1. 25 Aug, 2015 13 commits
    • Peter Zijlstra's avatar
      rcu: Move lockless_dereference() out of rcupdate.h · 554b079b
      Peter Zijlstra authored
      commit 0a04b016 upstream.
      
      I want to use lockless_dereference() from seqlock.h, which would mean
      including rcupdate.h from it, however rcupdate.h already includes
      seqlock.h.
      
      Avoid this by moving lockless_dereference() into compiler.h. This is
      somewhat tricky since it uses smp_read_barrier_depends() which isn't
      available there, but its a CPP macro so we can get away with it.
      
      The alternative would be moving it into asm/barrier.h, but that would
      be updating each arch (I can do if people feel that is more
      appropriate).
      
      Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      554b079b
    • Paul E. McKenney's avatar
      rcu: Provide counterpart to rcu_dereference() for non-RCU situations · afadae32
      Paul E. McKenney authored
      commit 54ef6df3 upstream.
      
      Although rcu_dereference() and friends can be used in situations where
      object lifetimes are being managed by something other than RCU, the
      resulting sparse and lockdep-RCU noise can be annoying.  This commit
      therefore supplies a lockless_dereference(), which provides the
      protection for dereferences without the RCU-related debugging noise.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      afadae32
    • Peter Zijlstra's avatar
      arch: Introduce smp_load_acquire(), smp_store_release() · ad3b8fca
      Peter Zijlstra authored
      commit 47933ad4 upstream.
      
      A number of situations currently require the heavyweight smp_mb(),
      even though there is no need to order prior stores against later
      loads.  Many architectures have much cheaper ways to handle these
      situations, but the Linux kernel currently has no portable way
      to make use of them.
      
      This commit therefore supplies smp_load_acquire() and
      smp_store_release() to remedy this situation.  The new
      smp_load_acquire() primitive orders the specified load against
      any subsequent reads or writes, while the new smp_store_release()
      primitive orders the specifed store against any prior reads or
      writes.  These primitives allow array-based circular FIFOs to be
      implemented without an smp_mb(), and also allow a theoretical
      hole in rcu_assign_pointer() to be closed at no additional
      expense on most architectures.
      
      In addition, the RCU experience transitioning from explicit
      smp_read_barrier_depends() and smp_wmb() to rcu_dereference()
      and rcu_assign_pointer(), respectively resulted in substantial
      improvements in readability.  It therefore seems likely that
      replacing other explicit barriers with smp_load_acquire() and
      smp_store_release() will provide similar benefits.  It appears
      that roughly half of the explicit barriers in core kernel code
      might be so replaced.
      
      [Changelog by PaulMck]
      Reviewed-by: default avatar"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
      Cc: Michael Ellerman <michael@ellerman.id.au>
      Cc: Michael Neuling <mikey@neuling.org>
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Victor Kaplansky <VICTORK@il.ibm.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Link: http://lkml.kernel.org/r/20131213150640.908486364@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ad3b8fca
    • Andy Lutomirski's avatar
      x86/nmi/64: Switch stacks on userspace NMI entry · e0de15fc
      Andy Lutomirski authored
      commit 9b6e6a83 upstream.
      
      Returning to userspace is tricky: IRET can fail, and ESPFIX can
      rearrange the stack prior to IRET.
      
      The NMI nesting fixup relies on a precise stack layout and
      atomic IRET.  Rather than trying to teach the NMI nesting fixup
      to handle ESPFIX and failed IRET, punt: run NMIs that came from
      user mode on the normal kernel stack.
      
      This will make some nested NMIs visible to C code, but the C
      code is okay with that.
      
      As a side effect, this should speed up perf: it eliminates an
      RDMSR when NMIs come from user mode.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e0de15fc
    • Andy Lutomirski's avatar
      x86/nmi/64: Remove asm code that saves CR2 · 3682103f
      Andy Lutomirski authored
      commit 0e181bb5 upstream.
      
      Now that do_nmi saves CR2, we don't need to save it in asm.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3682103f
    • Andy Lutomirski's avatar
      x86/nmi: Enable nested do_nmi() handling for 64-bit kernels · 012ace61
      Andy Lutomirski authored
      commit 9d050416 upstream.
      
      32-bit kernels handle nested NMIs in C.  Enable the exact same
      handling on 64-bit kernels as well.  This isn't currently
      necessary, but it will become necessary once the asm code starts
      allowing limited nesting.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      012ace61
    • NeilBrown's avatar
      md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies · 44174364
      NeilBrown authored
      commit 423f04d6 upstream.
      
      raid1_end_read_request() assumes that the In_sync bits are consistent
      with the ->degaded count.
      raid1_spare_active updates the In_sync bit before the ->degraded count
      and so exposes an inconsistency, as does error()
      So extend the spinlock in raid1_spare_active() and error() to hide those
      inconsistencies.
      
