1. 26 Mar, 2015 40 commits
    • Patrick McHardy's avatar
      netfilter: nf_tables: fix transaction race condition · 0a12e44c
      Patrick McHardy authored
      commit 8670c3a5 upstream.
      
      A race condition exists in the rule transaction code for rules that
      get added and removed within the same transaction.
      
      The new rule starts out as inactive in the current and active in the
      next generation and is inserted into the ruleset. When it is deleted,
      it is additionally set to inactive in the next generation as well.
      
      On commit the next generation is begun, then the actions are finalized.
      For the new rule this would mean clearing out the inactive bit for
      the previously current, now next generation.
      
      However nft_rule_clear() clears out the bits for *both* generations,
      activating the rule in the current generation, where it should be
      deactivated due to being deleted. The rule will thus be active until
      the deletion is finalized, removing the rule from the ruleset.
      
      Similarly, when aborting a transaction for the same case, the undo
      of insertion will remove it from the RCU protected rule list, the
      deletion will clear out all bits. However until the next RCU
      synchronization after all operations have been undone, the rule is
      active on CPUs which can still see the rule on the list.
      
      Generally, there may never be any modifications of the current
      generations' inactive bit since this defeats the entire purpose of
      atomicity. Change nft_rule_clear() to only touch the next generations
      bit to fix this.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a12e44c
    • Eric Dumazet's avatar
      netfilter: xt_socket: fix a stack corruption bug · 680f3aca
      Eric Dumazet authored
      commit 78296c97 upstream.
      
      As soon as extract_icmp6_fields() returns, its local storage (automatic
      variables) is deallocated and can be overwritten.
      
      Lets add an additional parameter to make sure storage is valid long
      enough.
      
      While we are at it, adds some const qualifiers.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Fixes: b64c9256 ("tproxy: added IPv6 support to the socket match")
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      680f3aca
    • Pablo Neira Ayuso's avatar
      netfilter: nft_compat: fix module refcount underflow · 29d2b670
      Pablo Neira Ayuso authored
      commit 520aa741 upstream.
      
      Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------
      Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba()
      Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G        W      3.19.0-rc6+ #43
      [...]
      Feb 12 18:20:42 nfdev kernel: Call Trace:
      Feb 12 18:20:42 nfdev kernel: [<ffffffff815fd911>] dump_stack+0x4c/0x65
      Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e6f7>] warn_slowpath_common+0x9c/0xb6
      Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] ? module_put+0x9b/0xba
      Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e726>] warn_slowpath_null+0x15/0x17
      Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] module_put+0x9b/0xba
      Feb 12 18:20:42 nfdev kernel: [<ffffffff813ecf7c>] nft_match_destroy+0x45/0x4c
      Feb 12 18:20:42 nfdev kernel: [<ffffffff813e683f>] nf_tables_rule_destroy+0x28/0x70
      Reported-by: default avatarArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: default avatarArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29d2b670
    • Alexey Andriyanov's avatar
      ipvs: fix inability to remove a mixed-family RS · 2a4e9ebd
      Alexey Andriyanov authored
      commit dd3733b3 upstream.
      
      The current code prevents any operation with a mixed-family dest
      unless IP_VS_CONN_F_TUNNEL flag is set. The problem is that it's impossible
      for the client to follow this rule, because ip_vs_genl_parse_dest does
      not even read the destination conn_flags when cmd = IPVS_CMD_DEL_DEST
      (need_full_dest = 0).
      
      Also, not every client can pass this flag when removing a dest. ipvsadm,
      for example, does not support the "-i" command line option together with
      the "-d" option.
      
      This change disables any checks for mixed-family on IPVS_CMD_DEL_DEST command.
      Signed-off-by: default avatarAlexey Andriyanov <alan@al-an.info>
      Fixes: bc18d37f ("ipvs: Allow heterogeneous pools now that we support them")
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a4e9ebd
    • Julian Anastasov's avatar
      ipvs: add missing ip_vs_pe_put in sync code · 126f113c
      Julian Anastasov authored
      commit 528c943f upstream.
      
      ip_vs_conn_fill_param_sync() gets in param.pe a module
      reference for persistence engine from __ip_vs_pe_getbyname()
      but forgets to put it. Problem occurs in backup for
      sync protocol v1 (2.6.39).
      
      Also, pe_data usually comes in sync messages for
      connection templates and ip_vs_conn_new() copies
      the pointer only in this case. Make sure pe_data
      is not leaked if it comes unexpectedly for normal
      connections. Leak can happen only if bogus messages
      are sent to backup server.
      
      Fixes: fe5e7a1e ("IPVS: Backup, Adding Version 1 receive capability")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      126f113c
    • Nishanth Aravamudan's avatar
      powerpc/iommu: Remove IOMMU device references via bus notifier · c011268d
      Nishanth Aravamudan authored
      commit 4ad04e59 upstream.
      
      After d905c5df ("PPC: POWERNV: move iommu_add_device earlier"), the
      refcnt on the kobject backing the IOMMU group for a PCI device is
      elevated by each call to pci_dma_dev_setup_pSeriesLP() (via
      set_iommu_table_base_and_group). When we go to dlpar a multi-function
      PCI device out:
      
              iommu_reconfig_notifier ->
                      iommu_free_table ->
                              iommu_group_put
                              BUG_ON(tbl->it_group)
      
      We trip this BUG_ON, because there are still references on the table, so
      it is not freed. Fix this by moving the powernv bus notifier to common
      code and calling it for both powernv and pseries.
      
      Fixes: d905c5df ("PPC: POWERNV: move iommu_add_device earlier")
      Signed-off-by: default avatarNishanth Aravamudan <nacc@linux.vnet.ibm.com>
      Tested-by: default avatarNishanth Aravamudan <nacc@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c011268d
    • Michael Ellerman's avatar
      powerpc/smp: Wait until secondaries are active & online · 915b529c
      Michael Ellerman authored
      commit 875ebe94 upstream.
      
