1. 26 Aug, 2017 40 commits
    • Amir Goldstein's avatar
      fanotify: don't expose EOPENSTALE to userspace · 3ea33dcc
      Amir Goldstein authored
      commit 4ff33aaf upstream.
      
      When delivering an event to userspace for a file on an NFS share,
      if the file is deleted on server side before user reads the event,
      user will not get the event.
      
      If the event queue contained several events, the stale event is
      quietly dropped and read() returns to user with events read so far
      in the buffer.
      
      If the event queue contains a single stale event or if the stale
      event is a permission event, read() returns to user with the kernel
      internal error code 518 (EOPENSTALE), which is not a POSIX error code.
      
      Check the internal return value -EOPENSTALE in fanotify_read(), just
      the same as it is checked in path_openat() and drop the event in the
      cases that it is not already dropped.
      
      This is a reproducer from Marko Rauhamaa:
      
      Just take the example program listed under "man fanotify" ("fantest")
      and follow these steps:
      
          ==============================================================
          NFS Server    NFS Client(1)     NFS Client(2)
          ==============================================================
          # echo foo >/nfsshare/bar.txt
                        # cat /nfsshare/bar.txt
                        foo
                                          # ./fantest /nfsshare
                                          Press enter key to terminate.
                                          Listening for events.
          # rm -f /nfsshare/bar.txt
                        # cat /nfsshare/bar.txt
                                          read: Unknown error 518
                        cat: /nfsshare/bar.txt: Operation not permitted
          ==============================================================
      
      where NFS Client (1) and (2) are two terminal sessions on a single NFS
      Client machine.
      Reported-by: default avatarMarko Rauhamaa <marko.rauhamaa@f-secure.com>
      Tested-by: default avatarMarko Rauhamaa <marko.rauhamaa@f-secure.com>
      Cc: <linux-api@vger.kernel.org>
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3ea33dcc
    • Stefan Assmann's avatar
      PCI: Disable boot interrupt quirk for ASUS M2N-LR · 6ec3f14b
      Stefan Assmann authored
      commit c4e649b0 upstream.
      
      The ASUS M2N-LR should not trigger boot interrupt quirks although it
      carries an Intel 6702PXH.  On this board the boot interrupt quirks cause
      incorrect IRQ assignments and should be disabled.
      
      Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43074Tested-by: default avatarSolomon Peachy <pizza@shaftnet.org>
      Signed-off-by: default avatarStefan Assmann <sassmann@kpanic.de>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6ec3f14b
    • Somasundaram Krishnasamy's avatar
      dm era: save spacemap metadata root after the pre-commit · b731d873
      Somasundaram Krishnasamy authored
      commit 117aceb0 upstream.
      
      When committing era metadata to disk, it doesn't always save the latest
      spacemap metadata root in superblock. Due to this, metadata is getting
      corrupted sometimes when reopening the device. The correct order of update
      should be, pre-commit (shadows spacemap root), save the spacemap root
      (newly shadowed block) to in-core superblock and then the final commit.
      Signed-off-by: default avatarSomasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b731d873
    • Vinothkumar Raja's avatar
      dm btree: fix for dm_btree_find_lowest_key() · 891d43b9
      Vinothkumar Raja authored
      commit 7d1fedb6 upstream.
      
      dm_btree_find_lowest_key() is giving incorrect results.  find_key()
      traverses the btree correctly for finding the highest key, but there is
      an error in the way it traverses the btree for retrieving the lowest
      key.  dm_btree_find_lowest_key() fetches the first key of the rightmost
      block of the btree instead of fetching the first key from the leftmost
      block.
      
      Fix this by conditionally passing the correct parameter to value64()
      based on the @find_highest flag.
      Signed-off-by: default avatarErez Zadok <ezk@fsl.cs.sunysb.edu>
      Signed-off-by: default avatarVinothkumar Raja <vinraja@cs.stonybrook.edu>
      Signed-off-by: default avatarNidhi Panpalia <npanpalia@cs.stonybrook.edu>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      891d43b9
    • Liping Zhang's avatar
      netfilter: ctnetlink: make it safer when updating ct->status · 00834185
      Liping Zhang authored
      commit 53b56da8 upstream.
      
      After converting to use rcu for conntrack hash, one CPU may update
      the ct->status via ctnetlink, while another CPU may process the
      packets and update the ct->status.
      
      So the non-atomic operation "ct->status |= status;" via ctnetlink
      becomes unsafe, and this may clear the IPS_DYING_BIT bit set by
      another CPU unexpectedly. For example:
               CPU0                            CPU1
        ctnetlink_change_status        __nf_conntrack_find_get
            old = ct->status              nf_ct_gc_expired
                -                         nf_ct_kill
                -                      test_and_set_bit(IPS_DYING_BIT
            new = old | status;                 -
        ct->status = new; <-- oops, _DYING_ is cleared!
      
      Now using a series of atomic bit operation to solve the above issue.
      
      Also note, user shouldn't set IPS_TEMPLATE, IPS_SEQ_ADJUST directly,
      so make these two bits be unchangable too.
      
      If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free,
      but actually it is alloced by nf_conntrack_alloc.
      If we set the IPS_SEQ_ADJUST_BIT, this may cause the NULL pointer
      deference, as the nfct_seqadj(ct) maybe NULL.
      
      Last, add some comments to describe the logic change due to the
      commit a963d710 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
      processing"), which makes me feel a little confusing.
      
      Fixes: 76507f69 ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash")
      Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      [bwh: Backported to 3.16: IPS_UNCHANGEABLE_MASK was not previously defined and
       ctnetlink_update_status() is not needed]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      00834185
    • Liping Zhang's avatar
      netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice · e40bd023
      Liping Zhang authored
      commit 88be4c09 upstream.
      
