Lu Baolu [Tue, 26 Jan 2016 15:50:08 +0000 (17:50 +0200)]
usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
[ Upstream commit
ccc04afb72cddbdf7c0e1c17e92886405a71b754 ]
Intel Broxton M was verifed to require XHCI_PME_STUCK_QUIRK quirk as well.
Cc: stable@vger.kernel.org
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu Baolu [Tue, 26 Jan 2016 15:50:07 +0000 (17:50 +0200)]
usb: xhci: set SSIC port unused only if xhci_suspend succeeds
[ Upstream commit
92149c930cce1865d0d4aca2ab07c2b4b197b418 ]
XHCI_SSIC_PORT_UNUSED quirk was applied to the xHCI host controllers
in some Intel SoC chips. With this quirk applied, SSIC port is set
to "unused" prior to xhci_suspend(). This may cause problem if host
fails to suspend. In this case, the port is set to unused without
host further entering D3, and the port will not be usable anymore.
Cc: stable@vger.kernel.org
Signed-off-by: Zhuang Jin Can <jin.can.zhuang@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu Baolu [Tue, 26 Jan 2016 15:50:06 +0000 (17:50 +0200)]
usb: xhci: add a quirk bit for ssic port unused
[ Upstream commit
7e70cbffe236721051bbaff965e477df06dcb190 ]
Two workarounds introduced by commit
b8cb91e058cd ("xhci: Workaround
for PME stuck issues in Intel xhci") and commit
abce329c27b3 ("xhci:
Workaround to get D3 working in Intel xHCI") share a single quirk bit
XHCI_PME_STUCK_QUIRK. These two workarounds actually are different and
might happen on different hardwares. Need to separate them by adding a
quirk bit for the later.
Cc: stable@vger.kernel.org
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu Baolu [Tue, 26 Jan 2016 15:50:05 +0000 (17:50 +0200)]
usb: xhci: handle both SSIC ports in PME stuck quirk
[ Upstream commit
fa89537783cb442263fa5a14df6c7693eaf32f11 ]
Commit
abce329c27b3 ("xhci: Workaround to get D3 working in Intel xHCI")
adds a workaround for a limitation of PME storm caused by SSIC port in
some Intel SoCs. This commit only handled one SSIC port, while there
are actually two SSIC ports in the chips. This patch handles both SSIC
ports. Without this fix, users still see PME storm.
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Zhuang Jin Can <jin.can.zhuang@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mathias Nyman [Fri, 9 Oct 2015 10:30:08 +0000 (13:30 +0300)]
xhci: create one unified function to calculate TRB TD remainder.
[ Upstream commit
c840d6ce772d47c777070ca4bbbfbf21d8d727a3 ]
xhci versions 1.0 and later report the untransferred data remaining in a
TD a bit differently than older hosts.
We used to have separate functions for these, and needed to check host
version before calling the right function.
Now Mediatek host has an additional quirk on how it uses the TD Size
field for remaining data. To prevent yet another function for calculating
remainder we instead want to make one quirk friendly unified function.
Tested-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu, Baolu [Fri, 9 Oct 2015 10:30:10 +0000 (13:30 +0300)]
usb: xhci: Makefile: move xhci-pci and xhci-plat-hcd after xhci-hcd
[ Upstream commit
8451a34ff6c7c756e9e0f0094a3ba856c9734e5d ]
Module xhci-pci and xhci-plat-hcd depend on xhci-hcd. Module xhci-hcd
should be put at a place before xhci-pci and xhci-plat-hcd. Otherwise,
xhci_hcd_init() might be executed after other functions in xhci-hcd if
they are all selected to be built in.
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tomer Barletz [Mon, 21 Sep 2015 14:46:11 +0000 (17:46 +0300)]
xhci: Move xhci_pme_quirk() behind #ifdef CONFIG_PM
[ Upstream commit
2b7627b73e81e5d23d5ae1490fe8e690af86e053 ]
xhci_pme_quirk() is only used when CONFIG_PM is defined.
Compiling a kernel without PM complains about this function
[reworded commit message -Mathias]
Cc: <stable@vger.kernel.org>
Signed-off-by: Tomer Barletz <barletz@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mathias Nyman [Tue, 21 Jul 2015 14:20:25 +0000 (17:20 +0300)]
xhci: call BIOS workaround to enable runtime suspend on Intel Braswell
[ Upstream commit
c3c5819a350952439c3198aa46581f9e4c46557f ]
Intel xhci hw that require XHCI_PME_STUCK quirk have as default disabled
xhci from going to D3 state in runtime suspend. Driver needs to verify
it can deal with the hw by calling an ACPI _DSM method to get D3 enabled.
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Rajmohan Mani [Tue, 21 Jul 2015 14:20:26 +0000 (17:20 +0300)]
xhci: Workaround to get D3 working in Intel xHCI
[ Upstream commit
abce329c27b315cfc01be1a305ee976ee13ed4cf ]
The xHCI in Intel CherryView / Braswell Platform requires
a driver workaround to get xHCI D3 working. Without this
workaround, xHCI might not enter D3.
Workaround is to configure SSIC PORT as "unused" before D3
entry and "used" after D3 exit. This is done through a
vendor specific register (PORT2_SSIC_CONFIG_REG2 at offset
0x883c), in xhci suspend / resume callbacks.
Verified xHCI D3 works fine in CherryView / Braswell platform.
Signed-off-by: Rajmohan Mani <rajmohan.mani@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Matthew Wilcox [Wed, 3 Feb 2016 00:57:52 +0000 (16:57 -0800)]
radix-tree: fix race in gang lookup
[ Upstream commit
46437f9a554fbe3e110580ca08ab703b59f2f95a ]
If the indirect_ptr bit is set on a slot, that indicates we need to redo
the lookup. Introduce a new function radix_tree_iter_retry() which
forces the loop to retry the lookup by setting 'slot' to NULL and
turning the iterator back to point at the problematic entry.
This is a pretty rare problem to hit at the moment; the lookup has to
race with a grow of the radix tree from a height of 0. The consequences
of hitting this race are that gang lookup could return a pointer to a
radix_tree_node instead of a pointer to whatever the user had inserted
in the tree.
Fixes:
cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ohad Ben-Cohen <ohad@wizery.com>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Kirill A. Shutemov [Wed, 3 Feb 2016 00:57:35 +0000 (16:57 -0800)]
drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
[ Upstream commit
461c7fa126794157484dca48e88effa4963e3af3 ]
Reduced testcase:
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <numaif.h>
#define SIZE 0x2000
int main()
{
int fd;
void *p;
fd = open("/dev/sg0", O_RDWR);
p = mmap(NULL, SIZE, PROT_EXEC, MAP_PRIVATE | MAP_LOCKED, fd, 0);
mbind(p, SIZE, 0, NULL, 0, MPOL_MF_MOVE);
return 0;
}
We shouldn't try to migrate pages in sg VMA as we don't have a way to
update Sg_scatter_hold::pages accordingly from mm core.
Let's mark the VMA as VM_IO to indicate to mm core that the VMA is not
migratable.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Doug Gilbert <dgilbert@interlog.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Shiraz Hashim <shashim@codeaurora.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Wed, 3 Feb 2016 07:32:44 +0000 (08:32 +0100)]
ALSA: seq: Fix lockdep warnings due to double mutex locks
[ Upstream commit
7f0973e973cd74aa40747c9d38844560cd184ee8 ]
The port subscription code uses double mutex locks for source and
destination ports, and this may become racy once when wrongly set up.
It leads to lockdep warning splat, typically triggered by fuzzer like
syzkaller, although the actual deadlock hasn't been seen, so far.
This patch simplifies the handling by reducing to two single locks, so
that no lockdep warning will be trigger any longer.
By splitting to two actions, a still-in-progress element shall be
added in one list while handling another. For ignoring this element,
a new check is added in deliver_to_subscribers().
Along with it, the code to add/remove the subscribers list element was
cleaned up and refactored.
BugLink: http://lkml.kernel.org/r/CACT4Y+aKQXV7xkBW9hpQbzaDO7LrUvohxWh-UwMxXjDy-yBD=A@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Wed, 3 Feb 2016 13:41:22 +0000 (14:41 +0100)]
ALSA: rawmidi: Fix race at copying & updating the position
[ Upstream commit
81f577542af15640cbcb6ef68baa4caa610cbbfc ]
The rawmidi read and write functions manage runtime stream status
such as runtime->appl_ptr and runtime->avail. These point where to
copy the new data and how many bytes have been copied (or to be
read). The problem is that rawmidi read/write call copy_from_user()
or copy_to_user(), and the runtime spinlock is temporarily unlocked
and relocked while copying user-space. Since the current code
advances and updates the runtime status after the spin unlock/relock,
the copy and the update may be asynchronous, and eventually
runtime->avail might go to a negative value when many concurrent
accesses are done. This may lead to memory corruption in the end.
For fixing this race, in this patch, the status update code is
performed in the same lock before the temporary unlock. Also, the
spinlock is now taken more widely in snd_rawmidi_kernel_read1() for
protecting more properly during the whole operation.
BugLink: http://lkml.kernel.org/r/CACT4Y+b-dCmNf1GpgPKfDO0ih+uZCL2JV4__j-r1kdhPLSgQCQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Sun, 31 Jan 2016 10:57:41 +0000 (11:57 +0100)]
ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
[ Upstream commit
06ab30034ed9c200a570ab13c017bde248ddb2a6 ]
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
syzkaller fuzzer:
WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<
ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<
ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<
ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<
ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
[<
ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<
ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
[<
ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
[<
ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<
ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<
ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
[<
ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
Also a similar warning is found but in another path:
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<
ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<
ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<
ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<
ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
[<
ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
[<
ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<
ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
[<
ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
[<
ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<
ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<
ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
[<
ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
In the former case, the reason is that virmidi has an open code
calling snd_rawmidi_transmit_ack() with the value calculated outside
the spinlock. We may use snd_rawmidi_transmit() in a loop just for
consuming the input data, but even there, there is a race between
snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack().
Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and
snd_rawmidi_tranmit_ack() separately without protection, so they are
racy as well.
The patch tries to address these issues by the following ways:
- Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
snd_rawmidi_transmit_ack() to be called inside the explicit lock.
- Rewrite snd_rawmidi_transmit() to be race-free (the former case).
- Make the split calls (the latter case) protected in the rawmidi spin
lock.
BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com
BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Wed, 3 Feb 2016 11:32:51 +0000 (12:32 +0100)]
ALSA: hda - Add fixup for Mac Mini 7,1 model
[ Upstream commit
2154cc0e2d4ae15132d005d17e473327c70c9a06 ]
Mac Mini 7,1 model with CS4208 codec reports the headphone jack
detection wrongly in an inverted way. Moreover, the advertised pins
for the audio input and SPDIF output have actually no jack detection.
This patch addresses these issues. The inv_jack_detect flag is set
for fixing the headphone jack detection, and the pin configs for audio
input and SPDIF output are marked as non-detectable.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105161
Report-and-tested-by: moosotc@gmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Oded Gabbay [Sat, 30 Jan 2016 05:59:33 +0000 (07:59 +0200)]
drm/radeon: mask out WC from BO on unsupported arches
[ Upstream commit
c5244987394648913ae1a03879c58058a2fc2cee ]
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Michel Dänzer [Thu, 5 Nov 2015 08:25:27 +0000 (17:25 +0900)]
drm/radeon: Always disable RADEON_GEM_GTT_UC along with RADEON_GEM_GTT_WC
[ Upstream commit
a28bbd5824d4a2af98de45b300ab8d8fb39739fc ]
Write-combining is a CPU feature. From the GPU POV, these both simply
mean no GPU<->CPU cache coherency.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dave Airlie [Sat, 30 Jan 2016 05:59:32 +0000 (07:59 +0200)]
drm: add helper to check for wc memory support
[ Upstream commit
4b0e4e4af6c6dc8354dcb72182d52c1bc55f12fc ]
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Sat, 30 Jan 2016 22:09:08 +0000 (23:09 +0100)]
ALSA: timer: Fix link corruption due to double start or stop
[ Upstream commit
f784beb75ce82f4136f8a0960d3ee872f7109e09 ]
Although ALSA timer code got hardening for races, it still causes
use-after-free error. This is however rather a corrupted linked list,
not actually the concurrent accesses. Namely, when timer start is
triggered twice, list_add_tail() is called twice, too. This ends
up with the link corruption and triggers KASAN error.
