling <mikey@neuling.org>
powerpc/signals: Mark VSX not saved with small contexts
We fixed an issue but an improved solution was later discussed after the patch
was merged.
Firstly, this patch doesn't handle the 64bit signals case, which could also hit
this issue (but has never been reported).
Secondly, the original patch isn't clear what MSR VSX should be set to. The
new approach below always clears the MSR VSX bit (to indicate no VSX is in the
context) and sets it only in the specific case where VSX is available (ie. when
VSX has been used and the signal context passed has space to provide the
state).
This reverts the original patch and replaces it with the improved solution. It
also adds a 64 bit version.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Herrmann [Tue, 26 Nov 2013 12:58:18 +0000 (13:58 +0100)]
HID: uhid: fix leak for 64/32 UHID_CREATE
commit
80897aa787ecd58eabb29deab7cbec9249c9b7e6 upstream.
UHID allows short writes so user-space can omit unused fields. We
automatically set them to 0 in the kernel. However, the 64/32 bit
compat-handler didn't do that in the UHID_CREATE fallback. This will
reveal random kernel heap data (of random size, even) to user-space.
Fixes:
befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
NeilBrown [Thu, 14 Nov 2013 04:16:15 +0000 (15:16 +1100)]
md: fix calculation of stacking limits on level change.
commit
02e5f5c0a0f726e66e3d8506ea1691e344277969 upstream.
The various ->run routines of md personalities assume that the 'queue'
has been initialised by the blk_set_stacking_limits() call in
md_alloc().
However when the level is changed (by level_store()) the ->run routine
for the new level is called for an array which has already had the
stacking limits modified. This can result in incorrect final
settings.
So call blk_set_stacking_limits() before ->run in level_store().
A specific consequence of this bug is that it causes
discard_granularity to be set incorrectly when reshaping a RAID4 to a
RAID0.
This is suitable for any -stable kernel since 3.3 in which
blk_set_stacking_limits() was introduced.
Reported-and-tested-by: "Baldysiak, Pawel" <pawel.baldysiak@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Steve French [Sat, 16 Nov 2013 02:41:32 +0000 (20:41 -0600)]
setfacl removes part of ACL when setting POSIX ACLs to Samba
commit
b1d93356427be6f050dc55c86eb019d173700af6 upstream.
setfacl over cifs mounts can remove the default ACL when setting the
(non-default part of) the ACL and vice versa (we were leaving at 0
rather than setting to -1 the count field for the unaffected
half of the ACL. For example notice the setfacl removed
the default ACL in this sequence:
steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl
-m default:user:test:rwx,user:test:rwx /mnt/test-dir
getfacl: Removing leading '/' from absolute path names
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir
getfacl: Removing leading '/' from absolute path names
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Robert Richter [Thu, 10 Oct 2013 16:23:38 +0000 (18:23 +0200)]
edac, highbank: Fix interrupt setup of mem and l2 controller
commit
a72b8859fd3941cc1d2940d5c43026d2c6fb959e upstream.
Register and enable interrupts after the edac registration. Otherwise
incomming ecc error interrupts lead to crashes during device setup.
Fixing this in drivers for mc and l2.
Signed-off-by: Robert Richter <robert.richter@linaro.org>
Acked-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: Robert Richter <rric@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jerome Glisse [Tue, 12 Nov 2013 15:51:16 +0000 (10:51 -0500)]
radeon: workaround pinning failure on low ram gpu
commit
97b6ff6be9da7675aab339334fda996d6c5077d9 upstream.
GPU with low amount of ram can fails at pinning new framebuffer before
unpinning old one. On such failure, retry with unpinning old one before
pinning new one allowing to work around the issue. This is somewhat
ugly but only affect those old GPU we care about.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alex Deucher [Thu, 31 Oct 2013 20:43:27 +0000 (16:43 -0400)]
drm/radeon: don't share PPLLs on DCE4.1
commit
70471860ff9f335c60c004d42ebd48945bfa5403 upstream.
Sharing PPLLs seems to cause problems on some boards.
Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=45334
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christian König [Wed, 30 Oct 2013 11:56:04 +0000 (12:56 +0100)]
drm/radeon: activate UVD clocks before sending the destroy msg
commit
c154a76311293f9671439286834aa325b7ef59fe upstream.
Make sure the UVD clocks are still active before sending
the destroy message, otherwise the hw might hang.
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alex Deucher [Mon, 28 Oct 2013 14:56:23 +0000 (10:56 -0400)]
drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL
commit
d5693761b2b4ff530c8af8af9ec55b6eae76e617 upstream.
Typo in the register offset.
Noticed-by: Sylvain BERTRAND <sylware@legeek.net>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Skeggs [Wed, 13 Nov 2013 05:18:32 +0000 (15:18 +1000)]
drm/nouveau: when bailing out of a pushbuf ioctl, do not remove previous fence
commit
9360bd1112d8874d21942e2ae74f5416b00a8db6 upstream.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel Vetter [Mon, 4 Nov 2013 07:13:45 +0000 (08:13 +0100)]
drm/i915: flush cursors harder
commit
b2ea8ef559b4d94190009f3651b5b3ab7c05afd3 upstream.
Apparently they need the same treatment as primary planes. This fixes
modesetting failures because of stuck cursors (!) on Thomas' i830M
machine.
I've figured while at it I'll also roll it out for the ivb 3 pipe
version of this function. I didn't do this for i845/i865 since Bspec
says the update mechanism works differently, and there's some
additional rules about what can be updated in which order.
Tested-by: Thomas Richter <thor@math.tu-berlin.de>
Cc: Thomas Richter <thor@math.tu-berlin.de>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thomas Hellstrom [Wed, 30 Oct 2013 10:29:50 +0000 (03:29 -0700)]
drm/ttm: Fix ttm_bo_move_memcpy
commit
da95c788ef0c645378ffccb7060a0df1a33aee38 upstream.
All error paths will want to keep the mm node, so handle this at the
function exit. This fixes an ioremap failure error path.
Also add some comments to make the function a bit easier to understand.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jakob Bornecrantz [Wed, 30 Oct 2013 09:46:56 +0000 (02:46 -0700)]
drm/ttm: Handle in-memory region copies
commit
9a0599ddeae012a771bba5e23393fc52d8a59d89 upstream.
Fix the case where the ttm pointer may be NULL causing
a NULL pointer dereference.
Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Thomas Hellström <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thomas Hellstrom [Mon, 28 Oct 2013 09:02:19 +0000 (02:02 -0700)]
drm/ttm: Fix memory type compatibility check
commit
59c8e66378fb78adbcd05f0d09783dde6fef282b upstream.
Also check the busy placements before deciding to move a buffer object.
Failing to do this may result in a completely unneccessary move within a
single memory type.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Steven Rostedt (Red Hat) [Tue, 26 Nov 2013 01:59:46 +0000 (20:59 -0500)]
ftrace: Fix function graph with loading of modules
commit
8a56d7761d2d041ae5e8215d20b4167d8aa93f51 upstream.
Commit
8c4f3c3fa9681 "ftrace: Check module functions being traced on reload"
fixed module loading and unloading with respect to function tracing, but
it missed the function graph tracer. If you perform the following
# cd /sys/kernel/debug/tracing
# echo function_graph > current_tracer
# modprobe nfsd
# echo nop > current_tracer
You'll get the following oops message:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9()
Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt
CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000
0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668
ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000
Call Trace:
[<
ffffffff814fe193>] dump_stack+0x4f/0x7c
[<
ffffffff8103b80a>] warn_slowpath_common+0x81/0x9b
[<
ffffffff810b2b9a>] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9
[<
ffffffff8103b83e>] warn_slowpath_null+0x1a/0x1c
[<
ffffffff810b2b9a>] __ftrace_hash_rec_update.part.35+0x168/0x1b9
[<
ffffffff81502f89>] ? __mutex_lock_slowpath+0x364/0x364
[<
ffffffff810b2cc2>] ftrace_shutdown+0xd7/0x12b
[<
ffffffff810b47f0>] unregister_ftrace_graph+0x49/0x78
[<
ffffffff810c4b30>] graph_trace_reset+0xe/0x10
[<
ffffffff810bf393>] tracing_set_tracer+0xa7/0x26a
[<
ffffffff810bf5e1>] tracing_set_trace_write+0x8b/0xbd
[<
ffffffff810c501c>] ? ftrace_return_to_handler+0xb2/0xde
[<
ffffffff811240a8>] ? __sb_end_write+0x5e/0x5e
[<
ffffffff81122aed>] vfs_write+0xab/0xf6
[<
ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
[<
ffffffff81122dbd>] SyS_write+0x59/0x82
[<
ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
[<
ffffffff8150a2d2>] system_call_fastpath+0x16/0x1b
---[ end trace
940358030751eafb ]---
The above mentioned commit didn't go far enough. Well, it covered the
function tracer by adding checks in __register_ftrace_function(). The
problem is that the function graph tracer circumvents that (for a slight
efficiency gain when function graph trace is running with a function
tracer. The gain was not worth this).
The problem came with ftrace_startup() which should always be called after
__register_ftrace_function(), if you want this bug to be completely fixed.
Anyway, this solution moves __register_ftrace_function() inside of
ftrace_startup() and removes the need to call them both.
Reported-by: Dave Wysochanski <dwysocha@redhat.com>
Fixes:
ed926f9b35cd ("ftrace: Use counters to enable functions to trace")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Williams [Fri, 8 Nov 2013 19:39:44 +0000 (13:39 -0600)]
prism54: set netdev type to "wlan"
commit
8e3ffa471091c560deb6738ed9ab7445b7a5fd04 upstream.
Userspace uses the netdev devtype for stuff like device naming and type
detection. Be nice and set it. Remove the pointless #if/#endif around
SET_NETDEV_DEV too.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andreas Bießmann [Thu, 24 Oct 2013 10:31:04 +0000 (12:31 +0200)]
avr32: fix out-of-range jump in large kernels
commit
d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 upstream.
This patch fixes following error (for big kernels):
---8<---
arch/avr32/boot/u-boot/head.o: In function `no_tag_table':
(.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
arch/avr32/kernel/built-in.o: In function `bad_return':
(.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
--->8---
It comes up when the kernel increases and 'panic()' is too far away to fit in
the +/- 2MiB range. Which in turn issues from the 21-bit displacement in
'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just
10-bit displacement and therefore a way smaller range). This fact was stated
before in
8d29b7b9f81d6b83d869ff054e6c189d6da73f1f.