      Currently, ctnetlink_change_conntrack is always protected by _expect_lock,
      but this will cause a deadlock when deleting the helper from a conntrack,
      as the _expect_lock will be acquired again by nf_ct_remove_expectations:
      
               CPU0
              ----
        lock(nf_conntrack_expect_lock);
        lock(nf_conntrack_expect_lock);
      
        *** DEADLOCK ***
        May be due to missing lock nesting notation
      
        2 locks held by lt-conntrack_gr/12853:
        #0:  (&table[i].mutex){+.+.+.}, at: [<ffffffffa05e2009>]
             nfnetlink_rcv_msg+0x399/0x6a9 [nfnetlink]
        #1:  (nf_conntrack_expect_lock){+.....}, at: [<ffffffffa05f2c1f>]
             ctnetlink_new_conntrack+0x17f/0x408 [nf_conntrack_netlink]
      
        Call Trace:
         dump_stack+0x85/0xc2
         __lock_acquire+0x1608/0x1680
         ? ctnetlink_parse_tuple_proto+0x10f/0x1c0 [nf_conntrack_netlink]
         lock_acquire+0x100/0x1f0
         ? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
         _raw_spin_lock_bh+0x3f/0x50
         ? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
         nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
         ctnetlink_change_helper+0xc6/0x190 [nf_conntrack_netlink]
         ctnetlink_new_conntrack+0x1b2/0x408 [nf_conntrack_netlink]
         nfnetlink_rcv_msg+0x60a/0x6a9 [nfnetlink]
         ? nfnetlink_rcv_msg+0x1b9/0x6a9 [nfnetlink]
         ? nfnetlink_bind+0x1a0/0x1a0 [nfnetlink]
         netlink_rcv_skb+0xa4/0xc0
         nfnetlink_rcv+0x87/0x770 [nfnetlink]
      
      Since the operations are unrelated to nf_ct_expect, so we can drop the
      _expect_lock. Also note, after removing the _expect_lock protection,
      another CPU may invoke nf_conntrack_helper_unregister, so we should
      use rcu_read_lock to protect __nf_conntrack_helper_find invoked by
      ctnetlink_change_helper.
      
      Fixes: ca7433df ("netfilter: conntrack: seperate expect locking from nf_conntrack_lock")
      Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      [bwh: Backported to 3.16:
       - ctnetlink_change_helper() still auto-loads modules, so update the unlocking
         and re-locking there
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e40bd023
    • Tyrel Datwyler's avatar
      powerpc/sysfs: Fix reference leak of cpu device_nodes present at boot · f0be7fe7
      Tyrel Datwyler authored
      commit e76ca277 upstream.
      
      For CPUs present at boot each logical CPU acquires a reference to the
      associated device node of the core. This happens in register_cpu() which
      is called by topology_init(). The result of this is that we end up with
      a reference held by each thread of the core. However, these references
      are never freed if the CPU core is DLPAR removed.
      
      This patch fixes the reference leaks by acquiring and releasing the references
      in the CPU hotplug callbacks un/register_cpu_online(). With this patch symmetric
      reference counting is observed with both CPUs present at boot, and those DLPAR
      added after boot.
      
      Fixes: f86e4718 ("driver/core: cpu: initialize of_node in cpu's device struture")
      Signed-off-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f0be7fe7
    • Tyrel Datwyler's avatar
      powerpc/pseries: Fix of_node_put() underflow during DLPAR remove · e733d462
      Tyrel Datwyler authored
      commit 68baf692 upstream.
      
      Historically struct device_node references were tracked using a kref embedded as
      a struct field. Commit 75b57ecf ("of: Make device nodes kobjects so they
      show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that
      the device tree could by more simply exposed to userspace using sysfs.
      
      Commit 0829f6d1 ("of: device_node kobject lifecycle fixes") (Mar 2014)
      followed up these changes to better control the kobject lifecycle and in
      particular the referecne counting via of_node_get(), of_node_put(), and
      of_node_init().
      
      A result of this second commit was that it introduced an of_node_put() call when
      a dynamic node is detached, in of_node_remove(), that removes the initial kobj
      reference created by of_node_init().
      
      Traditionally as the original dynamic device node user the pseries code had
      assumed responsibilty for releasing this final reference in its platform
      specific DLPAR detach code.
      
      This patch fixes a refcount underflow introduced by commit 0829f6d1, and
      recently exposed by the upstreaming of the recount API.
      
      Messages like the following are no longer seen in the kernel log with this
      patch following DLPAR remove operations of cpus and pci devices.
      
        rpadlpar_io: slot PHB 72 removed
        refcount_t: underflow; use-after-free.
        ------------[ cut here ]------------
        WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110
      
      Fixes: 0829f6d1 ("of: device_node kobject lifecycle fixes")
      Signed-off-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      [mpe: Make change log commit references more verbose]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e733d462
    • Jack Morgenstein's avatar
      IB/mlx4: Fix ib device initialization error flow · 1f3d0ed6
      Jack Morgenstein authored
      commit 99e68909 upstream.
      
      In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.
      
      However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
      called to free the allocated EQs.
      
      Fixes: e605b743 ("IB/mlx4: Increase the number of vectors (EQs) available for ULPs")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1f3d0ed6
    • Dan Carpenter's avatar
      HSI: ssi_protocol: double free in ssip_pn_xmit() · 28bc3299
      Dan Carpenter authored
      commit 30260501 upstream.
      
      If skb_pad() fails then it frees skb and we don't need to free it again
      at the end of the function.
      
      Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      28bc3299
    • Feras Daoud's avatar
      IB/ipoib: Update broadcast object if PKey value was changed in index 0 · 971609e1
      Feras Daoud authored
      commit 9a9b8112 upstream.
      
