Sergey Senozhatsky [Thu, 14 Jan 2016 23:16:53 +0000 (15:16 -0800)]
scripts/bloat-o-meter: fix python3 syntax error
[ Upstream commit
72214a24a7677d4c7501eecc9517ed681b5f2db2 ]
In Python3+ print is a function so the old syntax is not correct
anymore:
$ ./scripts/bloat-o-meter vmlinux.o vmlinux.o.old
File "./scripts/bloat-o-meter", line 61
print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \
^
SyntaxError: invalid syntax
Fix by calling print as a function.
Tested on python 2.7.11, 3.5.1
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Laura Abbott [Thu, 14 Jan 2016 23:16:50 +0000 (15:16 -0800)]
dma-debug: switch check from _text to _stext
[ Upstream commit
ea535e418c01837d07b6c94e817540f50bfdadb0 ]
In include/asm-generic/sections.h:
/*
* Usage guidelines:
* _text, _data: architecture specific, don't use them in
* arch-independent code
* [_stext, _etext]: contains .text.* sections, may also contain
* .rodata.*
* and/or .init.* sections
_text is not guaranteed across architectures. Architectures such as ARM
may reuse parts which are not actually text and erroneously trigger a bug.
Switch to using _stext which is guaranteed to contain text sections.
Came out of https://lkml.kernel.org/g/<
567B1176.4000106@redhat.com>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Sudip Mukherjee [Thu, 14 Jan 2016 23:16:47 +0000 (15:16 -0800)]
m32r: fix m32104ut_defconfig build fail
[ Upstream commit
601f1db653217f205ffa5fb33514b4e1711e56d1 ]
The build of m32104ut_defconfig for m32r arch was failing for long long
time with the error:
ERROR: "memory_start" [fs/udf/udf.ko] undefined!
ERROR: "memory_end" [fs/udf/udf.ko] undefined!
ERROR: "memory_end" [drivers/scsi/sg.ko] undefined!
ERROR: "memory_start" [drivers/scsi/sg.ko] undefined!
ERROR: "memory_end" [drivers/i2c/i2c-dev.ko] undefined!
ERROR: "memory_start" [drivers/i2c/i2c-dev.ko] undefined!
As done in other architectures export the symbols to fix the error.
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vasily Averin [Thu, 14 Jan 2016 10:41:14 +0000 (13:41 +0300)]
cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
[ Upstream commit
01b9b0b28626db4a47d7f48744d70abca9914ef1 ]
In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized,
therefore its printk with "%s" modifier can leak content of kernelspace memory.
If old content of this buffer does not contain '\0' access bejond end of
allocated object can crash the host.
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Rabin Vincent [Wed, 23 Dec 2015 06:32:41 +0000 (07:32 +0100)]
cifs: fix race between call_async() and reconnect()
[ Upstream commit
820962dc700598ffe8cd21b967e30e7520c34748 ]
cifs_call_async() queues the MID to the pending list and calls
smb_send_rqst(). If smb_send_rqst() performs a partial send, it sets
the tcpStatus to CifsNeedReconnect and returns an error code to
cifs_call_async(). In this case, cifs_call_async() removes the MID
from the list and returns to the caller.
However, cifs_call_async() releases the server mutex _before_ removing
the MID. This means that a cifs_reconnect() can race with this function
and manage to remove the MID from the list and delete the entry before
cifs_call_async() calls cifs_delete_mid(). This leads to various
crashes due to the use after free in cifs_delete_mid().
Task1 Task2
cifs_call_async():
- rc = -EAGAIN
- mutex_unlock(srv_mutex)
cifs_reconnect():
- mutex_lock(srv_mutex)
- mutex_unlock(srv_mutex)
- list_delete(mid)
- mid->callback()
cifs_writev_callback():
- mutex_lock(srv_mutex)
- delete(mid)
- mutex_unlock(srv_mutex)
- cifs_delete_mid(mid) <---- use after free
Fix this by removing the MID in cifs_call_async() before releasing the
srv_mutex. Also hold the srv_mutex in cifs_reconnect() until the MIDs
are moved out of the pending list.
Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jamie Bainbridge [Sat, 7 Nov 2015 12:13:49 +0000 (22:13 +1000)]
cifs: Ratelimit kernel log messages
[ Upstream commit
ec7147a99e33a9e4abad6fc6e1b40d15df045d53 ]
Under some conditions, CIFS can repeatedly call the cifs_dbg() logging
wrapper. If done rapidly enough, the console framebuffer can softlockup
or "rcu_sched self-detected stall". Apply the built-in log ratelimiters
to prevent such hangs.
Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dmitry V. Levin [Sat, 26 Dec 2015 23:13:27 +0000 (02:13 +0300)]
sparc64: fix incorrect sign extension in sys_sparc64_personality
[ Upstream commit
525fd5a94e1be0776fa652df5c687697db508c91 ]
The value returned by sys_personality has type "long int".
It is saved to a variable of type "int", which is not a problem
yet because the type of task_struct->pesonality is "unsigned int".
The problem is the sign extension from "int" to "long int"
that happens on return from sys_sparc64_personality.
For example, a userspace call personality((unsigned) -EINVAL) will
result to any subsequent personality call, including absolutely
harmless read-only personality(0xffffffff) call, failing with
errno set to EINVAL.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Carlo Caione [Wed, 13 Jan 2016 08:36:55 +0000 (09:36 +0100)]
mmc: core: Enable tuning according to the actual timing
[ Upstream commit
e10c321977091f163eceedec0650e0ef4b3cf4bb ]
While in sdhci_execute_tuning() the choice whether or not to enable the
tuning is done on the actual timing, in the mmc_sdio_init_uhs_card() the
check is done on the capability of the card.
This difference is causing some issues with some SDIO cards in DDR50
mode where the CDM19 is wrongly issued.
With this patch we modify the check in both
mmc_(sd|sdio)_init_uhs_card() functions to take the proper decision
only according to the actual timing specification.
Cc: stable@vger.kernel.org
Signed-off-by: Carlo Caione <carlo@endlessm.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Weijun Yang [Sun, 4 Oct 2015 12:04:11 +0000 (12:04 +0000)]
mmc: core: enable CMD19 tuning for DDR50 mode
[ Upstream commit
4324f6de6d2eb9b232410eb0d67bfafdde8ba711 ]
As SD Specifications Part1 Physical Layer Specification Version
3.01 says, CMD19 tuning is available for unlocked cards in transfer
state of 1.8V signaling mode. The small difference between v3.00
and 3.01 spec means that CMD19 tuning is also available for DDR50
mode.
Signed-off-by: Weijun Yang <york.yang@csr.com>
Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Linus Walleij [Mon, 4 Jan 2016 01:21:55 +0000 (02:21 +0100)]
mmc: mmci: fix an ages old detection error
[ Upstream commit
0bcb7efdff63564e80fe84dd36a9fbdfbf6697a4 ]
commit
4956e10903fd ("ARM: 6244/1: mmci: add variant data and default
MCICLOCK support") added variant data for ARM, U300 and Ux500 variants.
The Nomadik NHK8815/8820 variant was erroneously labeled as a U300
variant, and when the proper Nomadik variant was later introduced in
commit
34fd421349ff ("ARM: 7378/1: mmci: add support for the Nomadik MMCI
variant") this was not fixes. Let's say this fixes the latter commit as
there was no proper Nomadik support until then.
Cc: stable@vger.kernel.org
Fixes:
34fd421349ff ("ARM: 7378/1: mmci: add support for the Nomadik...")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mans Rullgard [Mon, 11 Jan 2016 13:04:29 +0000 (13:04 +0000)]
dmaengine: dw: fix cyclic transfer callbacks
[ Upstream commit
2895b2cad6e7a95104cf396e5330054453382ae1 ]
Cyclic transfer callbacks rely on block completion interrupts which were
disabled in commit
ff7b05f29fd4 ("dmaengine/dw_dmac: Don't handle block
interrupts"). This re-enables block interrupts so the cyclic callbacks
can work. Other transfer types are not affected as they set the INT_EN
bit only on the last block.
Fixes:
ff7b05f29fd4 ("dmaengine/dw_dmac: Don't handle block interrupts")
Signed-off-by: Mans Rullgard <mans@mansr.com>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mans Rullgard [Mon, 11 Jan 2016 13:04:28 +0000 (13:04 +0000)]
dmaengine: dw: fix cyclic transfer setup
[ Upstream commit
df3bb8a0e619d501cd13334c3e0586edcdcbc716 ]
Commit
61e183f83069 ("dmaengine/dw_dmac: Reconfigure interrupt and
chan_cfg register on resume") moved some channel initialisation to
a new function which must be called before starting a transfer.
This updates dw_dma_cyclic_start() to use dwc_dostart() like the other
modes, thus ensuring dwc_initialize() gets called and removing some code
duplication.
Fixes:
61e183f83069 ("dmaengine/dw_dmac: Reconfigure interrupt and chan_cfg register on resume")
Signed-off-by: Mans Rullgard <mans@mansr.com>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Greg Kurz [Wed, 13 Jan 2016 17:28:17 +0000 (18:28 +0100)]
KVM: PPC: Fix ONE_REG AltiVec support
[ Upstream commit
b4d7f161feb3015d6306e1d35b565c888ff70c9d ]
The get and set operations got exchanged by mistake when moving the
code from book3s.c to powerpc.c.
Fixes:
3840edc8033ad5b86deee309c1c321ca54257452
Cc: stable@vger.kernel.org # 3.18+
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Chris Wilson [Fri, 27 Nov 2015 13:28:55 +0000 (13:28 +0000)]
drm/i915: Restore inhibiting the load of the default context
[ Upstream commit
06ef83a705a98da63797a5a570220b6ca36febd4 ]
Following a GPU reset, we may leave the context in a poorly defined
state, and reloading from that context will leave the GPU flummoxed. For
secondary contexts, this will lead to that context being banned - but
currently it is also causing the default context to become banned,
leading to turmoil in the shared state.
This is a regression from
commit
6702cf16e0ba8b0129f5aa1b6609d4e9c70bc13b [v4.1]
Author: Ben Widawsky <benjamin.widawsky@intel.com>
Date: Mon Mar 16 16:00:58 2015 +0000
drm/i915: Initialize all contexts
which quietly introduced the removal of the MI_RESTORE_INHIBIT on the
default context.
v2: Mark the global default context as uninitialized on GPU reset so
that the context-local workarounds are reloaded upon re-enabling.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Michel Thierry <michel.thierry@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1448630935-27377-1-git-send-email-chris@chris-wilson.co.uk
Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com>
Cc: stable@vger.kernel.org
[danvet: This seems to fix a gpu hand on after the first resume,
resulting in any future suspend operation failing with -EIO because
the gpu seems to be in a funky state. Somehow this patch fixes that.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit
42f1cae8c079bcceb3cff079fddc3ff8852c788f)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Helge Deller [Sun, 10 Jan 2016 08:30:42 +0000 (09:30 +0100)]
parisc: Fix __ARCH_SI_PREAMBLE_SIZE
[ Upstream commit
e60fc5aa608eb38b47ba4ee058f306f739eb70a0 ]
On a 64bit kernel build the compiler aligns the _sifields union in the
struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
compensates for this alignment and thus fixes the wait testcase of the
strace package.