One solution to solve this is to add a local storage for the symbol address
and just load the $pc with that value.
Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andreas Bießmann [Thu, 24 Oct 2013 10:31:03 +0000 (12:31 +0200)]
avr32: setup crt for early panic()
commit
7a2a74f4b856993218aa7cdeeb6c3103101340db upstream.
Before the CRT was (fully) set up in kernel_entry (bss cleared before in
_start, but also not before jump to panic() in no_tag_table case).
This patch fixes this up to have a fully working CRT when branching to panic()
in no_tag_table.
Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Moore [Thu, 26 Sep 2013 21:00:46 +0000 (17:00 -0400)]
selinux: correct locking in selinux_netlbl_socket_connect)
commit
42d64e1add3a1ce8a787116036163b8724362145 upstream.
The SELinux/NetLabel glue code has a locking bug that affects systems
with NetLabel enabled, see the kernel error message below. This patch
corrects this problem by converting the bottom half socket lock to a
more conventional, and correct for this call-path, lock_sock() call.
===============================
[ INFO: suspicious RCU usage. ]
3.11.0-rc3+ #19 Not tainted
-------------------------------
net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
2 locks held by ping/731:
#0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect
#1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr
stack backtrace:
CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500
ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000
000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7
Call Trace:
[<
ffffffff81726b6a>] dump_stack+0x54/0x74
[<
ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120
[<
ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0
[<
ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190
[<
ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190
[<
ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0
[<
ffffffff81303025>] selinux_socket_connect+0x135/0x170
[<
ffffffff8119d127>] ? might_fault+0x57/0xb0
[<
ffffffff812fb146>] security_socket_connect+0x16/0x20
[<
ffffffff815d3ad3>] SYSC_connect+0x73/0x130
[<
ffffffff81739a85>] ? sysret_check+0x22/0x5d
[<
ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
[<
ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<
ffffffff815d52be>] SyS_connect+0xe/0x10
[<
ffffffff81739a59>] system_call_fastpath+0x16/0x1b
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Toshi Kani [Wed, 20 Nov 2013 13:25:34 +0000 (14:25 +0100)]
ACPI / hotplug: Fix conflicted PCI bridge notify handlers
commit
ca499fc87ed945094d952da0eb7eea7dbeb1feec upstream.
The PCI host bridge scan handler installs its own notify handler,
handle_hotplug_event_root(), by itself. Nevertheless, the ACPI
hotplug framework also installs the common notify handler,
acpi_hotplug_notify_cb(), for PCI root bridges. This causes
acpi_hotplug_notify_cb() to call _OST method with unsupported
error as hotplug.enabled is not set.
To address this issue, introduce hotplug.ignore flag, which
indicates that the scan handler installs its own notify handler by
itself. The ACPI hotplug framework does not install the common
notify handler when this flag is set.
Signed-off-by: Toshi Kani <toshi.kani@hp.com>
[rjw: Changed the name of the new flag]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yinghai Lu [Tue, 19 Nov 2013 00:02:45 +0000 (17:02 -0700)]
PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
commit
e7cc5cf74544d97d7b69e2701595037474db1f96 upstream.
The pcie_portdrv .probe() method calls pci_enable_device() once, in
pcie_port_device_register(), but the .remove() method calls
pci_disable_device() twice, in pcie_port_device_remove() and in
pcie_portdrv_remove().
That causes a "disabling already-disabled device" warning when removing a
PCIe port device. This happens all the time when removing Thunderbolt
devices, but is also easy to reproduce with, e.g.,
"echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind"
This patch removes the disable from pcie_portdrv_remove().
[bhelgaas: changelog, tag for stable]
Reported-by: David Bulkow <David.Bulkow@stratus.com>
Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeff Layton [Wed, 8 May 2013 14:32:23 +0000 (10:32 -0400)]
audit: log the audit_names record type
commit
d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream.
...to make it clear what the intent behind each record's operation was.
In many cases you can infer this, based on the context of the syscall
and the result. In other cases it's not so obvious. For instance, in
the case where you have a file being renamed over another, you'll have
two different records with the same filename but different inode info.
By logging this information we can clearly tell which one was created
and which was deleted.
This fixes what was broken in commit
bfcec708.
Commit
79f6530c should also be backported to stable v3.7+.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeff Layton [Wed, 8 May 2013 14:25:58 +0000 (10:25 -0400)]
audit: add child record before the create to handle case where create fails
commit
14e972b4517128ac8e30e3de2ee4fbd995084223 upstream.
Historically, when a syscall that creates a dentry fails, you get an audit
record that looks something like this (when trying to create a file named
"new" in "/tmp/tmp.SxiLnCcv63"):
type=PATH msg=audit(
1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
This record makes no sense since it's associating the inode information for
"/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent
patch I posted to fix the audit_inode call in do_last fixes this, by making it
look more like this:
type=PATH msg=audit(
1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
While this is more correct, if the creation of the file fails, then we
have no record of the filename that the user tried to create.
This patch adds a call to audit_inode_child to may_create. This creates
an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the
create succeeds. When and if the create does succeed, then this record
will be updated with the correct inode info from the create.
This fixes what was broken in commit
bfcec708.
Commit
79f6530c should also be backported to stable v3.7+.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeff Layton [Mon, 8 Jul 2013 22:59:36 +0000 (15:59 -0700)]
audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record
commit
79f6530cb59e2a0af6953742a33cc29e98ca631c upstream.
The old audit PATH records for mq_open looked like this:
type=PATH msg=audit(
1366282323.982:869): item=1 name=(null) inode=6777
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(
1366282323.982:869): item=0 name="test_mq" inode=26732
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
...with the audit related changes that went into 3.7, they now look like this:
type=PATH msg=audit(
1366282236.776:3606): item=2 name=(null) inode=66655
dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
type=PATH msg=audit(
1366282236.776:3606): item=1 name=(null) inode=6926
dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(
1366282236.776:3606): item=0 name="test_mq"
Both of these look wrong to me. As Steve Grubb pointed out:
"What we need is 1 PATH record that identifies the MQ. The other PATH
records probably should not be there."
Fix it to record the mq root as a parent, and flag it such that it
should be hidden from view when the names are logged, since the root of
the mq filesystem isn't terribly interesting. With this change, we get
a single PATH record that looks more like this:
type=PATH msg=audit(
1368021604.836:484): item=0 name="test_mq" inode=16914
dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:user_tmpfs_t:s0
In order to do this, a new audit_inode_parent_hidden() function is
added. If we do it this way, then we avoid having the existing callers
of audit_inode needing to do any sort of flag conversion if auditing is
inactive.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reported-by: Jiri Jaburek <jjaburek@redhat.com>
Cc: Steve Grubb <sgrubb@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Krause [Mon, 30 Sep 2013 20:04:24 +0000 (22:04 +0200)]
audit: fix info leak in AUDIT_GET requests
commit
64fbff9ae0a0a843365d922e0057fc785f23f0e3 upstream.
We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
we miss to initialize the mask member of status_set. Fix that.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Krause [Mon, 30 Sep 2013 20:04:25 +0000 (22:04 +0200)]
audit: use nlmsg_len() to get message payload length
commit
4d8fe7376a12bf4524783dd95cbc00f1fece6232 upstream.
Using the nlmsg_len member of the netlink header to test if the message
is valid is wrong as it includes the size of the netlink header itself.
Thereby allowing to send short netlink messages that pass those checks.
Use nlmsg_len() instead to test for the right message length. The result
of nlmsg_len() is guaranteed to be non-negative as the netlink message
already passed the checks of nlmsg_ok().
Also switch to min_t() to please checkpatch.pl.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tyler Hicks [Fri, 26 Jul 2013 01:02:55 +0000 (18:02 -0700)]
audit: printk USER_AVC messages when audit isn't enabled
commit
0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of
4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit
50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ujjal Roy [Tue, 5 Nov 2013 23:01:45 +0000 (15:01 -0800)]
mwifiex: fix wrong eth_hdr usage for bridged packets in AP mode
commit
8d93f1f309d38b65fce0b9f0de91ba6c96990c07 upstream.
The eth_hdr is never defined in this driver but it gets compiled
without any warning/error because kernel has defined eth_hdr.
Fix it by defining our own p_ethhdr and use it instead of eth_hdr.
Signed-off-by: Ujjal Roy <royujjal@gmail.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Avinash Patil [Tue, 5 Nov 2013 23:01:44 +0000 (15:01 -0800)]
mwifiex: correct packet length for packets from SDIO interface
commit
d03b4aa77e1187b77dfe37d14a923547f00baa66 upstream.
While receiving a packet on SDIO interface, we allocate skb with
size multiple of SDIO block size. We need to resize this skb
after RX using packet length from RX header.
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Airlie [Mon, 4 Nov 2013 06:38:08 +0000 (16:38 +1000)]
qxl: avoid an oops in the deferred io code.
commit
cc87509d87696d7cd393882f5dedea01e03e41a9 upstream.
If we are using deferred io due to plymouth or X.org fbdev driver
we will oops in memcpy due to this pointless multiply here,
removing it fixes fbdev to start and not oops.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rafael J. Wysocki [Thu, 7 Nov 2013 00:51:15 +0000 (01:51 +0100)]
PM / runtime: Use pm_runtime_put_sync() in __device_release_driver()
commit
baab52ded242c35a2290e1fa82e0cc147d0d8c1a upstream.
Commit
fa180eb448fa (PM / Runtime: Idle devices asynchronously after
probe|release) modified __device_release_driver() to call
pm_runtime_put(dev) instead of pm_runtime_put_sync(dev) before
detaching the driver from the device. However, that was a mistake,
because pm_runtime_put(dev) causes rpm_idle() to be queued up and
the driver may be gone already when that function is executed.
That breaks the assumptions the drivers have the right to make
about the core's behavior on the basis of the existing documentation
and actually causes problems to happen, so revert that part of
commit
fa180eb448fa and restore the previous behavior of
__device_release_driver().
Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Fixes:
fa180eb448fa (PM / Runtime: Idle devices asynchronously after probe|release)
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Kevin Hilman <khilman@linaro.org>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Aaron Lu [Wed, 6 Nov 2013 00:41:31 +0000 (08:41 +0800)]
PM / hibernate: Avoid overflow in hibernate_preallocate_memory()
commit
fd432b9f8c7c88428a4635b9f5a9c6e174df6e36 upstream.
When system has a lot of highmem (e.g. 16GiB using a 32 bits kernel),
the code to calculate how much memory we need to preallocate in
normal zone may cause overflow. As Leon has analysed:
It looks that during computing 'alloc' variable there is overflow:
alloc = (3943404 - 1970542) - 1978280 = -5418 (signed)
And this function goes to err_out.