      Update the broadcast address in the priv->broadcast object when the
      Pkey value changes in index 0, otherwise the multicast GID value will
      keep the previous value of the PKey, and will not be updated.
      This leads to interface state down because the interface will keep the
      old PKey value.
      
      For example, in SR-IOV environment, if the PF changes the value of PKey
      index 0 for one of the VFs, then the VF receives PKey change event that
      triggers heavy flush. This flush calls update_parent_pkey that update the
      broadcast object and its relevant members. If in this case the multicast
      GID will not be updated, the interface state will be down.
      
      Fixes: c2904141 ("IPoIB: Fix pkey change flow for virtualization environments")
      Signed-off-by: default avatarFeras Daoud <ferasda@mellanox.com>
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      971609e1
    • Benjamin Coddington's avatar
      NFS: Use GFP_NOIO for two allocations in writeback · a078aea0
      Benjamin Coddington authored
      commit ae97aa52 upstream.
      
      Prevent a deadlock that can occur if we wait on allocations
      that try to write back our pages.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Fixes: 00bfa30a ("NFS: Create a common pgio_alloc and pgio_release...")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      [bwh: Backported to 3.16:
       - Drop changes in nfs_pageio_init()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a078aea0
    • Ashish Kalra's avatar
      x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup · 3ec4f40c
      Ashish Kalra authored
      commit d594aa02 upstream.
      
      The minimum size for a new stack (512 bytes) setup for arch/x86/boot components
      when the bootloader does not setup/provide a stack for the early boot components
      is not "enough".
      
      The setup code executing as part of early kernel startup code, uses the stack
      beyond 512 bytes and accidentally overwrites and corrupts part of the BSS
      section. This is exposed mostly in the early video setup code, where
      it was corrupting BSS variables like force_x, force_y, which in-turn affected
      kernel parameters such as screen_info (screen_info.orig_video_cols) and
      later caused an exception/panic in console_init().
      
      Most recent boot loaders setup the stack for early boot components, so this
      stack overwriting into BSS section issue has not been exposed.
      Signed-off-by: default avatarAshish Kalra <ashish@bluestacks.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170419152015.10011-1-ashishkalra@Ashishs-MacBook-Pro.localSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3ec4f40c
    • Brian Norris's avatar
      mwifiex: pcie: fix cmd_buf use-after-free in remove/reset · 3e42a214
      Brian Norris authored
      commit 3c8cb9ad upstream.
      
      Command buffers (skb's) are allocated by the main driver, and freed upon
      the last use. That last use is often in mwifiex_free_cmd_buffer(). In
      the meantime, if the command buffer gets used by the PCI driver, we map
      it as DMA-able, and store the mapping information in the 'cb' memory.
      
      However, if a command was in-flight when resetting the device (and
      therefore was still mapped), we don't get a chance to unmap this memory
      until after the core has cleaned up its command handling.
      
      Let's keep a refcount within the PCI driver, so we ensure the memory
      only gets freed after we've finished unmapping it.
      
      Noticed by KASAN when forcing a reset via:
      
        echo 1 > /sys/bus/pci/.../reset
      
      The same code path can presumably be exercised in remove() and
      shutdown().
      
      [  205.390377] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex...
      [  205.400393] ==================================================================
      [  205.407719] BUG: KASAN: use-after-free in mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr ffffffc0ad471b28
      [  205.419040] Read of size 16 by task bash/1913
      [  205.423421] =============================================================================
      [  205.431625] BUG skbuff_head_cache (Tainted: G    B          ): kasan: bad access detected
      [  205.439815] -----------------------------------------------------------------------------
      [  205.439815]
      [  205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913
      [  205.456709] 	alloc_debug_processing+0x124/0x178
      [  205.461282] 	___slab_alloc.constprop.58+0x528/0x608
      [  205.466196] 	__slab_alloc.isra.54.constprop.57+0x44/0x54
      [  205.471542] 	kmem_cache_alloc+0xcc/0x278
      [  205.475497] 	__build_skb+0x48/0x114
      [  205.479019] 	__netdev_alloc_skb+0xe0/0x170
      [  205.483244] 	mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex]
      [  205.488759] 	mwifiex_init_fw+0x40/0x6cc [mwifiex]
      [  205.493584] 	_mwifiex_fw_dpc+0x158/0x520 [mwifiex]
      [  205.498491] 	mwifiex_reinit_sw+0x2c4/0x398 [mwifiex]
      [  205.503510] 	mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie]
      [  205.509643] 	pci_reset_notify+0x5c/0x6c
      [  205.513519] 	pci_reset_function+0x6c/0x7c
      [  205.517567] 	reset_store+0x68/0x98
      [  205.521003] 	dev_attr_store+0x54/0x60
      [  205.524705] 	sysfs_kf_write+0x9c/0xb0
      [  205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913
      [  205.535064] 	free_debug_processing+0x264/0x370
      [  205.539550] 	__slab_free+0x84/0x40c
      [  205.543075] 	kmem_cache_free+0x1c8/0x2a0
      [  205.547030] 	__kfree_skb+0xb0/0xbc
      [  205.550465] 	consume_skb+0x164/0x178
      [  205.554079] 	__dev_kfree_skb_any+0x58/0x64
      [  205.558304] 	mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex]
      [  205.563817] 	mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex]
      [  205.569164] 	mwifiex_shutdown_sw+0x178/0x310 [mwifiex]
      [  205.574353] 	mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
      [  205.580398] 	pci_reset_notify+0x5c/0x6c
      [  205.584274] 	pci_dev_save_and_disable+0x24/0x6c
      [  205.588837] 	pci_reset_function+0x30/0x7c
      [  205.592885] 	reset_store+0x68/0x98
      [  205.596324] 	dev_attr_store+0x54/0x60
      [  205.600017] 	sysfs_kf_write+0x9c/0xb0
      ...
      [  205.800488] Call trace:
      [  205.802980] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
      [  205.808415] [<ffffffc00020a96c>] show_stack+0x20/0x28
      [  205.813506] [<ffffffc0005d020c>] dump_stack+0xa4/0xcc
      [  205.818598] [<ffffffc0003be44c>] print_trailer+0x158/0x168
      [  205.824120] [<ffffffc0003be5f0>] object_err+0x4c/0x5c
      [  205.829210] [<ffffffc0003c45bc>] kasan_report+0x334/0x500
      [  205.834641] [<ffffffc0003c3994>] check_memory_region+0x20/0x14c
      [  205.840593] [<ffffffc0003c3b14>] __asan_loadN+0x14/0x1c
      [  205.845879] [<ffffffbffc46171c>] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie]
      [  205.854282] [<ffffffbffc461864>] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8 [mwifiex_pcie]
      [  205.862421] [<ffffffbffc462028>] mwifiex_pcie_free_buffers+0x11c/0x158 [mwifiex_pcie]
      [  205.870302] [<ffffffbffc4620d4>] mwifiex_pcie_down_dev+0x70/0x80 [mwifiex_pcie]
      [  205.877736] [<ffffffbffc1397a8>] mwifiex_shutdown_sw+0x190/0x310 [mwifiex]
      [  205.884658] [<ffffffbffc4606b4>] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
      [  205.892446] [<ffffffc000635f54>] pci_reset_notify+0x5c/0x6c
      [  205.898048] [<ffffffc00063a044>] pci_dev_save_and_disable+0x24/0x6c
      [  205.904350] [<ffffffc00063cf0c>] pci_reset_function+0x30/0x7c
      [  205.910134] [<ffffffc000641118>] reset_store+0x68/0x98
      [  205.915312] [<ffffffc000771588>] dev_attr_store+0x54/0x60
      [  205.920750] [<ffffffc00046f53c>] sysfs_kf_write+0x9c/0xb0
      [  205.926182] [<ffffffc00046dfb0>] kernfs_fop_write+0x184/0x1f8
      [  205.931963] [<ffffffc0003d64f4>] __vfs_write+0x6c/0x17c
      [  205.937221] [<ffffffc0003d7164>] vfs_write+0xf0/0x1c4
      [  205.942310] [<ffffffc0003d7da0>] SyS_write+0x78/0xd8
      [  205.947312] [<ffffffc000204634>] el0_svc_naked+0x24/0x28
      ...
      [  205.998268] ==================================================================
      