The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly. So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Thu, 14 Jan 2016 16:01:46 +0000 (17:01 +0100)]
ALSA: timer: Code cleanup
[ Upstream commit
c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 ]
This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers pass
only it false.
- Remove redundant NULL check in _snd_timer_stop().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Sat, 30 Jan 2016 22:30:25 +0000 (23:30 +0100)]
ALSA: seq: Fix yet another races among ALSA timer accesses
[ Upstream commit
2cdc7b636d55cbcf42e1e6c8accd85e62d3e9ae8 ]
ALSA sequencer may open/close and control ALSA timer instance
dynamically either via sequencer events or direct ioctls. These are
done mostly asynchronously, and it may call still some timer action
like snd_timer_start() while another is calling snd_timer_close().
Since the instance gets removed by snd_timer_close(), it may lead to
a use-after-free.
This patch tries to address such a race by protecting each
snd_timer_*() call via the existing spinlock and also by avoiding the
access to timer during close call.
BugLink: http://lkml.kernel.org/r/CACT4Y+Z6RzW5MBr-HUdV-8zwg71WQfKTdPpYGvOeS7v4cyurNQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Sun, 31 Jan 2016 09:32:37 +0000 (10:32 +0100)]
ALSA: pcm: Fix potential deadlock in OSS emulation
[ Upstream commit
b248371628aad599a48540962f6b85a21a8a0c3f ]
There are potential deadlocks in PCM OSS emulation code while
accessing read/write and mmap concurrently. This comes from the
infamous mmap_sem usage in copy_from/to_user(). Namely,
snd_pcm_oss_write() ->
&runtime->oss.params_lock ->
copy_to_user() ->
&mm->mmap_sem
mmap() ->
&mm->mmap_sem ->
snd_pcm_oss_mmap() ->
&runtime->oss.params_lock
Since we can't avoid taking params_lock from mmap code path, use
trylock variant and aborts with -EAGAIN as a workaround of this AB/BA
deadlock.
BugLink: http://lkml.kernel.org/r/CACT4Y+bVrBKDG0G2_AcUgUQa+X91VKTeS4v+wN7BSHwHtqn3kQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Mon, 1 Feb 2016 11:04:55 +0000 (12:04 +0100)]
ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
[ Upstream commit
cc85f7a634cfaf9f0713c6aa06d08817424db37a ]
NULL user-space buffer can be passed even in a normal path, thus it's
not good to spew a kernel warning with stack trace at each time.
Just drop snd_BUG_ON() macro usage there.
BugLink: http://lkml.kernel.org/r/CACT4Y+YfVJ3L+q0i-4vyQVyyPD7V=OMX0PWPi29x9Bo3QaBLdw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Mon, 1 Feb 2016 11:06:42 +0000 (12:06 +0100)]
ALSA: seq: Fix race at closing in virmidi driver
[ Upstream commit
2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 ]
The virmidi driver has an open race at closing its assigned rawmidi
device, and this may lead to use-after-free in
snd_seq_deliver_single_event().
Plug the hole by properly protecting the linked list deletion and
calling in the right order in snd_virmidi_input_close().
BugLink: http://lkml.kernel.org/r/CACT4Y+Zd66+w12fNN85-425cVQT=K23kWbhnCEcMB8s3us-Frw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Wang, Rui Y [Wed, 27 Jan 2016 09:08:37 +0000 (17:08 +0800)]
crypto: algif_hash - wait for crypto_ahash_init() to complete
[ Upstream commit
fe09786178f9df713a4b2dd6b93c0a722346bf5e ]
hash_sendmsg/sendpage() need to wait for the completion
of crypto_ahash_init() otherwise it can cause panic.
Cc: stable@vger.kernel.org
Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lev Lybin [Fri, 29 Jan 2016 15:55:11 +0000 (22:55 +0700)]
ALSA: usb-audio: Add quirk for Microsoft LifeCam HD-6000
[ Upstream commit
1b3c993a699bed282e47c3f7c49d539c331dae04 ]
Microsoft LifeCam HD-6000 (045e:076f) requires the similar quirk for
avoiding the stall due to the invalid sample rate reads.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111491
Signed-off-by: Lev Lybin <lev.lybin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jurgen Kramer [Fri, 29 Jan 2016 13:59:25 +0000 (14:59 +0100)]
ALSA: usb-audio: Add native DSD support for PS Audio NuWave DAC
[ Upstream commit
ad678b4ccd41aa51cf5f142c0e8cffe9d61fc2bf ]
This patch adds native DSD support for the PS Audio NuWave DAC.
Signed-off-by: Jurgen Kramer <gtmkramer@xs4all.nl>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jurgen Kramer [Fri, 29 Jan 2016 13:49:55 +0000 (14:49 +0100)]
ALSA: usb-audio: Fix OPPO HA-1 vendor ID
[ Upstream commit
5327d6ba975042fd3da50ac6e94d1e9551ebeaec ]
In my patch adding native DSD support for the Oppo HA-1, the wrong vendor ID got
through. This patch fixes the vendor ID and aligns the comment.
Fixes:
a4eae3a506ea ('ALSA: usb: Add native DSD support for Oppo HA-1')
Signed-off-by: Jurgen Kramer <gtmkramer@xs4all.nl>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jani Nikula [Wed, 13 Jan 2016 14:35:20 +0000 (16:35 +0200)]
drm/i915/dp: fall back to 18 bpp when sink capability is unknown
[ Upstream commit
5efd407674068dede403551bea3b0b134c32513a ]
Per DP spec, the source device should fall back to 18 bpp, VESA range
RGB when the sink capability is unknown. Fix the color depth
clamping. 18 bpp color depth should ensure full color range in automatic
mode.
The clamping has been HDMI specific since its introduction in
commit
996a2239f93b03c5972923f04b097f65565c5bed
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Apr 19 11:24:34 2013 +0200
drm/i915: Disable high-bpc on pre-1.4 EDID screens
Cc: stable@vger.kernel.org
Reported-and-tested-by: Dihan Wickremasuriya <nayomal@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105331
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1452695720-7076-1-git-send-email-jani.nikula@intel.com
(cherry picked from commit
013dd9e038723bbd2aa67be51847384b75be8253)
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Herbert Xu [Tue, 26 Jan 2016 16:16:37 +0000 (00:16 +0800)]
crypto: shash - Fix has_key setting
[ Upstream commit
00420a65fa2beb3206090ead86942484df2275f3 ]
The has_key logic is wrong for shash algorithms as they always
have a setkey function. So we should instead be testing against
shash_no_setkey.
Fixes:
a5596d633278 ("crypto: hash - Add crypto_ahash_has_setkey")
Cc: stable@vger.kernel.org
Reported-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Nicolas Ferre [Wed, 27 Jan 2016 10:03:02 +0000 (11:03 +0100)]
ARM: dts: at91: sama5d4 xplained: fix phy0 IRQ type
[ Upstream commit
e873cc022ce5e2c04bbc53b5874494b657e29d3f ]
For phy0 KSZ8081, the type of GPIO IRQ should be "level low" instead of
"edge falling".
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Fixes:
38153a017896 ("ARM: at91/dt: sama5d4: add dts for sama5d4 xplained board")
Cc: <stable@vger.kernel.org> # 4.1+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Wenyou Yang [Wed, 27 Jan 2016 05:16:24 +0000 (13:16 +0800)]
ARM: dts: at91: sama5d4ek: add phy address and IRQ for macb0
[ Upstream commit
aae6b18f5c95b9dc78de66d1e27e8afeee2763b7 ]
On SAMA5D4EK board, the Ethernet doesn't work after resuming from the suspend
state.
Signed-off-by: Wenyou Yang <wenyou.yang@atmel.com>
[nicolas.ferre@atmel.com: adapt to newer kernel]
Fixes:
38153a017896 ("ARM: at91/dt: sama5d4: add dts for sama5d4 xplained board")
Cc: <stable@vger.kernel.org> # 4.1+
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mohamed Jamsheeth Hajanajubudeen [Fri, 11 Dec 2015 11:36:26 +0000 (17:06 +0530)]
ARM: dts: at91: sama5d4: fix instance id of DBGU
[ Upstream commit
929e883f2bfdf68d4bd3aec43912e956417005c7 ]
Change instance id of DBGU to 45.
Signed-off-by: Mohamed Jamsheeth Hajanajubudeen <mohamedjamsheeth.hajanajubudeen@atmel.com>
Fixes:
7c661394c56c ("ARM: at91: dt: add device tree file for SAMA5D4 SoC")
Cc: stable@vger.kernel.org # 3.18+
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Johannes Berg [Tue, 26 Jan 2016 10:29:03 +0000 (11:29 +0100)]
rfkill: fix rfkill_fop_read wait_event usage
[ Upstream commit
6736fde9672ff6717ac576e9bba2fd5f3dfec822 ]
The code within wait_event_interruptible() is called with
!TASK_RUNNING, so mustn't call any functions that can sleep,
like mutex_lock().
Since we re-check the list_empty() in a loop after the wait,
it's safe to simply use list_empty() without locking.
This bug has existed forever, but was only discovered now
because all userspace implementations, including the default
'rfkill' tool, use poll() or select() to get a readable fd
before attempting to read.
Cc: stable@vger.kernel.org
Fixes:
c64fb01627e24 ("rfkill: create useful userspace interface")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Sachin Kulkarni [Tue, 12 Jan 2016 09:00:19 +0000 (14:30 +0530)]
mac80211: Requeue work after scan complete for all VIF types.
[ Upstream commit
4fa11ec726a32ea6dd768dbb2e2af3453a98ec0a ]
During a sw scan ieee80211_iface_work ignores work items for all vifs.
However after the scan complete work is requeued only for STA, ADHOC
and MESH iftypes.
This occasionally results in event processing getting delayed/not
processed for iftype AP when it coexists with a STA. This can result
in data halt and eventually disconnection on the AP interface.
Cc: stable@vger.kernel.org
Signed-off-by: Sachin Kulkarni <Sachin.Kulkarni@imgtec.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tony Lindgren [Thu, 14 Jan 2016 20:20:48 +0000 (12:20 -0800)]
ARM: OMAP2+: Fix ppa_zero_params and ppa_por_params for rodata
[ Upstream commit
4da597d16602d14405b71a18d45e1c59f28f0fd2 ]
We don't want to write to .text so let's move ppa_zero_params and
ppa_por_params to .data and access them via pointers.
Note that I have not been able to test as we I don't have a HS
omap4 to test with. The code has been changed in similar way as
for omap3 though.
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Richard Woodruff <r-woodruff2@ti.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Tero Kristo <t-kristo@ti.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org # v4.0+
Fixes:
1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tony Lindgren [Thu, 14 Jan 2016 20:20:47 +0000 (12:20 -0800)]
ARM: OMAP2+: Fix save_secure_ram_context for rodata
[ Upstream commit
a5311d4d13df80bd71a9e47f9ecaf327f478fab1 ]
We don't want to write to .text and we can move save_secure_ram_context
into .data as it all gets copied into SRAM anyways.