The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that
_sigchld.si_stime variable is missed to be copied and thus after a
copy_siginfo() will have uninitialized values.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Minchan Kim [Sun, 27 Dec 2015 23:35:13 +0000 (08:35 +0900)]
virtio_balloon: fix race between migration and ballooning
[ Upstream commit
21ea9fb69e7c4b1b1559c3e410943d3ff248ffcb ]
In balloon_page_dequeue, pages_lock should cover the loop
(ie, list_for_each_entry_safe). Otherwise, the cursor page could
be isolated by compaction and then list_del by isolation could
poison the page->lru.{prev,next} so the loop finally could
access wrong address like this. This patch fixes the bug.
general protection fault: 0000 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 2 PID: 82 Comm: vballoon Not tainted 4.4.0-rc5-mm1-access_bit+ #1906
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task:
ffff8800a7ff0000 ti:
ffff8800a7fec000 task.ti:
ffff8800a7fec000
RIP: 0010:[<
ffffffff8115e754>] [<
ffffffff8115e754>] balloon_page_dequeue+0x54/0x130
RSP: 0018:
ffff8800a7fefdc0 EFLAGS:
00010246
RAX:
ffff88013fff9a70 RBX:
ffffea000056fe00 RCX:
0000000000002b7d
RDX:
ffff88013fff9a70 RSI:
ffffea000056fe00 RDI:
ffff88013fff9a68
RBP:
ffff8800a7fefde8 R08:
ffffea000056fda0 R09:
0000000000000000
R10:
ffff8800a7fefd90 R11:
0000000000000001 R12:
dead0000000000e0
R13:
ffffea000056fe20 R14:
ffff880138809070 R15:
ffff880138809060
FS:
0000000000000000(0000) GS:
ffff88013fc40000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
00007f229c10e000 CR3:
00000000b8b53000 CR4:
00000000000006a0
Stack:
0000000000000100 ffff880138809088 ffff880138809000 ffff880138809060
0000000000000046 ffff8800a7fefe28 ffffffff812c86d3 ffff880138809020
ffff880138809000 fffffffffff91900 0000000000000100 ffff880138809060
Call Trace:
[<
ffffffff812c86d3>] leak_balloon+0x93/0x1a0
[<
ffffffff812c8bc7>] balloon+0x217/0x2a0
[<
ffffffff8143739e>] ? __schedule+0x31e/0x8b0
[<
ffffffff81078160>] ? abort_exclusive_wait+0xb0/0xb0
[<
ffffffff812c89b0>] ? update_balloon_stats+0xf0/0xf0
[<
ffffffff8105b6e9>] kthread+0xc9/0xe0
[<
ffffffff8105b620>] ? kthread_park+0x60/0x60
[<
ffffffff8143b4af>] ret_from_fork+0x3f/0x70
[<
ffffffff8105b620>] ? kthread_park+0x60/0x60
Code: 8d 60 e0 0f 84 af 00 00 00 48 8b 43 20 a8 01 75 3b 48 89 d8 f0 0f ba 28 00 72 10 48 8b 03 f6 c4 08 75 2f 48 89 df e8 8c 83 f9 ff <49> 8b 44 24 20 4d 8d 6c 24 20 48 83 e8 20 4d 39 f5 74 7a 4c 89
RIP [<
ffffffff8115e754>] balloon_page_dequeue+0x54/0x130
RSP <
ffff8800a7fefdc0>
---[ end trace
43cf28060d708d5f ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Cc: <stable@vger.kernel.org>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Minchan Kim [Sun, 27 Dec 2015 23:35:12 +0000 (08:35 +0900)]
virtio_balloon: fix race by fill and leak
[ Upstream commit
f68b992bbb474641881932c61c92dcfa6f5b3689 ]
During my compaction-related stuff, I encountered a bug
with ballooning.
With repeated inflating and deflating cycle, guest memory(
ie, cat /proc/meminfo | grep MemTotal) is decreased and
couldn't be recovered.
The reason is balloon_lock doesn't cover release_pages_balloon
so struct virtio_balloon fields could be overwritten by race
of fill_balloon(e,g, vb->*pfns could be critical).
This patch fixes it in my test.
Cc: <stable@vger.kernel.org>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Denis V. Lunev [Wed, 19 Aug 2015 21:49:48 +0000 (00:49 +0300)]
virtio_ballon: change stub of release_pages_by_pfn
[ Upstream commit
b4d34037329f46ed818d3b0a6e1e23b9c8721f79 ]
and rename it to release_pages_balloon. The function originally takes
arrays of pfns and now it takes pointer to struct virtio_ballon.
This change is necessary to conditionally call adjust_managed_page_count
in the next patch.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Benjamin Tissoires [Tue, 12 Jan 2016 01:35:38 +0000 (17:35 -0800)]
Input: elantech - mark protocols v2 and v3 as semi-mt
[ Upstream commit
6544a1df11c48c8413071aac3316792e4678fbfb ]
When using a protocol v2 or v3 hardware, elantech uses the function
elantech_report_semi_mt_data() to report data. This devices are rather
creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
touch is reported.
Anyway, userspace (libinput) is now confused by these (0,0) touches,
and detect them as palm, and rejects them.
Commit
3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
was sufficient enough for xf86-input-synaptics and libinput before it has
palm rejection. Now we need to actually tell libinput that this device is
a semi-mt one and it should not rely on the actual values of the 2 touches.
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Roman Volkov [Fri, 1 Jan 2016 13:24:41 +0000 (16:24 +0300)]
clocksource/drivers/vt8500: Increase the minimum delta
[ Upstream commit
f9eccf24615672896dc13251410c3f2f33a14f95 ]
The vt8500 clocksource driver declares itself as capable to handle the
minimum delay of 4 cycles by passing the value into
clockevents_config_and_register(). The vt8500_timer_set_next_event()
requires the passed cycles value to be at least 16. The impact is that
userspace hangs in nanosleep() calls with small delay intervals.
This problem is reproducible in Linux 4.2 starting from:
c6eb3f70d448 ('hrtimer: Get rid of hrtimer softirq')
From Russell King, more detailed explanation:
"It's a speciality of the StrongARM/PXA hardware. It takes a certain
number of OSCR cycles for the value written to hit the compare registers.
So, if a very small delta is written (eg, the compare register is written
with a value of OSCR + 1), the OSCR will have incremented past this value
before it hits the underlying hardware. The result is, that you end up
waiting a very long time for the OSCR to wrap before the event fires.
So, we introduce a check in set_next_event() to detect this and return
-ETIME if the calculated delta is too small, which causes the generic
clockevents code to retry after adding the min_delta specified in
clockevents_config_and_register() to the current time value.
min_delta must be sufficient that we don't re-trip the -ETIME check - if
we do, we will return -ETIME, forward the next event time, try to set it,
return -ETIME again, and basically lock the system up. So, min_delta
must be larger than the check inside set_next_event(). A factor of two
was chosen to ensure that this situation would never occur.
The PXA code worked on PXA systems for years, and I'd suggest no one
changes this mechanism without access to a wide range of PXA systems,
otherwise they're risking breakage."
Cc: stable@vger.kernel.org
Cc: Russell King <linux@arm.linux.org.uk>
Acked-by: Alexey Charkov <alchark@gmail.com>
Signed-off-by: Roman Volkov <rvolkov@v1ros.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dave Chinner [Mon, 11 Jan 2016 20:04:01 +0000 (07:04 +1100)]
xfs: handle dquot buffer readahead in log recovery correctly
[ Upstream commit
7d6a13f023567d573ac362502bb702eda716e654 ]
When we do dquot readahead in log recovery, we do not use a verifier
as the underlying buffer may not have dquots in it. e.g. the
allocation operation hasn't yet been replayed. Hence we do not want
to fail recovery because we detect an operation to be replayed has
not been run yet. This problem was addressed for inodes in commit
d891400 ("xfs: inode buffers may not be valid during recovery
readahead") but the problem was not recognised to exist for dquots
and their buffers as the dquot readahead did not have a verifier.
The result of not using a verifier is that when the buffer is then
next read to replay a dquot modification, the dquot buffer verifier
will only be attached to the buffer if *readahead is not complete*.
Hence we can read the buffer, replay the dquot changes and then add
it to the delwri submission list without it having a verifier
attached to it. This then generates warnings in xfs_buf_ioapply(),
which catches and warns about this case.
Fix this and make it handle the same readahead verifier error cases
as for inode buffers by adding a new readahead verifier that has a
write operation as well as a read operation that marks the buffer as
not done if any corruption is detected. Also make sure we don't run
readahead if the dquot buffer has been marked as cancelled by
recovery.
This will result in readahead either succeeding and the buffer
having a valid write verifier, or readahead failing and the buffer
state requiring the subsequent read to resubmit the IO with the new
verifier. In either case, this will result in the buffer always
ending up with a valid write verifier on it.
Note: we also need to fix the inode buffer readahead error handling
to mark the buffer with EIO. Brian noticed the code I copied from
there wrong during review, so fix it at the same time. Add comments
linking the two functions that handle readahead verifier errors
together so we don't forget this behavioural link in future.
cc: <stable@vger.kernel.org> # 3.12 - current
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dave Chinner [Mon, 11 Jan 2016 20:03:44 +0000 (07:03 +1100)]
xfs: inode recovery readahead can race with inode buffer creation
[ Upstream commit
b79f4a1c68bb99152d0785ee4ea3ab4396cdacc6 ]
When we do inode readahead in log recovery, we do can do the
readahead before we've replayed the icreate transaction that stamps
the buffer with inode cores. The inode readahead verifier catches
this and marks the buffer as !done to indicate that it doesn't yet
contain valid inodes.
In adding buffer error notification (i.e. setting b_error = -EIO at
the same time as as we clear the done flag) to such a readahead
verifier failure, we can then get subsequent inode recovery failing
with this error:
XFS (dm-0): metadata I/O error: block 0xa00060 ("xlog_recover_do..(read#2)") error 5 numblks 32
This occurs when readahead completion races with icreate item replay
such as:
inode readahead
find buffer
lock buffer
submit RA io
....
icreate recovery
xfs_trans_get_buffer
find buffer
lock buffer
<blocks on RA completion>
.....
<ra completion>
fails verifier
clear XBF_DONE
set bp->b_error = -EIO
release and unlock buffer
<icreate gains lock>
icreate initialises buffer
marks buffer as done
adds buffer to delayed write queue
releases buffer
At this point, we have an initialised inode buffer that is up to
date but has an -EIO state registered against it. When we finally
get to recovering an inode in that buffer:
inode item recovery
xfs_trans_read_buffer
find buffer
lock buffer
sees XBF_DONE is set, returns buffer
sees bp->b_error is set
fail log recovery!
Essentially, we need xfs_trans_get_buf_map() to clear the error status of
the buffer when doing a lookup. This function returns uninitialised
buffers, so the buffer returned can not be in an error state and
none of the code that uses this function expects b_error to be set
on return. Indeed, there is an ASSERT(!bp->b_error); in the
transaction case in xfs_trans_get_buf_map() that would have caught
this if log recovery used transactions....
This patch firstly changes the inode readahead failure to set -EIO
on the buffer, and secondly changes xfs_buf_get_map() to never
return a buffer with an error state set so this first change doesn't
cause unexpected log recovery failures.
cc: <stable@vger.kernel.org> # 3.12 - current
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Ard Biesheuvel [Fri, 1 Jan 2016 12:39:22 +0000 (13:39 +0100)]
s390: fix normalization bug in exception table sorting
[ Upstream commit
bcb7825a77f41c7dd91da6f7ac10b928156a322e ]
The normalization pass in the sorting routine of the relative exception
table serves two purposes:
- it ensures that the address fields of the exception table entries are
fully ordered, so that no ambiguities arise between entries with
identical instruction offsets (i.e., when two instructions that are
exactly 8 bytes apart each have an exception table entry associated with
them)
- it ensures that the offsets of both the instruction and the fixup fields
of each entry are relative to their final location after sorting.
Commit
eb608fb366de ("s390/exceptions: switch to relative exception table
entries") ported the relative exception table format from x86, but modified
the sorting routine to only normalize the instruction offset field and not
the fixup offset field. The result is that the fixup offset of each entry
will be relative to the original location of the entry before sorting,
likely leading to crashes when those entries are dereferenced.
Fixes:
eb608fb366de ("s390/exceptions: switch to relative exception table entries")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Ben Skeggs [Thu, 7 Jan 2016 22:56:51 +0000 (08:56 +1000)]
drm/nouveau/kms: take mode_config mutex in connector hotplug path
[ Upstream commit
0a882cadbc63fd2da3994af7115b4ada2fcbd638 ]
fdo#93634
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vegard Nossum [Fri, 18 Dec 2015 20:28:53 +0000 (21:28 +0100)]
uml: flush stdout before forking
[ Upstream commit
0754fb298f2f2719f0393491d010d46cfb25d043 ]
I was seeing some really weird behaviour where piping UML's output
somewhere would cause output to get duplicated:
$ ./vmlinux | head -n 40
Checking that ptrace can change system call numbers...Core dump limits :
soft - 0
hard - NONE
OK
Checking syscall emulation patch for ptrace...Core dump limits :
soft - 0
hard - NONE
OK
Checking advanced syscall emulation patch for ptrace...Core dump limits :
soft - 0
hard - NONE
OK
Core dump limits :
soft - 0
hard - NONE
This is because these tests do a fork() which duplicates the non-empty
stdout buffer, then glibc flushes the duplicated buffer as each child
exits.