      This bug has been around in different forms for a while. It was sort of
      noticed in commit 955ab095 ("mwifiex: Do not kfree cmd buf while
      unregistering PCIe"), but it just fixed the double-free, without
      acknowledging the potential for use-after-free.
      
      Fixes: fc331460 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3e42a214
    • Peter Chen's avatar
      usb: host: xhci: print correct command ring address · 518bb4f2
      Peter Chen authored
      commit 6fc091fb upstream.
      
      Print correct command ring address using 'val_64'.
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      518bb4f2
    • Andrew Jones's avatar
      KVM: arm/arm64: fix races in kvm_psci_vcpu_on · 7c2173a8
      Andrew Jones authored
      commit 6c7a5dce upstream.
      
      Fix potential races in kvm_psci_vcpu_on() by taking the kvm->lock
      mutex.  In general, it's a bad idea to allow more than one PSCI_CPU_ON
      to process the same target VCPU at the same time.  One such problem
      that may arise is that one PSCI_CPU_ON could be resetting the target
      vcpu, which fills the entire sys_regs array with a temporary value
      including the MPIDR register, while another looks up the VCPU based
      on the MPIDR value, resulting in no target VCPU found.  Resolves both
      races found with the kvm-unit-tests/arm/psci unit test.
      Reviewed-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Reported-by: default avatarLevente Kurusa <lkurusa@redhat.com>
      Suggested-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarAndrew Jones <drjones@redhat.com>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7c2173a8
    • Dan Carpenter's avatar
      ath9k: off by one in ath9k_hw_nvram_read_array() · 2c30708e
      Dan Carpenter authored
      commit b7dcf68f upstream.
      
      The > should be >= or we read one space beyond the end of the array.
      
      Fixes: ab5c4f71 ("ath9k: allow to load EEPROM content via firmware API")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2c30708e
    • Frank Schaefer's avatar
      ov2640: fix vflip control · 3881e59f
      Frank Schaefer authored
      commit 7f140fc2 upstream.
      
      Enabling vflip currently causes wrong colors.
      It seems that (at least with the current sensor setup) REG04_VFLIP_IMG only
      changes the vertical readout direction.
      Because pixels are arranged RGRG... in odd lines and GBGB... in even lines,
      either a one line shift or even/odd line swap is required, too, but
      apparently this doesn't happen.
      
      I finally figured out that this can be done manually by setting
      REG04_VREF_EN.
      Looking at hflip, it turns out that bit REG04_HREF_EN is set there
      permanetly, but according to my tests has no effect on the pixel readout
      order.
      So my conclusion is that the current documentation of sensor register 0x04
      is wrong (has changed after preliminary datasheet version 2.2).
      
      I'm pretty sure that automatic vertical line shift/switch can be enabled,
      too, but until anyone finds ot how this works, we have to stick with manual
      switching.
      Signed-off-by: default avatarFrank Schäfer <fschaefer.oss@googlemail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3881e59f
    • Alyssa Milburn's avatar
      dw2102: limit messages to buffer size · 044c45f3
      Alyssa Milburn authored
      commit 950e252c upstream.
      