Fix this by avoiding that overflow.
References: https://bugzilla.kernel.org/show_bug.cgi?id=60817
Reported-and-tested-by: Leon Drugi <eyak@wp.pl>
Signed-off-by: Aaron Lu <aaron.lu@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mikulas Patocka [Mon, 14 Oct 2013 16:11:36 +0000 (12:11 -0400)]
blk-core: Fix memory corruption if blkcg_init_queue fails
commit
fff4996b7db7955414ac74386efa5e07fd766b50 upstream.
If blkcg_init_queue fails, blk_alloc_queue_node doesn't call bdi_destroy
to clean up structures allocated by the backing dev.
------------[ cut here ]------------
WARNING: at lib/debugobjects.c:260 debug_print_object+0x85/0xa0()
ODEBUG: free active (active state 0) object type: percpu_counter hint: (null)
Modules linked in: dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev ipt_MASQUERADE iptable_nat nf_nat_ipv4 msr nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_ondemand cpufreq_conservative spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack lm85 hwmon_vid snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq freq_table mperf sata_svw serverworks kvm_amd ide_core ehci_pci ohci_hcd libata ehci_hcd kvm usbcore tg3 usb_common libphy k10temp pcspkr ptp i2c_piix4 i2c_core evdev microcode hwmon rtc_cmos pps_core e100 skge floppy mii processor button unix
CPU: 0 PID: 2739 Comm: lvchange Tainted: G W
3.10.15-devel #14
Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009
0000000000000009 ffff88023c3c1ae8 ffffffff813c8fd4 ffff88023c3c1b20
ffffffff810399eb ffff88043d35cd58 ffffffff81651940 ffff88023c3c1bf8
ffffffff82479d90 0000000000000005 ffff88023c3c1b80 ffffffff81039a67
Call Trace:
[<
ffffffff813c8fd4>] dump_stack+0x19/0x1b
[<
ffffffff810399eb>] warn_slowpath_common+0x6b/0xa0
[<
ffffffff81039a67>] warn_slowpath_fmt+0x47/0x50
[<
ffffffff8122aaaf>] ? debug_check_no_obj_freed+0xcf/0x250
[<
ffffffff81229a15>] debug_print_object+0x85/0xa0
[<
ffffffff8122abe3>] debug_check_no_obj_freed+0x203/0x250
[<
ffffffff8113c4ac>] kmem_cache_free+0x20c/0x3a0
[<
ffffffff811f6709>] blk_alloc_queue_node+0x2a9/0x2c0
[<
ffffffff811f672e>] blk_alloc_queue+0xe/0x10
[<
ffffffffa04c0093>] dm_create+0x1a3/0x530 [dm_mod]
[<
ffffffffa04c6bb0>] ? list_version_get_info+0xe0/0xe0 [dm_mod]
[<
ffffffffa04c6c07>] dev_create+0x57/0x2b0 [dm_mod]
[<
ffffffffa04c6bb0>] ? list_version_get_info+0xe0/0xe0 [dm_mod]
[<
ffffffffa04c6bb0>] ? list_version_get_info+0xe0/0xe0 [dm_mod]
[<
ffffffffa04c6528>] ctl_ioctl+0x268/0x500 [dm_mod]
[<
ffffffff81097662>] ? get_lock_stats+0x22/0x70
[<
ffffffffa04c67ce>] dm_ctl_ioctl+0xe/0x20 [dm_mod]
[<
ffffffff81161aad>] do_vfs_ioctl+0x2ed/0x520
[<
ffffffff8116cfc7>] ? fget_light+0x377/0x4e0
[<
ffffffff81161d2b>] SyS_ioctl+0x4b/0x90
[<
ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
---[ end trace
4b5ff0d55673d986 ]---
------------[ cut here ]------------
This fix should be backported to stable kernels starting with 2.6.37. Note
that in the kernels prior to 3.5 the affected code is different, but the
bug is still there - bdi_init is called and bdi_destroy isn't.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Williams [Wed, 13 Nov 2013 18:37:36 +0000 (10:37 -0800)]
ioatdma: fix selection of 16 vs 8 source path
commit
21e96c7313486390c694919522a76dfea0a86c59 upstream.
When performing continuations there are implied sources that need to be
added to the source count. Quoting dma_set_maxpq:
/* dma_maxpq - reduce maxpq in the face of continued operations
* @dma - dma device with PQ capability
* @flags - to check if DMA_PREP_CONTINUE and DMA_PREP_PQ_DISABLE_P are set
*
* When an engine does not support native continuation we need 3 extra
* source slots to reuse P and Q with the following coefficients:
* 1/ {00} * P : remove P from Q', but use it as a source for P'
* 2/ {01} * Q : use Q to continue Q' calculation
* 3/ {00} * Q : subtract Q from P' to cancel (2)
*
* In the case where P is disabled we only need 1 extra source:
* 1/ {01} * Q : use Q to continue Q' calculation
*/
...fix the selection of the 16 source path to take these implied sources
into account.
Note this also kills the BUG_ON(src_cnt < 9) check in
__ioat3_prep_pq16_lock(). Besides not accounting for implied sources
the check is redundant given we already made the path selection.
Cc: Dave Jiang <dave.jiang@intel.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Williams [Wed, 13 Nov 2013 18:15:42 +0000 (10:15 -0800)]
ioatdma: fix sed pool selection
commit
5d48b9b5d80e3aa38a5161565398b1e48a650573 upstream.
The array to lookup the sed pool based on the number of sources
(pq16_idx_to_sedi) is 16 entries and expects a max source index.
However, we pass the total source count which runs off the end of the
array when src_cnt == 16. The minimal fix is to just pass src_cnt-1,
but given we know the source count is > 8 we can just calculate the sed
pool by (src_cnt - 2) >> 3.
Cc: Dave Jiang <dave.jiang@intel.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mikulas Patocka [Thu, 31 Oct 2013 17:55:45 +0000 (13:55 -0400)]
dm: allocate buffer for messages with small number of arguments using GFP_NOIO
commit
f36afb3957353d2529cb2b00f78fdccd14fc5e9c upstream.
dm-mpath and dm-thin must process messages even if some device is
suspended, so we allocate argv buffer with GFP_NOIO. These messages have
a small fixed number of arguments.
On the other hand, dm-switch needs to process bulk data using messages
so excessive use of GFP_NOIO could cause trouble.
The patch also lowers the default number of arguments from 64 to 8, so
that there is smaller load on GFP_NOIO allocations.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Joe Thornber [Wed, 30 Oct 2013 17:11:58 +0000 (17:11 +0000)]
dm cache: fix a race condition between queuing new migrations and quiescing for a shutdown
commit
66cb1910df17b38334153462ec8166e48058035f upstream.
The code that was trying to do this was inadequate. The postsuspend
method (in ioctl context), needs to wait for the worker thread to
acknowledge the request to quiesce. Otherwise the migration count may
drop to zero temporarily before the worker thread realises we're
quiescing. In this case the target will be taken down, but the worker
thread may have issued a new migration, which will cause an oops when
it completes.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Joe Thornber [Wed, 30 Oct 2013 11:19:59 +0000 (11:19 +0000)]
dm array: fix bug in growing array
commit
9c1d4de56066e4d6abc66ec188faafd7b303fb08 upstream.
Entries would be lost if the old tail block was partially filled.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Shiva Krishna Merla [Wed, 30 Oct 2013 03:26:38 +0000 (03:26 +0000)]
dm mpath: fix race condition between multipath_dtr and pg_init_done
commit
954a73d5d3073df2231820c718fdd2f18b0fe4c9 upstream.
Whenever multipath_dtr() is happening we must prevent queueing any
further path activation work. Implement this by adding a new
'pg_init_disabled' flag to the multipath structure that denotes future
path activation work should be skipped if it is set. By disabling
pg_init and then re-enabling in flush_multipath_work() we also avoid the
potential for pg_init to be initiated while suspending an mpath device.
Without this patch a race condition exists that may result in a kernel
panic:
1) If after pg_init_done() decrements pg_init_in_progress to 0, a call
to wait_for_pg_init_completion() assumes there are no more pending path
management commands.
2) If pg_init_required is set by pg_init_done(), due to retryable
mode_select errors, then process_queued_ios() will again queue the
path activation work.
3) If free_multipath() completes before activate_path() work is called a
NULL pointer dereference like the following can be seen when
accessing members of the recently destructed multipath:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000090
RIP: 0010:[<
ffffffffa003db1b>] [<
ffffffffa003db1b>] activate_path+0x1b/0x30 [dm_multipath]
[<
ffffffff81090ac0>] worker_thread+0x170/0x2a0
[<
ffffffff81096c80>] ? autoremove_wake_function+0x0/0x40
[switch to disabling pg_init in flush_multipath_work & header edits by Mike Snitzer]
Signed-off-by: Shiva Krishna Merla <shivakrishna.merla@netapp.com>
Reviewed-by: Krishnasamy Somasundaram <somasundaram.krishnasamy@netapp.com>
Tested-by: Speagle Andy <Andy.Speagle@netapp.com>
Acked-by: Junichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rodolfo Giometti [Mon, 9 Sep 2013 15:31:59 +0000 (17:31 +0200)]
mmc: atmel-mci: fix oops in atmci_tasklet_func
commit
fbd986cd420d1deeabf1039ec4e74075a5639db5 upstream.
In some cases, a NULL pointer dereference happens because data is NULL when
STATE_END_REQUEST case is reached in atmci_tasklet_func.
Signed-off-by: Rodolfo Giometti <giometti@enneenne.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ludovic Desroches [Mon, 9 Sep 2013 15:29:56 +0000 (17:29 +0200)]
mmc: atmel-mci: abort transfer on timeout error
commit
c1fa3426aa5c782724c97394303d52228206eda4 upstream.
When a software timeout occurs, the transfer is not stopped. In DMA case,
it causes DMA channel to be stuck because the transfer is still active
causing following transfers to be queued but not computed.
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Reported-by: Alexander Morozov <etesial@gmail.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Akira Takeuchi [Tue, 12 Nov 2013 23:08:21 +0000 (15:08 -0800)]
mm: ensure get_unmapped_area() returns higher address than mmap_min_addr
commit
2afc745f3e3079ab16c826be4860da2529054dd2 upstream.
This patch fixes the problem that get_unmapped_area() can return illegal
address and result in failing mmap(2) etc.