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Richard Woodruff <r-woodruff2@ti.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Cc: Tero Kristo <t-kristo@ti.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org # v4.0+
Fixes:
1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tony Lindgren [Thu, 14 Jan 2016 20:20:47 +0000 (12:20 -0800)]
ARM: OMAP2+: Fix l2dis_3630 for rodata
[ Upstream commit
eeaf9646aca89d097861caa24d9818434e48810e ]
We don't want to write to .text section. Let's move l2dis_3630
to .data and access it via a pointer.
For calculating the offset, let's optimize out the add and do it
in ldr/str as suggested by Nicolas Pitre <nicolas.pitre@linaro.org>.
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Richard Woodruff <r-woodruff2@ti.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Tero Kristo <t-kristo@ti.com>
Cc: stable@vger.kernel.org # v4.0+
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org # v4.0+
Fixes:
1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tony Lindgren [Thu, 14 Jan 2016 20:20:47 +0000 (12:20 -0800)]
ARM: OMAP2+: Fix wait_dll_lock_timed for rodata
[ Upstream commit
d9db59103305eb5ec2a86369f32063e9921b6ac5 ]
We don't want to be writing to .text so it can be set rodata.
Fix error "Unable to handle kernel paging request at virtual address
c012396c" in wait_dll_lock_timed if CONFIG_DEBUG_RODATA is selected.
As these counters are for debugging only and unused, we can just
remove them.
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Nishanth Menon <nm@ti.com>
Cc: Richard Woodruff <r-woodruff2@ti.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Tero Kristo <t-kristo@ti.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org # v4.0+
Fixes:
1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Insu Yun [Sat, 23 Jan 2016 20:44:19 +0000 (15:44 -0500)]
ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
[ Upstream commit
2c3033a0664dfae91e1dee7fabac10f24354b958 ]
In acpiphp_enable_slot(), there is a missing unlock path
when error occurred. It needs to be unlocked before returning
an error.
Signed-off-by: Insu Yun <wuninsu@gmail.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Huacai Chen [Thu, 21 Jan 2016 13:09:52 +0000 (21:09 +0800)]
MIPS: Fix some missing CONFIG_CPU_MIPSR6 #ifdefs
[ Upstream commit
4f33f6c522948fffc345261896042b58dea23754 ]
Commit
be0c37c985eddc4 (MIPS: Rearrange PTE bits into fixed positions.)
defines fixed PTE bits for MIPS R2. Then, commit
d7b631419b3d230a4d383
(MIPS: pgtable-bits: Fix XPA damage to R6 definitions.) adds the MIPS
R6 definitions in the same way as MIPS R2. But some R6 #ifdefs in the
later commit are missing, so in this patch I fix that.
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12164/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mika Westerberg [Fri, 29 Jan 2016 14:49:47 +0000 (16:49 +0200)]
serial: 8250_pci: Add Intel Broadwell ports
[ Upstream commit
6c55d9b98335f7f6bd5f061866ff1633401f3a44 ]
Some recent (early 2015) macbooks have Intel Broadwell where LPSS UARTs are
PCI enumerated instead of ACPI. The LPSS UART block is pretty much same as
used on Intel Baytrail so we can reuse the existing Baytrail setup code.
Add both Broadwell LPSS UART ports to the list of supported devices.
Signed-off-by: Leif Liddy <leif.liddy@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Matt Fleming [Fri, 29 Jan 2016 11:36:10 +0000 (11:36 +0000)]
x86/mm/pat: Avoid truncation when converting cpa->numpages to address
[ Upstream commit
742563777e8da62197d6cb4b99f4027f59454735 ]
There are a couple of nasty truncation bugs lurking in the pageattr
code that can be triggered when mapping EFI regions, e.g. when we pass
a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
left by PAGE_SHIFT will truncate the resultant address to 32-bits.
Viorel-Cătălin managed to trigger this bug on his Dell machine that
provides a ~5GB EFI region which requires 1236992 pages to be mapped.
When calling populate_pud() the end of the region gets calculated
incorrectly in the following buggy expression,
end = start + (cpa->numpages << PAGE_SHIFT);
And only 188416 pages are mapped. Next, populate_pud() gets invoked
for a second time because of the loop in __change_page_attr_set_clr(),
only this time no pages get mapped because shifting the remaining
number of pages (1048576) by PAGE_SHIFT is zero. At which point the
loop in __change_page_attr_set_clr() spins forever because we fail to
map progress.
Hitting this bug depends very much on the virtual address we pick to
map the large region at and how many pages we map on the initial run
through the loop. This explains why this issue was only recently hit
with the introduction of commit
a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
entries bottom-up at runtime, instead of top-down")
It's interesting to note that safe uses of cpa->numpages do exist in
the pageattr code. If instead of shifting ->numpages we multiply by
PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
so the result is unsigned long.
To avoid surprises when users try to convert very large cpa->numpages
values to addresses, change the data type from 'int' to 'unsigned
long', thereby making it suitable for shifting by PAGE_SHIFT without
any type casting.
The alternative would be to make liberal use of casting, but that is
far more likely to cause problems in the future when someone adds more
code and fails to cast properly; this bug was difficult enough to
track down in the first place.
Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
Acked-by: Borislav Petkov <bp@alien8.de>
Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Samuel Thibault [Thu, 14 Jan 2016 23:47:41 +0000 (00:47 +0100)]
Staging: speakup: Fix getting port information
[ Upstream commit
327b882d3bcc1fba82dbd39b5cf5a838c81218e2 ]
Commit
f79b0d9c223c ("staging: speakup: Fixed warning <linux/serial.h>
instead of <asm/serial.h>") broke the port information in the speakup
driver: SERIAL_PORT_DFNS only gets defined if asm/serial.h is included,
and no other header includes asm/serial.h.
We here make sure serialio.c does get the arch-specific definition of
SERIAL_PORT_DFNS from asm/serial.h, if any.
Along the way, this makes sure that we do have information for the
requested serial port number (index)
Fixes:
f79b0d9c223c ("staging: speakup: Fixed warning <linux/serial.h> instead of <asm/serial.h>")
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: stable <stable@vger.kernel.org> # 3.18
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Rob Clark [Wed, 15 Oct 2014 19:00:47 +0000 (15:00 -0400)]
drm/vmwgfx: respect 'nomodeset'
[ Upstream commit
96c5d076f0a5e2023ecdb44d8261f87641ee71e0 ]
Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>.
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Thu, 28 Jan 2016 06:54:16 +0000 (07:54 +0100)]
ALSA: dummy: Disable switching timer backend via sysfs
[ Upstream commit
7ee96216c31aabe1eb42fb91ff50dae9fcd014b2 ]
ALSA dummy driver can switch the timer backend between system timer
and hrtimer via its hrtimer module option. This can be also switched
dynamically via sysfs, but it may lead to a memory corruption when
switching is done while a PCM stream is running; the stream instance
for the newly switched timer method tries to access the memory that
was allocated by another timer method although the sizes differ.
As the simplest fix, this patch just disables the switch via sysfs by
dropping the writable bit.
BugLink: http://lkml.kernel.org/r/CACT4Y+ZGEeEBntHW5WHn2GoeE0G_kRrCmUh6=dWyy-wfzvuJLg@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Slava Grigorev [Tue, 26 Jan 2016 22:35:57 +0000 (17:35 -0500)]
drm/radeon: fix DP audio support for APU with DCE4.1 display engine
[ Upstream commit
fe6fc1f132b4300c1f6defd43a5d673eb60a820d ]
Properly setup the DFS divider for DP audio for DCE4.1.
Signed-off-by: Slava Grigorev <slava.grigorev@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Slava Grigorev [Tue, 26 Jan 2016 21:56:25 +0000 (16:56 -0500)]
drm/radeon: Add a common function for DFS handling
[ Upstream commit
a64c9dab1c4d05c87ec8a1cb9b48915816462143 ]
Move encoding of DFS (digital frequency synthesizer) divider into a
separate function and improve calculation precision.
Signed-off-by: Slava Grigorev <slava.grigorev@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Slava Grigorev [Tue, 26 Jan 2016 21:45:10 +0000 (16:45 -0500)]
drm/radeon: cleaned up VCO output settings for DP audio
[ Upstream commit
c9a392eac18409f51a071520cf508c0b4ad990e2 ]
This is preparation for the fixes in the following patches.
Signed-off-by: Slava Grigorev <slava.grigorev@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Alex Deucher [Fri, 24 Jul 2015 04:42:02 +0000 (00:42 -0400)]
drm/radeon: rework audio modeset to handle non-audio hdmi features
[ Upstream commit
7726e72b3d6879ee5fc743a230eb6f5afa12844b ]
Need to setup the deep color and avi packets regardless of
audio setup.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jann Horn [Sat, 26 Dec 2015 05:00:48 +0000 (06:00 +0100)]
seccomp: always propagate NO_NEW_PRIVS on tsync
[ Upstream commit
103502a35cfce0710909da874f092cb44823ca03 ]
Before this patch, a process with some permissive seccomp filter
that was applied by root without NO_NEW_PRIVS was able to add
more filters to itself without setting NO_NEW_PRIVS by setting
the new filter from a throwaway thread with NO_NEW_PRIVS.
Signed-off-by: Jann Horn <jann@thejh.net>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Milo Kim [Wed, 13 Jan 2016 07:19:50 +0000 (16:19 +0900)]
irqchip/atmel-aic: Fix wrong bit operation for IRQ priority
[ Upstream commit
49f34134aea74f19ca016f055d25ee55ec359dee ]
Atmel AIC has common structure for SMR (Source Mode Register).
bit[6:5] Interrupt source type
bit[2:0] Priority level
Other bits are unused.
To update new priority value, bit[2:0] should be cleared first and then
new priority level can be written. However, aic_common_set_priority()
helper clears source type bits instead of priority bits.
This patch fixes wrong mask bit operation.
Fixes:
b1479ebb7720 "irqchip: atmel-aic: Add atmel AIC/AIC5 drivers"
Signed-off-by: Milo Kim <milo.kim@ti.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Ludovic Desroches <ludovic.desroches@atmel.com>
Cc: Nicholas Ferre <nicolas.ferre@atmel.com>
Cc: stable@vger.kernel.org #v3.17+
Link: http://lkml.kernel.org/r/1452669592-3401-2-git-send-email-milo.kim@ti.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Peter Hurley [Mon, 11 Jan 2016 06:40:58 +0000 (22:40 -0800)]
staging/speakup: Use tty_ldisc_ref() for paste kworker
[ Upstream commit
f4f9edcf9b5289ed96113e79fa65a7bf27ecb096 ]
As the function documentation for tty_ldisc_ref_wait() notes, it is
only callable from a tty file_operations routine; otherwise there
is no guarantee the ref won't be NULL.
The key difference with the VT's paste_selection() is that is an ioctl,
where __speakup_paste_selection() is completely async kworker, kicked
off from interrupt context.
Fixes:
28a821c30688 ("Staging: speakup: Update __speakup_paste_selection()
tty (ab)usage to match vt")
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Peter Hurley [Mon, 11 Jan 2016 06:40:56 +0000 (22:40 -0800)]
n_tty: Fix unsafe reference to "other" ldisc
[ Upstream commit
6d27a63caad3f13e96cf065d2d96828c2006be6b ]
Although n_tty_check_unthrottle() has a valid ldisc reference (since
the tty core gets the ldisc ref in tty_read() before calling the line
discipline read() method), it does not have a valid ldisc reference to
the "other" pty of a pty pair. Since getting an ldisc reference for
tty->link essentially open-codes tty_wakeup(), just replace with the
equivalent tty_wakeup().