A simple workaround is to flush before forking.
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vegard Nossum [Wed, 16 Dec 2015 20:59:56 +0000 (21:59 +0100)]
uml: fix hostfs mknod()
[ Upstream commit
9f2dfda2f2f1c6181c3732c16b85c59ab2d195e0 ]
An inverted return value check in hostfs_mknod() caused the function
to return success after handling it as an error (and cleaning up).
It resulted in the following segfault when trying to bind() a named
unix socket:
Pid: 198, comm: a.out Not tainted 4.4.0-rc4
RIP: 0033:[<
0000000061077df6>]
RSP:
00000000daae5d60 EFLAGS:
00010202
RAX:
0000000000000000 RBX:
000000006092a460 RCX:
00000000dfc54208
RDX:
0000000061073ef1 RSI:
0000000000000070 RDI:
00000000e027d600
RBP:
00000000daae5de0 R08:
00000000da980ac0 R09:
0000000000000000
R10:
0000000000000003 R11:
00007fb1ae08f72a R12:
0000000000000000
R13:
000000006092a460 R14:
00000000daaa97c0 R15:
00000000daaa9a88
Kernel panic - not syncing: Kernel mode fault at addr 0x40, ip 0x61077df6
CPU: 0 PID: 198 Comm: a.out Not tainted 4.4.0-rc4 #1
Stack:
e027d620 dfc54208 0000006f da981398
61bee000 0000c1ed daae5de0 0000006e
e027d620 dfcd4208 00000005 6092a460
Call Trace:
[<
60dedc67>] SyS_bind+0xf7/0x110
[<
600587be>] handle_syscall+0x7e/0x80
[<
60066ad7>] userspace+0x3e7/0x4e0
[<
6006321f>] ? save_registers+0x1f/0x40
[<
6006c88e>] ? arch_prctl+0x1be/0x1f0
[<
60054985>] fork_handler+0x85/0x90
Let's also get rid of the "cosmic ray protection" while we're at it.
Fixes:
e9193059b1b3 "hostfs: fix races in dentry_name() and inode_name()"
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mikulas Patocka [Sat, 9 Jan 2016 00:07:55 +0000 (19:07 -0500)]
dm snapshot: fix hung bios when copy error occurs
[ Upstream commit
385277bfb57faac44e92497104ba542cdd82d5fe ]
When there is an error copying a chunk dm-snapshot can incorrectly hold
associated bios indefinitely, resulting in hung IO.
The function copy_callback sets pe->error if there was error copying the
chunk, and then calls complete_exception. complete_exception calls
pending_complete on error, otherwise it calls commit_exception with
commit_callback (and commit_callback calls complete_exception).
The persistent exception store (dm-snap-persistent.c) assumes that calls
to prepare_exception and commit_exception are paired.
persistent_prepare_exception increases ps->pending_count and
persistent_commit_exception decreases it.
If there is a copy error, persistent_prepare_exception is called but
persistent_commit_exception is not. This results in the variable
ps->pending_count never returning to zero and that causes some pending
exceptions (and their associated bios) to be held forever.
Fix this by unconditionally calling commit_exception regardless of
whether the copy was successful. A new "valid" parameter is added to
commit_exception -- when the copy fails this parameter is set to zero so
that the chunk that failed to copy (and all following chunks) is not
recorded in the snapshot store. Also, remove commit_callback now that
it is merely a wrapper around pending_complete.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mike Christie [Thu, 7 Jan 2016 22:34:05 +0000 (16:34 -0600)]
scsi: add Synology to 1024 sector blacklist
[ Upstream commit
9055082fb100cc66e20c048251d05159f5f2cfba ]
Another iscsi target that cannot handle large IOs, but does not tell us
a limit.
The Synology iSCSI targets report:
Block limits VPD page (SBC):
Write same no zero (WSNZ): 0
Maximum compare and write length: 0 blocks
Optimal transfer length granularity: 0 blocks
Maximum transfer length: 0 blocks
Optimal transfer length: 0 blocks
Maximum prefetch length: 0 blocks
Maximum unmap LBA count: 0
Maximum unmap block descriptor count: 0
Optimal unmap granularity: 0
Unmap granularity alignment valid: 0
Unmap granularity alignment: 0
Maximum write same length: 0x0 blocks
and the size of the command it can handle seems to depend on how much
memory it can allocate at the time. This results in IO errors when
handling large IOs. This patch just has us use the old 1024 default
sectors for this target by adding it to the scsi blacklist. We do not
have good contacs with this vendors, so I have not been able to try and
fix on their side.
I have posted this a long while back, but it was not merged. This
version just fixes it up for merge/patch failures in the original
version.
Reported-by: Ancoron Luciferis <ancoron.luciferis@googlemail.com>
Reported-by: Michael Meyers <steltek@tcnnet.com>
Signed-off-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <stable@vger.kernel.org> # 4.1+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Jeff Layton [Thu, 7 Jan 2016 21:38:10 +0000 (16:38 -0500)]
locks: fix unlock when fcntl_setlk races with a close
[ Upstream commit
7f3697e24dc3820b10f445a4a7d914fc356012d1 ]
Dmitry reported that he was able to reproduce the WARN_ON_ONCE that
fires in locks_free_lock_context when the flc_posix list isn't empty.
The problem turns out to be that we're basically rebuilding the
file_lock from scratch in fcntl_setlk when we discover that the setlk
has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END,
then we may end up with fl_start and fl_end values that differ from
when the lock was initially set, if the file position or length of the
file has changed in the interim.
Fix this by just reusing the same lock request structure, and simply
override fl_type value with F_UNLCK as appropriate. That ensures that
we really are unlocking the lock that was initially set.
While we're there, make sure that we do pop a WARN_ON_ONCE if the
removal ever fails. Also return -EBADF in this event, since that's
what we would have returned if the close had happened earlier.
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Fixes:
c293621bbf67 (stale POSIX lock handling)
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
Acked-by: "J. Bruce Fields" <bfields@fieldses.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Emmanuel Grumbach [Tue, 5 Jan 2016 13:25:43 +0000 (15:25 +0200)]
iwlwifi: pcie: properly configure the debug buffer size for 8000
[ Upstream commit
62d7476d958ce06d7a10b02bdb30006870286fe2 ]
8000 device family has a new debug engine that needs to be
configured differently than 7000's.
The debug engine's DMA works in chunks of memory and the
size of the buffer really means the start of the last
chunk. Since one chunk is 256-byte long, we should
configure the device to write to buffer_size - 256.
This fixes a situation were the device would write to
memory it is not allowed to access.
CC: <stable@vger.kernel.org> [4.1+]
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Sasha Levin [Mon, 1 Feb 2016 20:02:44 +0000 (15:02 -0500)]
iwlwifi: update and fix 7265 series PCI IDs
[ Upstream commit
006bda75d81fd27a583a3b310e9444fea2aa6ef2 ]
Update and fix some 7265 PCI IDs entries.
CC: <stable@vger.kernel.org> [3.13+]
Signed-off-by: Oren Givon <oren.givon@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
David Sterba [Mon, 30 Nov 2015 16:27:06 +0000 (17:27 +0100)]
btrfs: handle invalid num_stripes in sys_array
[ Upstream commit
f5cdedd73fa71b74dcc42f2a11a5735d89ce7c4f ]
We can handle the special case of num_stripes == 0 directly inside
btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
catch other unhandled cases where we fail to validate external data.
A crafted or corrupted image crashes at mount time:
BTRFS: device fsid
9006933e-2a9a-44f0-917f-
514252aeec2c devid 1 transid 7 /dev/loop0
BTRFS info (device loop0): disk space caching is enabled
BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
Kernel panic - not syncing: BUG!
CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
Stack:
637af890 60062489 602aeb2e 604192ba
60387961 00000011 637af8a0 6038a835
637af9c0 6038776b 634ef32b 00000000
Call Trace:
[<
6001c86d>] show_stack+0xfe/0x15b
[<
6038a835>] dump_stack+0x2a/0x2c
[<
6038776b>] panic+0x13e/0x2b3
[<
6020f099>] btrfs_read_sys_array+0x25d/0x2ff
[<
601cfbbe>] open_ctree+0x192d/0x27af
[<
6019c2c1>] btrfs_mount+0x8f5/0xb9a
[<
600bc9a7>] mount_fs+0x11/0xf3
[<
600d5167>] vfs_kern_mount+0x75/0x11a
[<
6019bcb0>] btrfs_mount+0x2e4/0xb9a
[<
600bc9a7>] mount_fs+0x11/0xf3
[<
600d5167>] vfs_kern_mount+0x75/0x11a
[<
600d710b>] do_mount+0xa35/0xbc9
[<
600d7557>] SyS_mount+0x95/0xc8
[<
6001e884>] handle_syscall+0x6b/0x8e
Reported-by: Jiri Slaby <jslaby@suse.com>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
CC: stable@vger.kernel.org # 3.19+
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Grygorii Strashko [Thu, 10 Dec 2015 19:18:20 +0000 (21:18 +0200)]
PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
[ Upstream commit
8ff0ef996ca00028519c70e8d51d32bd37eb51dc ]
On -RT and if kernel is booting with "threadirqs" cmd line parameter,
PCIe/PCI (MSI) IRQ cascade handlers (like dra7xx_pcie_msi_irq_handler())
will be forced threaded and, as result, will generate warnings like this:
WARNING: CPU: 1 PID: 82 at kernel/irq/handle.c:150 handle_irq_event_percpu+0x14c/0x174()
irq 460 handler irq_default_primary_handler+0x0/0x14 enabled interrupts
Backtrace:
(warn_slowpath_common) from (warn_slowpath_fmt+0x38/0x40)
(warn_slowpath_fmt) from (handle_irq_event_percpu+0x14c/0x174)
(handle_irq_event_percpu) from (handle_irq_event+0x84/0xb8)
(handle_irq_event) from (handle_simple_irq+0x90/0x118)
(handle_simple_irq) from (generic_handle_irq+0x30/0x44)
(generic_handle_irq) from (dra7xx_pcie_msi_irq_handler+0x7c/0x8c)
(dra7xx_pcie_msi_irq_handler) from (irq_forced_thread_fn+0x28/0x5c)
(irq_forced_thread_fn) from (irq_thread+0x128/0x204)
This happens because all of them invoke generic_handle_irq() from the
requested handler. generic_handle_irq() grabs raw_locks and thus needs to
run in raw-IRQ context.
This issue was originally reproduced on TI dra7-evem, but, as was
identified during discussion [1], other hosts can also suffer from this
issue. Fix all them at once by marking PCIe/PCI (MSI) IRQ cascade handlers
IRQF_NO_THREAD explicitly.
[1] http://lkml.kernel.org/r/
1448027966-21610-1-git-send-email-grygorii.strashko@ti.com
[bhelgaas: add stable tag, fix typos]
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Lucas Stach <l.stach@pengutronix.de> (for imx6)
CC: stable@vger.kernel.org
CC: Kishon Vijay Abraham I <kishon@ti.com>
CC: Jingoo Han <jingoohan1@gmail.com>
CC: Kukjin Kim <kgene@kernel.org>
CC: Krzysztof Kozlowski <k.kozlowski@samsung.com>
CC: Richard Zhu <Richard.Zhu@freescale.com>
CC: Thierry Reding <thierry.reding@gmail.com>
CC: Stephen Warren <swarren@wwwdotorg.org>
CC: Alexandre Courbot <gnurou@gmail.com>
CC: Simon Horman <horms@verge.net.au>
CC: Pratyush Anand <pratyush.anand@gmail.com>
CC: Michal Simek <michal.simek@xilinx.com>
CC: "Sören Brinkmann" <soren.brinkmann@xilinx.com>
CC: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Christoph Biedl [Wed, 23 Dec 2015 15:51:57 +0000 (16:51 +0100)]
PCI: Fix minimum allocation address overwrite
[ Upstream commit
3460baa620685c20f5ee19afb6d99d26150c382c ]
Commit
36e097a8a297 ("PCI: Split out bridge window override of minimum
allocation address") claimed to do no functional changes but unfortunately
did: The "min" variable is altered. At least the AVM A1 PCMCIA adapter was
no longer detected, breaking ISDN operation.