      Anton has a busy ppc64le KVM box where guests sometimes hit the infamous
      "kernel BUG at kernel/smpboot.c:134!" issue during boot:
      
        BUG_ON(td->cpu != smp_processor_id());
      
      Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops
      output confirms it:
      
        CPU: 0
        Comm: watchdog/130
      
      The problem is that we aren't ensuring the CPU active bit is set for the
      secondary before allowing the master to continue on. The master unparks
      the secondary CPU's kthreads and the scheduler looks for a CPU to run
      on. It calls select_task_rq() and realises the suggested CPU is not in
      the cpus_allowed mask. It then ends up in select_fallback_rq(), and
      since the active bit isnt't set we choose some other CPU to run on.
      
      This seems to have been introduced by 6acbfb96 "sched: Fix hotplug
      vs. set_cpus_allowed_ptr()", which changed from setting active before
      online to setting active after online. However that was in turn fixing a
      bug where other code assumed an active CPU was also online, so we can't
      just revert that fix.
      
      The simplest fix is just to spin waiting for both active & online to be
      set. We already have a barrier prior to set_cpu_online() (which also
      sets active), to ensure all other setup is completed before online &
      active are set.
      
      Fixes: 6acbfb96 ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      915b529c
    • Daniel J Blueman's avatar
      x86/apic/numachip: Fix sibling map with NumaChip · b93ee036
      Daniel J Blueman authored
      commit c8a470ca upstream.
      
      On NumaChip systems, the physical processor ID assignment wasn't
      accounting for the number of nodes in AMD multi-module
      processors, giving an incorrect sibling map:
      
        $ cd /sys/devices/system/cpu/cpu29/topology
        $ grep . *
        core_id:5
        core_siblings:00000000,ff000000
        core_siblings_list:24-31
        physical_package_id:3
        thread_siblings:00000000,30000000
        thread_siblings_list:28-29
      
      This fixes it:
      
        $ cd /sys/devices/system/cpu/cpu29/topology
        $ grep . *
        core_id:5
        core_siblings:00000000,ffff0000
        core_siblings_list:16-31
        physical_package_id:1
        thread_siblings:00000000,30000000
        thread_siblings_list:28-29
      Signed-off-by: default avatarDaniel J Blueman <daniel@numascale.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Steffen Persvold <sp@numascale.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1426135950-10110-1-git-send-email-daniel@numascale.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b93ee036
    • Andy Lutomirski's avatar
      x86/asm/entry/32: Fix user_mode() misuses · b8a148e2
      Andy Lutomirski authored
      commit 394838c9 upstream.
      
      The one in do_debug() is probably harmless, but better safe than sorry.
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/d67deaa9df5458363623001f252d1aee3215d014.1425948056.git.luto@amacapital.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b8a148e2
    • Jiri Slaby's avatar
      x86/vdso: Fix the build on GCC5 · 427c08dc
      Jiri Slaby authored
      commit e8932869 upstream.
      
      On gcc5 the kernel does not link:
      
        ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.
      
      Because prior GCC versions always emitted NOPs on ALIGN directives, but
      gcc5 started omitting them.
      
      .LSTARTFDEDLSI1 says:
      
              /* HACK: The dwarf2 unwind routines will subtract 1 from the
                 return address to get an address in the middle of the
                 presumed call instruction.  Since we didn't get here via
                 a call, we need to include the nop before the real start
                 to make up for it.  */
              .long .LSTART_sigreturn-1-.     /* PC-relative start address */
      
      But commit 69d0627a ("x86 vDSO: reorder vdso32 code") from 2.6.25
      replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
      __kernel_sigreturn.
      
      Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
      vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".
      
      So fix this by adding to that point at least a single NOP and make the
      function ALIGN possibly with more NOPs then.
      
      Kudos for reporting and diagnosing should go to Richard.
      Reported-by: default avatarRichard Biener <rguenther@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.czSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      427c08dc
    • Paolo Bonzini's avatar
      kvm: move advertising of KVM_CAP_IRQFD to common code · 506be1c1
      Paolo Bonzini authored
      commit dc9be0fa upstream.
      
      POWER supports irqfds but forgot to advertise them.  Some userspace does
      not check for the capability, but others check it---thus they work on
      x86 and s390 but not POWER.
      
      To avoid that other architectures in the future make the same mistake, let
      common code handle KVM_CAP_IRQFD the same way as KVM_CAP_IRQFD_RESAMPLE.
      Reported-and-tested-by: default avatarGreg Kurz <gkurz@linux.vnet.ibm.com>
      Fixes: 297e2105Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      506be1c1
    • Oleg Nesterov's avatar
      x86/fpu: Drop_fpu() should not assume that tsk equals current · 4acde8bf
      Oleg Nesterov authored
      commit f4c36863 upstream.
      
      drop_fpu() does clear_used_math() and usually this is correct
      because tsk == current.
      
      However switch_fpu_finish()->restore_fpu_checking() is called before
      __switch_to() updates the "current_task" variable. If it fails,
      we will wrongly clear the PF_USED_MATH flag of the previous task.
      
      So use clear_stopped_child_used_math() instead.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4acde8bf
    • Oleg Nesterov's avatar
      x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() · 4e412065
      Oleg Nesterov authored
      commit a7c80ebc upstream.
      
      math_state_restore() assumes it is called with irqs disabled,
      but this is not true if the caller is __restore_xstate_sig().
      
      This means that if ia32_fxstate == T and __copy_from_user()
      fails, __restore_xstate_sig() returns with irqs disabled too.
      
      This triggers:
      
        BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
         dump_stack
         ___might_sleep
         ? _raw_spin_unlock_irqrestore
         __might_sleep
         down_read
         ? _raw_spin_unlock_irqrestore
         print_vma_addr
         signal_fault
         sys32_rt_sigreturn
      
      Change __restore_xstate_sig() to call set_used_math()
      unconditionally. This avoids enabling and disabling interrupts
      in math_state_restore(). If copy_from_user() fails, we can
      simply do fpu_finit() by hand.
      
      [ Note: this is only the first step. math_state_restore() should
              not check used_math(), it should set this flag. While
      	init_fpu() should simply die. ]
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e412065
    • Stephan Mueller's avatar
      crypto: aesni - fix memory usage in GCM decryption · b90935f1
      Stephan Mueller authored
      commit ccfe8c3f upstream.
      