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Peter Hurley [Mon, 11 Jan 2016 06:40:55 +0000 (22:40 -0800)]
tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
[ Upstream commit
5c17c861a357e9458001f021a7afa7aab9937439 ]
ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).
However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.
Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Alan Stern [Wed, 20 Jan 2016 16:26:01 +0000 (11:26 -0500)]
SCSI: fix crashes in sd and sr runtime PM
[ Upstream commit
13b4389143413a1f18127c07f72c74cad5b563e8 ]
Runtime suspend during driver probe and removal can cause problems.
The driver's runtime_suspend or runtime_resume callbacks may invoked
before the driver has finished binding to the device or after the
driver has unbound from the device.
This problem shows up with the sd and sr drivers, and can cause disk
or CD/DVD drives to become unusable as a result. The fix is simple.
The drivers store a pointer to the scsi_disk or scsi_cd structure as
their private device data when probing is finished, so we simply have
to be sure to clear the private data during removal and test it during
runtime suspend/resume.
This fixes <https://bugs.debian.org/801925>.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Paul Menzel <paul.menzel@giantmonkey.de>
Reported-by: Erich Schubert <erich@debian.org>
Reported-by: Alexandre Rossi <alexandre.rossi@gmail.com>
Tested-by: Paul Menzel <paul.menzel@giantmonkey.de>
Tested-by: Erich Schubert <erich@debian.org>
CC: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Gavin Shan [Wed, 2 Dec 2015 05:25:32 +0000 (16:25 +1100)]
powerpc/eeh: Fix PE location code
[ Upstream commit
7e56f627768da4e6480986b5145dc3422bc448a5 ]
In eeh_pe_loc_get(), the PE location code is retrieved from the
"ibm,loc-code" property of the device node for the bridge of the
PE's primary bus. It's not correct because the property indicates
the parent PE's location code.
This reads the correct PE location code from "ibm,io-base-loc-code"
or "ibm,slot-location-code" property of PE parent bus's device node.
Cc: stable@vger.kernel.org # v3.16+
Fixes:
357b2f3dd9b7 ("powerpc/eeh: Dump PE location code")
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Tested-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jan Beulich [Tue, 26 Jan 2016 11:15:18 +0000 (04:15 -0700)]
x86/mm: Fix types used in pgprot cacheability flags translations
[ Upstream commit
3625c2c234ef66acf21a72d47a5ffa94f6c5ebf2 ]
For PAE kernels "unsigned long" is not suitable to hold page protection
flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
few W+X pages getting reported as insecure during boot (observed namely
for the entire initrd range).
Fixes:
281d4078be ("x86: Make page cache mode a real type")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <JGross@suse.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mika Penttilä [Tue, 26 Jan 2016 15:47:25 +0000 (15:47 +0000)]
arm64: mm: avoid calling apply_to_page_range on empty range
[ Upstream commit
57adec866c0440976c96a4b8f5b59fb411b1cacb ]
Calling apply_to_page_range with an empty range results in a BUG_ON
from the core code. This can be triggered by trying to load the st_drv
module with CONFIG_DEBUG_SET_MODULE_RONX enabled:
kernel BUG at mm/memory.c:1874!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 3 PID: 1764 Comm: insmod Not tainted 4.5.0-rc1+ #2
Hardware name: ARM Juno development board (r0) (DT)
task:
ffffffc9763b8000 ti:
ffffffc975af8000 task.ti:
ffffffc975af8000
PC is at apply_to_page_range+0x2cc/0x2d0
LR is at change_memory_common+0x80/0x108
This patch fixes the issue by making change_memory_common (called by the
set_memory_* functions) a NOP when numpages == 0, therefore avoiding the
erroneous call to apply_to_page_range and bringing us into line with x86
and s390.
Cc: <stable@vger.kernel.org>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Mika Penttilä <mika.penttila@nextfour.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lucas Tanure [Mon, 25 Jan 2016 21:30:23 +0000 (19:30 -0200)]
ALSA: bebob: Use a signed return type for get_formation_index
[ Upstream commit
07905298e4d5777eb58516cdc242f7ac1ca387a2 ]
The return type "unsigned int" was used by the get_formation_index function
despite of the aspect that it will eventually return a negative error code.
So, change to signed int and get index by reference in the parameters.
Done with the help of Coccinelle.
[Fix the missing braces suggested by Julia Lawall -- tiwai]
Signed-off-by: Lucas Tanure <tanure@linux.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Tested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Michael S. Tsirkin [Thu, 14 Jan 2016 14:00:41 +0000 (16:00 +0200)]
virtio_pci: fix use after free on release
[ Upstream commit
2989be09a8a9d62a785137586ad941f916e08f83 ]
KASan detected a use-after-free error in virtio-pci remove code. In
virtio_pci_remove(), vp_dev is still used after being freed in
unregister_virtio_device() (in virtio_pci_release_dev() more
precisely).
To fix, keep a reference until cleanup is done.
Fixes:
63bd62a08ca4 ("virtio_pci: defer kfree until release callback")
Reported-by: Jerome Marchand <jmarchan@redhat.com>
Cc: stable@vger.kernel.org
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Guillaume Fougnies [Mon, 25 Jan 2016 23:28:27 +0000 (00:28 +0100)]
ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
[ Upstream commit
5a4ff9ec8d6edd2ab1cfe8ce6a080d6e57cbea9a ]
TEAC UD-501/UD-503/NT-503 fail to switch properly between different
rate/format. Similar to 'Playback Design', this patch corrects the
invalid clock source error for TEAC products and avoids complete
freeze of the usb interface of 503 series.
Signed-off-by: Guillaume Fougnies <guillaume@eulerian.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Mon, 25 Jan 2016 12:59:21 +0000 (13:59 +0100)]
ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
[ Upstream commit
462b3f161beb62eeb290f4ec52f5ead29a2f8ac7 ]
Some architectures like PowerPC can handle the maximum struct size in
an ioctl only up to 13 bits, and struct snd_compr_codec_caps used by
SNDRV_COMPRESS_GET_CODEC_CAPS ioctl overflows this limit. This
problem was revealed recently by a powerpc change, as it's now treated
as a fatal build error.
This patch is a stop-gap for that: for architectures with less than 14
bit ioctl struct size, get rid of the handling of the relevant ioctl.
We should provide an alternative equivalent ioctl code later, but for
now just paper over it. Luckily, the compress API hasn't been used on
such architectures, so the impact must be effectively zero.
Reviewed-by: Mark Brown <broonie@kernel.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
John Ernberg [Mon, 25 Jan 2016 12:27:17 +0000 (12:27 +0000)]
USB: option: fix Cinterion AHxx enumeration
[ Upstream commit
4152b387da81617c80cb2946b2d56e3958906b3e ]
In certain kernel configurations where the cdc_ether and option drivers
are compiled as modules there can occur a race condition in enumeration.
This causes the option driver to enumerate the ethernet(wwan) interface
as usb-serial interfaces.
usb-devices output for the modem:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1e2d ProdID=0055 Rev=00.00
S: Manufacturer=Cinterion
S: Product=AHx
C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=10mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
Signed-off-by: John Ernberg <john.ernberg@actia.se>
Fixes:
1941138e1c02 ("USB: added support for Cinterion's products...")
Cc: stable <stable@vger.kernel.org> # v3.9: 8ff10bdb14a52
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lorenzo Pieralisi [Wed, 13 Jan 2016 14:50:03 +0000 (14:50 +0000)]
arm64: kernel: fix architected PMU registers unconditional access
[ Upstream commit
f436b2ac90a095746beb6729b8ee8ed87c9eaede ]
The Performance Monitors extension is an optional feature of the
AArch64 architecture, therefore, in order to access Performance
Monitors registers safely, the kernel should detect the architected
PMU unit presence through the ID_AA64DFR0_EL1 register PMUVer field
before accessing them.
This patch implements a guard by reading the ID_AA64DFR0_EL1 register
PMUVer field to detect the architected PMU presence and prevent accessing
PMU system registers if the Performance Monitors extension is not
implemented in the core.
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: <stable@vger.kernel.org>
Fixes:
60792ad349f3 ("arm64: kernel: enforce pmuserenr_el0 initialization and restore")
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Greg Kroah-Hartman [Wed, 20 Jan 2016 07:43:13 +0000 (23:43 -0800)]
USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
[ Upstream commit
e03cdf22a2727c60307be6a729233edab3bfda9c ]
Harald Linden reports that the ftdi_sio driver works properly for the
Yaesu SCU-18 cable if the device ids are added to the driver. So let's
add them.
Reported-by: Harald Linden <harald.linden@7183.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Mon, 25 Jan 2016 10:24:56 +0000 (11:24 +0100)]
ALSA: seq: Degrade the error message for too many opens
[ Upstream commit
da10816e3d923565b470fec78a674baba794ed33 ]
ALSA OSS sequencer spews a kernel error message ("ALSA: seq_oss: too
many applications") when user-space tries to open more than the
limit. This means that it can easily fill the log buffer.
Since it's merely a normal error, it's safe to suppress it via
pr_debug() instead.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Takashi Iwai [Mon, 25 Jan 2016 10:01:47 +0000 (11:01 +0100)]
ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
[ Upstream commit
599151336638d57b98d92338aa59c048e3a3e97d ]
ALSA sequencer OSS emulation code has a sanity check for currently
opened devices, but there is a thinko there, eventually it spews
warnings and skips the operation wrongly like:
WARNING: CPU: 1 PID: 7573 at sound/core/seq/oss/seq_oss_synth.c:311
Fix this off-by-one error.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Daniele Palmas [Tue, 12 Jan 2016 16:22:06 +0000 (17:22 +0100)]
USB: serial: option: Adding support for Telit LE922
[ Upstream commit
ff4e2494dc17b173468e1713fdf6237fd8578bc7 ]
This patch adds support for two PIDs of LE922.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vladis Dronov [Tue, 12 Jan 2016 14:10:50 +0000 (15:10 +0100)]
USB: serial: visor: fix crash on detecting device without write_urbs
[ Upstream commit
cb3232138e37129e88240a98a1d2aba2187ff57c ]
The visor driver crashes in clie_5_attach() when a specially crafted USB
device without bulk-out endpoint is detected. This fix adds a check that
the device has proper configuration expected by the driver.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Fixes:
cfb8da8f69b8 ("USB: visor: fix initialisation of UX50/TH55 devices")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Johan Hovold [Tue, 12 Jan 2016 11:05:20 +0000 (12:05 +0100)]
USB: visor: fix null-deref at probe
[ Upstream commit
cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 ]
Fix null-pointer dereference at probe should a (malicious) Treo device
lack the expected endpoints.
Specifically, the Treo port-setup hack was dereferencing the bulk-in and
interrupt-in urbs without first making sure they had been allocated by
core.
Fixes:
1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Peter Dedecker [Fri, 8 Jan 2016 11:34:41 +0000 (12:34 +0100)]
USB: cp210x: add ID for IAI USB to RS485 adaptor
[ Upstream commit
f487c54ddd544e1c9172cd510954f697b77b76e3 ]
Added the USB serial console device ID for IAI Corp. RCB-CV-USB
USB to RS485 adaptor.
Signed-off-by: Peter Dedecker <peter.dedecker@hotmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Du, Changbin [Mon, 18 Jan 2016 13:02:42 +0000 (21:02 +0800)]
usb: hub: do not clear BOS field during reset device
[ Upstream commit
d8f00cd685f5c8e0def8593e520a7fef12c22407 ]
In function usb_reset_and_verify_device, the old BOS descriptor may
still be used before allocating a new one. (usb_unlocked_disable_lpm
function uses it under the situation that it fails to disable lpm.)