      Otherwise the i2c transfer functions can read or write beyond the end of
      stack or heap buffers.
      Signed-off-by: default avatarAlyssa Milburn <amilburn@zall.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16:
       - Use obuf instead of state->data
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      044c45f3
    • Alyssa Milburn's avatar
      ttusb2: limit messages to buffer size · 28616936
      Alyssa Milburn authored
      commit a12b8ab8 upstream.
      
      Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
      heap buffers.
      Signed-off-by: default avatarAlyssa Milburn <amilburn@zall.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      28616936
    • Marek Vasut's avatar
      USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit · 679828bf
      Marek Vasut authored
      commit 31c5d192 upstream.
      
      This development kit has an FT4232 on it with a custom USB VID/PID.
      The FT4232 provides four UARTs, but only two are used. The UART 0
      is used by the FlashPro5 programmer and UART 2 is connected to the
      SmartFusion2 CortexM3 SoC UART port.
      
      Note that the USB VID is registered to Actel according to Linux USB
      VID database, but that was acquired by Microsemi.
      Signed-off-by: default avatarMarek Vasut <marex@denx.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      679828bf
    • Lukas Wunner's avatar
      PCI: Freeze PME scan before suspending devices · c8bb3bba
      Lukas Wunner authored
      commit ea00353f upstream.
      
      Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
      crashes during suspend tests.  Geert Uytterhoeven managed to reproduce the
      issue on an M2-W Koelsch board (r8a7791):
      
        It occurs when the PME scan runs, once per second.  During PME scan, the
        PCI host bridge (rcar-pci) registers are accessed while its module clock
        has already been disabled, leading to the crash.
      
      One reproducer is to configure s2ram to use "s2idle" instead of "deep"
      suspend:
      
        # echo 0 > /sys/module/printk/parameters/console_suspend
        # echo s2idle > /sys/power/mem_sleep
        # echo mem > /sys/power/state
      
      Another reproducer is to write either "platform" or "processors" to
      /sys/power/pm_test.  It does not (or is less likely) to happen during full
      system suspend ("core" or "none") because system suspend also disables
      timers, and thus the workqueue handling PME scans no longer runs.  Geert
      believes the issue may still happen in the small window between disabling
      module clocks and disabling timers:
      
        # echo 0 > /sys/module/printk/parameters/console_suspend
        # echo platform > /sys/power/pm_test    # Or "processors"
        # echo mem > /sys/power/state
      
      (Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)
      
      Rafael Wysocki agrees that PME scans should be suspended before the host
      bridge registers become inaccessible.  To that end, queue the task on a
      workqueue that gets frozen before devices suspend.
      
      Rafael notes however that as a result, some wakeup events may be missed if
      they are delivered via PME from a device without working IRQ (which hence
      must be polled) and occur after the workqueue has been frozen.  If that
      turns out to be an issue in practice, it may be possible to solve it by
      calling pci_pme_list_scan() once directly from one of the host bridge's
      pm_ops callbacks.
      
      Stacktrace for posterity:
      
        PM: Syncing filesystems ... [   38.566237] done.
        PM: Preparing system for sleep (mem)
        Freezing user space processes ... [   38.579813] (elapsed 0.001 seconds) done.
        Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
        PM: Suspending system (mem)
        PM: suspend of devices complete after 152.456 msecs
        PM: late suspend of devices complete after 2.809 msecs
        PM: noirq suspend of devices complete after 29.863 msecs
        suspend debug: Waiting for 5 second(s).
        Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
        pgd = c0003000
        [00000000] *pgd=80000040004003, *pmd=00000000
        Internal error: : 1211 [#1] SMP ARM
        Modules linked in:
        CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
        4.9.0-rc1-koelsch-00011-g68db9bc8 #3383
        Hardware name: Generic R8A7791 (Flattened Device Tree)
        Workqueue: events pci_pme_list_scan
        task: eb56e140 task.stack: eb58e000
        PC is at pci_generic_config_read+0x64/0x6c
        LR is at rcar_pci_cfg_base+0x64/0x84
        pc : [<c041d7b4>]    lr : [<c04309a0>]    psr: 600d0093
        sp : eb58fe98  ip : c041d750  fp : 00000008
        r10: c0e2283c  r9 : 00000000  r8 : 600d0013
        r7 : 00000008  r6 : eb58fed6  r5 : 00000002  r4 : eb58feb4
        r3 : 00000000  r2 : 00000044  r1 : 00000008  r0 : 00000000
        Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
        Control: 30c5387d  Table: 6a9f6c80  DAC: 55555555
        Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
        Stack: (0xeb58fe98 to 0xeb590000)
        fe80:                                                       00000002 00000044
        fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000
        fec0: 00000044 00000000 eb9aff00 c0424bf0 eb78a000 00000000 eb78a000 c0e22830
        fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
        ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
        ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000
        ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380
        ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000
        ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0
        ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000
        ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd
        [<c041d7b4>] (pci_generic_config_read) from [<c041d9b0>]
        (pci_bus_read_config_word+0x58/0x80)
        [<c041d9b0>] (pci_bus_read_config_word) from [<c0424bf0>]
        (pci_check_pme_status+0x34/0x78)
        [<c0424bf0>] (pci_check_pme_status) from [<c0424c5c>] (pci_pme_wakeup+0x28/0x54)
        [<c0424c5c>] (pci_pme_wakeup) from [<c0424ce0>] (pci_pme_list_scan+0x58/0xb4)
        [<c0424ce0>] (pci_pme_list_scan) from [<c0235fbc>]
        (process_one_work+0x1bc/0x308)
        [<c0235fbc>] (process_one_work) from [<c02366c4>] (worker_thread+0x2a8/0x3e0)
        [<c02366c4>] (worker_thread) from [<c023a928>] (kthread+0xe4/0xfc)
        [<c023a928>] (kthread) from [<c0206d68>] (ret_from_fork+0x14/0x2c)
        Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000)
        ---[ end trace 667d43ba3aa9e589 ]---
      
      Fixes: df17e62e ("PCI: Add support for polling PME state on suspended legacy PCI devices")
      Reported-and-tested-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Reported-and-tested-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Acked-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
      Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
      Cc: Simon Horman <horms+renesas@verge.net.au>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Matthew Garrett <mjg59@srcf.ucam.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c8bb3bba
    • David Woodhouse's avatar
      PCI: Only allow WC mmap on prefetchable resources · 0a70edd3
      David Woodhouse authored
      commit cef4d023 upstream.
      