      The kernel crypto API logic requires the caller to provide the
      length of (ciphertext || authentication tag) as cryptlen for the
      AEAD decryption operation. Thus, the cipher implementation must
      calculate the size of the plaintext output itself and cannot simply use
      cryptlen.
      
      The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
      in req->dst. As the destination buffer for decryption only needs to hold
      the plaintext memory but cryptlen references the input buffer holding
      (ciphertext || authentication tag), the assumption of the destination
      buffer length in RFC4106 GCM operation leads to a too large size. This
      patch simply uses the already calculated plaintext size.
      
      In addition, this patch fixes the offset calculation of the AAD buffer
      pointer: as mentioned before, cryptlen already includes the size of the
      tag. Thus, the tag does not need to be added. With the addition, the AAD
      will be written beyond the already allocated buffer.
      
      Note, this fixes a kernel crash that can be triggered from user space
      via AF_ALG(aead) -- simply use the libkcapi test application
      from [1] and update it to use rfc4106-gcm-aes.
      
      Using [1], the changes were tested using CAVS vectors to demonstrate
      that the crypto operation still delivers the right results.
      
      [1] http://www.chronox.de/libkcapi.html
      
      CC: Tadeusz Struk <tadeusz.struk@intel.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b90935f1
    • Ard Biesheuvel's avatar
      crypto: arm/aes update NEON AES module to latest OpenSSL version · 637d00ad
      Ard Biesheuvel authored
      commit 001eabfd upstream.
      
      This updates the bit sliced AES module to the latest version in the
      upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a
      bug in the XTS decryption path, where data chunked in a certain way
      could trigger the ciphertext stealing code, which is not supposed to
      be active in the kernel build (The kernel implementation of XTS only
      supports round multiples of the AES block size of 16 bytes, whereas
      the conformant OpenSSL implementation of XTS supports inputs of
      arbitrary size by applying ciphertext stealing). This is fixed in
      the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK
      around the offending instructions.
      
      The upstream code also contains the change applied by Russell to
      build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7,
      but implemented slightly differently.
      
      Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions")
      Reported-by: default avatarAdrian Kotelba <adrian.kotelba@gmail.com>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: default avatarMilan Broz <gmazyland@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      637d00ad
    • Kirill A. Shutemov's avatar
      pagemap: do not leak physical addresses to non-privileged userspace · e3b6833d
      Kirill A. Shutemov authored
      commit ab676b7d upstream.
      
      As pointed by recent post[1] on exploiting DRAM physical imperfection,
      /proc/PID/pagemap exposes sensitive information which can be used to do
      attacks.
      
      This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
      
      [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
      
      [ Eventually we might want to do anything more finegrained, but for now
        this is the simple model.   - Linus ]
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Mark Seaborn <mseaborn@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3b6833d
    • Maxime Ripard's avatar
      irqchip: armada-370-xp: Fix chained per-cpu interrupts · 940f85f8
      Maxime Ripard authored
      commit 5724be84 upstream.
      
      On the Cortex-A9-based Armada SoCs, the MPIC is not the primary interrupt
      controller. Yet, it still has to handle some per-cpu interrupt.
      
      To do so, it is chained with the GIC using a per-cpu interrupt. However, the
      current code only call irq_set_chained_handler, which is called and enable that
      interrupt only on the boot CPU, which means that the parent per-CPU interrupt
      is never unmasked on the secondary CPUs, preventing the per-CPU interrupt to
      actually work as expected.
      
      This was not seen until now since the only MPIC PPI users were the Marvell
      timers that were not working, but not used either since the system use the ARM
      TWD by default, and the ethernet controllers, that are faking there interrupts
      as SPI, and don't really expect to have interrupts on the secondary cores
      anyway.
      
      Add a CPU notifier that will enable the PPI on the secondary cores when they
      are brought up.
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Acked-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Link: https://lkml.kernel.org/r/1425378443-28822-1-git-send-email-maxime.ripard@free-electrons.comSigned-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      940f85f8
    • Sasha Levin's avatar
      PCI: Don't read past the end of sysfs "driver_override" buffer · 58815a80
      Sasha Levin authored
      commit 4efe874a upstream.
      
      When printing the driver_override parameter when it is 4095 and 4094 bytes
      long, the printing code would access invalid memory because we need count+1
      bytes for printing.
      
      Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override")
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      CC: Alexander Graf <agraf@suse.de>
      CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58815a80
    • James Bottomley's avatar
      libsas: Fix Kernel Crash in smp_execute_task · 9db7ae21
      James Bottomley authored
      commit 6302ce4d upstream.
      
      This crash was reported:
      
      [  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
      [  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804098] PGD 0
      [  368.804114] Oops: 0002 [#1] SMP
      [  368.804143] CPU 1
      [  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
      [  368.804749]
      [  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
      [  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
      [  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
      [  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
      [  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
      [  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
      [  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
      [  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
      [  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
      [  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
      [  368.805009] Stack:
      [  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
      [  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
      [  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
      [  368.805135] Call Trace:
      [  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
      [  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
      [  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
      [  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
      [  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
      [  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
      [  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
      [  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
      [  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
      [  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
      [  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
      [  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
      [  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
      [  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
      [  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
      [  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
      [  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
      [  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.805877]  RSP <ffff880117001cc0>
      [  368.805886] CR2: 0000000000000000
      [  368.805899] ---[ end trace b720682065d8f4cc ]---
      
      It's directly caused by 89d3cf6a [SCSI] libsas: add mutex for SMP task
      execution, but shows a deeper cause: expander functions expect to be able to
      cast to and treat domain devices as expanders.  The correct fix is to only do
      expander discover when we know we've got an expander device to avoid wrongly
      casting a non-expander device.
      Reported-by: default avatarPraveen Murali <pmurali@logicube.com>
      Tested-by: default avatarPraveen Murali <pmurali@logicube.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9db7ae21
    • Al Viro's avatar
      gadgetfs: use-after-free in ->aio_read() · c0af7a7b
      Al Viro authored
      commit f01d35a1 upstream.
      
      AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
      we are going to access it asynchronously, we'd better get ourselves
      a copy - the one on kernel stack of aio_run_iocb() won't be there
      anymore.  function/f_fs.c take care of doing that, legacy/inode.c
      doesn't...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0af7a7b
    • Brian Norris's avatar
      of: handle both '/' and ':' in path strings · 5f83b8d7
      Brian Norris authored
      commit 721a09e9 upstream.
      