So we cannot set the udev->bos to NULL before that, just keep what it
was. It will be overwrite when allocating a new one.
Crash log:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000010
IP: [<
ffffffff8171f98d>] usb_enable_link_state+0x2d/0x2f0
Call Trace:
[<
ffffffff8171ed5b>] ? usb_set_lpm_timeout+0x12b/0x140
[<
ffffffff8171fcd1>] usb_enable_lpm+0x81/0xa0
[<
ffffffff8171fdd8>] usb_disable_lpm+0xa8/0xc0
[<
ffffffff8171fe1c>] usb_unlocked_disable_lpm+0x2c/0x50
[<
ffffffff81723933>] usb_reset_and_verify_device+0xc3/0x710
[<
ffffffff8172c4ed>] ? usb_sg_wait+0x13d/0x190
[<
ffffffff81724743>] usb_reset_device+0x133/0x280
[<
ffffffff8179ccd1>] usb_stor_port_reset+0x61/0x70
[<
ffffffff8179cd68>] usb_stor_invoke_transport+0x88/0x520
Signed-off-by: Du, Changbin <changbin.du@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Oliver Neukum [Mon, 18 Jan 2016 14:45:18 +0000 (15:45 +0100)]
cdc-acm:exclude Samsung phone 04e8:685d
[ Upstream commit
e912e685f372ab62a2405a1acd923597f524e94a ]
This phone needs to be handled by a specialised firmware tool
and is reported to crash irrevocably if cdc-acm takes it.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu Baolu [Wed, 6 Jan 2016 07:10:04 +0000 (15:10 +0800)]
usb: cdc-acm: send zero packet for intel 7260 modem
[ Upstream commit
ffdb1e369a73b380fce95b05f8498d92c43842b4 ]
For Intel 7260 modem, it is needed for host side to send zero
packet if the BULK OUT size is equal to USB endpoint max packet
length. Otherwise, modem side may still wait for more data and
cannot give response to host side.
Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lu Baolu [Wed, 30 Dec 2015 04:59:08 +0000 (12:59 +0800)]
usb: cdc-acm: handle unlinked urb in acm read callback
[ Upstream commit
19454462acb1bdef80542061bdc9b410e4ed1ff6 ]
In current acm driver, the bulk-in callback function ignores the
URBs unlinked in usb core.
This causes unexpected data loss in some cases. For example,
runtime suspend entry will unlinked all urbs and set urb->status
to -ENOENT even those urbs might have data not processed yet.
Hence, data loss occurs.
This patch lets bulk-in callback function handle unlinked urbs
to avoid data loss.
Signed-off-by: Tang Jian Qiang <jianqiang.tang@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Cc: stable@vger.kernel.org
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Josh Boyer [Sun, 24 Jan 2016 15:46:42 +0000 (10:46 -0500)]
ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
[ Upstream commit
6b31de3e698582fe0b8f7f4bab15831b73204800 ]
Like the Yoga 900 models the Lenovo Yoga 700 does not have a
hw rfkill switch, and trying to read the hw rfkill switch through the
ideapad module causes it to always reported blocking breaking wifi.
This commit adds the Lenovo Yoga 700 to the no_hw_rfkill dmi list, fixing
the wifi breakage.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1295272
Tested-by: <dinyar.rabady+spam@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Hans de Goede [Mon, 9 Nov 2015 16:09:05 +0000 (17:09 +0100)]
ideapad-laptop: Add Lenovo Yoga 900 to no_hw_rfkill dmi list
[ Upstream commit
f71c882dd4cfe4aa88ea07b1402ddd43605d4aef ]
Like some of the other Yoga models the Lenovo Yoga 900 does not have a
hw rfkill switch, and trying to read the hw rfkill switch through the
ideapad module causes it to always reported blocking breaking wifi.
This commit adds the Lenovo Yoga 900 to the no_hw_rfkill dmi list, fixing
the wifi breakage.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1275490
Cc: stable@vger.kernel.org
Reported-and-tested-by: Kevin Fenzi <kevin@scrye.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Trond Myklebust [Thu, 21 Jan 2016 20:39:40 +0000 (15:39 -0500)]
pNFS/flexfiles: Fix an XDR encoding bug in layoutreturn
[ Upstream commit
082fa37d1351a41afc491d44a1d095cb8d919aa2 ]
We must not skip encoding the statistics, or the server will see an
XDR encoding error.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: stable@vger.kernel.org # 4.0+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Tariq Saeed [Fri, 22 Jan 2016 00:40:39 +0000 (16:40 -0800)]
ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock
[ Upstream commit
b1b1e15ef6b80facf76d6757649dfd7295eda29f ]
NFS on a 2 node ocfs2 cluster each node exporting dir. The lock causing
the hang is the global bit map inode lock. Node 1 is master, has the
lock granted in PR mode; Node 2 is in the converting list (PR -> EX).
There are no holders of the lock on the master node so it should
downconvert to NL and grant EX to node 2 but that does not happen.
BLOCKED + QUEUED in lock res are set and it is on osb blocked list.
Threads are waiting in __ocfs2_cluster_lock on BLOCKED. One thread
wants EX, rest want PR. So it is as though the downconvert thread needs
to be kicked to complete the conv.
The hang is caused by an EX req coming into __ocfs2_cluster_lock on the
heels of a PR req after it sets BUSY (drops l_lock, releasing EX
thread), forcing the incoming EX to wait on BUSY without doing anything.
PR has called ocfs2_dlm_lock, which sets the node 1 lock from NL -> PR,
queues ast.
At this time, upconvert (PR ->EX) arrives from node 2, finds conflict
with node 1 lock in PR, so the lock res is put on dlm thread's dirty
listt.
After ret from ocf2_dlm_lock, PR thread now waits behind EX on BUSY till
awoken by ast.
Now it is dlm_thread that serially runs dlm_shuffle_lists, ast, bast, in
that order. dlm_shuffle_lists ques a bast on behalf of node 2 (which
will be run by dlm_thread right after the ast). ast does its part, sets
UPCONVERT_FINISHING, clears BUSY and wakes its waiters. Next,
dlm_thread runs bast. It sets BLOCKED and kicks dc thread. dc thread
runs ocfs2_unblock_lock, but since UPCONVERT_FINISHING set, skips doing
anything and reques.
Inside of __ocfs2_cluster_lock, since EX has been waiting on BUSY ahead
of PR, it wakes up first, finds BLOCKED set and skips doing anything but
clearing UPCONVERT_FINISHING (which was actually "meant" for the PR
thread), and this time waits on BLOCKED. Next, the PR thread comes out
of wait but since UPCONVERT_FINISHING is not set, it skips updating the
l_ro_holders and goes straight to wait on BLOCKED. So there, we have a
hang! Threads in __ocfs2_cluster_lock wait on BLOCKED, lock res in osb
blocked list. Only when dc thread is awoken, it will run
ocfs2_unblock_lock and things will unhang.
One way to fix this is to wake the dc thread on the flag after clearing
UPCONVERT_FINISHING
Orabug:
20933419
Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Reviewed-by: Wengang Wang <wen.gang.wang@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Eric Ren <zren@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Kirill A. Shutemov [Fri, 22 Jan 2016 00:40:27 +0000 (16:40 -0800)]
mm: fix mlock accouting
[ Upstream commit
7162a1e87b3e380133dadc7909081bb70d0a7041 ]
Tetsuo Handa reported underflow of NR_MLOCK on munlock.
Testcase:
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#define BASE ((void *)0x400000000000)
#define SIZE (1UL << 21)
int main(int argc, char *argv[])
{
void *addr;
system("grep Mlocked /proc/meminfo");
addr = mmap(BASE, SIZE, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE | MAP_LOCKED | MAP_FIXED,
-1, 0);
if (addr == MAP_FAILED)
printf("mmap() failed\n"), exit(1);
munmap(addr, SIZE);
system("grep Mlocked /proc/meminfo");
return 0;
}
It happens on munlock_vma_page() due to unfortunate choice of nr_pages
data type:
__mod_zone_page_state(zone, NR_MLOCK, -nr_pages);
For unsigned int nr_pages, implicitly casted to long in
__mod_zone_page_state(), it becomes something around UINT_MAX.
munlock_vma_page() usually called for THP as small pages go though
pagevec.
Let's make nr_pages signed int.
Similar fixes in
6cdb18ad98a4 ("mm/vmstat: fix overflow in
mod_zone_page_state()") used `long' type, but `int' here is OK for a
count of the number of sub-pages in a huge page.
Fixes:
ff6a6da60b89 ("mm: accelerate munlock() treatment of THP pages")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Michel Lespinasse <walken@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org> [4.4+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Ilya Dryomov [Mon, 28 Dec 2015 10:18:34 +0000 (13:18 +0300)]
libceph: fix ceph_msg_revoke()
[ Upstream commit
67645d7619738e51c668ca69f097cb90b5470422 ]
There are a number of problems with revoking a "was sending" message:
(1) We never make any attempt to revoke data - only kvecs contibute to
con->out_skip. However, once the header (envelope) is written to the
socket, our peer learns data_len and sets itself to expect at least
data_len bytes to follow front or front+middle. If ceph_msg_revoke()
is called while the messenger is sending message's data portion,
anything we send after that call is counted by the OSD towards the now
revoked message's data portion. The effects vary, the most common one
is the eventual hang - higher layers get stuck waiting for the reply to
the message that was sent out after ceph_msg_revoke() returned and
treated by the OSD as a bunch of data bytes. This is what Matt ran
into.
(2) Flat out zeroing con->out_kvec_bytes worth of bytes to handle kvecs
is wrong. If ceph_msg_revoke() is called before the tag is sent out or
while the messenger is sending the header, we will get a connection
reset, either due to a bad tag (0 is not a valid tag) or a bad header
CRC, which kind of defeats the purpose of revoke. Currently the kernel
client refuses to work with header CRCs disabled, but that will likely
change in the future, making this even worse.
(3) con->out_skip is not reset on connection reset, leading to one or
more spurious connection resets if we happen to get a real one between
con->out_skip is set in ceph_msg_revoke() and before it's cleared in
write_partial_skip().
Fixing (1) and (3) is trivial. The idea behind fixing (2) is to never
zero the tag or the header, i.e. send out tag+header regardless of when
ceph_msg_revoke() is called. That way the header is always correct, no
unnecessary resets are induced and revoke stands ready for disabled
CRCs. Since ceph_msg_revoke() rips out con->out_msg, introduce a new
"message out temp" and copy the header into it before sending.