In case that the address higher than PAGE_SIZE is set to
/proc/sys/vm/mmap_min_addr, the address lower than mmap_min_addr can be
returned by get_unmapped_area(), even if you do not pass any virtual
address hint (i.e. the second argument).
This is because the current get_unmapped_area() code does not take into
account mmap_min_addr.
This leads to two actual problems as follows:
1. mmap(2) can fail with EPERM on the process without CAP_SYS_RAWIO,
although any illegal parameter is not passed.
2. The bottom-up search path after the top-down search might not work in
arch_get_unmapped_area_topdown().
Note: The first and third chunk of my patch, which changes "len" check,
are for more precise check using mmap_min_addr, and not for solving the
above problem.
[How to reproduce]
--- test.c -------------------------------------------------
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/errno.h>
int main(int argc, char *argv[])
{
void *ret = NULL, *last_map;
size_t pagesize = sysconf(_SC_PAGESIZE);
do {
last_map = ret;
ret = mmap(0, pagesize, PROT_NONE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
// printf("ret=%p\n", ret);
} while (ret != MAP_FAILED);
if (errno != ENOMEM) {
printf("ERR: unexpected errno: %d (last map=%p)\n",
errno, last_map);
}
return 0;
}
---------------------------------------------------------------
$ gcc -m32 -o test test.c
$ sudo sysctl -w vm.mmap_min_addr=65536
vm.mmap_min_addr = 65536
$ ./test (run as non-priviledge user)
ERR: unexpected errno: 1 (last map=0x10000)
Signed-off-by: Akira Takeuchi <takeuchi.akr@jp.panasonic.com>
Signed-off-by: Kiyoshi Owada <owada.kiyoshi@jp.panasonic.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stanislaw Gruszka [Tue, 15 Oct 2013 12:28:48 +0000 (14:28 +0200)]
rt2400pci: fix RSSI read
commit
2bf127a5cc372b9319afcbae10b090663b621c8b upstream.
RSSI value is provided on word3 not on word2.
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ursula Braun [Wed, 6 Nov 2013 08:04:52 +0000 (09:04 +0100)]
qeth: avoid buffer overflow in snmp ioctl
commit
6fb392b1a63ae36c31f62bc3fc8630b49d602b62 upstream.
Check user-defined length in snmp ioctl request and allow request
only if it fits into a qeth command buffer.
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Reviewed-by: Heiko Carstens <heicars2@linux.vnet.ibm.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Tue, 5 Nov 2013 21:15:29 +0000 (15:15 -0600)]
rtlwifi: rtl8192cu: Fix incorrect signal strength for unassociated AP
commit
78dbfecb95be4635b995af3bd29fa10013409fcd upstream.
The routine that processes received frames was returning the RSSI value for the
signal strength; however, that value is available only for associated APs. As
a result, the strength was the absurd value of 10 dBm. As a result, scans
return incorrect values for the strength, which causes unwanted attempts to roam.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Tue, 5 Nov 2013 21:15:28 +0000 (15:15 -0600)]
rtlwifi: rtl8192se: Fix incorrect signal strength for unassociated AP
commit
b4ade797668e33b4e8353c2701ce01d7084dfafa upstream.
The routine that processes received frames was returning the RSSI value for the
signal strength; however, that value is available only for associated APs. As
a result, the strength was the absurd value of 10 dBm. As a result, scans
return incorrect values for the strength, which causes unwanted attempts to roam.
This patch fixes https://bugzilla.kernel.org/show_bug.cgi?id=63881.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Matthieu Baerts <matttbe@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Tue, 5 Nov 2013 21:15:30 +0000 (15:15 -0600)]
rtlwifi: rtl8192de: Fix incorrect signal strength for unassociated AP
commit
3545f3d5f4af715c914394123ce7725a9cf0a1c4 upstream.
The routine that processes received frames was returning the RSSI value for the
signal strength; however, that value is available only for associated APs. As
a result, the strength was the absurd value of 10 dBm. As a result, scans
return incorrect values for the strength, which causes unwanted attempts to roam.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vegard Nossum [Thu, 5 Sep 2013 11:00:14 +0000 (13:00 +0200)]
xen/blkback: fix reference counting
commit
ea5ec76d76da9279d12027c1828544c5ccbe7932 upstream.
If the permission check fails, we drop a reference to the blkif without
having taken it in the first place. The bug was introduced in commit
604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (xen/blkback: Check device
permissions before allowing OP_DISCARD).
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Theodore Ts'o [Fri, 1 Nov 2013 03:00:24 +0000 (23:00 -0400)]
ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
commit
dcb9917ba041866686fe152850364826c4622a36 upstream.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Huang Shijie [Mon, 11 Nov 2013 04:13:45 +0000 (12:13 +0800)]
mtd: gpmi: fix kernel BUG due to racing DMA operations
commit
7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 upstream.
[1] The gpmi uses the nand_command_lp to issue the commands to NAND chips.
The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles
a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0)
from the NAND, we may send two DMA operations back-to-back.
If we do not serialize the two DMA operations, we will meet a bug when
1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG,
and CONFIG_DEBUG_SG.
1.2) Use the following commands in an UART console and a SSH console:
cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done
cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done
The kernel log shows below:
-----------------------------------------------------------------
kernel BUG at lib/scatterlist.c:28!
Unable to handle kernel NULL pointer dereference at virtual address
00000000
.........................
[<
80044a0c>] (__bug+0x18/0x24) from [<
80249b74>] (sg_next+0x48/0x4c)
[<
80249b74>] (sg_next+0x48/0x4c) from [<
80255398>] (debug_dma_unmap_sg+0x170/0x1a4)
[<
80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<
8004af58>] (dma_unmap_sg+0x14/0x6c)
[<
8004af58>] (dma_unmap_sg+0x14/0x6c) from [<
8027e594>] (mxs_dma_tasklet+0x18/0x1c)
[<
8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<
8007d444>] (tasklet_action+0x114/0x164)
-----------------------------------------------------------------
1.3) Assume the two DMA operations is X (first) and Y (second).
The root cause of the bug:
Assume process P issues DMA X, and sleep on the completion
@this->dma_done. X's tasklet callback is dma_irq_callback. It firstly
wake up the process sleeping on the completion @this->dma_done,
and then trid to unmap the scatterlist S. The waked process P will
issue Y in another ARM core. Y initializes S->sg_magic to zero
with sg_init_one(), while dma_irq_callback is unmapping S at the same
time.
See the diagram:
ARM core 0 | ARM core 1
-------------------------------------------------------------
(P issues DMA X, then sleep) --> |
|
(X's tasklet wakes P) --> |
|
| <-- (P begin to issue DMA Y)
|
(X's tasklet unmap the |
scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init
| scatterlist S)
|
[2] This patch serialize both the X and Y in the following way:
Unmap the DMA scatterlist S firstly, and wake up the process at the end
of the DMA callback, in such a way, Y will be executed after X.
After this patch:
ARM core 0 | ARM core 1
-------------------------------------------------------------
(P issues DMA X, then sleep) --> |
|
(X's tasklet unmap the |
scatterlist S with dma_unmap_sg) --> |
|
(X's tasklet wakes P) --> |
|
| <-- (P begin to issue DMA Y)
|
| <-- (Y calls sg_init_one() to init
| scatterlist S)
|
Signed-off-by: Huang Shijie <b32955@freescale.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang Haitao [Thu, 22 Aug 2013 11:32:38 +0000 (19:32 +0800)]
mtd: map: fixed bug in 64-bit systems
commit
a4d62babf988fe5dfde24437fa135ef147bc7aa0 upstream.
Hardware:
CPU: XLP832,the 64-bit OS
NOR Flash:S29GL128S 128M
Software:
Kernel:2.6.32.41
Filesystem:JFFS2
When writing files, errors appear:
Write len 182 but return retlen 180
Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180
Write len 186 but return retlen 184
Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184
These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we
found that the left shift operation is wrong in map_word_load_partial. For instance:
unsigned char buf[3] ={0x9e,0x3a,0xea};
map_bankwidth(map) is 4;
for (i=0; i < 3; i++) {
int bitpos;
bitpos = (map_bankwidth(map)-1-i)*8;
orig.x[0] &= ~(0xff << bitpos);
orig.x[0] |= buf[i] << bitpos;
}
The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit
System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign
extension:
buf[i] is defined as "unsigned char" and the left-shift operation will convert it
to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result
will get the wrong value: 0xffffffff9e3aeaff.
If the left-shift bits are less than 24, then sign extension will not occur. Whereas
the bankwidth of the nor flash we used is 4, therefore this BUG emerges.
Signed-off-by: Pang Xunlei <pang.xunlei@zte.com.cn>
Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
Signed-off-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Brian Norris [Wed, 28 Aug 2013 01:45:10 +0000 (18:45 -0700)]
mtd: nand: hack ONFI for non-power-of-2 dimensions
commit
4355b70cf48363c50a9de450b01178c83aba8f6a upstream.
Some bright specification writers decided to write this in the ONFI spec
(from ONFI 3.0, Section 3.1):
"The number of blocks and number of pages per block is not required to
be a power of two. In the case where one of these values is not a
power of two, the corresponding address shall be rounded to an
integral number of bits such that it addresses a range up to the
subsequent power of two value. The host shall not access upper
addresses in a range that is shown as not supported."
This breaks every assumption MTD makes about NAND block/chip-size
dimensions -- they *must* be a power of two!
And of course, an enterprising manufacturer has made use of this lovely
freedom. Exhibit A: Micron MT29F32G08CBADAWP
"- Plane size: 2 planes x 1064 blocks per plane
- Device size: 32Gb: 2128 blockss [sic]"
This quickly hits a BUG() in nand_base.c, since the extra dimensions
overflow so we think it's a second chip (on my single-chip setup):
ONFI param page 0 valid
ONFI flash detected
NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744
------------[ cut here ]------------
kernel BUG at drivers/mtd/nand/nand_base.c:203!
Internal error: Oops - BUG: 0 [#1] SMP ARM
[... trim ...]
[<
c02cf3e4>] (nand_select_chip+0x18/0x2c) from [<
c02d25c0>] (nand_do_read_ops+0x90/0x424)
[<
c02d25c0>] (nand_do_read_ops+0x90/0x424) from [<
c02d2dd8>] (nand_read+0x54/0x78)
[<
c02d2dd8>] (nand_read+0x54/0x78) from [<
c02ad2c8>] (mtd_read+0x84/0xbc)
[<
c02ad2c8>] (mtd_read+0x84/0xbc) from [<
c02d4b28>] (scan_read.clone.4+0x4c/0x64)
[<
c02d4b28>] (scan_read.clone.4+0x4c/0x64) from [<
c02d4c88>] (search_bbt+0x148/0x290)
[<
c02d4c88>] (search_bbt+0x148/0x290) from [<
c02d4ea4>] (nand_scan_bbt+0xd4/0x5c0)
[... trim ...]