      Commit 106937e8 ("of: fix handling of '/' in options for
      of_find_node_by_path()") caused a regression in OF handling of
      stdout-path. While it fixes some cases which have '/' after the ':', it
      breaks cases where there is more than one '/' *before* the ':'.
      
      For example, it breaks this boot string
      
        stdout-path = "/rdb/serial@f040ab00:115200";
      
      So rather than doing sequentialized checks (first for '/', then for ':';
      or vice versa), to get the correct behavior we need to check for the
      first occurrence of either one of them.
      
      It so happens that the handy strcspn() helper can do just that.
      
      Fixes: 106937e8 ("of: fix handling of '/' in options for of_find_node_by_path()")
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Acked-by: default avatarLeif Lindholm <leif.lindholm@linaro.org>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f83b8d7
    • Leif Lindholm's avatar
      of: fix handling of '/' in options for of_find_node_by_path() · 8b78939b
      Leif Lindholm authored
      commit 106937e8 upstream.
      
      Ensure proper handling of paths with appended options (after ':'),
      where those options may contain a '/'.
      
      Fixes: 7914a7c5 ("of: support passing console options with stdout-path")
      Reported-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarLeif Lindholm <leif.lindholm@linaro.org>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b78939b
    • Jan Beulich's avatar
      xen-pciback: limit guest control of command register · 0cb2cf30
      Jan Beulich authored
      commit af6fc858 upstream.
      
      Otherwise the guest can abuse that control to cause e.g. PCIe
      Unsupported Request responses by disabling memory and/or I/O decoding
      and subsequently causing (CPU side) accesses to the respective address
      ranges, which (depending on system configuration) may be fatal to the
      host.
      
      Note that to alter any of the bits collected together as
      PCI_COMMAND_GUEST permissive mode is now required to be enabled
      globally or on the specific device.
      
      This is CVE-2015-2150 / XSA-120.
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cb2cf30
    • Juergen Gross's avatar
      x86/xen: correct bug in p2m list initialization · 3d60a2bc
      Juergen Gross authored
      commit b8f05c88 upstream.
      
      Commit 054954eb ("xen: switch to
      linear virtual mapped sparse p2m list") introduced an error.
      
      During initialization of the p2m list a p2m identity area mapped by
      a complete identity pmd entry has to be split up into smaller chunks
      sometimes, if a non-identity pfn is introduced in this area.
      
      If this non-identity pfn is not at index 0 of a p2m page the new
      p2m page needed is initialized with wrong identity entries, as the
      identity pfns don't start with the value corresponding to index 0,
      but with the initial non-identity pfn. This results in weird wrong
      mappings.
      
      Correct the wrong initialization by starting with the correct pfn.
      Reported-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Tested-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d60a2bc
    • Juergen Gross's avatar
      xen/events: avoid NULL pointer dereference in dom0 on large machines · 952b4fea
      Juergen Gross authored
      commit 85e40b05 upstream.
      
      Using the pvops kernel a NULL pointer dereference was detected on a
      large machine (144 processors) when booting as dom0 in
      evtchn_fifo_unmask() during assignment of a pirq.
      
      The event channel in question was the first to need a new entry in
      event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup()
      is called with evtchn being 0 for a new pirq and the real event channel
      number is assigned to the pirq only during __startup_pirq().
      
      It is mandatory to call xen_evtchn_port_setup() after assigning the
      event channel number to the pirq to make sure all memory needed for the
      event channel is allocated.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      952b4fea
    • Javier Martinez Canillas's avatar
      drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data · 79435180
      Javier Martinez Canillas authored
      commit 8792f777 upstream.
      
      Commit df9e26d0 ("rtc: s3c: add support for RTC of Exynos3250 SoC")
      added an "rtc_src" DT property to specify the clock used as a source to
      the S3C real-time clock.
      
      Not all SoCs needs this so commit eaf3a659 ("drivers/rtc/rtc-s3c.c:
      fix initialization failure without rtc source clock") changed to check
      the struct s3c_rtc_data .needs_src_clk to conditionally grab the clock.
      
      But that commit didn't update the data for each IP version so the RTC
      broke on the boards that needs a source clock. This is the case of at
      least Exynos5250 and Exynos5440 which uses the s3c6410 RTC IP block.
      
      This commit fixes the S3C rtc on the Exynos5250 Snow and Exynos5420
      Peach Pit and Pi Chromebooks.
      Signed-off-by: default avatarJavier Martinez Canillas <javier.martinez@collabora.co.uk>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Cc: Chanwoo Choi <cw00.choi@samsung.com>
      Cc: Doug Anderson <dianders@chromium.org>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Kevin Hilman <khilman@linaro.org>
      Cc: Tyler Baker <tyler.baker@linaro.org>
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      79435180
    • Imre Deak's avatar
      drm/i915: gen4: work around hang during hibernation · 64e8548f
      Imre Deak authored
      commit ab3be73f upstream.
      
      Bjørn reported that his machine hang during hibernation and eventually
      bisected the problem to the following commit:
      
      commit da2bc1b9
      Author: Imre Deak <imre.deak@intel.com>
      Date:   Thu Oct 23 19:23:26 2014 +0300
      
          drm/i915: add poweroff_late handler
      
      The problem seems to be that after the kernel puts the device into D3
      the BIOS still tries to access it, or otherwise assumes that it's in D0.
      This is clearly bogus, since ACPI mandates that devices are put into D3
      by the OSPM if they are not wake-up sources. In the future we want to
      unify more of the driver's runtime and system suspend paths, for example
      by skipping all the system suspend/hibernation hooks if the device is
      runtime suspended already. Accordingly for all other platforms the goal
      is still to properly power down the device during hibernation.
      
      v2:
      - Another GEN4 Lenovo laptop had the same issue, while platforms from
        other vendors (including mobile and desktop, GEN4 and non-GEN4) seem
        to work fine. Based on this apply the workaround on all GEN4 Lenovo
        platforms.
      - add code comment about failing platforms (Ville)
      
      Reference: http://lists.freedesktop.org/archives/intel-gfx/2015-February/060633.htmlReported-and-bisected-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Acked-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e8548f
    • Imre Deak's avatar
      drm/i915: add dev_to_i915 helper · 61e975e4
      Imre Deak authored
      commit 888d0d42 upstream.
      