Use a local copy of "min" to restore the previous behaviour.
[bhelgaas: avoid gcc "?:" extension for portability and readability]
Fixes:
36e097a8a297 ("PCI: Split out bridge window override of minimum allocation address")
Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org # v3.14+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mykola Lysenko [Fri, 25 Dec 2015 08:14:48 +0000 (16:14 +0800)]
drm/dp/mst: fix in RAD element access
[ Upstream commit
7a11a334aa6af4c65c6a0d81b60c97fc18673532 ]
This is needed to receive correct port
number from RAD, so MSTB could be found
Acked-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Mykola Lysenko <Mykola.Lysenko@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mykola Lysenko [Fri, 25 Dec 2015 08:14:47 +0000 (16:14 +0800)]
drm/dp/mst: fix in MSTB RAD initialization
[ Upstream commit
75af4c8c4c0f60d7ad135419805798f144e9baf9 ]
This fix is needed to support more then two
branch displays, so RAD address consist at
least of 2 elements
Acked-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Mykola Lysenko <Mykola.Lysenko@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mykola Lysenko [Fri, 18 Dec 2015 22:14:43 +0000 (17:14 -0500)]
drm/dp/mst: always send reply for UP request
[ Upstream commit
1f16ee7fa13649f4e55aa48ad31c3eb0722a62d3 ]
We should always send reply for UP request in order
to make downstream device clean-up resources appropriately.
Issue was that reply for UP request was sent only once.
Acked-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Mykola Lysenko <Mykola.Lysenko@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mykola Lysenko [Fri, 18 Dec 2015 22:14:42 +0000 (17:14 -0500)]
drm/dp/mst: process broadcast messages correctly
[ Upstream commit
bd9343208704fcc70a5b919f228a7d26ae472727 ]
In case broadcast message received in UP request,
RAD cannot be used to identify message originator.
Message should be parsed, originator should be found
by GUID from parsed message.
Also reply with broadcast in case broadcast message
received (for now it is always broadcast)
Acked-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Mykola Lysenko <Mykola.Lysenko@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Andrew Gabbasov [Thu, 24 Dec 2015 16:25:33 +0000 (10:25 -0600)]
udf: Check output buffer length when converting name to CS0
[ Upstream commit
bb00c898ad1ce40c4bb422a8207ae562e9aea7ae ]
If a name contains at least some characters with Unicode values
exceeding single byte, the CS0 output should have 2 bytes per character.
And if other input characters have single byte Unicode values, then
the single input byte is converted to 2 output bytes, and the length
of output becomes larger than the length of input. And if the input
name is long enough, the output length may exceed the allocated buffer
length.
All this means that conversion from UTF8 or NLS to CS0 requires
checking of output length in order to stop when it exceeds the given
output buffer size.
[JK: Make code return -ENAMETOOLONG instead of silently truncating the
name]
CC: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Andrew Gabbasov [Thu, 24 Dec 2015 16:25:32 +0000 (10:25 -0600)]
udf: Prevent buffer overrun with multi-byte characters
[ Upstream commit
ad402b265ecf6fa22d04043b41444cdfcdf4f52d ]
udf_CS0toUTF8 function stops the conversion when the output buffer
length reaches UDF_NAME_LEN-2, which is correct maximum name length,
but, when checking, it leaves the space for a single byte only,
while multi-bytes output characters can take more space, causing
buffer overflow.
Similar error exists in udf_CS0toNLS function, that restricts
the output length to UDF_NAME_LEN, while actual maximum allowed
length is UDF_NAME_LEN-2.
In these cases the output can override not only the current buffer
length field, causing corruption of the name buffer itself, but also
following allocation structures, causing kernel crash.
Adjust the output length checks in both functions to prevent buffer
overruns in case of multi-bytes UTF8 or NLS characters.
CC: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Aurélien Francillon [Sun, 3 Jan 2016 04:39:54 +0000 (20:39 -0800)]
Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
[ Upstream commit
dd0d0d4de582a6a61c032332c91f4f4cb2bab569 ]
Without i8042.nomux=1 the Elantech touch pad is not working at all on
a Fujitsu Lifebook U745. This patch does not seem necessary for all
U745 (maybe because of different BIOS versions?). However, it was
verified that the patch does not break those (see opensuse bug 883192:
https://bugzilla.opensuse.org/show_bug.cgi?id=883192).
Signed-off-by: Aurélien Francillon <aurelien@francillon.net>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Uri Mashiach [Thu, 24 Dec 2015 14:05:00 +0000 (16:05 +0200)]
wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
[ Upstream commit
e47301b06d5a65678690f04c2248fd181db1e59a ]
Fix the below Oops when trying to modprobe wlcore_spi.
The oops occurs because the wl1271_power_{off,on}()
function doesn't check the power() function pointer.
[ 23.401447] Unable to handle kernel NULL pointer dereference at
virtual address
00000000
[ 23.409954] pgd =
c0004000
[ 23.412922] [
00000000] *pgd=
00000000
[ 23.416693] Internal error: Oops:
80000007 [#1] SMP ARM
[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211
musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev
omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23
c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma
snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon
[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted
4.2.0-00002-g951efee-dirty #233
[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree)
[ 23.468123] Workqueue: events request_firmware_work_func
[ 23.473690] task:
de32efc0 ti:
de4ee000 task.ti:
de4ee000
[ 23.479341] PC is at 0x0
[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore]
[ 23.488074] pc : [<
00000000>] lr : [<
bf2581f0>] psr:
60000013
[ 23.488074] sp :
de4efe50 ip :
00000002 fp :
00000000
[ 23.500162] r10:
de7cdd00 r9 :
dc848800 r8 :
bf27af00
[ 23.505663] r7 :
bf27a1a8 r6 :
dcbd8a80 r5 :
dce0e2e0 r4 :
dce0d2e0
[ 23.512536] r3 :
00000000 r2 :
00000000 r1 :
00000001 r0 :
dc848810
[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
Segment kernel
[ 23.527109] Control:
10c5387d Table:
9cb78019 DAC:
00000015
[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218)
[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000)
[...]
[ 23.665030] [<
bf2581f0>] (wl12xx_set_power_on [wlcore]) from
[<
bf25f7ac>] (wlcore_nvs_cb+0x118/0xa4c [wlcore])
[ 23.675604] [<
bf25f7ac>] (wlcore_nvs_cb [wlcore]) from [<
c04387ec>]
(request_firmware_work_func+0x30/0x58)
[ 23.685784] [<
c04387ec>] (request_firmware_work_func) from
[<
c0058e2c>] (process_one_work+0x1b4/0x4b4)
[ 23.695591] [<
c0058e2c>] (process_one_work) from [<
c0059168>]
(worker_thread+0x3c/0x4a4)
[ 23.704124] [<
c0059168>] (worker_thread) from [<
c005ee68>]
(kthread+0xd4/0xf0)
[ 23.711747] [<
c005ee68>] (kthread) from [<
c000f598>]
(ret_from_fork+0x14/0x3c)
[ 23.719357] Code: bad PC value
[ 23.722760] ---[ end trace
981be8510db9b3a9 ]---
Prevent oops by validationg power() pointer value before
calling the function.
Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
Cc: stable@vger.kernel.org
Acked-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Kent Overstreet [Mon, 30 Nov 2015 02:47:01 +0000 (18:47 -0800)]
bcache: Change refill_dirty() to always scan entire disk if necessary
[ Upstream commit
627ccd20b4ad3ba836472468208e2ac4dfadbf03 ]
Previously, it would only scan the entire disk if it was starting from
the very start of the disk - i.e. if the previous scan got to the end.
This was broken by refill_full_stripes(), which updates last_scanned so
that refill_dirty was never triggering the searched_from_start path.
But if we change refill_dirty() to always scan the entire disk if
necessary, regardless of what last_scanned was, the code gets cleaner
and we fix that bug too.
Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Stefan Bader [Mon, 30 Nov 2015 02:44:49 +0000 (18:44 -0800)]
bcache: prevent crash on changing writeback_running
[ Upstream commit
8d16ce540c94c9d366eb36fc91b7154d92d6397b ]
Added a safeguard in the shutdown case. At least while not being
attached it is also possible to trigger a kernel bug by writing into
writeback_running. This change adds the same check before trying to
wake up the thread for that case.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Gabriel de Perthuis [Mon, 30 Nov 2015 02:40:23 +0000 (18:40 -0800)]
bcache: allows use of register in udev to avoid "device_busy" error.
[ Upstream commit
d7076f21629f8f329bca4a44dc408d94670f49e2 ]
Allows to use register, not register_quiet in udev to avoid "device_busy" error.
The initial patch proposed at https://lkml.org/lkml/2013/8/26/549 by Gabriel de Perthuis
<g2p.code@gmail.com> does not unlock the mutex and hangs the kernel.
See http://thread.gmane.org/gmane.linux.kernel.bcache.devel/2594 for the discussion.
Cc: Denis Bychkov <manover@gmail.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Gabriel de Perthuis <g2p.code@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Zheng Liu [Mon, 30 Nov 2015 01:21:57 +0000 (17:21 -0800)]
bcache: unregister reboot notifier if bcache fails to unregister device
[ Upstream commit
2ecf0cdb2b437402110ab57546e02abfa68a716b ]
In bcache_init() function it forgot to unregister reboot notifier if
bcache fails to unregister a block device. This commit fixes this.
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Al Viro [Mon, 30 Nov 2015 01:20:59 +0000 (17:20 -0800)]
bcache: fix a leak in bch_cached_dev_run()
[ Upstream commit
4d4d8573a8451acc9f01cbea24b7e55f04a252fe ]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Zheng Liu [Mon, 30 Nov 2015 01:19:32 +0000 (17:19 -0800)]
bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
[ Upstream commit
fecaee6f20ee122ad75402c53d8278f9bb142ddc ]
This bug can be reproduced by the following script:
#!/bin/bash
bcache_sysfs="/sys/fs/bcache"
function clear_cache()
{
if [ ! -e $bcache_sysfs ]; then
echo "no bcache sysfs"
exit
fi
cset_uuid=$(ls -l $bcache_sysfs|head -n 2|tail -n 1|awk '{print $9}')
sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/detach"
sleep 5
sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/attach"
}
for ((i=0;i<10;i++)); do
clear_cache
done
The warning messages look like below:
[ 275.948611] ------------[ cut here ]------------
[ 275.963840] WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xb8/0xd0() (Tainted: P W
--------------- )
[ 275.979253] Hardware name: Tecal RH2285
[ 275.994106] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:09.0/0000:08:00.0/host4/target4:2:1/4:2:1:0/block/sdb/sdb1/bcache/cache'
[ 276.024105] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
[ 276.072643] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
[ 276.089315] Call Trace:
[ 276.105801] [<
ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
[ 276.122650] [<
ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
[ 276.139361] [<
ffffffff81205c08>] ? sysfs_add_one+0xb8/0xd0
[ 276.156012] [<
ffffffff8120609b>] ? sysfs_do_create_link+0x12b/0x170
[ 276.172682] [<
ffffffff81206113>] ? sysfs_create_link+0x13/0x20
[ 276.189282] [<
ffffffffa03bda21>] ? bcache_device_link+0xc1/0x110 [bcache]
[ 276.205993] [<
ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
[ 276.222794] [<
ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
[ 276.239680] [<
ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
[ 276.256594] [<
ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
[ 276.273364] [<
ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
[ 276.290133] [<
ffffffff811890b1>] ? sys_write+0x51/0x90
[ 276.306368] [<
ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
[ 276.322301] ---[ end trace
9f5d4fcdd0c3edfb ]---
[ 276.338241] ------------[ cut here ]------------
[ 276.354109] WARNING: at /home/wenqing.lz/bcache/bcache/super.c:720
bcache_device_link+0xdf/0x110 [bcache]() (Tainted: P W --------------- )
[ 276.386017] Hardware name: Tecal RH2285
[ 276.401430] Couldn't create device <-> cache set symlinks
[ 276.401759] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
[ 276.465477] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
[ 276.482169] Call Trace:
[ 276.498610] [<
ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
[ 276.515405] [<
ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
[ 276.532059] [<
ffffffffa03bda3f>] ? bcache_device_link+0xdf/0x110 [bcache]
[ 276.548808] [<
ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
[ 276.565569] [<
ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
[ 276.582418] [<
ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
[ 276.599341] [<
ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
[ 276.616142] [<
ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
[ 276.632607] [<
ffffffff811890b1>] ? sys_write+0x51/0x90
[ 276.648671] [<
ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
[ 276.664756] ---[ end trace
9f5d4fcdd0c3edfc ]---
We forget to clear BCACHE_DEV_UNLINK_DONE flag in bcache_device_attach()
function when we attach a backing device first time. After detaching this
backing device, this flag will be true and sysfs_remove_link() isn't called in
bcache_device_unlink(). Then when we attach this backing device again,
sysfs_create_link() will return EEXIST error in bcache_device_link().