---[ end trace
0c9363860d865ff2 ]---
So to fix this, just truncate these dimensions down to the greatest
power-of-2 dimension that is less than or equal to the specified
dimension.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mikulas Patocka [Tue, 15 Oct 2013 20:14:38 +0000 (14:14 -0600)]
loop: fix crash when using unassigned loop device
commit
ef7e7c82e02b602f29c2b87f42dcd6143a6777da upstream.
When the loop module is loaded, it creates 8 loop devices /dev/loop[0-7].
The devices have no request routine and thus, when they are used without
being assigned, a crash happens.
For example, these commands cause crash (assuming there are no used loop
devices):
Kernel Fault: Code=26 regs=
000000007f420980 (Addr=
0000000000000010)
CPU: 1 PID: 50 Comm: kworker/1:1 Not tainted 3.11.0 #1
Workqueue: ksnaphd do_metadata [dm_snapshot]
task:
000000007fcf4078 ti:
000000007f420000 task.ti:
000000007f420000
[ 116.319988]
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW:
00001000000001001111111100001111 Not tainted
r00-03
000000ff0804ff0f 00000000408bf5d0 00000000402d8204 000000007b7ff6c0
r04-07
00000000408a95d0 000000007f420950 000000007b7ff6c0 000000007d06c930
r08-11
000000007f4205c0 0000000000000001 000000007f4205c0 000000007f4204b8
r12-15
0000000000000010 0000000000000000 0000000000000000 0000000000000000
r16-19
000000001108dd48 000000004061cd7c 000000007d859800 000000000800000f
r20-23
0000000000000000 0000000000000008 0000000000000000 0000000000000000
r24-27
00000000ffffffff 000000007b7ff6c0 000000007d859800 00000000408a95d0
r28-31
0000000000000000 000000007f420950 000000007f420980 000000007f4208e8
sr00-03
0000000000000000 0000000000000000 0000000000000000 0000000000303000
sr04-07
0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 117.549988]
IASQ:
0000000000000000 0000000000000000 IAOQ:
00000000402d82fc 00000000402d8300
IIR:
53820020 ISR:
0000000000000000 IOR:
0000000000000010
CPU: 1 CR30:
000000007f420000 CR31:
ffffffffffffffff
ORIG_R28:
0000000000000001
IAOQ[0]: generic_make_request+0x11c/0x1a0
IAOQ[1]: generic_make_request+0x120/0x1a0
RP(r2): generic_make_request+0x24/0x1a0
Backtrace:
[<
00000000402d83f0>] submit_bio+0x70/0x140
[<
0000000011087c4c>] dispatch_io+0x234/0x478 [dm_mod]
[<
0000000011087f44>] sync_io+0xb4/0x190 [dm_mod]
[<
00000000110883bc>] dm_io+0x2c4/0x310 [dm_mod]
[<
00000000110bfcd0>] do_metadata+0x28/0xb0 [dm_snapshot]
[<
00000000401591d8>] process_one_work+0x160/0x460
[<
0000000040159bc0>] worker_thread+0x300/0x478
[<
0000000040161a70>] kthread+0x118/0x128
[<
0000000040104020>] end_fault_vector+0x20/0x28
[<
0000000040177220>] task_tick_fair+0x420/0x4d0
[<
00000000401aa048>] invoke_rcu_core+0x50/0x60
[<
00000000401ad5b8>] rcu_check_callbacks+0x210/0x8d8
[<
000000004014aaa0>] update_process_times+0xa8/0xc0
[<
00000000401ab86c>] rcu_process_callbacks+0x4b4/0x598
[<
0000000040142408>] __do_softirq+0x250/0x2c0
[<
00000000401789d0>] find_busiest_group+0x3c0/0xc70
[ 119.379988]
Kernel panic - not syncing: Kernel Fault
Rebooting in 1 seconds..
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mikulas Patocka [Mon, 14 Oct 2013 16:12:24 +0000 (12:12 -0400)]
loop: fix crash if blk_alloc_queue fails
commit
3ec981e30fae1f3c8728a05c730acaa1f627bcfb upstream.
loop: fix crash if blk_alloc_queue fails
If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the
identifier allocated with idr_alloc. That causes crash on module unload in
idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to
remove non-existed device with that id.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000380
IP: [<
ffffffff812057c9>] del_gendisk+0x19/0x2d0
PGD
43d399067 PUD
43d0ad067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but!
ton unix
CPU: 7 PID: 2735 Comm: rmmod Tainted: G W 3.10.15-devel #15
Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009
task:
ffff88043d38e780 ti:
ffff88043d21e000 task.ti:
ffff88043d21e000
RIP: 0010:[<
ffffffff812057c9>] [<
ffffffff812057c9>] del_gendisk+0x19/0x2d0
RSP: 0018:
ffff88043d21fe10 EFLAGS:
00010282
RAX:
ffffffffa05102e0 RBX:
0000000000000000 RCX:
0000000000000000
RDX:
0000000000000000 RSI:
ffff88043ea82800 RDI:
0000000000000000
RBP:
ffff88043d21fe48 R08:
0000000000000000 R09:
0000000000000001
R10:
0000000000000001 R11:
0000000000000000 R12:
00000000000000ff
R13:
0000000000000080 R14:
0000000000000000 R15:
ffff88043ea82800
FS:
00007ff646534700(0000) GS:
ffff880447000000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
0000000000000380 CR3:
000000043e9bf000 CR4:
00000000000007e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Stack:
ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800
00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60
ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec
Call Trace:
[<
ffffffff8100aba4>] ? native_sched_clock+0x24/0x80
[<
ffffffffa05102b4>] loop_remove+0x14/0x40 [loop]
[<
ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop]
[<
ffffffff81217b74>] idr_for_each+0x104/0x190
[<
ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop]
[<
ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0
[<
ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop]
[<
ffffffff810a98ea>] SyS_delete_module+0x13a/0x260
[<
ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<
ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00
00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20
RIP [<
ffffffff812057c9>] del_gendisk+0x19/0x2d0
RSP <
ffff88043d21fe10>
CR2:
0000000000000380
---[ end trace
64ec069ec70f1309 ]---
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bart Van Assche [Thu, 10 Oct 2013 11:53:25 +0000 (13:53 +0200)]
IB/srp: Report receive errors correctly
commit
cd4e38542a5c2cab94e5410fb17c1cc004a60792 upstream.
The IB spec does not guarantee that the opcode is available in error
completions. Hence do not rely on it. See also commit
948d1e889e5b
("IB/srp: Introduce srp_handle_qp_err()").
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mike Marciniszyn [Fri, 25 Oct 2013 15:17:59 +0000 (11:17 -0400)]
IB/qib: Fix txselect regression
commit
2fadd83184d58701f1116ca578465b5a75f9417c upstream.
Commit
7fac33014f54("IB/qib: checkpatch fixes") was overzealous in
removing a simple_strtoul for a parse routine, setup_txselect(). That
routine is required to handle a multi-value string.
Unwind that aspect of the fix.
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Kara [Fri, 4 Oct 2013 13:29:06 +0000 (09:29 -0400)]
IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast()
commit
4adcf7fb6783e354aab38824d803fa8c4f8e8a27 upstream.
ipath_user_sdma_queue_pkts() gets called with mmap_sem held for
writing. Except for get_user_pages() deep down in
ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all.
Even more interestingly the function ipath_user_sdma_queue_pkts() (and
also ipath_user_sdma_coalesce() called somewhat later) call
copy_from_user() which can hit a page fault and we deadlock on trying
to get mmap_sem when handling that fault. So just make
ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave
mmap_sem locking for mm.
This deadlock has actually been observed in the wild when the node
is under memory pressure.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
[ Merged in fix for call to get_user_pages_fast from Tetsuo Handa
<penguin-kernel@I-love.SAKURA.ne.jp>. - Roland ]
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Seppanen [Wed, 20 Nov 2013 22:19:52 +0000 (14:19 -0800)]
iscsi-target: chap auth shouldn't match username with trailing garbage
commit
86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream.
In iSCSI negotiations with initiator CHAP enabled, usernames with
trailing garbage are permitted, because the string comparison only
checks the strlen of the configured username.
e.g. "usernameXXXXX" will be permitted to match "username".
Just check one more byte so the trailing null char is also matched.
Signed-off-by: Eric Seppanen <eric@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Seppanen [Wed, 20 Nov 2013 22:19:51 +0000 (14:19 -0800)]
iscsi-target: fix extract_param to handle buffer length corner case
commit
369653e4fb511928511b0ce81f41c812ff1f28b6 upstream.
extract_param() is called with max_length set to the total size of the
output buffer. It's not safe to allow a parameter length equal to the
buffer size as the terminating null would be written one byte past the
end of the output buffer.
Signed-off-by: Eric Seppanen <eric@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicholas Bellinger [Wed, 13 Nov 2013 01:54:56 +0000 (17:54 -0800)]
iscsi-target: Fix mutex_trylock usage in iscsit_increment_maxcmdsn
commit
5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 upstream.
This patch fixes a >= v3.10 regression bug with mutex_trylock() usage
within iscsit_increment_maxcmdsn(), that was originally added to allow
for a special case where ->cmdsn_mutex was already held from the
iscsit_execute_cmd() exception path for ib_isert.
When !mutex_trylock() was occuring under contention during normal RX/TX
process context codepaths, the bug was manifesting itself as the following
protocol error:
Received CmdSN: 0x000fcbb7 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
Received CmdSN: 0x000fcbb8 is greater than MaxCmdSN: 0x000fcbb6, protocol error.
This patch simply avoids the direct ib_isert callback in lio_queue_status()
for the special iscsi_execute_cmd() exception cases, that allows the problematic
mutex_trylock() usage in iscsit_increment_maxcmdsn() to go away.
Reported-by: Moussa Ba <moussaba@micron.com>
Tested-by: Moussa Ba <moussaba@micron.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Samir Benmendil [Sun, 17 Nov 2013 22:56:17 +0000 (23:56 +0100)]
ahci: add Marvell 9230 to the AHCI PCI device list
commit
6d5278a68a75891db1df5ae1ecf83d288fc58c65 upstream.