      This will be needed by later patches, so factor it out.
      
      No functional change.
      
      v2:
      - s/dev_to_i915_priv/dev_to_i915/ (Jani)
      - don't use the helper in i915_pm_suspend (Chris)
      - simplify the helper (Chris)
      v3:
      - remove redundant upcasting in the helper (Daniel)
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Reviewed-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61e975e4
    • Chris Wilson's avatar
      drm: Don't assign fbs for universal cursor support to files · 77f7ef95
      Chris Wilson authored
      commit 9a6f5130 upstream.
      
      The internal framebuffers we create to remap legacy cursor ioctls to
      plane operations for the universal plane support shouldn't be linke to
      the file like normal userspace framebuffers. This bug goes back to the
      original universal cursor plane support introduced in
      
      commit 161d0dc1
      Author: Matt Roper <matthew.d.roper@intel.com>
      Date:   Tue Jun 10 08:28:10 2014 -0700
      
          drm: Support legacy cursor ioctls via universal planes when possible (v4)
      
      The isn't too disastrous since fbs are small, we only create one when the
      cursor bo gets changed and ultimately they'll be reaped when the window
      server restarts.
      
      Conceptually we'd want to just pass NULL for file_priv when creating it,
      but the driver needs the file to lookup the underlying buffer object for
      cursor id. Instead let's move the file_priv linking out of
      add_framebuffer_internal() into the addfb ioctl implementation, which is
      the only place it is needed. And also rename the function for a more
      accurate since it only creates the fb, but doesn't add it anywhere.
      
      Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> (fix & commit msg)
      Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> (provider of lipstick)
      Reviewed-by: default avatarMatt Roper <matthew.d.roper@intel.com>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Cc: Matt Roper <matthew.d.roper@intel.com>
      Cc: Rob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77f7ef95
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Fix a couple of lock dependency violations · b197b203
      Thomas Hellstrom authored
      commit 5151adb3 upstream.
      
      Experimental lockdep annotation added to the TTM lock has unveiled a
      couple of lock dependency violations in the vmwgfx driver. In both
      cases it turns out that the device_private::reservation_sem is not
      needed so the offending code is moved out of that lock.
      Acked-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b197b203
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Reorder device takedown somewhat · cd32cd8c
      Thomas Hellstrom authored
      commit 3458390b upstream.
      
      To take down the MOB and GMR memory types, the driver may have to issue
      fence objects and thus make sure that the fence manager is taken down
      after those memory types.
      Reorder device init accordingly.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarSinclair Yeh <syeh@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd32cd8c
    • Jakub Kicinski's avatar
      Revert "i2c: core: Dispose OF IRQ mapping at client removal time" · 15f3667a
      Jakub Kicinski authored
      commit a4944572 upstream.
      
      This reverts commit e4df3a0b
      ("i2c: core: Dispose OF IRQ mapping at client removal time")
      
      Calling irq_dispose_mapping() will destroy the mapping and disassociate
      the IRQ from the IRQ chip to which it belongs. Keeping it is OK, because
      existent mappings are reused properly.
      
      Also, this commit breaks drivers using devm* for IRQ management on
      OF-based systems because devm* cleanup happens in device code, after
      bus's remove() method returns.
      Signed-off-by: default avatarJakub Kicinski <kubakici@wp.pl>
      Reported-by: default avatarSébastien Szymanski <sebastien.szymanski@armadeus.com>
      Acked-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Acked-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [wsa: updated the commit message with findings fromt the other bug report]
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Fixes: e4df3a0bSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15f3667a
    • Danesh Petigara's avatar
      mm: cma: fix CMA aligned offset calculation · 4b71a261
      Danesh Petigara authored
      commit 850fc430 upstream.
      
      The CMA aligned offset calculation is incorrect for non-zero order_per_bit
      values.
      
      For example, if cma->order_per_bit=1, cma->base_pfn= 0x2f800000 and
      align_order=12, the function returns a value of 0x17c00 instead of 0x400.
      
      This patch fixes the CMA aligned offset calculation.
      
      The previous calculation was wrong and would return too-large values for
      the offset, so that when cma_alloc looks for free pages in the bitmap with
      the requested alignment > order_per_bit, it starts too far into the bitmap
      and so CMA allocations will fail despite there actually being plenty of
      free pages remaining.  It will also probably have the wrong alignment.
      With this change, we will get the correct offset into the bitmap.
      
      One affected user is powerpc KVM, which has kvm_cma->order_per_bit set to
      KVM_CMA_CHUNK_ORDER - PAGE_SHIFT, or 18 - 12 = 6.
      
      [gregory.0xf0@gmail.com: changelog additions]
      Signed-off-by: default avatarDanesh Petigara <dpetigara@broadcom.com>
      Reviewed-by: default avatarGregory Fong <gregory.0xf0@gmail.com>
      Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b71a261
    • Ryusuke Konishi's avatar
      nilfs2: fix deadlock of segment constructor during recovery · 01d9f895
      Ryusuke Konishi authored
      commit 283ee148 upstream.
      