So the fix is trival and we clear this flag in bcache_device_link().
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Kent Overstreet [Mon, 30 Nov 2015 01:18:33 +0000 (17:18 -0800)]
bcache: Add a cond_resched() call to gc
[ Upstream commit
c5f1e5adf956e3ba82d204c7c141a75da9fa449a ]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Zheng Liu [Mon, 30 Nov 2015 01:17:05 +0000 (17:17 -0800)]
bcache: fix a livelock when we cause a huge number of cache misses
[ Upstream commit
2ef9ccbfcb90cf84bdba320a571b18b05c41101b ]
Subject : [PATCH v2] bcache: fix a livelock in btree lock
Date : Wed, 25 Feb 2015 20:32:09 +0800 (02/25/2015 04:32:09 AM)
This commit tries to fix a livelock in bcache. This livelock might
happen when we causes a huge number of cache misses simultaneously.
When we get a cache miss, bcache will execute the following path.
->cached_dev_make_request()
->cached_dev_read()
->cached_lookup()
->bch->btree_map_keys()
->btree_root() <------------------------
->bch_btree_map_keys_recurse() |
->cache_lookup_fn() |
->cached_dev_cache_miss() |
->bch_btree_insert_check_key() -|
[If btree->seq is not equal to seq + 1, we should return
EINTR and traverse btree again.]
In bch_btree_insert_check_key() function we first need to check upgrade
flag (op->lock == -1), and when this flag is true we need to release
read btree->lock and try to take write btree->lock. During taking and
releasing this write lock, btree->seq will be monotone increased in
order to prevent other threads modify this in cache miss (see btree.h:74).
But if there are some cache misses caused by some requested, we could
meet a livelock because btree->seq is always changed by others. Thus no
one can make progress.
This commit will try to take write btree->lock if it encounters a race
when we traverse btree. Although it sacrifice the scalability but we
can ensure that only one can modify the btree.
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Joshua Schmid <jschmid@suse.com>
Cc: Zhu Yanhai <zhu.yanhai@gmail.com>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 21 Dec 2015 23:05:08 +0000 (17:05 -0600)]
rtlwifi: rtl_pci: Fix kernel panic
[ Upstream commit
f99551a2d39dc26ea03dc6761be11ac913eb2d57 ]
In commit
38506ecefab9 (rtlwifi: rtl_pci: Start modification for new
drivers), a bug was introduced that causes a NULL pointer dereference.
As this bug only affects the infrequently used RTL8192EE and only under
low-memory conditions, it has taken a long time for the bug to show up.
The bug was reported on the linux-wireless mailing list and also at
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as
bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10).
Fixes:
38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Trond Myklebust [Tue, 29 Dec 2015 23:55:19 +0000 (18:55 -0500)]
NFS: Fix attribute cache revalidation
[ Upstream commit
ade14a7df796d4e86bd9d181193c883a57b13db0 ]
If a NFSv4 client uses the cache_consistency_bitmask in order to
request only information about the change attribute, timestamps and
size, then it has not revalidated all attributes, and hence the
attribute timeout timestamp should not be updated.
Reported-by: Donald Buczek <buczek@molgen.mpg.de>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Trond Myklebust [Sun, 5 Jul 2015 15:12:07 +0000 (11:12 -0400)]
NFS: Remove the "NFS_CAP_CHANGE_ATTR" capability
[ Upstream commit
cd812599796f500b042f5464b6665755eca21137 ]
Setting the change attribute has been mandatory for all NFS versions, since
commit
3a1556e8662c ("NFSv2/v3: Simulate the change attribute"). We should
therefore not have anything be conditional on it being set/unset.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 14 Dec 2015 22:34:38 +0000 (16:34 -0600)]
rtlwifi: rtl8192cu: Add missing parameter setup
[ Upstream commit
b68d0ae7e58624c33f2eddab471fee55db27dbf9 ]
This driver fails to copy the module parameter for software encryption
to the locations used by the main code.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 14 Dec 2015 22:34:37 +0000 (16:34 -0600)]
rtlwifi: rtl8192ce: Fix handling of module parameters
[ Upstream commit
b24f19f16b9e43f54218c07609b783ea8625406a ]
The module parameter for software encryption was never transferred to
the location used by the driver.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 14 Dec 2015 22:34:36 +0000 (16:34 -0600)]
rtlwifi: rtl8192se: Fix module parameter initialization
[ Upstream commit
7503efbd82c15c4070adffff1344e5169d3634b4 ]
Two of the module parameter descriptions show incorrect default values.
In addition the value for software encryption is not transferred to
the locations used by the driver.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 14 Dec 2015 22:34:35 +0000 (16:34 -0600)]
rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
[ Upstream commit
d4d60b4caaa5926e1b243070770968f05656107a ]
Two of the module parameters are listed with incorrect default values.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Larry Finger [Mon, 14 Dec 2015 22:34:34 +0000 (16:34 -0600)]
rtlwifi: rtl8188ee: Fix module parameter initialization
[ Upstream commit
06f34572c6110e2e2d5e653a957f1d74db9e3f2b ]
In this driver, parameters disable_watchdog and sw_crypto are never
copied into the locations used in the main code. While modifying the
parameter handling, the copying of parameter msi_support is moved to
be with the rest.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Richard Cochran [Tue, 22 Dec 2015 21:19:58 +0000 (22:19 +0100)]
posix-clock: Fix return code on the poll method's error path
[ Upstream commit
1b9f23727abb92c5e58f139e7d180befcaa06fe0 ]
The posix_clock_poll function is supposed to return a bit mask of
POLLxxx values. However, in case the hardware has disappeared (due to
hot plugging for example) this code returns -ENODEV in a futile
attempt to throw an error at the file descriptor level. The kernel's
file_operations interface does not accept such error codes from the
poll method. Instead, this function aught to return POLLERR.
The value -ENODEV does, in fact, contain the POLLERR bit (and almost
all the other POLLxxx bits as well), but only by chance. This patch
fixes code to return a proper bit mask.
Credit goes to Markus Elfring for pointing out the suspicious
signed/unsigned mismatch.
Reported-by: Markus Elfring <elfring@users.sourceforge.net>
igned-off-by: Richard Cochran <richardcochran@gmail.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Link: http://lkml.kernel.org/r/1450819198-17420-1-git-send-email-richardcochran@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Chen Yu [Fri, 30 Oct 2015 08:32:10 +0000 (16:32 +0800)]
Thermal: do thermal zone update after a cooling device registered
[ Upstream commit
4511f7166a2deb5f7a578cf87fd2fe1ae83527e3 ]
When a new cooling device is registered, we need to update the
thermal zone to set the new registered cooling device to a proper
state.
This fixes a problem that the system is cool, while the fan devices
are left running on full speed after boot, if fan device is registered
after thermal zone device.
Here is the history of why current patch looks like this:
https://patchwork.kernel.org/patch/7273041/
CC: <stable@vger.kernel.org> #3.18+
Reference:https://bugzilla.kernel.org/show_bug.cgi?id=92431
Tested-by: Manuel Krause <manuelkrause@netscape.net>
Tested-by: szegad <szegadlo@poczta.onet.pl>
Tested-by: prash <prash.n.rao@gmail.com>
Tested-by: amish <ammdispose-arch@yahoo.com>
Reviewed-by: Javi Merino <javi.merino@arm.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Zhang Rui [Fri, 30 Oct 2015 08:31:58 +0000 (16:31 +0800)]
Thermal: handle thermal zone device properly during system sleep
[ Upstream commit
ff140fea847e1c2002a220571ab106c2456ed252 ]
Current thermal code does not handle system sleep well because
1. the cooling device cooling state may be changed during suspend
2. the previous temperature reading becomes invalid after resumed because
it is got before system sleep
3. updating thermal zone device during suspending/resuming
is wrong because some devices may have already been suspended
or may have not been resumed.
Thus, the proper way to do this is to cancel all thermal zone
device update requirements during suspend/resume, and after all
the devices have been resumed, reset and update every registered
thermal zone devices.
This also fixes a regression introduced by:
Commit
19593a1fb1f6 ("ACPI / fan: convert to platform driver")
Because, with above commit applied, all the fan devices are attached
to the acpi_general_pm_domain, and they are turned on by the pm_domain
automatically after resume, without the awareness of thermal core.
CC: <stable@vger.kernel.org> #3.18+
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=78201
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=91411
Tested-by: Manuel Krause <manuelkrause@netscape.net>
Tested-by: szegad <szegadlo@poczta.onet.pl>
Tested-by: prash <prash.n.rao@gmail.com>
Tested-by: amish <ammdispose-arch@yahoo.com>
Tested-by: Matthias <morpheusxyz123@yahoo.de>
Reviewed-by: Javi Merino <javi.merino@arm.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Zhang Rui [Fri, 30 Oct 2015 08:31:47 +0000 (16:31 +0800)]
Thermal: initialize thermal zone device correctly
[ Upstream commit
bb431ba26c5cd0a17c941ca6c3a195a3a6d5d461 ]
After thermal zone device registered, as we have not read any
temperature before, thus tz->temperature should not be 0,
which actually means 0C, and thermal trend is not available.
In this case, we need specially handling for the first
thermal_zone_device_update().
Both thermal core framework and step_wise governor is
enhanced to handle this. And since the step_wise governor
is the only one that uses trends, so it's the only thermal
governor that needs to be updated.
CC: <stable@vger.kernel.org> #3.18+
Tested-by: Manuel Krause <manuelkrause@netscape.net>
Tested-by: szegad <szegadlo@poczta.onet.pl>
Tested-by: prash <prash.n.rao@gmail.com>
Tested-by: amish <ammdispose-arch@yahoo.com>
Tested-by: Matthias <morpheusxyz123@yahoo.de>
Reviewed-by: Javi Merino <javi.merino@arm.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Andrew Elble [Wed, 2 Dec 2015 14:20:57 +0000 (09:20 -0500)]
nfs: Fix race in __update_open_stateid()
[ Upstream commit
361cad3c89070aeb37560860ea8bfc092d545adc ]
We've seen this in a packet capture - I've intermixed what I
think was going on. The fix here is to grab the so_lock sooner.