      The /proc/bus/pci mmap interface allows the user to specify whether they
      want WC or not.  Don't let them do so on non-prefetchable BARs.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0a70edd3
    • David Woodhouse's avatar
      PCI: Fix another sanity check bug in /proc/pci mmap · 5e034ace
      David Woodhouse authored
      commit 17caf567 upstream.
      
      Don't match MMIO maps with I/O BARs and vice versa.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5e034ace
    • Bjorn Helgaas's avatar
      PCI: Ignore write combining when mapping I/O port space · 98d0dd43
      Bjorn Helgaas authored
      commit 3a92c319 upstream.
      
      PCI exposes files like /proc/bus/pci/00/00.0 in procfs.  These files
      support operations like this:
      
        ioctl(fd, PCIIOC_MMAP_IS_IO);           # request I/O port space
        ioctl(fd, PCIIOC_WRITE_COMBINE, 1);     # request write-combining
        mmap(fd, ...)
      
      Write combining is useful on PCI memory space, but I don't think it makes
      sense on PCI I/O port space.
      
      We *could* change proc_bus_pci_ioctl() to make it impossible to set
      mmap_state == pci_mmap_io and write_combine at the same time, but that
      would break the following sequence, which is currently legal:
      
        mmap(fd, ...)                           # default is I/O, non-combining
        ioctl(fd, PCIIOC_WRITE_COMBINE, 1);     # request write-combining
        ioctl(fd, PCIIOC_MMAP_IS_MEM);          # request memory space
        mmap(fd, ...)                           # get write-combining mapping
      
      Ignore the write-combining flag when mapping I/O port space.
      
      This patch should have no functional effect, based on this analysis of all
      implementations of pci_mmap_page_range():
      
        - ia64 mips parisc sh unicore32 x86 do not support mapping of I/O port
          space at all.
      
        - arm cris microblaze mn10300 sparc xtensa support mapping of I/O port
          space, but ignore the write_combine argument to pci_mmap_page_range().
      
        - powerpc supports mapping of I/O port space and uses write_combine, and
          it disables write combining for I/O port space in
          __pci_mmap_set_pgprot().
      
      This patch makes it possible to remove __pci_mmap_set_pgprot() from
      powerpc, which simplifies that path.
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      98d0dd43
    • Richard Cochran's avatar
      regulator: tps65023: Fix inverted core enable logic. · 747b82e1
      Richard Cochran authored
      commit c90722b5 upstream.
      
      Commit 43530b69 ("regulator: Use
      regmap_read/write(), regmap_update_bits functions directly") intended
      to replace working inline helper functions with standard regmap
      calls.  However, it also inverted the set/clear logic of the "CORE ADJ
      Allowed" bit.  That patch was clearly never tested, since without that
      bit cleared, the core VDCDC1 voltage output does not react to I2C
      configuration changes.
      
      This patch fixes the issue by clearing the bit as in the original,
      correct implementation.  Note for stable back porting that, due to
      subsequent driver churn, this patch will not apply on every kernel
      version.
      
      Fixes: 43530b69 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
      Signed-off-by: default avatarRichard Cochran <rcochran@linutronix.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      747b82e1
    • Alyssa Milburn's avatar
      zr364xx: enforce minimum size when reading header · 100a3f44
      Alyssa Milburn authored
      commit ee0fe833 upstream.
      
      This code copies actual_length-128 bytes from the header, which will
      underflow if the received buffer is too small.
      Signed-off-by: default avatarAlyssa Milburn <amilburn@zall.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      100a3f44
    • Alyssa Milburn's avatar
      digitv: limit messages to buffer size · f369ecd8
      Alyssa Milburn authored
      commit 821117dc upstream.
      
      Return an error rather than memcpy()ing beyond the end of the buffer.
      Internal callers use appropriate sizes, but digitv_i2c_xfer may not.
      Signed-off-by: default avatarAlyssa Milburn <amilburn@zall.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f369ecd8
    • David Ahern's avatar
      net: ipv6: send unsolicited NA on admin up · 33705f52
      David Ahern authored
      commit 4a6e3c5d upstream.
      
      ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
      set to 1, gratuitous arp requests are sent when the device is brought up.
      The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
      Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
      event; add it.
      
      Fixes: 5cb04436 ("ipv6: add knob to send unsolicited ND on link-layer address change")
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      33705f52
    • Steven Rostedt (VMware)'s avatar
      ftrace: Fix removing of second function probe · 78ff1aa9
      Steven Rostedt (VMware) authored
      commit 82cc4fc2 upstream.
      
      When two function probes are added to set_ftrace_filter, and then one of
      them is removed, the update to the function locations is not performed, and
      the record keeping of the function states are corrupted, and causes an
      ftrace_bug() to occur.
      
      This is easily reproducable by adding two probes, removing one, and then
      adding it back again.
      