Cc: stable@vger.kernel.org # 4.0+
Reported-by: Matt Conner <matt.conner@keepertech.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Tested-by: Matt Conner <matt.conner@keepertech.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mateusz Guzik [Wed, 20 Jan 2016 23:01:02 +0000 (15:01 -0800)]
prctl: take mmap sem for writing to protect against others
[ Upstream commit
ddf1d398e517e660207e2c807f76a90df543a217 ]
An unprivileged user can trigger an oops on a kernel with
CONFIG_CHECKPOINT_RESTORE.
proc_pid_cmdline_read takes mmap_sem for reading and obtains args + env
start/end values. These get sanity checked as follows:
BUG_ON(arg_start > arg_end);
BUG_ON(env_start > env_end);
These can be changed by prctl_set_mm. Turns out also takes the semaphore for
reading, effectively rendering it useless. This results in:
kernel BUG at fs/proc/base.c:240!
invalid opcode: 0000 [#1] SMP
Modules linked in: virtio_net
CPU: 0 PID: 925 Comm: a.out Not tainted 4.4.0-rc8-next-20160105dupa+ #71
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task:
ffff880077a68000 ti:
ffff8800784d0000 task.ti:
ffff8800784d0000
RIP: proc_pid_cmdline_read+0x520/0x530
RSP: 0018:
ffff8800784d3db8 EFLAGS:
00010206
RAX:
ffff880077c5b6b0 RBX:
ffff8800784d3f18 RCX:
0000000000000000
RDX:
0000000000000002 RSI:
00007f78e8857000 RDI:
0000000000000246
RBP:
ffff8800784d3e40 R08:
0000000000000008 R09:
0000000000000001
R10:
0000000000000000 R11:
0000000000000001 R12:
0000000000000050
R13:
00007f78e8857800 R14:
ffff88006fcef000 R15:
ffff880077c5b600
FS:
00007f78e884a740(0000) GS:
ffff88007b200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
00007f78e8361770 CR3:
00000000790a5000 CR4:
00000000000006f0
Call Trace:
__vfs_read+0x37/0x100
vfs_read+0x82/0x130
SyS_read+0x58/0xd0
entry_SYSCALL_64_fastpath+0x12/0x76
Code: 4c 8b 7d a8 eb e9 48 8b 9d 78 ff ff ff 4c 8b 7d 90 48 8b 03 48 39 45 a8 0f 87 f0 fe ff ff e9 d1 fe ff ff 4c 8b 7d 90 eb c6 0f 0b <0f> 0b 0f 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
RIP proc_pid_cmdline_read+0x520/0x530
---[ end trace
97882617ae9c6818 ]---
Turns out there are instances where the code just reads aformentioned
values without locking whatsoever - namely environ_read and get_cmdline.
Interestingly these functions look quite resilient against bogus values,
but I don't believe this should be relied upon.
The first patch gets rid of the oops bug by grabbing mmap_sem for
writing.
The second patch is optional and puts locking around aformentioned
consumers for safety. Consumers of other fields don't seem to benefit
from similar treatment and are left untouched.
This patch (of 2):
The code was taking the semaphore for reading, which does not protect
against readers nor concurrent modifications.
The problem could cause a sanity checks to fail in procfs's cmdline
reader, resulting in an OOPS.
Note that some functions perform an unlocked read of various mm fields,
but they seem to be fine despite possible modificaton.
Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Jarod Wilson <jarod@redhat.com>
Cc: Jan Stancek <jstancek@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Anshuman Khandual <anshuman.linux@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
James Bottomley [Wed, 20 Jan 2016 22:58:29 +0000 (14:58 -0800)]
string_helpers: fix precision loss for some inputs
[ Upstream commit
564b026fbd0d28e9f70fb3831293d2922bb7855b ]
It was noticed that we lose precision in the final calculation for some
inputs. The most egregious example is size=3000 blk_size=1900 in units
of 10 should yield 5.70 MB but in fact yields 3.00 MB (oops).
This is because the current algorithm doesn't correctly account for
all the remainders in the logarithms. Fix this by doing a correct
calculation in the remainders based on napier's algorithm.
Additionally, now we have the correct result, we have to account for
arithmetic rounding because we're printing 3 digits of precision. This
means that if the fourth digit is five or greater, we have to round up,
so add a section to ensure correct rounding. Finally account for all
possible inputs correctly, including zero for block size.
Fixes:
b9f28d863594c429e1df35a0474d2663ca28b307
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: <stable@vger.kernel.org> [delay until after 4.4 release]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vitaly Kuznetsov [Thu, 17 Sep 2015 23:01:51 +0000 (16:01 -0700)]
lib/string_helpers.c: fix infinite loop in string_get_size()
[ Upstream commit
62bef58a55dfa8ada2a22b2496c6340468ecd98a ]
Some string_get_size() calls (e.g.:
string_get_size(1, 512, STRING_UNITS_10, ..., ...)
string_get_size(15, 64, STRING_UNITS_10, ..., ...)
) result in an infinite loop. The problem is that if size is equal to
divisor[units]/blk_size and is smaller than divisor[units] we'll end
up with size == 0 when we start doing sf_cap calculations:
For string_get_size(1, 512, STRING_UNITS_10, ..., ...) case:
...
remainder = do_div(size, divisor[units]); -> size is 0, remainder is 1
remainder *= blk_size; -> remainder is 512
...
size *= blk_size; -> size is still 0
size += remainder / divisor[units]; -> size is still 0
The caller causing the issue is sd_read_capacity(), the problem was
noticed on Hyper-V, such weird size was reported by host when scanning
collides with device removal. This is probably a separate issue worth
fixing, this patch is intended to prevent the library routine from
infinite looping.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: James Bottomley <JBottomley@Odin.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Junil Lee [Wed, 20 Jan 2016 22:58:18 +0000 (14:58 -0800)]
zsmalloc: fix migrate_zspage-zs_free race condition
[ Upstream commit
c102f07ca0b04f2cb49cfc161c83f6239d17f491 ]
record_obj() in migrate_zspage() does not preserve handle's
HANDLE_PIN_BIT, set by find_aloced_obj()->trypin_tag(), and implicitly
(accidentally) un-pins the handle, while migrate_zspage() still performs
an explicit unpin_tag() on the that handle. This additional explicit
unpin_tag() introduces a race condition with zs_free(), which can pin
that handle by this time, so the handle becomes un-pinned.
Schematically, it goes like this:
CPU0 CPU1
migrate_zspage
find_alloced_obj
trypin_tag
set HANDLE_PIN_BIT zs_free()
pin_tag()
obj_malloc() -- new object, no tag
record_obj() -- remove HANDLE_PIN_BIT set HANDLE_PIN_BIT
unpin_tag() -- remove zs_free's HANDLE_PIN_BIT
The race condition may result in a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address
00000000
CPU: 0 PID: 19001 Comm: CookieMonsterCl Tainted:
PC is at get_zspage_mapping+0x0/0x24
LR is at obj_free.isra.22+0x64/0x128
Call trace:
get_zspage_mapping+0x0/0x24
zs_free+0x88/0x114
zram_free_page+0x64/0xcc
zram_slot_free_notify+0x90/0x108
swap_entry_free+0x278/0x294
free_swap_and_cache+0x38/0x11c
unmap_single_vma+0x480/0x5c8
unmap_vmas+0x44/0x60
exit_mmap+0x50/0x110
mmput+0x58/0xe0
do_exit+0x320/0x8dc
do_group_exit+0x44/0xa8
get_signal+0x538/0x580
do_signal+0x98/0x4b8
do_notify_resume+0x14/0x5c
This patch keeps the lock bit in migration path and update value
atomically.
Signed-off-by: Junil Lee <junil0814.lee@lge.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: <stable@vger.kernel.org> [4.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Herbert Xu [Tue, 19 Jan 2016 13:23:57 +0000 (21:23 +0800)]
crypto: algif_skcipher - sendmsg SG marking is off by one
[ Upstream commit
202736d99b7f29279db9da61587f11a08a04a9c6 ]
We mark the end of the SG list in sendmsg and sendpage and unmark
it on the next send call. Unfortunately the unmarking in sendmsg
is off-by-one, leading to an SG list that is too short.
Fixes:
0f477b655a52 ("crypto: algif - Mark sgl end at the end of data")
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Nicholas Bellinger [Wed, 20 Jan 2016 00:15:27 +0000 (16:15 -0800)]
iscsi-target: Fix potential dead-lock during node acl delete
[ Upstream commit
26a99c19f810b2593410899a5b304b21b47428a6 ]
This patch is a iscsi-target specific bug-fix for a dead-lock
that can occur during explicit struct se_node_acl->acl_group
se_session deletion via configfs rmdir(2), when iscsi-target
time2retain timer is still active.
It changes iscsi-target to obtain se_portal_group->session_lock
internally using spin_in_locked() to check for the specific
se_node_acl configfs shutdown rmdir(2) case.
Note this patch is intended for stable, and the subsequent
v4.5-rc patch converts target_core_tpg.c to use proper
se_sess->sess_kref reference counting for both se_node_acl
deletion + se_node_acl->queue_depth se_session restart.
Reported-by:: Sagi Grimberg <sagig@mellanox.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Andy Grover <agrover@redhat.com>
Cc: Mike Christie <michaelc@cs.wisc.edu>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Filipe Manana [Fri, 15 Jan 2016 11:05:12 +0000 (11:05 +0000)]
Btrfs: fix deadlock running delayed iputs at transaction commit time
[ Upstream commit
c2d6cb1636d235257086f939a8194ef0bf93af6e ]
While running a stress test I ran into a deadlock when running the delayed
iputs at transaction time, which produced the following report and trace:
[ 886.399989] =============================================
[ 886.400871] [ INFO: possible recursive locking detected ]
[ 886.401663] 4.4.0-rc6-btrfs-next-18+ #1 Not tainted
[ 886.402384] ---------------------------------------------
[ 886.403182] fio/8277 is trying to acquire lock:
[ 886.403568] (&fs_info->delayed_iput_sem){++++..}, at: [<
ffffffffa0538823>] btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.403568]
[ 886.403568] but task is already holding lock:
[ 886.403568] (&fs_info->delayed_iput_sem){++++..}, at: [<
ffffffffa0538823>] btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.403568]
[ 886.403568] other info that might help us debug this:
[ 886.403568] Possible unsafe locking scenario:
[ 886.403568]
[ 886.403568] CPU0
[ 886.403568] ----
[ 886.403568] lock(&fs_info->delayed_iput_sem);
[ 886.403568] lock(&fs_info->delayed_iput_sem);
[ 886.403568]
[ 886.403568] *** DEADLOCK ***
[ 886.403568]
[ 886.403568] May be due to missing lock nesting notation
[ 886.403568]
[ 886.403568] 3 locks held by fio/8277:
[ 886.403568] #0: (sb_writers#11){.+.+.+}, at: [<
ffffffff81174c4c>] __sb_start_write+0x5f/0xb0
[ 886.403568] #1: (&sb->s_type->i_mutex_key#15){+.+.+.}, at: [<
ffffffffa054620d>] btrfs_file_write_iter+0x73/0x408 [btrfs]
[ 886.403568] #2: (&fs_info->delayed_iput_sem){++++..}, at: [<
ffffffffa0538823>] btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.403568]
[ 886.403568] stack backtrace:
[ 886.403568] CPU: 6 PID: 8277 Comm: fio Not tainted 4.4.0-rc6-btrfs-next-18+ #1
[ 886.403568] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[ 886.403568]
0000000000000000 ffff88009f80f770 ffffffff8125d4fd ffffffff82af1fc0
[ 886.403568]
ffff88009f80f830 ffffffff8108e5f9 0000000200000000 ffff88009fd92290
[ 886.403568]
0000000000000000 ffffffff82af1fc0 ffffffff829cfb01 00042b216d008804
[ 886.403568] Call Trace:
[ 886.403568] [<
ffffffff8125d4fd>] dump_stack+0x4e/0x79
[ 886.403568] [<
ffffffff8108e5f9>] __lock_acquire+0xd42/0xf0b
[ 886.403568] [<
ffffffff810c22db>] ? __module_address+0xdf/0x108
[ 886.403568] [<
ffffffff8108eb77>] lock_acquire+0x10d/0x194
[ 886.403568] [<
ffffffff8108eb77>] ? lock_acquire+0x10d/0x194
[ 886.403568] [<
ffffffffa0538823>] ? btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.489542] [<
ffffffff8148556b>] down_read+0x3e/0x4d
[ 886.489542] [<
ffffffffa0538823>] ? btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.489542] [<
ffffffffa0538823>] btrfs_run_delayed_iputs+0x36/0xbf [btrfs]
[ 886.489542] [<
ffffffffa0533953>] btrfs_commit_transaction+0x8f5/0x96e [btrfs]
[ 886.489542] [<
ffffffffa0521d7a>] flush_space+0x435/0x44a [btrfs]
[ 886.489542] [<
ffffffffa052218b>] ? reserve_metadata_bytes+0x26a/0x384 [btrfs]
[ 886.489542] [<
ffffffffa05221ae>] reserve_metadata_bytes+0x28d/0x384 [btrfs]
[ 886.489542] [<
ffffffffa052256c>] ? btrfs_block_rsv_refill+0x58/0x96 [btrfs]
[ 886.489542] [<
ffffffffa0522584>] btrfs_block_rsv_refill+0x70/0x96 [btrfs]
[ 886.489542] [<
ffffffffa053d747>] btrfs_evict_inode+0x394/0x55a [btrfs]
[ 886.489542] [<
ffffffff81188e31>] evict+0xa7/0x15c
[ 886.489542] [<
ffffffff81189878>] iput+0x1d3/0x266
[ 886.489542] [<
ffffffffa053887c>] btrfs_run_delayed_iputs+0x8f/0xbf [btrfs]
[ 886.489542] [<
ffffffffa0533953>] btrfs_commit_transaction+0x8f5/0x96e [btrfs]
[ 886.489542] [<
ffffffff81085096>] ? signal_pending_state+0x31/0x31
[ 886.489542] [<
ffffffffa0521191>] btrfs_alloc_data_chunk_ondemand+0x1d7/0x288 [btrfs]
[ 886.489542] [<
ffffffffa0521282>] btrfs_check_data_free_space+0x40/0x59 [btrfs]
[ 886.489542] [<
ffffffffa05228f5>] btrfs_delalloc_reserve_space+0x1e/0x4e [btrfs]
[ 886.489542] [<
ffffffffa053620a>] btrfs_direct_IO+0x10c/0x27e [btrfs]
[ 886.489542] [<
ffffffff8111d9a1>] generic_file_direct_write+0xb3/0x128
[ 886.489542] [<
ffffffffa05463c3>] btrfs_file_write_iter+0x229/0x408 [btrfs]
[ 886.489542] [<
ffffffff8108ae38>] ? __lock_is_held+0x38/0x50
[ 886.489542] [<
ffffffff8117279e>] __vfs_write+0x7c/0xa5
[ 886.489542] [<
ffffffff81172cda>] vfs_write+0xa0/0xe4
[ 886.489542] [<
ffffffff811734cc>] SyS_write+0x50/0x7e
[ 886.489542] [<
ffffffff814872d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
[ 1081.852335] INFO: task fio:8244 blocked for more than 120 seconds.