      According to a report from Yuxuan Shui, nilfs2 in kernel 3.19 got stuck
      during recovery at mount time.  The code path that caused the deadlock was
      as follows:
      
        nilfs_fill_super()
          load_nilfs()
            nilfs_salvage_orphan_logs()
              * Do roll-forwarding, attach segment constructor for recovery,
                and kick it.
      
              nilfs_segctor_thread()
                nilfs_segctor_thread_construct()
                 * A lock is held with nilfs_transaction_lock()
                   nilfs_segctor_do_construct()
                     nilfs_segctor_drop_written_files()
                       iput()
                         iput_final()
                           write_inode_now()
                             writeback_single_inode()
                               __writeback_single_inode()
                                 do_writepages()
                                   nilfs_writepage()
                                     nilfs_construct_dsync_segment()
                                       nilfs_transaction_lock() --> deadlock
      
      This can happen if commit 7ef3ff2f ("nilfs2: fix deadlock of segment
      constructor over I_SYNC flag") is applied and roll-forward recovery was
      performed at mount time.  The roll-forward recovery can happen if datasync
      write is done and the file system crashes immediately after that.  For
      instance, we can reproduce the issue with the following steps:
      
       < nilfs2 is mounted on /nilfs (device: /dev/sdb1) >
       # dd if=/dev/zero of=/nilfs/test bs=4k count=1 && sync
       # dd if=/dev/zero of=/nilfs/test conv=notrunc oflag=dsync bs=4k
       count=1 && reboot -nfh
       < the system will immediately reboot >
       # mount -t nilfs2 /dev/sdb1 /nilfs
      
      The deadlock occurs because iput() can run segment constructor through
      writeback_single_inode() if MS_ACTIVE flag is not set on sb->s_flags.  The
      above commit changed segment constructor so that it calls iput()
      asynchronously for inodes with i_nlink == 0, but that change was
      imperfect.
      
      This fixes the another deadlock by deferring iput() in segment constructor
      even for the case that mount is not finished, that is, for the case that
      MS_ACTIVE flag is not set.
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Reported-by: default avatarYuxuan Shui <yshuiv7@gmail.com>
      Tested-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01d9f895
    • Doug Anderson's avatar
      regulator: core: Fix enable GPIO reference counting · 612b7883
      Doug Anderson authored
      commit 29d62ec5 upstream.
      
      Normally _regulator_do_enable() isn't called on an already-enabled
      rdev.  That's because the main caller, _regulator_enable() always
      calls _regulator_is_enabled() and only calls _regulator_do_enable() if
      the rdev was not already enabled.
      
      However, there is one caller of _regulator_do_enable() that doesn't
      check: regulator_suspend_finish().  While we might want to make
      regulator_suspend_finish() behave more like _regulator_enable(), it's
      probably also a good idea to make _regulator_do_enable() robust if it
      is called on an already enabled rdev.
      
      At the moment, _regulator_do_enable() is _not_ robust for already
      enabled rdevs if we're using an ena_pin.  Each time
      _regulator_do_enable() is called for an rdev using an ena_pin the
      reference count of the ena_pin is incremented even if the rdev was
      already enabled.  This is not as intended because the ena_pin is for
      something else: for keeping track of how many active rdevs there are
      sharing the same ena_pin.
      
      Here's how the reference counting works here:
      
      * Each time _regulator_enable() is called we increment
        rdev->use_count, so _regulator_enable() calls need to be balanced
        with _regulator_disable() calls.
      
      * There is no explicit reference counting in _regulator_do_enable()
        which is normally just a warapper around rdev->desc->ops->enable()
        with code for supporting delays.  It's not expected that the
        "ops->enable()" call do reference counting.
      
      * Since regulator_ena_gpio_ctrl() does have reference counting
        (handling the sharing of the pin amongst multiple rdevs), we
        shouldn't call it if the current rdev is already enabled.
      
      Note that as part of this we cleanup (remove) the initting of
      ena_gpio_state in regulator_register().  In _regulator_do_enable(),
      _regulator_do_disable() and _regulator_is_enabled() is is clear that
      ena_gpio_state should be the state of whether this particular rdev has
      requested the GPIO be enabled.  regulator_register() was initting it
      as the actual state of the pin.
      
      Fixes: 967cfb18 ("regulator: core: manage enable GPIO list")
      Signed-off-by: default avatarDoug Anderson <dianders@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      612b7883
    • Javier Martinez Canillas's avatar
      regulator: Only enable disabled regulators on resume · dcbd5ea5
      Javier Martinez Canillas authored
      commit 0548bf4f upstream.
      
      The _regulator_do_enable() call ought to be a no-op when called on an
      already-enabled regulator.  However, as an optimization
      _regulator_enable() doesn't call _regulator_do_enable() on an already
      enabled regulator.  That means we never test the case of calling
      _regulator_do_enable() during normal usage and there may be hidden
      bugs or warnings.  We have seen warnings issued by the tps65090 driver
      and bugs when using the GPIO enable pin.
      
      Let's match the same optimization that _regulator_enable() in
      regulator_suspend_finish().  That may speed up suspend/resume and also
      avoids exposing hidden bugs.
      
      [Use much clearer commit message from Doug Anderson]
      Signed-off-by: default avatarJavier Martinez Canillas <javier.martinez@collabora.co.uk>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcbd5ea5
    • Doug Anderson's avatar
      regulator: rk808: Set the enable time for LDOs · c683a410
      Doug Anderson authored
      commit 28249b0c upstream.
      
      The LDOs are documented in the rk808 datasheet to have a soft start
      time of 400us.  Add that to the driver.  If this time takes longer on
      a certain board the device tree should be able to override with
      "regulator-enable-ramp-delay".
      
      This fixes some dw_mmc probing problems (together with other patches
      posted to the mmc maiing lists) on rk3288.
      Signed-off-by: default avatarDoug Anderson <dianders@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c683a410
    • Fugang Duan's avatar
      net: fec: fix rcv is not last issue when do suspend/resume test · 8b86cf38
      Fugang Duan authored
      commit 61615cd2 upstream.
      
      When do suspend/resume stress test, some log shows "rcv is not +last".
      The issue is that enet suspend will disable phy clock, phy link down,
      after resume back, enet MAC redo initial and ready to tx/rx packet,
      but phy still is not ready which is doing auto-negotiation. When phy
      link is not up, don't schdule napi soft irq.
      
      [Peter]
      It has fixed kernel panic after long time suspend/resume test
      with nfs rootfs.
      