Tested with a DAWICONTROL DC-624e on 3.10.10
Signed-off-by: Samir Benmendil <samir.benmendil@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Levente Kurusa <levex@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xiangliang yu [Sun, 27 Oct 2013 12:03:04 +0000 (08:03 -0400)]
ahci: disabled FBS prior to issuing software reset
commit
89dafa20f3daab5b3e0c13d0068a28e8e64e2102 upstream.
Tested with Marvell 88se9125, attached with one port mulitplier(5 ports)
and one disk, we will get following boot log messages if using current
code:
ata8: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
ata8.15: Port Multiplier 1.2, 0x1b4b:0x9715 r160, 5 ports, feat 0x1/0x1f
ahci 0000:03:00.0: FBS is enabled
ata8.00: hard resetting link
ata8.00: SATA link down (SStatus 0 SControl 330)
ata8.01: hard resetting link
ata8.01: SATA link down (SStatus 0 SControl 330)
ata8.02: hard resetting link
ata8.02: SATA link down (SStatus 0 SControl 330)
ata8.03: hard resetting link
ata8.03: SATA link up 6.0 Gbps (SStatus 133 SControl 133)
ata8.04: hard resetting link
ata8.04: failed to resume link (SControl 133)
ata8.04: failed to read SCR 0 (Emask=0x40)
ata8.04: failed to read SCR 0 (Emask=0x40)
ata8.04: failed to read SCR 1 (Emask=0x40)
ata8.04: failed to read SCR 0 (Emask=0x40)
ata8.03: native sectors (2) is smaller than sectors (
976773168)
ata8.03: ATA-8: ST3500413AS, JC4B, max UDMA/133
ata8.03:
976773168 sectors, multi 0: LBA48 NCQ (depth 31/32)
ata8.03: configured for UDMA/133
ata8.04: failed to IDENTIFY (I/O error, err_mask=0x100)
ata8.15: hard resetting link
ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
ata8.15: PMP revalidation failed (errno=-19)
ata8.15: hard resetting link
ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330)
ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
ata8.15: PMP revalidation failed (errno=-19)
ata8.15: limiting SATA link speed to 3.0 Gbps
ata8.15: hard resetting link
ata8.15: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133'
ata8.15: PMP revalidation failed (errno=-19)
ata8.15: failed to recover PMP after 5 tries, giving up
ata8.15: Port Multiplier detaching
ata8.03: disabled
ata8.00: disabled
ata8: EH complete
The reason is that current detection code doesn't follow AHCI spec:
First,the port multiplier detection process look like this:
ahci_hardreset(link, class, deadline)
if (class == ATA_DEV_PMP) {
sata_pmp_attach(dev) /* will enable FBS */
sata_pmp_init_links(ap, nr_ports);
ata_for_each_link(link, ap, EDGE) {
sata_std_hardreset(link, class, deadline);
if (link_is_online) /* do soft reset */
ahci_softreset(link, class, deadline);
}
}
But, according to chapter 9.3.9 in AHCI spec: Prior to issuing software
reset, software shall clear PxCMD.ST to '0' and then clear PxFBS.EN to
'0'.
The patch test ok with kernel 3.11.1.
tj: Patch white space contaminated, applied manually with trivial
updates.
Signed-off-by: Xiangliang Yu <yuxiangl@marvell.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
James Ralston [Mon, 4 Nov 2013 17:24:58 +0000 (09:24 -0800)]
ahci: Add Device IDs for Intel Wildcat Point-LP
commit
9f961a5f6efc87a79571d7166257b36af28ffcfe upstream.
This patch adds the AHCI-mode SATA Device IDs for the Intel Wildcat Point-LP PCH.
Signed-off-by: James Ralston <james.d.ralston@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Manfred Spraul [Wed, 16 Oct 2013 20:46:45 +0000 (13:46 -0700)]
ipc/sem.c: synchronize semop and semctl with IPC_RMID
commit
6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream.
After acquiring the semlock spinlock, operations must test that the
array is still valid.
- semctl() and exit_sem() would walk stale linked lists (ugly, but
should be ok: all lists are empty)
- semtimedop() would sleep forever - and if woken up due to a signal -
access memory after free.
The patch also:
- standardizes the tests for .deleted, so that all tests in one
function leave the function with the same approach.
- unconditionally tests for .deleted immediately after every call to
sem_lock - even it it means that for semctl(GETALL), .deleted will be
tested twice.
Both changes make the review simpler: After every sem_lock, there must
be a test of .deleted, followed by a goto to the cleanup code (if the
function uses "goto cleanup").
The only exception is semctl_down(): If sem_ids().rwsem is locked, then
the presence in ids->ipcs_idr is equivalent to !.deleted, thus no
additional test is required.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Mike Galbraith <efault@gmx.de>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Davidlohr Bueso [Wed, 16 Oct 2013 20:46:45 +0000 (13:46 -0700)]
ipc: update locking scheme comments
commit
18ccee263c7e250a57f01c9434658f11f4118a64 upstream.
The initial documentation was a bit incomplete, update accordingly.
[akpm@linux-foundation.org: make it more readable in 80 columns]
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Krause [Sun, 3 Nov 2013 11:36:28 +0000 (12:36 +0100)]
ipc, msg: forbid negative values for "msg{max,mnb,mni}"
commit
9bf76ca325d5e9208eb343f7bd4cc666f703ed30 upstream.
Negative message lengths make no sense -- so don't do negative queue
lenghts or identifier counts. Prevent them from getting negative.
Also change the underlying data types to be unsigned to avoid hairy
surprises with sign extensions in cases where those variables get
evaluated in unsigned expressions with bigger data types, e.g size_t.
In case a user still wants to have "unlimited" sizes she could just use
INT_MAX instead.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mathias Krause [Tue, 12 Nov 2013 23:11:47 +0000 (15:11 -0800)]
ipc, msg: fix message length check for negative values
commit
4e9b45a19241354daec281d7a785739829b52359 upstream.
On 64 bit systems the test for negative message sizes is bogus as the
size, which may be positive when evaluated as a long, will get truncated
to an int when passed to load_msg(). So a long might very well contain a
positive value but when truncated to an int it would become negative.
That in combination with a small negative value of msg_ctlmax (which will
be promoted to an unsigned type for the comparison against msgsz, making
it a big positive value and therefore make it pass the check) will lead to
two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too
small buffer as the addition of alen is effectively a subtraction. 2/ The
copy_from_user() call in load_msg() will first overflow the buffer with
userland data and then, when the userland access generates an access
violation, the fixup handler copy_user_handle_tail() will try to fill the
remainder with zeros -- roughly 4GB. That almost instantly results in a
system crash or reset.
,-[ Reproducer (needs to be run as root) ]--
| #include <sys/stat.h>
| #include <sys/msg.h>
| #include <unistd.h>
| #include <fcntl.h>
|
| int main(void) {
| long msg = 1;
| int fd;
|
| fd = open("/proc/sys/kernel/msgmax", O_WRONLY);
| write(fd, "-1", 2);
| close(fd);
|
| msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT);
|
| return 0;
| }
'---
Fix the issue by preventing msgsz from getting truncated by consistently
using size_t for the message length. This way the size checks in
do_msgsnd() could still be passed with a negative value for msg_ctlmax but
we would fail on the buffer allocation in that case and error out.
Also change the type of m_ts from int to size_t to avoid similar nastiness
in other code paths -- it is used in similar constructs, i.e. signed vs.
unsigned checks. It should never become negative under normal
circumstances, though.
Setting msg_ctlmax to a negative value is an odd configuration and should
be prevented. As that might break existing userland, it will be handled
in a separate commit so it could easily be reverted and reworked without
reintroducing the above described bug.
Hardening mechanisms for user copy operations would have catched that bug
early -- e.g. checking slab object sizes on user copy operations as the
usercopy feature of the PaX patch does. Or, for that matter, detect the
long vs. int sign change due to truncation, as the size overflow plugin
of the very same patch does.
[akpm@linux-foundation.org: fix i386 min() warnings]
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Mon, 11 Nov 2013 04:11:16 +0000 (22:11 -0600)]
rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
commit
eafbdde9c5629bea58df07275c5917eb42afbbe7 upstream.
This driver uses a number of macros to get and set various fields in the
RX and TX descriptors. To work correctly, a u8 pointer to the descriptor
must be used; however, in some cases a descriptor structure pointer is used
instead. In addition, a duplicated statement is removed.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe Pena [Sat, 19 Oct 2013 00:52:40 +0000 (21:52 -0300)]
rtlwifi: rtl8192se: Fix wrong assignment
commit
3aef7dde8dcf09e0124f0a2665845a507331972b upstream.
There is a typo in the struct member name on assignment when checking
rtlphy->current_chan_bw == HT_CHANNEL_WIDTH_20_40, the check uses pwrgroup_ht40
for bound limit and uses pwrgroup_ht20 when assigning instead.
Signed-off-by: Felipe Pena <felipensp@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mark Cave-Ayland [Sat, 2 Nov 2013 19:28:35 +0000 (14:28 -0500)]
rtlwifi: Fix endian error in extracting packet type
commit
0c5d63f0ab6728f05ddefa25aff55e31297f95e6 upstream.
All of the rtlwifi drivers have an error in the routine that tests if
the data is "special". If it is, the subsequant transmission will be
at the lowest rate to enhance reliability. The 16-bit quantity is
big-endian, but was being extracted in native CPU mode. One of the
effects of this bug is to inhibit association under some conditions
as the TX rate is too high.
Based on suggestions by Joe Perches, the entire routine is rewritten.
One of the local headers contained duplicates of some of the ETH_P_XXX
definitions. These are deleted.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Wed, 25 Sep 2013 17:57:48 +0000 (12:57 -0500)]
rtlwifi: rtl8188ee: Fix smatch warning in rtl8188ee/hw.c
commit
dab3df5e88b979f8d09860f873ccfaa7a55758d2 upstream.
Smatch lists the following:
CHECK drivers/net/wireless/rtlwifi/rtl8188ee/hw.c
drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code.
drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code.
This info message is the result of a real error due to a missing break statement
in a "while (1)" loop.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ryan Mallon [Tue, 12 Nov 2013 23:08:51 +0000 (15:08 -0800)]
vsprintf: check real user/group id for %pK
commit
312b4e226951f707e120b95b118cbc14f3d162b2 upstream.
Some setuid binaries will allow reading of files which have read
permission by the real user id. This is problematic with files which
use %pK because the file access permission is checked at open() time,
but the kptr_restrict setting is checked at read() time. If a setuid
binary opens a %pK file as an unprivileged user, and then elevates
permissions before reading the file, then kernel pointer values may be
leaked.