      This should probably be part of
        Commit: 34cab6f4 ("md/raid1: fix test for 'was read error from
        last working device'.")
      as it addresses the same issue.  It fixes the same bug and should go
      to -stable for same reasons.
      
      Fixes: 76073054 ("md/raid1: clean up read_balance.")
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      44174364
    • Joseph Qi's avatar
      ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() · df691629
      Joseph Qi authored
      commit 209f7512 upstream.
      
      The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
      ocfs2_downconvert_thread_do_work can be triggered in the following case:
      
      ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
      processed, and then processes the dentry lockres.  During the dentry
      put, it calls iput and then deletes rw, inode and open lockres from
      blocked list in ocfs2_mark_lockres_freeing.  And this causes the
      variable `processed' to not reflect the number of blocked lockres to be
      processed, which triggers the BUG.
      Signed-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      df691629
    • Marcus Gelderie's avatar
      ipc: modify message queue accounting to not take kernel data structures into account · be797479
      Marcus Gelderie authored
      commit de54b9ac upstream.
      
      A while back, the message queue implementation in the kernel was
      improved to use btrees to speed up retrieval of messages, in commit
      d6629859 ("ipc/mqueue: improve performance of send/recv").
      
      That patch introducing the improved kernel handling of message queues
      (using btrees) has, as a by-product, changed the meaning of the QSIZE
      field in the pseudo-file created for the queue.  Before, this field
      reflected the size of the user-data in the queue.  Since, it also takes
      kernel data structures into account.  For example, if 13 bytes of user
      data are in the queue, on my machine the file reports a size of 61
      bytes.
      
      There was some discussion on this topic before (for example
      https://lkml.org/lkml/2014/10/1/115).  Commenting on a th lkml, Michael
      Kerrisk gave the following background
      (https://lkml.org/lkml/2015/6/16/74):
      
          The pseudofiles in the mqueue filesystem (usually mounted at
          /dev/mqueue) expose fields with metadata describing a message
          queue. One of these fields, QSIZE, as originally implemented,
          showed the total number of bytes of user data in all messages in
          the message queue, and this feature was documented from the
          beginning in the mq_overview(7) page. In 3.5, some other (useful)
          work happened to break the user-space API in a couple of places,
          including the value exposed via QSIZE, which now includes a measure
          of kernel overhead bytes for the queue, a figure that renders QSIZE
          useless for its original purpose, since there's no way to deduce
          the number of overhead bytes consumed by the implementation.
          (The other user-space breakage was subsequently fixed.)
      
      This patch removes the accounting of kernel data structures in the
      queue.  Reporting the size of these data-structures in the QSIZE field
      was a breaking change (see Michael's comment above).  Without the QSIZE
      field reporting the total size of user-data in the queue, there is no
      way to deduce this number.
      
      It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
      against the worst-case size of the queue (in both the old and the new
      implementation).  Therefore, the kernel overhead accounting in QSIZE is
      not necessary to help the user understand the limitations RLIMIT imposes
      on the processes.
      Signed-off-by: default avatarMarcus Gelderie <redmnic@gmail.com>
      Acked-by: default avatarDoug Ledford <dledford@redhat.com>
      Acked-by: default avatarMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: John Duffy <jb_duffy@btinternet.com>
      Cc: Arto Bendiken <arto@bendiken.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      be797479
    • Dan Carpenter's avatar
      ALSA: hda - fix cs4210_spdif_automute() · 525bd2e4
      Dan Carpenter authored
      commit 44008f08 upstream.
      
      Smatch complains that we have nested checks for "spdif_present".  It
      turns out the current behavior isn't correct, we should remove the first
      check and keep the second.
      
      Fixes: 1077a024 ('ALSA: hda - Use generic parser for Cirrus codec driver')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      525bd2e4
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iscsit_start_kthreads failure OOPs · 7a2c1a8e
      Nicholas Bellinger authored
      commit e5419865 upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where a iscsit_start_kthreads() failure triggers
      a NULL pointer dereference OOPs:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, move iscsit_start_kthreads() immediately
      preceeding the transmit of last login response, before signaling
      a successful transition into full-feature-phase within existing
      iscsi_target_do_tx_login_io() logic.
      