       # cd /sys/kernel/debug/tracing
       # echo schedule:traceoff > set_ftrace_filter
       # echo do_IRQ:traceoff > set_ftrace_filter
       # echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter
       # echo do_IRQ:traceoff > set_ftrace_filter
      
      Causes:
       ------------[ cut here ]------------
       WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369 ftrace_get_addr_curr+0x143/0x220
       Modules linked in: [...]
       CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405
       Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
       Call Trace:
        dump_stack+0x68/0x9f
        __warn+0x111/0x130
        ? trace_irq_work_interrupt+0xa0/0xa0
        warn_slowpath_null+0x1d/0x20
        ftrace_get_addr_curr+0x143/0x220
        ? __fentry__+0x10/0x10
        ftrace_replace_code+0xe3/0x4f0
        ? ftrace_int3_handler+0x90/0x90
        ? printk+0x99/0xb5
        ? 0xffffffff81000000
        ftrace_modify_all_code+0x97/0x110
        arch_ftrace_update_code+0x10/0x20
        ftrace_run_update_code+0x1c/0x60
        ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0
        register_ftrace_function_probe+0x4b6/0x590
        ? ftrace_startup+0x310/0x310
        ? debug_lockdep_rcu_enabled.part.4+0x1a/0x30
        ? update_stack_state+0x88/0x110
        ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
        ? preempt_count_sub+0x18/0xd0
        ? mutex_lock_nested+0x104/0x800
        ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
        ? __unwind_start+0x1c0/0x1c0
        ? _mutex_lock_nest_lock+0x800/0x800
        ftrace_trace_probe_callback.isra.3+0xc0/0x130
        ? func_set_flag+0xe0/0xe0
        ? __lock_acquire+0x642/0x1790
        ? __might_fault+0x1e/0x20
        ? trace_get_user+0x398/0x470
        ? strcmp+0x35/0x60
        ftrace_trace_onoff_callback+0x48/0x70
        ftrace_regex_write.isra.43.part.44+0x251/0x320
        ? match_records+0x420/0x420
        ftrace_filter_write+0x2b/0x30
        __vfs_write+0xd7/0x330
        ? do_loop_readv_writev+0x120/0x120
        ? locks_remove_posix+0x90/0x2f0
        ? do_lock_file_wait+0x160/0x160
        ? __lock_is_held+0x93/0x100
        ? rcu_read_lock_sched_held+0x5c/0xb0
        ? preempt_count_sub+0x18/0xd0
        ? __sb_start_write+0x10a/0x230
        ? vfs_write+0x222/0x240
        vfs_write+0xef/0x240
        SyS_write+0xab/0x130
        ? SyS_read+0x130/0x130
        ? trace_hardirqs_on_caller+0x182/0x280
        ? trace_hardirqs_on_thunk+0x1a/0x1c
        entry_SYSCALL_64_fastpath+0x18/0xad
       RIP: 0033:0x7fe61c157c30
       RSP: 002b:00007ffe87890258 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
       RAX: ffffffffffffffda RBX: ffffffff8114a410 RCX: 00007fe61c157c30
       RDX: 0000000000000010 RSI: 000055814798f5e0 RDI: 0000000000000001
       RBP: ffff8800c9027f98 R08: 00007fe61c422740 R09: 00007fe61ca53700
       R10: 0000000000000073 R11: 0000000000000246 R12: 0000558147a36400
       R13: 00007ffe8788f160 R14: 0000000000000024 R15: 00007ffe8788f15c
        ? trace_hardirqs_off_caller+0xc0/0x110
       ---[ end trace 99fa09b3d9869c2c ]---
       Bad trampoline accounting at: ffffffff81cc3b00 (do_IRQ+0x0/0x150)
      
      Fixes: 59df055f ("ftrace: trace different functions with a different tracer")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      [bwh: Backported to 3.16:
       - Use ftrace_run_update_code() instead of ftrace_run_modify_code(), and
         don't define old_hash
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      78ff1aa9
    • Matt Ranostay's avatar
      iio: proximity: as3935: fix as3935_write · 5e7c69bf
      Matt Ranostay authored
      commit 84ca8e36 upstream.
      
      AS3935_WRITE_DATA macro bit is incorrect and the actual write
      sequence is two leading zeros.
      
      Cc: George McCollister <george.mccollister@gmail.com>
      Signed-off-by: default avatarMatt Ranostay <matt.ranostay@konsulko.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5e7c69bf
    • Pavel Roskin's avatar
      iio: dac: ad7303: fix channel description · cc7026a2
      Pavel Roskin authored
      commit ce420fd4 upstream.
      
      realbits, storagebits and shift should be numbers, not ASCII characters.
      Signed-off-by: default avatarPavel Roskin <plroskin@gmail.com>
      Reviewed-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cc7026a2
    • Kan Liang's avatar
      perf/x86: Fix spurious NMI with PEBS Load Latency event · c2e9149e
      Kan Liang authored
      commit fd583ad1 upstream.
      
      Spurious NMIs will be observed with the following command:
      
        while :; do
          perf record -bae "cpu/umask=0x01,event=0xcd,ldlat=0x80/pp"
                        -e "cpu/umask=0x03,event=0x0/"
                        -e "cpu/umask=0x02,event=0x0/"
                        -e cycles,branches,cache-misses
                        -e cache-references -- sleep 10
        done
      
      The bug was introduced by commit:
      
        8077eca0 ("perf/x86/pebs: Add workaround for broken OVFL status on HSW+")
      
      That commit clears the status bits for the counters used for PEBS
      events, by masking the whole 64 bits pebs_enabled. However, only the
      low 32 bits of both status and pebs_enabled are reserved for PEBS-able
      counters.
      
      For status bits 32-34 are fixed counter overflow bits. For
      pebs_enabled bits 32-34 are for PEBS Load Latency.
      
      In the test case, the PEBS Load Latency event and fixed counter event
      could overflow at the same time. The fixed counter overflow bit will
      be cleared by mistake. Once it is cleared, the fixed counter overflow
      never be processed, which finally trigger spurious NMI.
      