This happens for example with the setuid pppd application on Ubuntu 12.04:
$ head -1 /proc/kallsyms
00000000 T startup_32
$ pppd file /proc/kallsyms
pppd: In file /proc/kallsyms: unrecognized option '
c1000000'
This will only leak the pointer value from the first line, but other
setuid binaries may leak more information.
Fix this by adding a check that in addition to the current process having
CAP_SYSLOG, that effective user and group ids are equal to the real ids.
If a setuid binary reads the contents of a file which uses %pK then the
pointer values will be printed as NULL if the real user is unprivileged.
Update the sysctl documentation to reflect the changes, and also correct
the documentation to state the kptr_restrict=0 is the default.
This is a only temporary solution to the issue. The correct solution is
to do the permission check at open() time on files, and to replace %pK
with a function which checks the open() time permission. %pK uses in
printk should be removed since no sane permission check can be done, and
instead protected by using dmesg_restrict.
Signed-off-by: Ryan Mallon <rmallon@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Joe Perches <joe@perches.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Shan Hai [Mon, 28 Oct 2013 08:08:01 +0000 (16:08 +0800)]
drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH drive
commit
0523f037f65dba10191b0fa9c51266f90ba64630 upstream.
The "Slimtype DVD A DS8A9SH" drive locks up with following backtrace when
the max sector is smaller than 65535 bytes, fix it by adding a quirk to set
the max sector to 65535 bytes.
INFO: task flush-11:0:663 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
flush-11:0 D
00000000ffff5ceb 0 663 2 0x00000000
ffff88026d3b1710 0000000000000046 0000000000000001 0000000000000000
ffff88026f2530c0 ffff88026d365860 ffff88026d3b16e0 ffffffff812ffd52
ffff88026d4fd3d0 0000000100000001 ffff88026d3b16f0 ffff88026d3b1fd8
Call Trace:
[<
ffffffff812ffd52>] ? cfq_may_queue+0x52/0xf0
[<
ffffffff81604338>] schedule+0x18/0x30
[<
ffffffff81604392>] io_schedule+0x42/0x60
[<
ffffffff812f22bb>] get_request_wait+0xeb/0x1f0
[<
ffffffff81065660>] ? autoremove_wake_function+0x0/0x40
[<
ffffffff812eb382>] ? elv_merge+0x42/0x210
[<
ffffffff812f26ae>] __make_request+0x8e/0x4e0
[<
ffffffff812f068e>] generic_make_request+0x21e/0x5e0
[<
ffffffff812f0aad>] submit_bio+0x5d/0xd0
[<
ffffffff81141422>] submit_bh+0xf2/0x130
[<
ffffffff8114474c>] __block_write_full_page+0x1dc/0x3a0
[<
ffffffff81143f60>] ? end_buffer_async_write+0x0/0x120
[<
ffffffff811474e0>] ? blkdev_get_block+0x0/0x70
[<
ffffffff811474e0>] ? blkdev_get_block+0x0/0x70
[<
ffffffff81143f60>] ? end_buffer_async_write+0x0/0x120
[<
ffffffff811449ee>] block_write_full_page_endio+0xde/0x100
[<
ffffffff81144a20>] block_write_full_page+0x10/0x20
[<
ffffffff81148703>] blkdev_writepage+0x13/0x20
[<
ffffffff810d7525>] __writepage+0x15/0x40
[<
ffffffff810d7c0f>] write_cache_pages+0x1cf/0x3e0
[<
ffffffff810d7510>] ? __writepage+0x0/0x40
[<
ffffffff810d7e42>] generic_writepages+0x22/0x30
[<
ffffffff810d7e6f>] do_writepages+0x1f/0x40
[<
ffffffff8113ae67>] writeback_single_inode+0xe7/0x3b0
[<
ffffffff8113b574>] writeback_sb_inodes+0x184/0x280
[<
ffffffff8113bedb>] writeback_inodes_wb+0x6b/0x1a0
[<
ffffffff8113c24b>] wb_writeback+0x23b/0x2a0
[<
ffffffff8113c42d>] wb_do_writeback+0x17d/0x190
[<
ffffffff8113c48b>] bdi_writeback_task+0x4b/0xe0
[<
ffffffff810e82a0>] ? bdi_start_fn+0x0/0x100
[<
ffffffff810e8321>] bdi_start_fn+0x81/0x100
[<
ffffffff810e82a0>] ? bdi_start_fn+0x0/0x100
[<
ffffffff8106522e>] kthread+0x8e/0xa0
[<
ffffffff81039274>] ? finish_task_switch+0x54/0xc0
[<
ffffffff81003334>] kernel_thread_helper+0x4/0x10
[<
ffffffff810651a0>] ? kthread+0x0/0xa0
[<
ffffffff81003330>] ? kernel_thread_helper+0x0/0x10
The above trace was triggered by
"dd if=/dev/zero of=/dev/sr0 bs=2048 count=32768"
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gwendal Grignou [Fri, 25 Oct 2013 23:28:57 +0000 (16:28 -0700)]
libata: Fix display of sata speed
commit
3e85c3ecbc520751324a191d23bb94873ed01b10 upstream.
6.0 Gbps link speed was not decoded properly:
speed was reported at 3.0 Gbps only.
Tested: On a machine where libata reports 6.0 Gbps in
/var/log/messages:
ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
Before:
cat /sys/class/ata_link/link1/sata_spd
3.0 Gbps
After:
cat /sys/class/ata_link/link1/sata_spd
6.0 Gbps
Signed-off-by: Gwendal Grignou <gwendal@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Thu, 7 Nov 2013 07:56:51 +0000 (10:56 +0300)]
gpio: rcar: NULL dereference on error in probe()
commit
0c8aab8e65e450f2bfea494c1b6a86ded653f88c upstream.
It's not obvious from the label name but "err1" tries to release
"p->irq_domain" which leads to a NULL dereference.
Fixes:
119f5e448d32 ('gpio: Renesas R-Car GPIO driver V3')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Thu, 7 Nov 2013 07:50:19 +0000 (10:50 +0300)]
gpio: mvebu: make mvchip->irqbase signed for error handling
commit
d535922691fc026479fcc03e78ac3d931a54e75a upstream.
There is a bug in mvebu_gpio_probe() where we do:
mvchip->irqbase = irq_alloc_descs(-1, 0, ngpios, -1);
if (mvchip->irqbase < 0) {
The problem is that mvchip->irqbase is unsigned so the error handling
doesn't work. I have changed it to be a regular int.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tony Lindgren [Mon, 18 Nov 2013 23:22:49 +0000 (15:22 -0800)]
gpio: twl4030: Fix regression for twl gpio output
commit
0b2aa8bed3e13892fcac77e4f50ec6e80125469d upstream.
Commit
c111feabe2e2 (gpio: twl4030: Cache the direction and output
states in private data) improved things in general, but caused a
regression for setting the GPIO output direction.
The change reorganized twl_direction_out() and twl_set() and swapped
the function names around in the process. While doing that, a bug got
introduced that's not obvious while reading the patch as it appears
as no change to the code.
The bug is we now call function twl4030_set_gpio_dataout() twice in
both twl_direction_out() and twl_set(). Instead, we should first
call twl_direction_out() in twl_direction_out() followed by
twl4030_set_gpio_dataout() in twl_set().
This regression probably has gone unnoticed for a long time as the
bootloader may have set the GPIO direction properly in many cases.
This fixes at least the LCD panel not turning on omap3 LDP for
example.
Cc: linux-gpio@vger.kernel.org
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephen Warren [Tue, 26 Nov 2013 03:35:42 +0000 (20:35 -0700)]
ARM: bcm2835: add missing #xxx-cells to I2C nodes
commit
a31ab44ef5d07c6707df4a9ad2c8affd2d62ff4b upstream.
The I2C controller node needs #address-cells and #size-cells properties,
but these are currently missing. Add them. This allows child nodes to be
parsed correctly.
Signed-off-by: Stephen Warren <swarren@wwwdotorg.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Doug Anderson [Wed, 23 Oct 2013 13:11:01 +0000 (06:11 -0700)]
ARM: dts: Add max77686 RTC interrupt to cros5250-common
commit
c61248afa8190ae3f47ee67f46e3c9b584a73d31 upstream.
Without the interrupt you'll get problems if you enable
CONFIG_RTC_DRV_MAX77686. Setup the interrupt properly in the device
tree.
Signed-off-by: Doug Anderson <dianders@chromium.org>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ionut Nicu [Fri, 11 Oct 2013 12:17:10 +0000 (14:17 +0200)]
i2c: mux: gpio: use gpio_set_value_cansleep()
commit
250ad590d6f12d93f4d85be305b0a598d609232e upstream.
Some gpio chips may have get/set operations that
can sleep. gpio_set_value() only works for chips
which do not sleep, for the others we will get a
kernel warning. Using gpio_set_value_cansleep()
will work for both chips that do sleep and those
who don't.
Signed-off-by: Ionut Nicu <ioan.nicu.ext@nsn.com>
Acked-by: Peter Korsgaard <peter.korsgaard@barco.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ionut Nicu [Fri, 11 Oct 2013 10:09:57 +0000 (12:09 +0200)]
i2c: mux: gpio: use reg value for i2c_add_mux_adapter
commit
8c0ec2500eeb89749341884a972860d7f9e56f9c upstream.
The i2c-mux driver requires that the chan_id parameter
passed to the i2c_add_mux_adapter() function is equal
to the reg value for that adapter:
for_each_child_of_node(mux_dev->of_node, child) {
ret = of_property_read_u32(child, "reg", ®);
if (ret)
continue;
if (chan_id == reg) {
priv->adap.dev.of_node = child;
break;
}
}
The i2c-mux-gpio driver uses an internal logical index
for chan_id when calling i2c_add_mux_adapter() instead
of using the reg value.
Because of this, there will problems in selecting the
right adapter when the i2c-mux-gpio's index into
mux->data.values doesn't match the reg value.
An example of such a case:
mux->data.values = { 1, 0 }
For chan_id = 0, i2c-mux will bind the adapter to the
of_node with reg = <0>, but when it will call the
select() callback with chan_id set to 0, the i2c-mux-gpio
will use it as an index into mux->data.values and it will
actually select the bus with reg = <1>.