      This ensures that no target-side resource allocation failures can
      occur after the final login response has been successfully sent.
      
      Also, it adds a iscsi_conn->rx_login_comp to allow the RX thread
      to sleep to prevent other socket related failures until the final
      iscsi_post_login_handler() call is able to complete.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@daterainc.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7a2c1a8e
    • Roger Quadros's avatar
      ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc · 6c1bb29f
      Roger Quadros authored
      commit 9a258afa upstream.
      
      For hwmods without sysc, _init_mpu_rt_base(oh) won't be called and so
      _find_mpu_rt_port(oh) will return NULL thus preventing ready state check
      on those modules after the module is enabled.
      
      This can potentially cause a bus access error if the module is accessed
      before the module is ready.
      
      Fix this by unconditionally calling _init_mpu_rt_base() during hwmod
      _init(). Do ioremap only if we need SYSC access.
      
      Eventhough _wait_target_ready() check doesn't really need MPU RT port but
      just the PRCM registers, we still mandate that the hwmod must have an
      MPU RT port if ready state check needs to be done. Else it would mean that
      the module is not accessible by MPU so there is no point in waiting
      for target to be ready.
      
      e.g. this fixes the below DCAN bus access error on AM437x-gp-evm.
      
      [   16.672978] ------------[ cut here ]------------
      [   16.677885] WARNING: CPU: 0 PID: 1580 at drivers/bus/omap_l3_noc.c:147 l3_interrupt_handler+0x234/0x35c()
      [   16.687946] 44000000.ocp:L3 Custom Error: MASTER M2 (64-bit) TARGET L4_PER_0 (Read): Data Access in User mode during Functional access
      [   16.700654] Modules linked in: xhci_hcd btwilink ti_vpfe dwc3 videobuf2_core ov2659 bluetooth v4l2_common videodev ti_am335x_adc kfifo_buf industrialio c_can_platform videobuf2_dma_contig media snd_soc_tlv320aic3x pixcir_i2c_ts c_can dc
      [   16.731144] CPU: 0 PID: 1580 Comm: rpc.statd Not tainted 3.14.26-02561-gf733aa036398 #180
      [   16.739747] Backtrace:
      [   16.742336] [<c0011108>] (dump_backtrace) from [<c00112a4>] (show_stack+0x18/0x1c)
      [   16.750285]  r6:00000093 r5:00000009 r4:eab5b8a8 r3:00000000
      [   16.756252] [<c001128c>] (show_stack) from [<c05a4418>] (dump_stack+0x20/0x28)
      [   16.763870] [<c05a43f8>] (dump_stack) from [<c0037120>] (warn_slowpath_common+0x6c/0x8c)
      [   16.772408] [<c00370b4>] (warn_slowpath_common) from [<c00371e4>] (warn_slowpath_fmt+0x38/0x40)
      [   16.781550]  r8:c05d1f90 r7:c0730844 r6:c0730448 r5:80080003 r4:ed0cd210
      [   16.788626] [<c00371b0>] (warn_slowpath_fmt) from [<c027fa94>] (l3_interrupt_handler+0x234/0x35c)
      [   16.797968]  r3:ed0cd480 r2:c0730508
      [   16.801747] [<c027f860>] (l3_interrupt_handler) from [<c0063758>] (handle_irq_event_percpu+0x54/0x1bc)
      [   16.811533]  r10:ed005600 r9:c084855b r8:0000002a r7:00000000 r6:00000000 r5:0000002a
      [   16.819780]  r4:ed0e6d80
      [   16.822453] [<c0063704>] (handle_irq_event_percpu) from [<c00638f0>] (handle_irq_event+0x30/0x40)
      [   16.831789]  r10:eb2b6938 r9:eb2b6960 r8:bf011420 r7:fa240100 r6:00000000 r5:0000002a
      [   16.840052]  r4:ed005600