      [ 8864.429458] fec 2188000.ethernet eth0: rcv is not +last
      [ 8864.434799] fec 2188000.ethernet eth0: rcv is not +last
      [ 8864.440088] fec 2188000.ethernet eth0: rcv is not +last
      [ 8864.445424] fec 2188000.ethernet eth0: rcv is not +last
      [ 8864.450782] fec 2188000.ethernet eth0: rcv is not +last
      [ 8864.456111] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [ 8864.464225] pgd = 80004000
      [ 8864.466997] [00000000] *pgd=00000000
      [ 8864.470627] Internal error: Oops: 17 [#1] SMP ARM
      [ 8864.475353] Modules linked in: evbug
      [ 8864.479006] CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 4.0.0-rc1-00044-g7a2a1d2 #234
      [ 8864.486854] Hardware name: Freescale i.MX6 SoloX (Device Tree)
      [ 8864.492709] task: be069380 ti: be07a000 task.ti: be07a000
      [ 8864.498137] PC is at memcpy+0x80/0x330
      [ 8864.501919] LR is at gro_pull_from_frag0+0x34/0xa8
      [ 8864.506735] pc : [<802bb080>]    lr : [<8057c204>]    psr: 00000113
      [ 8864.506735] sp : be07bbd4  ip : 00000010  fp : be07bc0c
      [ 8864.518235] r10: 0000000e  r9 : 00000000  r8 : 809c7754
      [ 8864.523479] r7 : 809c7754  r6 : bb43c040  r5 : bd280cc0  r4 : 00000012
      [ 8864.530025] r3 : 00000804  r2 : fffffff2  r1 : 00000000  r0 : bb43b83c
      [ 8864.536575] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      [ 8864.543904] Control: 10c5387d  Table: bd14c04a  DAC: 00000015
      [ 8864.549669] Process ksoftirqd/0 (pid: 3, stack limit = 0xbe07a210)
      [ 8864.555869] Stack: (0xbe07bbd4 to 0xbe07c000)
      [ 8864.560250] bbc0:                                              bd280cc0 bb43c040 809c7754
      [ 8864.568455] bbe0: 809c7754 bb43b83c 00000012 8057c204 00000000 bd280cc0 bd8a0718 00000003
      [ 8864.576658] bc00: be07bc5c be07bc10 8057ebf0 8057c1dc 00000000 00000000 8057ecc4 bef59760
      [ 8864.584863] bc20: 00000002 bd8a0000 be07bc64 809c7754 00000000 bd8a0718 bd280cc0 bd8a0000
      [ 8864.593066] bc40: 00000000 0000001c 00000000 bd8a0000 be07bc74 be07bc60 8057f148 8057eb90
      [ 8864.601268] bc60: bf0810a0 00000000 be07bcf4 be07bc78 8044e7b4 8057f12c 00000000 8007df6c
      [ 8864.609470] bc80: bd8a0718 00000040 00000000 bd280a80 00000002 00000019 bd8a0600 bd8a1214
      [ 8864.617672] bca0: bd8a0690 bf0810a0 00000000 00000000 bd8a1000 00000000 00000027 bd280cc0
      [ 8864.625874] bcc0: 80062708 800625cc 000943db bd8a0718 00000001 000d1166 00000040 be7c1ec0
      [ 8864.634077] bce0: 0000012c be07bd00 be07bd3c be07bcf8 8057fc98 8044e3ac 809c2ec0 3ddff000
      [ 8864.642280] bd00: be07bd00 be07bd00 be07bd08 be07bd08 00000000 00000020 809c608c 00000003
      [ 8864.650481] bd20: 809c6080 40000001 809c6088 00200100 be07bd84 be07bd40 8002e690 8057fac8
      [ 8864.658684] bd40: be07bd64 be07bd50 00000001 04208040 000d1165 0000000a be07bd84 809c0d7c
      [ 8864.666885] bd60: 00000000 809c6af8 00000000 00000001 be008000 00000000 be07bd9c be07bd88
      [ 8864.675087] bd80: 8002eb64 8002e564 00000125 809c0d7c be07bdc4 be07bda0 8006f100 8002eaac
      [ 8864.683291] bda0: c080e10c be07bde8 809c6c6c c080e100 00000002 00000000 be07bde4 be07bdc8
      [ 8864.691492] bdc0: 800087a0 8006f098 806f2934 20000013 ffffffff be07be1c be07be44 be07bde8
      [ 8864.699695] bde0: 800133a4 80008784 00000001 00000001 00000000 00000000 be7c1680 00000000
      [ 8864.707896] be00: be0cfe00 bd93eb40 00000002 00000000 00000000 be07be44 be07be00 be07be30
      [ 8864.716098] be20: 8006278c 806f2934 20000013 ffffffff be069380 be7c1680 be07be7c be07be48
      [ 8864.724300] be40: 80049cfc 806f2910 00000001 00000000 80049cb4 00000000 be07be7c be7c1680
      [ 8864.732502] be60: be3289c0 be069380 bd23b600 be0cfe00 be07bebc be07be80 806ed614 80049c68
      [ 8864.740706] be80: be07a000 0000020a 809c608c 00000003 00000001 8002e858 be07a000 be035740
      [ 8864.748907] bea0: 00000000 00000001 809d4598 00000000 be07bed4 be07bec0 806edd0c 806ed440
      [ 8864.757110] bec0: be07a000 be07a000 be07bee4 be07bed8 806edd68 806edcf0 be07bef4 be07bee8
      [ 8864.765311] bee0: 8002e860 806edd34 be07bf24 be07bef8 800494b0 8002e828 be069380 00000000
      [ 8864.773512] bf00: be035780 be035740 8004938c 00000000 00000000 00000000 be07bfac be07bf28
      [ 8864.781715] bf20: 80045928 80049398 be07bf44 00000001 00000000 be035740 00000000 00030003
      [ 8864.789917] bf40: dead4ead ffffffff ffffffff 80a2716c 80b59b00 00000000 8088c954 be07bf5c
      [ 8864.798120] bf60: be07bf5c 00000000 00000000 dead4ead ffffffff ffffffff 80a2716c 00000000
      [ 8864.806320] bf80: 00000000 8088c954 be07bf88 be07bf88 be035780 8004584c 00000000 00000000
      [ 8864.814523] bfa0: 00000000 be07bfb0 8000ed10 80045858 00000000 00000000 00000000 00000000
      [ 8864.822723] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [ 8864.830925] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 5ffbb5f7 f9fcf5e7
      [ 8864.839115] Backtrace:
      [ 8864.841631] [<8057c1d0>] (gro_pull_from_frag0) from [<8057ebf0>] (dev_gro_receive+0x6c/0x3f8)