1964379 -> #1 open (for write) reply seqid=1
1964393 -> #2 open (for read) reply seqid=2
__nfs4_close(), state->n_wronly--
nfs4_state_set_mode_locked(), changes state->state = [R]
state->flags is [RW]
state->state is [R], state->n_wronly == 0, state->n_rdonly == 1
1964398 -> #3 open (for write) call -> because close is already running
1964399 -> downgrade (to read) call seqid=2 (close of #1)
1964402 -> #3 open (for write) reply seqid=3
__update_open_stateid()
nfs_set_open_stateid_locked(), changes state->flags
state->flags is [RW]
state->state is [R], state->n_wronly == 0, state->n_rdonly == 1
new sequence number is exposed now via nfs4_stateid_copy()
next step would be update_open_stateflags(), pending so_lock
1964403 -> downgrade reply seqid=2, fails with OLD_STATEID (close of #1)
nfs4_close_prepare() gets so_lock and recalcs flags -> send close
1964405 -> downgrade (to read) call seqid=3 (close of #1 retry)
__update_open_stateid() gets so_lock
* update_open_stateflags() updates state->n_wronly.
nfs4_state_set_mode_locked() updates state->state
state->flags is [RW]
state->state is [RW], state->n_wronly == 1, state->n_rdonly == 1
* should have suppressed the preceding nfs4_close_prepare() from
sending open_downgrade
1964406 -> write call
1964408 -> downgrade (to read) reply seqid=4 (close of #1 retry)
nfs_clear_open_stateid_locked()
state->flags is [R]
state->state is [RW], state->n_wronly == 1, state->n_rdonly == 1
1964409 -> write reply (fails, openmode)
Signed-off-by: Andrew Elble <aweits@rit.edu>
Cc: stable@vger,kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Chen-Yu Tsai [Tue, 22 Dec 2015 04:27:35 +0000 (02:27 -0200)]
[media] rc: sunxi-cir: Initialize the spinlock properly
[ Upstream commit
768acf46e1320d6c41ed1b7c4952bab41c1cde79 ]
The driver allocates the spinlock but fails to initialize it correctly.
The kernel reports a BUG indicating bad spinlock magic when spinlock
debugging is enabled.
Call spin_lock_init() on it to initialize it correctly.
Fixes:
b4e3e59fb59c ("[media] rc: add sunxi-ir driver")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vegard Nossum [Fri, 11 Dec 2015 14:54:16 +0000 (15:54 +0100)]
udf: limit the maximum number of indirect extents in a row
[ Upstream commit
b0918d9f476a8434b055e362b83fa4fd1d462c3f ]
udf_next_aext() just follows extent pointers while extents are marked as
indirect. This can loop forever for corrupted filesystem. Limit number
the of indirect extents we are willing to follow in a row.
[JK: Updated changelog, limit, style]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: stable@vger.kernel.org
Cc: Jan Kara <jack@suse.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Adrian Hunter [Thu, 26 Nov 2015 12:00:50 +0000 (14:00 +0200)]
mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
[ Upstream commit
5c671c410c8704800f4f1673b6f572137e7e6ddd ]
sdhci has a legacy facility to prevent runtime suspend if the
bus power is on. This is needed in cases where the power to
the card is dependent on the bus power. It is controlled by
a pair of functions: sdhci_runtime_pm_bus_on() and
sdhci_runtime_pm_bus_off(). These functions use a boolean
variable 'bus_on' to ensure changes are always paired.
There is an additional check for 'runtime_suspended' which is
the problem. In fact, its use is ill-conceived as the only
requirement for the logic is that 'on' and 'off' are paired,
which is actually broken by the check, for example if the bus
power is turned on during runtime resume. So remove the check.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v3.11+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Adrian Hunter [Thu, 26 Nov 2015 12:00:48 +0000 (14:00 +0200)]
mmc: sdhci: Fix DMA descriptor with zero data length
[ Upstream commit
347ea32dc118326c4f2636928239a29d192cc9b8 ]
SDHCI has built-in DMA called ADMA2. ADMA2 uses a descriptor
table to define DMA scatter-gather. Each desciptor can specify
a data length up to 65536 bytes, however the length field is
only 16-bits so zero means 65536. Consequently, putting zero
when the size is zero must not be allowed. This patch fixes
one case where zero data length could be set inadvertently.
The problem happens because unaligned data gets split and the
code did not consider that the remaining aligned portion might
be zero length. That case really only happens for SDIO because
SD and eMMC cards transfer blocks that are invariably sector-
aligned. For SDIO, access to function registers is done by
data transfer (CMD53) when the register is bigger than 1 byte.
Generally registers are 4 bytes but 2-byte registers are possible.
So DMA of 4 bytes or less can happen. When 32-bit DMA is used,
the data alignment must be 4, so 4-byte transfers won't casue a
problem, but a 2-byte transfer could. However with the introduction
of 64-bit DMA, the data alignment for 64-bit DMA was made 8 bytes,
so all 4-byte transfers not on 8-byte boundaries get "split" into
a 4-byte chunk and a 0-byte chunk, thereby hitting the bug.
In fact, a closer look at the SDHCI specs indicates that only the
descriptor table requires 8-byte alignment for 64-bit DMA. That
will be dealt with in a separate patch, but the potential for a
2-byte access remains, so this fix is needed anyway.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v3.19+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Adrian Hunter [Thu, 26 Nov 2015 12:00:47 +0000 (14:00 +0200)]
mmc: sdio: Fix invalid vdd in voltage switch power cycle
[ Upstream commit
d9bfbb95ed598a09cf336adb0f190ee0ff802f0d ]
The 'ocr' parameter passed to mmc_set_signal_voltage()
defines the power-on voltage used when power cycling
after a failure to set the voltage. However, in the
case of mmc_sdio_init_card(), the value passed has the
R4_18V_PRESENT flag set which is not valid for power-on
and results in an invalid vdd. Fix by passing the card's
ocr value which does not have the flag.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v3.13+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Alex Deucher [Thu, 17 Dec 2015 17:52:17 +0000 (12:52 -0500)]
drm/radeon: clean up fujitsu quirks
[ Upstream commit
0eb1c3d4084eeb6fb3a703f88d6ce1521f8fcdd1 ]
Combine the two quirks.
bug:
https://bugzilla.kernel.org/show_bug.cgi?id=109481
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Felix Kuehling [Mon, 23 Nov 2015 22:39:11 +0000 (17:39 -0500)]
drm/radeon: Fix off-by-one errors in radeon_vm_bo_set_addr
[ Upstream commit
42ef344c0994cc453477afdc7a8eadc578ed0257 ]
eoffset is sometimes treated as the last address inside the address
range, and sometimes as the first address outside the range. This
was resulting in errors when a test filled up the entire address
space. Make it consistent to always be the last address within the
range. Also fixed related errors when checking the VA limit and in
radeon_vm_fence_pts.
Signed-off-by: Felix.Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mathieu Poirier [Thu, 17 Dec 2015 15:47:02 +0000 (08:47 -0700)]
coresight: checking for NULL string in coresight_name_match()
[ Upstream commit
fadf3a44e974b030e7145218ad1ab25e3ef91738 ]
Connection child names associated to ports can sometimes be NULL,
which is the case when booting a system on QEMU or when the Coresight
power domain isn't switched on.
This patch is adding a check to make sure a NULL string isn't fed
to strcmp(), something that avoid crashing the system.
Cc: <stable@vger.kernel.org> # v3.18+
Reported-by: Tyler Baker <tyler.baker@linaro.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Lorenzo Pieralisi [Fri, 18 Dec 2015 10:35:54 +0000 (10:35 +0000)]
arm64: kernel: enforce pmuserenr_el0 initialization and restore
[ Upstream commit
d2d39a3b91628ef5abdf58e83905b173e63d5ecf ]
commit
60792ad349f3c6dc5735aafefe5dc9121c79e320 upstream.
The pmuserenr_el0 register value is architecturally UNKNOWN on reset.
Current kernel code resets that register value iff the core pmu device is
correctly probed in the kernel. On platforms with missing DT pmu nodes (or
disabled perf events in the kernel), the pmu is not probed, therefore the
pmuserenr_el0 register is not reset in the kernel, which means that its
value retains the reset value that is architecturally UNKNOWN (system
may run with eg pmuserenr_el0 == 0x1, which means that PMU counters access
is available at EL0, which must be disallowed).
This patch adds code that resets pmuserenr_el0 on cold boot and restores
it on core resume from shutdown, so that the pmuserenr_el0 setup is
always enforced in the kernel.
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Will Deacon [Thu, 20 Aug 2015 10:47:13 +0000 (11:47 +0100)]
arm64: mdscr_el1: avoid exposing DCC to userspace
[ Upstream commit
d8d23fa0f27f3b2942a7bbc7378c7735324ed519 ]
We don't want to expose the DCC to userspace, particularly as there is
a kernel console driver for it.
This patch resets mdscr_el1 to disable userspace access to the DCC
registers on the cold boot path.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Thomas Gleixner [Sat, 19 Dec 2015 20:07:38 +0000 (20:07 +0000)]
futex: Drop refcount if requeue_pi() acquired the rtmutex
[ Upstream commit
fb75a4282d0d9a3c7c44d940582c2d226cf3acfb ]
If the proxy lock in the requeue loop acquires the rtmutex for a
waiter then it acquired also refcount on the pi_state related to the
futex, but the waiter side does not drop the reference count.
Add the missing free_pi_state() call.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Bhuvanesh_Surachari@mentor.com
Cc: Andy Lowe <Andy_Lowe@mentor.com>
Link: http://lkml.kernel.org/r/20151219200607.178132067@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Slava Grigorev [Thu, 17 Dec 2015 16:09:58 +0000 (11:09 -0500)]
drm/radeon: Fix "slow" audio over DP on DCE8+
[ Upstream commit
ac4a9350abddc51ccb897abf0d9f3fd592b97e0b ]
DP audio is derived from the dfs clock.
Signed-off-by: Slava Grigorev <slava.grigorev@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Nikolay Borisov [Thu, 17 Dec 2015 16:03:35 +0000 (18:03 +0200)]
dm thin: fix race condition when destroying thin pool workqueue
[ Upstream commit
18d03e8c25f173f4107a40d0b8c24defb6ed69f3 ]
When a thin pool is being destroyed delayed work items are
cancelled using cancel_delayed_work(), which doesn't guarantee that on
return the delayed item isn't running. This can cause the work item to
requeue itself on an already destroyed workqueue. Fix this by using
cancel_delayed_work_sync() which guarantees that on return the work item
is not running anymore.
Fixes:
905e51b39a555 ("dm thin: commit outstanding data every second")
Fixes:
85ad643b7e7e5 ("dm thin: add timeout to stop out-of-data-space mode holding IO forever")
Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Will Deacon [Tue, 15 Dec 2015 16:08:12 +0000 (16:08 +0000)]
iommu/io-pgtable-arm: Ensure we free the final level on teardown
[ Upstream commit
12c2ab09571e8aae3a87da2a4a452632a5fac1e5 ]
When tearing down page tables, we return early for the final level
since we know that we won't have any table pointers to follow.
Unfortunately, this also means that we forget to free the final level,
so we end up leaking memory.
Fix the issue by always freeing the current level, but just don't bother
to iterate over the ptes if we're at the final level.
Cc: <stable@vger.kernel.org>
Reported-by: Zhang Bo <zhangbo_a@xiaomi.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Borislav Petkov [Fri, 27 Nov 2015 09:38:38 +0000 (10:38 +0100)]
EDAC: Robustify workqueues destruction
[ Upstream commit
fcd5c4dd8201595d4c598c9cca5e54760277d687 ]
EDAC workqueue destruction is really fragile. We cancel delayed work
but if it is still running and requeues itself, we still go ahead and
destroy the workqueue and the queued work explodes when workqueue core
attempts to run it.
Make the destruction more robust by switching op_state to offline so
that requeuing stops. Cancel any pending work *synchronously* too.
EDAC i7core: Driver loaded.
general protection fault: 0000 [#1] SMP
CPU 12
Modules linked in:
Supported: Yes
Pid: 0, comm: kworker/0:1 Tainted: G IE 3.0.101-0-default #1 HP ProLiant DL380 G7
RIP: 0010:[<
ffffffff8107dcd7>] [<
ffffffff8107dcd7>] __queue_work+0x17/0x3f0
< ... regs ...>
Process kworker/0:1 (pid: 0, threadinfo
ffff88019def6000, task
ffff88019def4600)
Stack:
...
Call Trace:
call_timer_fn
run_timer_softirq
__do_softirq
call_softirq
do_softirq
irq_exit
smp_apic_timer_interrupt
apic_timer_interrupt
intel_idle
cpuidle_idle_call
cpu_idle
Code: ...