Signed-off-by: Ionut Nicu <ioan.nicu.ext@nsn.com>
Acked-by: Alexander Sverdlin <alexander.sverdlin@nsn.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Marc Kleine-Budde [Fri, 27 Sep 2013 10:15:05 +0000 (12:15 +0200)]
can: flexcan: fix flexcan_chip_start() on imx6
commit
0d1862ea1a5bb876cf05555a7307080cb75bf379 upstream.
In the flexcan_chip_start() function first the flexcan core is going through
the soft reset sequence, then the RX FIFO is enabled.
With the hardware is put into FIFO mode, message buffers 1...7 are reserved by
the FIFO engine. The remaining message buffers are in reset default values.
This patch removes the bogus initialization of the message buffers, as it
causes an imprecise external abort on imx6.
Reported-by: Lothar Waßmann <LW@KARO-electronics.de>
Tested-by: Lothar Waßmann <LW@KARO-electronics.de>
[mkl: adjusted context for stable]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Helge Deller [Mon, 14 Oct 2013 19:04:13 +0000 (21:04 +0200)]
parisc: break out SOCK_NONBLOCK define to own asm header file
commit
38c7937379276a5ea8c54481205003af2f2b5694 upstream.
Break SOCK_NONBLOCK out to its own asm-file as other arches do. This
fixes build errors with auditd and probably other packages.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ilija Hadzic [Tue, 12 Nov 2013 23:11:45 +0000 (15:11 -0800)]
devpts: plug the memory leak in kill_sb
commit
66da0e1f9034140ae2f571ef96e254a25083906c upstream.
When devpts is unmounted, there may be a no-longer-used IDR tree hanging
off the superblock we are about to kill. This needs to be cleaned up
before destroying the SB.
The leak is usually not a big deal because unmounting devpts is typically
done when shutting down the whole machine. However, shutting down an LXC
container instead of a physical machine exposes the problem (the garbage
is detectable with kmemleak).
Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Roel Kluin [Sun, 13 Oct 2013 23:27:27 +0000 (01:27 +0200)]
pinctrl: dove: unset twsi option3 for gconfig as well
commit
6d0a4ed2b90a12e1403d3e7d9d8c2cc7fdc301b5 upstream.
This fixes a typo which left twsi config3 option enabled.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
KOSAKI Motohiro [Mon, 14 Oct 2013 21:33:16 +0000 (17:33 -0400)]
alarmtimer: return EINVAL instead of ENOTSUPP if rtcdev doesn't exist
commit
98d6f4dd84a134d942827584a3c5f67ffd8ec35f upstream.
Fedora Ruby maintainer reported latest Ruby doesn't work on Fedora Rawhide
on ARM. (http://bugs.ruby-lang.org/issues/9008)
Because of, commit
1c6b39ad3f (alarmtimers: Return -ENOTSUPP if no
RTC device is present) intruduced to return ENOTSUPP when
clock_get{time,res} can't find a RTC device. However this is incorrect.
First, ENOTSUPP isn't exported to userland (ENOTSUP or EOPNOTSUP are the
closest userland equivlents).
Second, Posix and Linux man pages agree that clock_gettime and
clock_getres should return EINVAL if clk_id argument is invalid.
While the arugment that the clockid is valid, but just not supported
on this hardware could be made, this is just a technicality that
doesn't help userspace applicaitons, and only complicates error
handling.
Thus, this patch changes the code to use EINVAL.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Reported-by: Vit Ondruch <v.ondruch@tiscali.cz>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
[jstultz: Tweaks to commit message to include full rational]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michael Hudson-Doyle [Thu, 31 Oct 2013 23:47:45 +0000 (16:47 -0700)]
perf tools: Remove cast of non-variadic function to variadic
commit
53805eca3d89b095062c11a6798689bb0af09216 upstream.
The
4fb71074a570 (perf ui/hist: Consolidate hpp helpers) cset introduced
a cast of percent_color_snprintf to a function pointer type with
varargs. Change percent_color_snprintf to be variadic and remove the
cast.
The symptom of this was all percentages being reported as 0.00% in perf
report --stdio output on the armhf arch.
Signed-off-by: Michael Hudson-Doyle <michael.hudson@linaro.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Jean Pihet <jean.pihet@linaro.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Link: http://lkml.kernel.org/r/87zjppvw7y.fsf@canonical.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Charles Keepax [Tue, 19 Nov 2013 10:51:29 +0000 (10:51 +0000)]
ASoC: wm5110: Add post SYSCLK register patch for rev D chip
commit
f69f86b1ba6493126a7f093a65a8952bcb183de2 upstream.
Certain registers require patching after the SYSCLK has been brought up
add support for this into the CODEC driver.
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Richard Fitzgerald [Wed, 20 Nov 2013 14:37:09 +0000 (14:37 +0000)]
ASoC: arizona: Set FLL to free-run before disabling
commit
3e68ce1bc72e5d6615677ec5a8b0a9bcb6c7a490 upstream.
The FLL must be placed into free-run mode before disabling
to allow it to entirely shut down.
Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Oskar Schirmer [Tue, 12 Nov 2013 15:46:38 +0000 (15:46 +0000)]
ASoC: fsl: imx-pcm-fiq: omit fiq counter to avoid harm in unbalanced situations
commit
fc7dc61d9a87011aaf8a6eb3144ebf9552adf5d2 upstream.
Unbalanced calls to snd_imx_pcm_trigger() may result in endless
FIQ activity and thus provoke eternal sound. While on the first glance,
the switch statement looks pretty symmetric, the SUSPEND/RESUME
pair is not: the suspend case comes along snd_pcm_suspend_all(),
which for fsl/imx-pcm-fiq is called only at snd_soc_suspend(),
but the resume case originates straight from the SNDRV_PCM_IOCTL_RESUME.
This way userland may provoke an unbalanced resume, which might cause
the fiq_enable counter to increase and never return to zero again,
so eventually imx_pcm_fiq is never disabled.
Simply removing the fiq_enable will solve the problem, as long as
one never goes play and capture game simultaneously, but beware
trying both at once, the early TRIGGER_STOP will cut off the other
activity prematurely. So now playing and capturing is scrutinized
separately, instead of by counting.
Signed-off-by: Oskar Schirmer <oskar@scara.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Wed, 13 Nov 2013 16:15:00 +0000 (17:15 +0100)]
ASoC: blackfin: Fix missing break
commit
afed4dbe3a043dbd833a53b6b4951e155708afd2 upstream.
Fixes:
4b2ffc205cb9 ('ASoC: Blackfin I2S: add 8-bit sample support')
Reported-by: David Binderman
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicolin Chen [Thu, 14 Nov 2013 03:59:21 +0000 (11:59 +0800)]
ASoC: wm8962: Turn on regcache_cache_only before disabling regulator
commit
50bfcf2df2fadf77e143d6099150e6fa7ef4d78c upstream.
It's safer to turn on regcache_cache_only before disabling regulator since
the driver will turn off the regcache_cache_only after enabling regulator.
If we remain cache_only false, some command like 'amixer cset' would get
failure if being run before wm8962_resume().
Signed-off-by: Nicolin Chen <b42378@freescale.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Brian Austin [Thu, 14 Nov 2013 17:46:12 +0000 (11:46 -0600)]
ASoC: cs42l52: Correct MIC CTL mask
commit
3d800c6d75b8c92fa928a0bcaf95cd7ac5fd1ce5 upstream.
The mask for CS42L52_MIC_CTL_TYPE_MASK was wrong keeping the mic config
from being set correctly.
Signed-off-by: Brian Austin <brian.austin@cirrus.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Phil Edworthy [Fri, 1 Nov 2013 06:06:17 +0000 (23:06 -0700)]
ASoC: ak4642: prevent un-necessary changes to SG_SL1
commit
7b5bfb82882b9b1c8423ce0ed6852ca3762d967a upstream.
If you record the sound during playback,
the playback sound becomes silent.
Modify so that the codec driver does not clear
SG_SL1::DACL bit which is controlled under widget
Signed-off-by: Phil Edworthy <phil.edworthy@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Tue, 12 Nov 2013 23:09:38 +0000 (15:09 -0800)]
backlight: atmel-pwm-bl: fix reported brightness
commit
185d91442550110db67a7dc794a32efcea455a36 upstream.
The driver supports 16-bit brightness values, but the value returned
from get_brightness was truncated to eight bits.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Tue, 12 Nov 2013 23:09:39 +0000 (15:09 -0800)]
backlight: atmel-pwm-bl: fix gpio polarity in remove
commit
ad5066d4c2b1d696749f8d7816357c23b648c4d3 upstream.
Make sure to honour gpio polarity also at remove so that the backlight is
actually disabled on boards with active-low enable pin.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Acked-by: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Malcolm Priestley [Thu, 7 Nov 2013 21:49:04 +0000 (21:49 +0000)]
staging: vt6656: [BUG] Fix for TX USB resets from vendors driver.
commit
9df682927c2e3a92f43803d6b52095992e3b2ab8 upstream.
This fixes resets on heavy TX data traffic.
Vendor driver
VT6656_Linux_src_v1.21.03_x86_11.04.zip
http://www.viaembedded.com/servlet/downloadSvl?id=1890&download_file_id=14704
This is GPL-licensed code.
original code
BBbVT3184Init
...
//2007-0725, RobertChang add, Enable Squelch detect reset option(SQ_RST_Opt), USB (register4, bit1)
CONTROLnsRequestIn(pDevice,
MESSAGE_TYPE_READ,
(WORD)0x600+4, // USB's Reg4's bit1
MESSAGE_REQUEST_MEM,
1,
(PBYTE) &byData);
byData = byData|2 ;
CONTROLnsRequestOut(pDevice,
MESSAGE_TYPE_WRITE,
(WORD)0x600+4, // USB's Reg4's bit1
MESSAGE_REQUEST_MEM,
1,
(PBYTE) &byData);
return TRUE;//ntStatus;
....
A back port patch is needed for kernels less than 3.10.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Olav Haugan [Fri, 22 Nov 2013 17:30:41 +0000 (09:30 -0800)]
staging: zsmalloc: Ensure handle is never 0 on success
commit
67296874eb1cc80317bf2a8fba22b494e21eb29b upstream.
zsmalloc encodes a handle using the pfn and an object
index. On hardware platforms with physical memory starting
at 0x0 the pfn can be 0. This causes the encoded handle to be
0 and is incorrectly interpreted as an allocation failure.
This issue affects all current and future SoCs with physical
memory starting at 0x0. All MSM8974 SoCs which includes
Google Nexus 5 devices are affected.
To prevent this false error we ensure that the encoded handle
will not be 0 when allocation succeeds.
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>