      [ 8864.850173]  r6:00000003 r5:bd8a0718 r4:bd280cc0 r3:00000000
      [ 8864.855958] [<8057eb84>] (dev_gro_receive) from [<8057f148>] (napi_gro_receive+0x28/0xac)
      [ 8864.864152]  r10:bd8a0000 r9:00000000 r8:0000001c r7:00000000 r6:bd8a0000 r5:bd280cc0
      [ 8864.872115]  r4:bd8a0718
      [ 8864.874713] [<8057f120>] (napi_gro_receive) from [<8044e7b4>] (fec_enet_rx_napi+0x414/0xc74)
      [ 8864.883167]  r5:00000000 r4:bf0810a0
      [ 8864.886823] [<8044e3a0>] (fec_enet_rx_napi) from [<8057fc98>] (net_rx_action+0x1dc/0x2ec)
      [ 8864.895016]  r10:be07bd00 r9:0000012c r8:be7c1ec0 r7:00000040 r6:000d1166 r5:00000001
      [ 8864.902982]  r4:bd8a0718
      [ 8864.905570] [<8057fabc>] (net_rx_action) from [<8002e690>] (__do_softirq+0x138/0x2c4)
      [ 8864.913417]  r10:00200100 r9:809c6088 r8:40000001 r7:809c6080 r6:00000003 r5:809c608c
      [ 8864.921382]  r4:00000020
      [ 8864.923966] [<8002e558>] (__do_softirq) from [<8002eb64>] (irq_exit+0xc4/0x138)
      [ 8864.931289]  r10:00000000 r9:be008000 r8:00000001 r7:00000000 r6:809c6af8 r5:00000000
      [ 8864.939252]  r4:809c0d7c
      [ 8864.941841] [<8002eaa0>] (irq_exit) from [<8006f100>] (__handle_domain_irq+0x74/0xe8)
      [ 8864.949688]  r4:809c0d7c r3:00000125
      [ 8864.953342] [<8006f08c>] (__handle_domain_irq) from [<800087a0>] (gic_handle_irq+0x28/0x68)
      [ 8864.961707]  r9:00000000 r8:00000002 r7:c080e100 r6:809c6c6c r5:be07bde8 r4:c080e10c
      [ 8864.969597] [<80008778>] (gic_handle_irq) from [<800133a4>] (__irq_svc+0x44/0x5c)
      [ 8864.977097] Exception stack(0xbe07bde8 to 0xbe07be30)
      [ 8864.982173] bde0:                   00000001 00000001 00000000 00000000 be7c1680 00000000
      [ 8864.990377] be00: be0cfe00 bd93eb40 00000002 00000000 00000000 be07be44 be07be00 be07be30
      [ 8864.998573] be20: 8006278c 806f2934 20000013 ffffffff
      [ 8865.003638]  r7:be07be1c r6:ffffffff r5:20000013 r4:806f2934
      [ 8865.009447] [<806f2904>] (_raw_spin_unlock_irq) from [<80049cfc>] (finish_task_switch+0xa0/0x160)
      [ 8865.018334]  r4:be7c1680 r3:be069380
      [ 8865.021993] [<80049c5c>] (finish_task_switch) from [<806ed614>] (__schedule+0x1e0/0x5dc)
      [ 8865.030098]  r8:be0cfe00 r7:bd23b600 r6:be069380 r5:be3289c0 r4:be7c1680
      [ 8865.036942] [<806ed434>] (__schedule) from [<806edd0c>] (preempt_schedule_common+0x28/0x44)
      [ 8865.045307]  r9:00000000 r8:809d4598 r7:00000001 r6:00000000 r5:be035740 r4:be07a000
      [ 8865.053197] [<806edce4>] (preempt_schedule_common) from [<806edd68>] (_cond_resched+0x40/0x48)
      [ 8865.061822]  r4:be07a000 r3:be07a000
      [ 8865.065472] [<806edd28>] (_cond_resched) from [<8002e860>] (run_ksoftirqd+0x44/0x64)
      [ 8865.073252] [<8002e81c>] (run_ksoftirqd) from [<800494b0>] (smpboot_thread_fn+0x124/0x190)
      [ 8865.081550] [<8004938c>] (smpboot_thread_fn) from [<80045928>] (kthread+0xdc/0xf8)
      [ 8865.089133]  r10:00000000 r9:00000000 r8:00000000 r7:8004938c r6:be035740 r5:be035780
      [ 8865.097097]  r4:00000000 r3:be069380
      [ 8865.100752] [<8004584c>] (kthread) from [<8000ed10>] (ret_from_fork+0x14/0x24)
      [ 8865.107990]  r7:00000000 r6:00000000 r5:8004584c r4:be035780
      [ 8865.113767] Code: e320f000 e4913004 e4914004 e4915004 (e4916004)
      [ 8865.120006] ---[ end trace b0a4c6bd499288ca ]---
      [ 8865.124697] Kernel panic - not syncing: Fatal exception in interrupt
      [ 8865.131084] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      Tested-by: default avatarPeter Chen <peter.chen@freescale.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@freescale.com>
      Signed-off-by: default avatarFugang Duan <B38611@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b86cf38
    • Brian King's avatar
      bnx2x: Force fundamental reset for EEH recovery · 4f500c93
      Brian King authored
      commit da293700 upstream.
      
      EEH recovery for bnx2x based adapters is not reliable on all Power
      systems using the default hot reset, which can result in an
      unrecoverable EEH error. Forcing the use of fundamental reset
      during EEH recovery fixes this.
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f500c93
    • Maxime Ripard's avatar
      mtd: nand: pxa3xx: Fix PIO FIFO draining · e93d9bd1
      Maxime Ripard authored
      commit 8dad0386 upstream.
      
      The NDDB register holds the data that are needed by the read and write
      commands.
      
      However, during a read PIO access, the datasheet specifies that after each 32
      bytes read in that register, when BCH is enabled, we have to make sure that the
      RDDREQ bit is set in the NDSR register.
      
      This fixes an issue that was seen on the Armada 385, and presumably other mvebu
      SoCs, when a read on a newly erased page would end up in the driver reporting a
      timeout from the NAND.
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Acked-by: default avatarEzequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e93d9bd1