RIP __queue_work
RSP <...>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Borislav Petkov [Tue, 1 Dec 2015 14:52:36 +0000 (15:52 +0100)]
EDAC, mc_sysfs: Fix freeing bus' name
[ Upstream commit
12e26969b32c79018165d52caff3762135614aa1 ]
I get the splat below when modprobing/rmmoding EDAC drivers. It happens
because bus->name is invalid after bus_unregister() has run. The Code: section
below corresponds to:
.loc 1 1108 0
movq 672(%rbx), %rax # mci_1(D)->bus, mci_1(D)->bus
.loc 1 1109 0
popq %rbx #
.loc 1 1108 0
movq (%rax), %rdi # _7->name,
jmp kfree #
and %rax has some funky stuff
2030203020312030 which looks a lot like
something walked over it.
Fix that by saving the name ptr before doing stuff to string it points to.
general protection fault: 0000 [#1] SMP
Modules linked in: ...
CPU: 4 PID: 10318 Comm: modprobe Tainted: G I EN 3.12.51-11-default+ #48
Hardware name: HP ProLiant DL380 G7, BIOS P67 05/05/2011
task:
ffff880311320280 ti:
ffff88030da3e000 task.ti:
ffff88030da3e000
RIP: 0010:[<
ffffffffa019da92>] [<
ffffffffa019da92>] edac_unregister_sysfs+0x22/0x30 [edac_core]
RSP: 0018:
ffff88030da3fe28 EFLAGS:
00010292
RAX:
2030203020312030 RBX:
ffff880311b4e000 RCX:
000000000000095c
RDX:
0000000000000001 RSI:
ffff880327bb9600 RDI:
0000000000000286
RBP:
ffff880311b4e750 R08:
0000000000000000 R09:
ffffffff81296110
R10:
0000000000000400 R11:
0000000000000000 R12:
ffff88030ba1ac68
R13:
0000000000000001 R14:
00000000011b02f0 R15:
0000000000000000
FS:
00007fc9bf8f5700(0000) GS:
ffff8801a7c40000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
0000000000403c90 CR3:
000000019ebdf000 CR4:
00000000000007e0
Stack:
Call Trace:
i7core_unregister_mci.isra.9
i7core_remove
pci_device_remove
__device_release_driver
driver_detach
bus_remove_driver
pci_unregister_driver
i7core_exit
SyS_delete_module
system_call_fastpath
0x7fc9bf426536
Code: 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 53 48 89 fb e8 52 2a 1f e1 48 8b bb a0 02 00 00 e8 46 59 1f e1 48 8b 83 a0 02 00 00 5b <48> 8b 38 e9 26 9a fe e0 66 0f 1f 44 00 00 66 66 66 66 90 48 8b
RIP [<
ffffffffa019da92>] edac_unregister_sysfs+0x22/0x30 [edac_core]
RSP <
ffff88030da3fe28>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: <stable@vger.kernel.org> # v3.6..
Fixes:
7a623c039075 ("edac: rewrite the sysfs code to use struct device")
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Konstantin Khlebnikov [Mon, 16 Nov 2015 15:44:11 +0000 (18:44 +0300)]
ovl: check dentry positiveness in ovl_cleanup_whiteouts()
[ Upstream commit
84889d49335627bc770b32787c1ef9ebad1da232 ]
This patch fixes kernel crash at removing directory which contains
whiteouts from lower layers.
Cache of directory content passed as "list" contains entries from all
layers, including whiteouts from lower layers. So, lookup in upper dir
(moved into work at this stage) will return negative entry. Plus this
cache is filled long before and we can race with external removal.
Example:
mkdir -p lower0/dir lower1/dir upper work overlay
touch lower0/dir/a lower0/dir/b
mknod lower1/dir/a c 0 0
mount -t overlay none overlay -o lowerdir=lower1:lower0,upperdir=upper,workdir=work
rm -fr overlay/dir
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org> # 3.18+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Miklos Szeredi [Fri, 11 Dec 2015 15:30:49 +0000 (16:30 +0100)]
ovl: setattr: check permissions before copy-up
[ Upstream commit
cf9a6784f7c1b5ee2b9159a1246e327c331c5697 ]
Without this copy-up of a file can be forced, even without actually being
allowed to do anything on the file.
[Arnd Bergmann] include <linux/pagemap.h> for PAGE_CACHE_SIZE (used by
MAX_LFS_FILESIZE definition).
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Uri Mashiach [Thu, 10 Dec 2015 13:12:56 +0000 (15:12 +0200)]
wlcore/wl12xx: spi: fix oops on firmware load
[ Upstream commit
9b2761cb72dc41e1948c8a5512b4efd384eda130 ]
The maximum chunks used by the function is
(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
The original commands array had space for
(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
command is stored outside the bounds of the commands array.
Oops 5 (page fault) is generated during current wl1271 firmware load
attempt:
root@debian-armhf:~# ifconfig wlan0 up
[ 294.312399] Unable to handle kernel paging request at virtual address
00203fc4
[ 294.320173] pgd =
de528000
[ 294.323028] [
00203fc4] *pgd=
00000000
[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM
[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
hwmon
[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
4.2.0-00002-g3e9ad27-dirty #78
[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
[ 294.366557] task:
dc9d6d40 ti:
de550000 task.ti:
de550000
[ 294.372236] PC is at __spi_validate+0xa8/0x2ac
[ 294.376902] LR is at __spi_sync+0x78/0x210
[ 294.381200] pc : [<
c049c760>] lr : [<
c049ebe0>] psr:
60000013
[ 294.381200] sp :
de551998 ip :
de5519d8 fp :
00200000
[ 294.393242] r10:
de551c8c r9 :
de5519d8 r8 :
de3a9000
[ 294.398730] r7 :
de3a9258 r6 :
de3a9400 r5 :
de551a48 r4 :
00203fbc
[ 294.405577] r3 :
00000000 r2 :
00000000 r1 :
00000000 r0 :
de3a9000
[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
Segment user
[ 294.419918] Control:
10c5387d Table:
9e528019 DAC:
00000015
[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
[ 294.432437] Stack: (0xde551998 to 0xde552000)
...
[ 294.883613] [<
c049c760>] (__spi_validate) from [<
c049ebe0>]
(__spi_sync+0x78/0x210)
[ 294.891670] [<
c049ebe0>] (__spi_sync) from [<
bf036598>]
(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
[ 294.901661] [<
bf036598>] (wl12xx_spi_raw_write [wlcore_spi]) from
[<
bf21c694>] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
[ 294.914038] [<
bf21c694>] (wlcore_boot_upload_firmware [wlcore]) from
[<
bf24532c>] (wl12xx_boot+0xc10/0xfac [wl12xx])
[ 294.925161] [<
bf24532c>] (wl12xx_boot [wl12xx]) from [<
bf20d5cc>]
(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
[ 294.936364] [<
bf20d5cc>] (wl1271_op_add_interface [wlcore]) from
[<
bf15c4ac>] (ieee80211_do_open+0x44c/0xf7c [mac80211])
[ 294.947963] [<
bf15c4ac>] (ieee80211_do_open [mac80211]) from
[<
c0537978>] (__dev_open+0xa8/0x110)
[ 294.957307] [<
c0537978>] (__dev_open) from [<
c0537bf8>]
(__dev_change_flags+0x88/0x148)
[ 294.965713] [<
c0537bf8>] (__dev_change_flags) from [<
c0537cd0>]
(dev_change_flags+0x18/0x48)
[ 294.974576] [<
c0537cd0>] (dev_change_flags) from [<
c05a55a0>]
(devinet_ioctl+0x6b4/0x7d0)
[ 294.983191] [<
c05a55a0>] (devinet_ioctl) from [<
c0517040>]
(sock_ioctl+0x1e4/0x2bc)
[ 294.991244] [<
c0517040>] (sock_ioctl) from [<
c017d378>]
(do_vfs_ioctl+0x420/0x6b0)
[ 294.999208] [<
c017d378>] (do_vfs_ioctl) from [<
c017d674>]
(SyS_ioctl+0x6c/0x7c)
[ 295.006880] [<
c017d674>] (SyS_ioctl) from [<
c000f4c0>]
(ret_fast_syscall+0x0/0x54)
[ 295.014835] Code:
e1550004 e2444034 0a00007d e5953018 (
e5942008)
[ 295.021544] ---[ end trace
66ed188198f4e24e ]---
Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
Acked-by: Igor Grinberg <grinberg@compulab.co.il>
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Peter Wu [Mon, 7 Dec 2015 00:07:31 +0000 (01:07 +0100)]
rtlwifi: fix memory leak for USB device
[ Upstream commit
17bc55864f81dd730d05f09b1641312a7990d636 ]
Free skb for received frames with a wrong checksum. This can happen
pretty rapidly, exhausting all memory.
This fixes a memleak (detected with kmemleak). Originally found while
using monitor mode, but it also appears during managed mode (once the
link is up).
Cc: stable@vger.kernel.org
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Ville Syrjälä [Thu, 3 Dec 2015 21:14:09 +0000 (23:14 +0200)]
drm: Don't overwrite UNVERFIED mode status to OK
[ Upstream commit
be8719a610003297c28b140f1ebd4445aef1d613 ]
The way the mode probing works is this:
1. All modes currently on the mode list are marked as UNVERIFIED
2. New modes are on the probed_modes list (they start with
status OK)
3. Modes are moved from the probed_modes list to the actual
mode list. If a mode already on the mode list is deemed
to match one of the probed modes, the duplicate is dropped
and the mode status updated to OK. After this the
probed_modes list will be empty.
4. All modes on the mode list are verified to not violate any
constraints. Any that do are marked as such.
5. Any mode left with a non-OK status is pruned from the list,
with an appropriate debug message.
What all this means is that any mode on the original list that
didn't have a duplicate on the probed_modes list, should be left
with status UNVERFIED (or previously could have been left with
some other status, but never OK).
I broke that in
commit
05acaec334fc ("drm: Reorganize probed mode validation")
by always assigning something to the mode->status during the validation
step. So any mode from the old list that still passed the validation
would be left on the list with status OK in the end.
Fix this by not doing the basic mode validation unless the mode
already has status OK (meaning it came from the probed_modes list,
or at least a duplicate of it was on that list). This way we will
correctly prune away any mode from the old mode list that didn't
appear on the probed_modes list.
Cc: stable@vger.kernel.org
Cc: Adam Jackson <ajax@redhat.com>
Fixes:
05acaec334fc ("drm: Reorganize probed mode validation")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1449177255-9515-2-git-send-email-ville.syrjala@linux.intel.com
Testcase: igt/kms_force_connector_basic/prune-stale-modes
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93332
[danvet: Also applying to drm-misc to avoid too much conflict hell -
there's a big pile of patches from Ville on top of this one.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Dmitry Tunin [Sat, 5 Dec 2015 11:09:36 +0000 (14:09 +0300)]
Bluetooth: Add support of Toshiba Broadcom based devices
[ Upstream commit
1623d0bf847d3b38d8cf24367b3689ba0e3fe2aa ]
BugLink: https://bugs.launchpad.net/bugs/1522949
T: Bus=03 Lev=02 Prnt=02 Port=05 Cnt=02 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0930 ProdID=0225 Rev=01.12
S: Manufacturer=Broadcom Corp
S: Product=BCM43142A0
S: SerialNumber=
4CBB58034671
C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Miklos Szeredi [Wed, 9 Dec 2015 15:11:59 +0000 (16:11 +0100)]
ovl: root: copy attr
[ Upstream commit
ed06e069775ad9236087594a1c1667367e983fb5 ]
We copy i_uid and i_gid of underlying inode into overlayfs inode. Except
for the root inode.
Fix this omission.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Thomas Huth [Fri, 20 Nov 2015 08:11:45 +0000 (09:11 +0100)]
KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
[ Upstream commit
760a7364f27d974d100118d88190e574626e18a6 ]
In the old DABR register, the BT (Breakpoint Translation) bit
is bit number 61. In the new DAWRX register, the WT (Watchpoint
Translation) bit is bit number 59. So to move the DABR-BT bit
into the position of the DAWRX-WT bit, it has to be shifted by
two, not only by one. This fixes hardware watchpoints in gdb of
older guests that only use the H_SET_DABR/X interface instead
of the new H_SET_MODE interface.