      Correct the PEBS enabled mask by ignoring the non-PEBS bits.
      Signed-off-by: default avatarKan Liang <kan.liang@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Fixes: 8077eca0 ("perf/x86/pebs: Add workaround for broken OVFL status on HSW+")
      Link: http://lkml.kernel.org/r/1491333246-3965-1-git-send-email-kan.liang@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.16:
       - Drop change in get_next_pebs_record_by_bit()
       - Adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c2e9149e
    • Stephane Eranian's avatar
      perf/x86/pebs: Fix handling of PEBS buffer overflows · d509667f
      Stephane Eranian authored
      commit daa864b8 upstream.
      
      This patch solves a race condition between PEBS and the PMU handler.
      
      In case multiple PEBS events are sampled at the same time,
      it is possible to have GLOBAL_STATUS bit 62 set indicating
      PEBS buffer overflow and also seeing at most 3 PEBS counters
      having their bits set in the status register. This is a sign
      that there was at least one PEBS record pending at the time
      of the PMU interrupt. PEBS counters must only be processed
      via the drain_pebs() calls, and not via the regular sample
      processing loop coming after that the function, otherwise
      phony regular samples may be generated in the sampling buffer
      not marked with the EXACT tag.
      
      Another possibility is to have one PEBS event and at least
      one non-PEBS event whic hoverflows while PEBS has armed. In this
      case, bit 62 of GLOBAL_STATUS will not be set, yet the overflow
      status bit for the PEBS counter will be on Skylake.
      
      To avoid this problem, we systematically ignore the PEBS-enabled
      counters from the GLOBAL_STATUS mask and we always process PEBS
      events via drain_pebs().
      
      The problem manifested itself by having non-exact samples when
      sampling only PEBS events, i.e., the PERF_SAMPLE_RECORD would
      not have the EXACT flag set.
      
      Note that this problem is only present on Skylake processor.
      This fix is harmless on older processors.
      Reported-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Link: http://lkml.kernel.org/r/1482395366-8992-1-git-send-email-eranian@google.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.16: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d509667f
    • Ludovic Desroches's avatar
      ARM: dts: at91: sama5d3_xplained: not all ADC channels are available · b9cc9b04
      Ludovic Desroches authored
      commit d3df1ec0 upstream.
      
      Remove ADC channels that are not available by default on the sama5d3_xplained
      board (resistor not populated) in order to not create confusion.
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b9cc9b04
    • Ludovic Desroches's avatar
      ARM: dts: at91: sama5d3_xplained: fix ADC vref · aa415725
      Ludovic Desroches authored
      commit 9cdd31e5 upstream.
      
      The voltage reference for the ADC is not 3V but 3.3V since it is connected to
      VDDANA.
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      aa415725
    • Giedrius Statkevičius's avatar
      power: supply: lp8788: prevent out of bounds array access · 1d4198c5
      Giedrius Statkevičius authored
      commit bdd9968d upstream.
      
      val might become 7 in which case stime[7] (array of length 7) would be
      accessed during the scnprintf call later and that will cause issues.
      Obviously, string concatenation is not intended here so just a comma needs
      to be added to fix the issue.
      
      Fixes: 98a27664 ("power_supply: Add new lp8788 charger driver")
      Signed-off-by: default avatarGiedrius Statkevičius <giedrius.statkevicius@gmail.com>
      Acked-by: default avatarMilo Kim <milo.kim@ti.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1d4198c5
    • Alex Williamson's avatar
      vfio/type1: Remove locked page accounting workqueue · ae57d146
      Alex Williamson authored
      commit 0cfef2b7 upstream.
      
      If the mmap_sem is contented then the vfio type1 IOMMU backend will
      defer locked page accounting updates to a workqueue task.  This has a
      few problems and depending on which side the user tries to play, they
      might be over-penalized for unmaps that haven't yet been accounted or
      race the workqueue to enter more mappings than they're allowed.  The
      original intent of this workqueue mechanism seems to be focused on
      reducing latency through the ioctl, but we cannot do so at the cost
      of correctness.  Remove this workqueue mechanism and update the
      callers to allow for failure.  We can also now recheck the limit under
      write lock to make sure we don't exceed it.
      
      vfio_pin_pages_remote() also now necessarily includes an unwind path
      which we can jump to directly if the consecutive page pinning finds
      that we're exceeding the user's memory limits.  This avoids the
      current lazy approach which does accounting and mapping up to the
      fault, only to return an error on the next iteration to unwind the
      entire vfio_dma.
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Reviewed-by: default avatarKirti Wankhede <kwankhede@nvidia.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      [bwh: Backported to 3.16:
       - vfio_lock_acct() always operates on current->mm
       - Drop changes to vfio_{,un}pin_page_external() and
         vfio_iommu_unmap_unpin_reaccount()
       - Drop test of rsvd flag
       - Fix up the disable_hugepages case in vfio_pin_pages()
       - Use down_write() instead of down_write_killable()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae57d146
    • David Woodhouse's avatar
      PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms · 44c57410
      David Woodhouse authored
      commit 6bccc7f4 upstream.
      
      In the PCI_MMAP_PROCFS case when the address being passed by the user is a
      'user visible' resource address based on the bus window, and not the actual
      contents of the resource, that's what we need to be checking it against.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      44c57410
    • Johan Hovold's avatar
      serial: omap: suspend device on probe errors · d1bdf06f
      Johan Hovold authored
      commit 77e6fe7f upstream.
      
      Make sure to actually suspend the device before returning after a failed
      (or deferred) probe.
      
      Note that autosuspend must be disabled before runtime pm is disabled in
      order to balance the usage count due to a negative autosuspend delay as
      well as to make the final put suspend the device synchronously.
      
      Fixes: 388bc262 ("omap-serial: Fix the error handling in the omap_serial probe")
      Cc: Shubhrajyoti D <shubhrajyoti@ti.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Acked-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d1bdf06f