[ 1081.854348] Not tainted 4.4.0-rc6-btrfs-next-18+ #1
[ 1081.857560] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1081.863227] fio D
ffff880213f9bb28 0 8244 8240 0x00000000
[ 1081.868719]
ffff880213f9bb28 00ffffff810fc6b0 ffffffff0000000a ffff88023ed55240
[ 1081.872499]
ffff880206b5d400 ffff880213f9c000 ffff88020a4d5318 ffff880206b5d400
[ 1081.876834]
ffffffff00000001 ffff880206b5d400 ffff880213f9bb40 ffffffff81482ba4
[ 1081.880782] Call Trace:
[ 1081.881793] [<
ffffffff81482ba4>] schedule+0x7f/0x97
[ 1081.883340] [<
ffffffff81485eb5>] rwsem_down_write_failed+0x2d5/0x325
[ 1081.895525] [<
ffffffff8108d48d>] ? trace_hardirqs_on_caller+0x16/0x1ab
[ 1081.897419] [<
ffffffff81269723>] call_rwsem_down_write_failed+0x13/0x20
[ 1081.899251] [<
ffffffff81269723>] ? call_rwsem_down_write_failed+0x13/0x20
[ 1081.901063] [<
ffffffff81089fae>] ? __down_write_nested.isra.0+0x1f/0x21
[ 1081.902365] [<
ffffffff814855bd>] down_write+0x43/0x57
[ 1081.903846] [<
ffffffffa05211b0>] ? btrfs_alloc_data_chunk_ondemand+0x1f6/0x288 [btrfs]
[ 1081.906078] [<
ffffffffa05211b0>] btrfs_alloc_data_chunk_ondemand+0x1f6/0x288 [btrfs]
[ 1081.908846] [<
ffffffff8108d461>] ? mark_held_locks+0x56/0x6c
[ 1081.910409] [<
ffffffffa0521282>] btrfs_check_data_free_space+0x40/0x59 [btrfs]
[ 1081.912482] [<
ffffffffa05228f5>] btrfs_delalloc_reserve_space+0x1e/0x4e [btrfs]
[ 1081.914597] [<
ffffffffa053620a>] btrfs_direct_IO+0x10c/0x27e [btrfs]
[ 1081.919037] [<
ffffffff8111d9a1>] generic_file_direct_write+0xb3/0x128
[ 1081.920754] [<
ffffffffa05463c3>] btrfs_file_write_iter+0x229/0x408 [btrfs]
[ 1081.922496] [<
ffffffff8108ae38>] ? __lock_is_held+0x38/0x50
[ 1081.923922] [<
ffffffff8117279e>] __vfs_write+0x7c/0xa5
[ 1081.925275] [<
ffffffff81172cda>] vfs_write+0xa0/0xe4
[ 1081.926584] [<
ffffffff811734cc>] SyS_write+0x50/0x7e
[ 1081.927968] [<
ffffffff814872d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
[ 1081.985293] INFO: lockdep is turned off.
[ 1081.986132] INFO: task fio:8249 blocked for more than 120 seconds.
[ 1081.987434] Not tainted 4.4.0-rc6-btrfs-next-18+ #1
[ 1081.988534] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1081.990147] fio D
ffff880218febbb8 0 8249 8240 0x00000000
[ 1081.991626]
ffff880218febbb8 00ffffff81486b8e ffff88020000000b ffff88023ed75240
[ 1081.993258]
ffff8802120a9a00 ffff880218fec000 ffff88020a4d5318 ffff8802120a9a00
[ 1081.994850]
ffffffff00000001 ffff8802120a9a00 ffff880218febbd0 ffffffff81482ba4
[ 1081.996485] Call Trace:
[ 1081.997037] [<
ffffffff81482ba4>] schedule+0x7f/0x97
[ 1081.998017] [<
ffffffff81485eb5>] rwsem_down_write_failed+0x2d5/0x325
[ 1081.999241] [<
ffffffff810852a5>] ? finish_wait+0x6d/0x76
[ 1082.000306] [<
ffffffff81269723>] call_rwsem_down_write_failed+0x13/0x20
[ 1082.001533] [<
ffffffff81269723>] ? call_rwsem_down_write_failed+0x13/0x20
[ 1082.002776] [<
ffffffff81089fae>] ? __down_write_nested.isra.0+0x1f/0x21
[ 1082.003995] [<
ffffffff814855bd>] down_write+0x43/0x57
[ 1082.005000] [<
ffffffffa05211b0>] ? btrfs_alloc_data_chunk_ondemand+0x1f6/0x288 [btrfs]
[ 1082.007403] [<
ffffffffa05211b0>] btrfs_alloc_data_chunk_ondemand+0x1f6/0x288 [btrfs]
[ 1082.008988] [<
ffffffffa0545064>] btrfs_fallocate+0x7c1/0xc2f [btrfs]
[ 1082.010193] [<
ffffffff8108a1ba>] ? percpu_down_read+0x4e/0x77
[ 1082.011280] [<
ffffffff81174c4c>] ? __sb_start_write+0x5f/0xb0
[ 1082.012265] [<
ffffffff81174c4c>] ? __sb_start_write+0x5f/0xb0
[ 1082.013021] [<
ffffffff811712e4>] vfs_fallocate+0x170/0x1ff
[ 1082.013738] [<
ffffffff81181ebb>] ioctl_preallocate+0x89/0x9b
[ 1082.014778] [<
ffffffff811822d7>] do_vfs_ioctl+0x40a/0x4ea
[ 1082.015778] [<
ffffffff81176ea7>] ? SYSC_newfstat+0x25/0x2e
[ 1082.016806] [<
ffffffff8118b4de>] ? __fget_light+0x4d/0x71
[ 1082.017789] [<
ffffffff8118240e>] SyS_ioctl+0x57/0x79
[ 1082.018706] [<
ffffffff814872d7>] entry_SYSCALL_64_fastpath+0x12/0x6f
This happens because we can recursively acquire the semaphore
fs_info->delayed_iput_sem when attempting to allocate space to satisfy
a file write request as shown in the first trace above - when committing
a transaction we acquire (down_read) the semaphore before running the
delayed iputs, and when running a delayed iput() we can end up calling
an inode's eviction handler, which in turn commits another transaction
and attempts to acquire (down_read) again the semaphore to run more
delayed iput operations.
This results in a deadlock because if a task acquires multiple times a
semaphore it should invoke down_read_nested() with a different lockdep
class for each level of recursion.
Fix this by simplifying the implementation and use a mutex instead that
is acquired by the cleaner kthread before it runs the delayed iputs
instead of always acquiring a semaphore before delayed references are
run from anywhere.
Fixes:
d7c151717a1e (btrfs: Fix NO_SPACE bug caused by delayed-iput)
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
David Sterba [Thu, 19 Nov 2015 13:15:51 +0000 (14:15 +0100)]
btrfs: put delayed item hook into inode
[ Upstream commit
8089fe62c6603860f6796ca80519b92391292f21 ]
Inodes for delayed iput allocate a trivial helper structure, let's place
the list hook directly into the inode and save a kmalloc (killing a
__GFP_NOFAIL as a bonus) at the cost of increasing size of btrfs_inode.
The inode can be put into the delayed_iputs list more than once and we
have to keep the count. This means we can't use the list_splice to
process a bunch of inodes because we'd lost track of the count if the
inode is put into the delayed iputs again while it's processed.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Josh Boyer [Thu, 10 Dec 2015 02:12:52 +0000 (21:12 -0500)]
ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list
[ Upstream commit
edde316acb5f07c04abf09a92f59db5d2efd14e2 ]
One of the newest ideapad models also lacks a physical hw rfkill switch,
and trying to read the hw rfkill switch through the ideapad module
causes it to always reported blocking breaking wifi.
Fix it by adding this model to the DMI list.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293
Cc: stable@vger.kernel.org
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vinit Agnihotri [Mon, 11 Jan 2016 17:57:25 +0000 (12:57 -0500)]
IB/qib: Support creating qps with GFP_NOIO flag
[ Upstream commit
fbbeb8632bf0b46ab44cfcedc4654cd7831b7161 ]
The current code is problematic when the QP creation and ipoib is used to
support NFS and NFS desires to do IO for paging purposes. In that case, the
GFP_KERNEL allocation in qib_qp.c causes a deadlock in tight memory
situations.
This fix adds support to create queue pair with GFP_NOIO flag for connected
mode only to cleanly fail the create queue pair in those situations.