Cc: stable@vger.kernel.org # v3.14+
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
David Gibson [Mon, 30 Nov 2015 01:30:30 +0000 (12:30 +1100)]
time: Avoid signed overflow in timekeeping_get_ns()
[ Upstream commit
35a4933a895927990772ae96fdcfd2f806929ee2 ]
1e75fa8 "time: Condense timekeeper.xtime into xtime_sec" replaced a call to
clocksource_cyc2ns() from timekeeping_get_ns() with an open-coded version
of the same logic to avoid keeping a semi-redundant struct timespec
in struct timekeeper.
However, the commit also introduced a subtle semantic change - where
clocksource_cyc2ns() uses purely unsigned math, the new version introduces
a signed temporary, meaning that if (delta * tk->mult) has a 63-bit
overflow the following shift will still give a negative result. The
choice of 'maxsec' in __clocksource_updatefreq_scale() means this will
generally happen if there's a ~10 minute pause in examining the
clocksource.
This can be triggered on a powerpc KVM guest by stopping it from qemu for
a bit over 10 minutes. After resuming time has jumped backwards several
minutes causing numerous problems (jiffies does not advance, msleep()s can
be extended by minutes..). It doesn't happen on x86 KVM guests, because
the guest TSC is effectively frozen while the guest is stopped, which is
not the case for the powerpc timebase.
Obviously an unsigned (64 bit) overflow will only take twice as long as a
signed, 63-bit overflow. I don't know the time code well enough to know
if that will still cause incorrect calculations, or if a 64-bit overflow
is avoided elsewhere.
Still, an incorrect forwards clock adjustment will cause less trouble than
time going backwards. So, this patch removes the potential for
intermediate signed overflow.
Cc: stable@vger.kernel.org (3.7+)
Suggested-by: Laurent Vivier <lvivier@redhat.com>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Thomas Petazzoni [Fri, 4 Dec 2015 13:29:02 +0000 (14:29 +0100)]
ARM: mvebu: remove duplicated regulator definition in Armada 388 GP
[ Upstream commit
079ae0c121fd23287f4ad2be9e9f8a13f63cae73 ]
The Armada 388 GP Device Tree file describes two times a regulator
named 'reg_usb2_1_vbus', with the exact same description. This has
been wrong since Armada 388 GP support was introduced.
Fixes:
928413bd859c0 ("ARM: mvebu: Add Armada 388 General Purpose Development Board support")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: <stable@vger.kernel.org> # v4.0+
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Alex Deucher [Tue, 24 Nov 2015 19:32:44 +0000 (14:32 -0500)]
drm/radeon: call hpd_irq_event on resume
[ Upstream commit
dbb17a21c131eca94eb31136eee9a7fe5aff00d9 ]
Need to call this on resume if displays changes during
suspend in order to properly be notified of changes.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Steven Rostedt [Mon, 16 Nov 2015 22:25:16 +0000 (17:25 -0500)]
tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
[ Upstream commit
32abc2ede536aae52978d6c0a8944eb1df14f460 ]
When a long value is read on 32 bit machines for 64 bit output, the
parsing needs to change "%lu" into "%llu", as the value is read
natively.
Unfortunately, if "%llu" is already there, the code will add another "l"
to it and fail to parse it properly.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20151116172516.4b79b109@gandalf.local.home
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Malcolm Priestley [Mon, 31 Aug 2015 09:13:45 +0000 (06:13 -0300)]
[media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
[ Upstream commit
c9d57de6103e343f2d4e04ea8d9e417e10a24da7 ]
When in FE_TUNE_MODE_ONESHOT the frontend must report
the actual capabilities so user can take appropriate
action.
With frontends that can't do auto inversion this is done
by dvb-core automatically so CAN_INVERSION_AUTO is valid.
However, when in FE_TUNE_MODE_ONESHOT this is not true.
So only set FE_CAN_INVERSION_AUTO in modes other than
FE_TUNE_MODE_ONESHOT
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Antonio Ospite [Fri, 2 Oct 2015 20:33:13 +0000 (17:33 -0300)]
[media] gspca: ov534/topro: prevent a division by 0
[ Upstream commit
dcc7fdbec53a960588f2c40232db2c6466c09917 ]
v4l2-compliance sends a zeroed struct v4l2_streamparm in
v4l2-test-formats.cpp::testParmType(), and this results in a division by
0 in some gspca subdrivers:
divide error: 0000 [#1] SMP
Modules linked in: gspca_ov534 gspca_main ...
CPU: 0 PID: 17201 Comm: v4l2-compliance Not tainted 4.3.0-rc2-ao2 #1
Hardware name: System manufacturer System Product Name/M2N-E SLI, BIOS
ASUS M2N-E SLI ACPI BIOS Revision 1301 09/16/2010
task:
ffff8800818306c0 ti:
ffff880095c4c000 task.ti:
ffff880095c4c000
RIP: 0010:[<
ffffffffa079bd62>] [<
ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
RSP: 0018:
ffff880095c4fce8 EFLAGS:
00010296
RAX:
0000000000000000 RBX:
ffff8800c9522000 RCX:
ffffffffa077a140
RDX:
0000000000000000 RSI:
ffff880095e0c100 RDI:
ffff8800c9522000
RBP:
ffff880095e0c100 R08:
ffffffffa077a100 R09:
00000000000000cc
R10:
ffff880067ec7740 R11:
0000000000000016 R12:
ffffffffa07bb400
R13:
0000000000000000 R14:
ffff880081b6a800 R15:
0000000000000000
FS:
00007fda0de78740(0000) GS:
ffff88012fc00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00000000014630f8 CR3:
00000000cf349000 CR4:
00000000000006f0
Stack:
ffffffffa07a6431 ffff8800c9522000 ffffffffa077656e 00000000c0cc5616
ffff8800c9522000 ffffffffa07a5e20 ffff880095e0c100 0000000000000000
ffff880067ec7740 ffffffffa077a140 ffff880067ec7740 0000000000000016
Call Trace:
[<
ffffffffa07a6431>] ? v4l_s_parm+0x21/0x50 [videodev]
[<
ffffffffa077656e>] ? vidioc_s_parm+0x4e/0x60 [gspca_main]
[<
ffffffffa07a5e20>] ? __video_do_ioctl+0x280/0x2f0 [videodev]
[<
ffffffffa07a5ba0>] ? video_ioctl2+0x20/0x20 [videodev]
[<
ffffffffa07a59b9>] ? video_usercopy+0x319/0x4e0 [videodev]
[<
ffffffff81182dc1>] ? page_add_new_anon_rmap+0x71/0xa0
[<
ffffffff811afb92>] ? mem_cgroup_commit_charge+0x52/0x90
[<
ffffffff81179b18>] ? handle_mm_fault+0xc18/0x1680
[<
ffffffffa07a15cc>] ? v4l2_ioctl+0xac/0xd0 [videodev]
[<
ffffffff811c846f>] ? do_vfs_ioctl+0x28f/0x480
[<
ffffffff811c86d4>] ? SyS_ioctl+0x74/0x80
[<
ffffffff8154a8b6>] ? entry_SYSCALL_64_fastpath+0x16/0x75
Code: c7 93 d9 79 a0 5b 5d e9 f1 f3 9a e0 0f 1f 00 66 2e 0f 1f 84 00
00 00 00 00 66 66 66 66 90 53 31 d2 48 89 fb 48 83 ec 08 8b 46 10 <f7>
76 0c 80 bf ac 0c 00 00 00 88 87 4e 0e 00 00 74 09 80 bf 4f
RIP [<
ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
RSP <
ffff880095c4fce8>
---[ end trace
279710c2c6c72080 ]---
Following what the doc says about a zeroed timeperframe (see
http://www.linuxtv.org/downloads/v4l-dvb-apis/vidioc-g-parm.html):
...
To reset manually applications can just set this field to zero.
fix the issue by resetting the frame rate to a default value in case of
an unusable timeperframe.
The fix is done in the subdrivers instead of gspca.c because only the
subdrivers have notion of a default frame rate to reset the camera to.
Signed-off-by: Antonio Ospite <ao2@ao2.it>
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Sasha Levin [Mon, 1 Feb 2016 16:27:06 +0000 (11:27 -0500)]
[media] vb2: fix a regression in poll() behavior for output,streams
[ Upstream commit
4623e5967448444a4ea1e77beb58898c4af48693 ]
In the 3.17 kernel the poll() behavior changed for output streams:
as long as not all buffers were queued up poll() would return that
userspace can write. This is fine for the write() call, but when
using stream I/O this changed the behavior since the expectation
was that it would wait for buffers to become available for dequeuing.
This patch only enables the check whether you can queue buffers
for file I/O only, and skips it for stream I/O.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: <stable@vger.kernel.org> # for v3.17 and up
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Vito Caputo [Sat, 24 Oct 2015 12:19:46 +0000 (07:19 -0500)]
ovl: use a minimal buffer in ovl_copy_xattr
[ Upstream commit
e4ad29fa0d224d05e08b2858e65f112fd8edd4fe ]
Rather than always allocating the high-order XATTR_SIZE_MAX buffer
which is costly and prone to failure, only allocate what is needed and
realloc if necessary.
Fixes https://github.com/coreos/bugs/issues/489
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Miklos Szeredi [Tue, 10 Nov 2015 16:08:41 +0000 (17:08 +0100)]
ovl: allow zero size xattr
[ Upstream commit
97daf8b97ad6f913a34c82515be64dc9ac08d63e ]
When ovl_copy_xattr() encountered a zero size xattr no more xattrs were
copied and the function returned success. This is clearly not the desired
behavior.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Greg Kroah-Hartman [Sun, 31 Jan 2016 19:23:48 +0000 (11:23 -0800)]
Linux 4.1.17
libin [Tue, 3 Nov 2015 00:58:47 +0000 (08:58 +0800)]
recordmcount: Fix endianness handling bug for nop_mcount
commit
c84da8b9ad3761eef43811181c7e896e9834b26b upstream.
In nop_mcount, shdr->sh_offset and welp->r_offset should handle
endianness properly, otherwise it will trigger Segmentation fault
if the recordmcount main and file.o have different endianness.
Link: http://lkml.kernel.org/r/563806C7.7070606@huawei.com
Signed-off-by: Li Bin <huawei.libin@huawei.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yang Shi [Wed, 18 Nov 2015 18:48:55 +0000 (10:48 -0800)]
arm64: restore bogomips information in /proc/cpuinfo
commit
92e788b749862ebe9920360513a718e5dd4da7a9 upstream.
As previously reported, some userspace applications depend on bogomips
showed by /proc/cpuinfo. Although there is much less legacy impact on
aarch64 than arm, it does break libvirt.
This patch reverts commit
326b16db9f69 ("arm64: delay: don't bother
reporting bogomips in /proc/cpuinfo"), but with some tweak due to
context change and without the pr_info().
Fixes:
326b16db9f69 ("arm64: delay: don't bother reporting bogomips in /proc/cpuinfo")
Signed-off-by: Yang Shi <yang.shi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org> # 3.12+
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Guenter Roeck [Sat, 28 Nov 2015 16:52:04 +0000 (08:52 -0800)]
mn10300: Select CONFIG_HAVE_UID16 to fix build failure
commit
c86576ea114a9a881cf7328dc7181052070ca311 upstream.
mn10300 builds fail with
fs/stat.c: In function 'cp_old_stat':
fs/stat.c:163:2: error: 'old_uid_t' undeclared
ipc/util.c: In function 'ipc64_perm_to_ipc_perm':
ipc/util.c:540:2: error: 'old_uid_t' undeclared
Select CONFIG_HAVE_UID16 and remove local definition of CONFIG_UID16
to fix the problem.
Fixes:
fbc416ff8618 ("arm64: fix building without CONFIG_UID16")
Cc: Arnd Bergmann <arnd@arndb.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
projects / platform / kernel / linux-exynos.git / log