Cc: <stable@vger.kernel.org> # 3.16+
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Vinit Agnihotri <vinit.abhay.agnihotri@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mike Marciniszyn [Thu, 7 Jan 2016 21:44:10 +0000 (16:44 -0500)]
IB/qib: fix mcast detach when qp not attached
[ Upstream commit
09dc9cd6528f5b52bcbd3292a6312e762c85260f ]
The code produces the following trace:
[1750924.419007] general protection fault: 0000 [#3] SMP
[1750924.420364] Modules linked in: nfnetlink autofs4 rpcsec_gss_krb5 nfsv4
dcdbas rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl dm_multipath nfs lockd
scsi_dh sunrpc fscache radeon ttm drm_kms_helper drm serio_raw parport_pc
ppdev i2c_algo_bit lpc_ich ipmi_si ib_mthca ib_qib dca lp parport ib_ipoib
mac_hid ib_cm i3000_edac ib_sa ib_uverbs edac_core ib_umad ib_mad ib_core
ib_addr tg3 ptp dm_mirror dm_region_hash dm_log psmouse pps_core
[1750924.420364] CPU: 1 PID: 8401 Comm: python Tainted: G D
3.13.0-39-generic #66-Ubuntu
[1750924.420364] Hardware name: Dell Computer Corporation PowerEdge
860/0XM089, BIOS A04 07/24/2007
[1750924.420364] task:
ffff8800366a9800 ti:
ffff88007af1c000 task.ti:
ffff88007af1c000
[1750924.420364] RIP: 0010:[<
ffffffffa0131d51>] [<
ffffffffa0131d51>]
qib_mcast_qp_free+0x11/0x50 [ib_qib]
[1750924.420364] RSP: 0018:
ffff88007af1dd70 EFLAGS:
00010246
[1750924.420364] RAX:
0000000000000001 RBX:
ffff88007b822688 RCX:
000000000000000f
[1750924.420364] RDX:
ffff88007b822688 RSI:
ffff8800366c15a0 RDI:
6764697200000000
[1750924.420364] RBP:
ffff88007af1dd78 R08:
0000000000000001 R09:
0000000000000000
[1750924.420364] R10:
0000000000000011 R11:
0000000000000246 R12:
ffff88007baa1d98
[1750924.420364] R13:
ffff88003ecab000 R14:
ffff88007b822660 R15:
0000000000000000
[1750924.420364] FS:
00007ffff7fd8740(0000) GS:
ffff88007fc80000(0000)
knlGS:
0000000000000000
[1750924.420364] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[1750924.420364] CR2:
00007ffff597c750 CR3:
000000006860b000 CR4:
00000000000007e0
[1750924.420364] Stack:
[1750924.420364]
ffff88007b822688 ffff88007af1ddf0 ffffffffa0132429
000000007af1de20
[1750924.420364]
ffff88007baa1dc8 ffff88007baa0000 ffff88007af1de70
ffffffffa00cb313
[1750924.420364]
00007fffffffde88 0000000000000000 0000000000000008
ffff88003ecab000
[1750924.420364] Call Trace:
[1750924.420364] [<
ffffffffa0132429>] qib_multicast_detach+0x1e9/0x350
[ib_qib]
[1750924.568035] [<
ffffffffa00cb313>] ? ib_uverbs_modify_qp+0x323/0x3d0
[ib_uverbs]
[1750924.568035] [<
ffffffffa0092d61>] ib_detach_mcast+0x31/0x50 [ib_core]
[1750924.568035] [<
ffffffffa00cc213>] ib_uverbs_detach_mcast+0x93/0x170
[ib_uverbs]
[1750924.568035] [<
ffffffffa00c61f6>] ib_uverbs_write+0xc6/0x2c0 [ib_uverbs]
[1750924.568035] [<
ffffffff81312e68>] ? apparmor_file_permission+0x18/0x20
[1750924.568035] [<
ffffffff812d4cd3>] ? security_file_permission+0x23/0xa0
[1750924.568035] [<
ffffffff811bd214>] vfs_write+0xb4/0x1f0
[1750924.568035] [<
ffffffff811bdc49>] SyS_write+0x49/0xa0
[1750924.568035] [<
ffffffff8172f7ed>] system_call_fastpath+0x1a/0x1f
[1750924.568035] Code: 66 2e 0f 1f 84 00 00 00 00 00 31 c0 5d c3 66 2e 0f 1f
84 00 00 00 00 00 66 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 8b 7f 10
<f0> ff 8f 40 01 00 00 74 0e 48 89 df e8 8e f8 06 e1 5b 5d c3 0f
[1750924.568035] RIP [<
ffffffffa0131d51>] qib_mcast_qp_free+0x11/0x50
[ib_qib]
[1750924.568035] RSP <
ffff88007af1dd70>
[1750924.650439] ---[ end trace
73d5d4b3f8ad4851 ]
The fix is to note the qib_mcast_qp that was found. If none is found, then
return EINVAL indicating the error.
Cc: <stable@vger.kernel.org>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jean Delvare [Mon, 18 Jan 2016 16:06:05 +0000 (17:06 +0100)]
crypto: crc32c - Fix crc32c soft dependency
[ Upstream commit
fd7f6727102a1ccf6b4c1dfcc631f9b546526b26 ]
I don't think it makes sense for a module to have a soft dependency
on itself. This seems quite cyclic by nature and I can't see what
purpose it could serve.
OTOH libcrc32c calls crypto_alloc_shash("crc32c", 0, 0) so it pretty
much assumes that some incarnation of the "crc32c" hash algorithm has
been loaded. Therefore it makes sense to have the soft dependency
there (as crc-t10dif does.)
Cc: stable@vger.kernel.org
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dave Chinner [Mon, 18 Jan 2016 21:28:10 +0000 (08:28 +1100)]
xfs: log mount failures don't wait for buffers to be released
[ Upstream commit
85bec5460ad8e05e0a8d70fb0f6750eb719ad092 ]
Recently I've been seeing xfs/051 fail on 1k block size filesystems.
Trying to trace the events during the test lead to the problem going
away, indicating that it was a race condition that lead to this
ASSERT failure:
XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0, file: fs/xfs/xfs_mount.c, line: 156
.....
[<
ffffffff814e1257>] xfs_free_perag+0x87/0xb0
[<
ffffffff814e21b9>] xfs_mountfs+0x4d9/0x900
[<
ffffffff814e5dff>] xfs_fs_fill_super+0x3bf/0x4d0
[<
ffffffff811d8800>] mount_bdev+0x180/0x1b0
[<
ffffffff814e3ff5>] xfs_fs_mount+0x15/0x20
[<
ffffffff811d90a8>] mount_fs+0x38/0x170
[<
ffffffff811f4347>] vfs_kern_mount+0x67/0x120
[<
ffffffff811f7018>] do_mount+0x218/0xd60
[<
ffffffff811f7e5b>] SyS_mount+0x8b/0xd0
When I finally caught it with tracing enabled, I saw that AG 2 had
an elevated reference count and a buffer was responsible for it. I
tracked down the specific buffer, and found that it was missing the
final reference count release that would put it back on the LRU and
hence be found by xfs_wait_buftarg() calls in the log mount failure
handling.
The last four traces for the buffer before the assert were (trimmed
for relevance)
kworker/0:1-5259 xfs_buf_iodone: hold 2 lock 0 flags ASYNC
kworker/0:1-5259 xfs_buf_ioerror: hold 2 lock 0 error -5
mount-7163 xfs_buf_lock_done: hold 2 lock 0 flags ASYNC
mount-7163 xfs_buf_unlock: hold 2 lock 1 flags ASYNC
This is an async write that is completing, so there's nobody waiting
for it directly. Hence we call xfs_buf_relse() once all the
processing is complete. That does:
static inline void xfs_buf_relse(xfs_buf_t *bp)
{
xfs_buf_unlock(bp);
xfs_buf_rele(bp);
}
Now, it's clear that mount is waiting on the buffer lock, and that
it has been released by xfs_buf_relse() and gained by mount. This is
expected, because at this point the mount process is in
xfs_buf_delwri_submit() waiting for all the IO it submitted to
complete.
The mount process, however, is waiting on the lock for the buffer
because it is in xfs_buf_delwri_submit(). This waits for IO
completion, but it doesn't wait for the buffer reference owned by
the IO to go away. The mount process collects all the completions,
fails the log recovery, and the higher level code then calls
xfs_wait_buftarg() to free all the remaining buffers in the
filesystem.
The issue is that on unlocking the buffer, the scheduler has decided
that the mount process has higher priority than the the kworker
thread that is running the IO completion, and so immediately
switched contexts to the mount process from the semaphore unlock
code, hence preventing the kworker thread from finishing the IO
completion and releasing the IO reference to the buffer.
Hence by the time that xfs_wait_buftarg() is run, the buffer still
has an active reference and so isn't on the LRU list that the
function walks to free the remaining buffers. Hence we miss that
buffer and continue onwards to tear down the mount structures,
at which time we get find a stray reference count on the perag
structure. On a non-debug kernel, this will be ignored and the
structure torn down and freed. Hence when the kworker thread is then
rescheduled and the buffer released and freed, it will access a
freed perag structure.
The problem here is that when the log mount fails, we still need to
quiesce the log to ensure that the IO workqueues have returned to
idle before we run xfs_wait_buftarg(). By synchronising the
workqueues, we ensure that all IO completions are fully processed,
not just to the point where buffers have been unlocked. This ensures
we don't end up in the situation above.
cc: <stable@vger.kernel.org> # 3.18
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Arnd Bergmann [Mon, 18 Jan 2016 09:45:00 +0000 (10:45 +0100)]
ARM: debug-ll: fix BCM63xx entry for multiplatform
[ Upstream commit
6c54809977de3c9e2ef9e9934a2c6625f7e161e7 ]
During my randconfig build testing, I found that a kernel with
DEBUG_AT91_UART and ARCH_BCM_63XX fails to build:
arch/arm/include/debug/at91.S:18:0: error: "CONFIG_DEBUG_UART_VIRT" redefined [-Werror]
It turns out that the DEBUG_UART_BCM63XX option is enabled whenever
the ARCH_BCM_63XX is, and that breaks multiplatform kernels because
we then end up using the UART address from BCM63XX rather than the
one we actually configured (if any).
This changes the BCM63XX options to only have one Kconfig option,
and only enable that if the user explicitly turns it on.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
b51312bebfa4 ("ARM: BCM63XX: add low-level UART debug support")
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Songjun Wu [Mon, 18 Jan 2016 10:14:44 +0000 (11:14 +0100)]
dmaengine: at_xdmac: fix resume for cyclic transfers
[ Upstream commit
611dcadb01c89d1d3521450c05a4ded332e5a32d ]
When having cyclic transfers, the channel was paused when performing
suspend but was not correctly resumed.
Signed-off-by: Songjun Wu <songjun.wu@atmel.com>
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Fixes:
e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel
eXtended DMA Controller driver")
Cc: <stable@vger.kernel.org> # 4.1 and later
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Herbert Xu [Fri, 15 Jan 2016 14:01:08 +0000 (22:01 +0800)]
crypto: algif_hash - Fix race condition in hash_check_key
[ Upstream commit
ad46d7e33219218605ea619e32553daf4f346b9f ]
We need to lock the child socket in hash_check_key as otherwise
two simultaneous calls can cause the parent socket to be freed.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Herbert Xu [Wed, 13 Jan 2016 07:03:32 +0000 (15:03 +0800)]
crypto: af_alg - Forbid bind(2) when nokey child sockets are present
[ Upstream commit
a6a48c565f6f112c6983e2a02b1602189ed6e26e ]
This patch forbids the calling of bind(2) when there are child
sockets created by accept(2) in existence, even if they are created
on the nokey path.
This is needed as those child sockets have references to the tfm
object which bind(2) will destroy.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Herbert Xu [Wed, 13 Jan 2016 07:00:36 +0000 (15:00 +0800)]
crypto: algif_hash - Remove custom release parent function
[ Upstream commit
f1d84af1835846a5a2b827382c5848faf2bb0e75 ]
This patch removes the custom release parent function as the
generic af_alg_release_parent now works for nokey sockets too.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
projects / platform / kernel / linux-exynos.git / log