      [   16.842744] [<c00638c0>] (handle_irq_event) from [<c00661d8>] (handle_fasteoi_irq+0x74/0x128)
      [   16.851702]  r4:ed005600 r3:00000000
      [   16.855479] [<c0066164>] (handle_fasteoi_irq) from [<c0063068>] (generic_handle_irq+0x28/0x38)
      [   16.864523]  r4:0000002a r3:c0066164
      [   16.868294] [<c0063040>] (generic_handle_irq) from [<c000ef60>] (handle_IRQ+0x38/0x8c)
      [   16.876612]  r4:c081c640 r3:00000202
      [   16.880380] [<c000ef28>] (handle_IRQ) from [<c00084f0>] (gic_handle_irq+0x30/0x5c)
      [   16.888328]  r6:eab5ba38 r5:c0804460 r4:fa24010c r3:00000100
      [   16.894303] [<c00084c0>] (gic_handle_irq) from [<c05a8d80>] (__irq_svc+0x40/0x50)
      [   16.902193] Exception stack(0xeab5ba38 to 0xeab5ba80)
      [   16.907499] ba20:                                                       00000000 00000006
      [   16.916108] ba40: fa1d0000 fa1d0008 ed3d3000 eab5bab4 ed3d3460 c0842af4 bf011420 eb2b6960
      [   16.924716] ba60: eb2b6938 eab5ba8c eab5ba90 eab5ba80 bf035220 bf07702c 600f0013 ffffffff
      [   16.933317]  r7:eab5ba6c r6:ffffffff r5:600f0013 r4:bf07702c
      [   16.939317] [<bf077000>] (c_can_plat_read_reg_aligned_to_16bit [c_can_platform]) from [<bf035220>] (c_can_get_berr_counter+0x38/0x64 [c_can])
      [   16.952696] [<bf0351e8>] (c_can_get_berr_counter [c_can]) from [<bf010294>] (can_fill_info+0x124/0x15c [can_dev])
      [   16.963480]  r5:ec8c9740 r4:ed3d3000
      [   16.967253] [<bf010170>] (can_fill_info [can_dev]) from [<c0502fa8>] (rtnl_fill_ifinfo+0x58c/0x8fc)
      [   16.976749]  r6:ec8c9740 r5:ed3d3000 r4:eb2b6780
      [   16.981613] [<c0502a1c>] (rtnl_fill_ifinfo) from [<c0503408>] (rtnl_dump_ifinfo+0xf0/0x1dc)
      [   16.990401]  r10:ec8c9740 r9:00000000 r8:00000000 r7:00000000 r6:ebd4d1b4 r5:ed3d3000
      [   16.998671]  r4:00000000
      [   17.001342] [<c0503318>] (rtnl_dump_ifinfo) from [<c050e6e4>] (netlink_dump+0xa8/0x1e0)
      [   17.009772]  r10:00000000 r9:00000000 r8:c0503318 r7:ebf3e6c0 r6:ebd4d1b4 r5:ec8c9740
      [   17.018050]  r4:ebd4d000
      [   17.020714] [<c050e63c>] (netlink_dump) from [<c050ec10>] (__netlink_dump_start+0x104/0x154)
      [   17.029591]  r6:eab5bd34 r5:ec8c9980 r4:ebd4d000
      [   17.034454] [<c050eb0c>] (__netlink_dump_start) from [<c0505604>] (rtnetlink_rcv_msg+0x110/0x1f4)
      [   17.043778]  r7:00000000 r6:ec8c9980 r5:00000f40 r4:ebf3e6c0
      [   17.049743] [<c05054f4>] (rtnetlink_rcv_msg) from [<c05108e8>] (netlink_rcv_skb+0xb4/0xc8)
      [   17.058449]  r8:eab5bdac r7:ec8c9980 r6:c05054f4 r5:ec8c9980 r4:ebf3e6c0
      [   17.065534] [<c0510834>] (netlink_rcv_skb) from [<c0504134>] (rtnetlink_rcv+0x24/0x2c)
      [   17.073854]  r6:ebd4d000 r5:00000014 r4:ec8c9980 r3:c0504110
      [   17.079846] [<c0504110>] (rtnetlink_rcv) from [<c05102ac>] (netlink_unicast+0x180/0x1ec)
      [   17.088363]  r4:ed0c6800 r3:c0504110
      [   17.092113] [<c051012c>] (netlink_unicast) from [<c0510670>] (netlink_sendmsg+0x2ac/0x380)
      [   17.100813]  r10:00000000 r8:00000008 r7:ec8c9980 r6:ebd4d000 r5:eab5be70 r4:eab5bee4
      [   17.109083] [<c05103c4>] (netlink_sendmsg) from [<c04dfdb4>] (sock_sendmsg+0x90/0xb0)
      [   17.117305]  r10:00000000 r9:eab5a000 r8:becdda3c r7:0000000c r6:ea978400 r5:eab5be70
      [   17.125563]  r4:c05103c4
      [   17.128225] [<c04dfd24>] (sock_sendmsg) from [<c04e1c28>] (SyS_sendto+0xb8/0xdc)
      [   17.136001]  r6:becdda5c r5:00000014 r4:ecd37040
      [   17.140876] [<c04e1b70>] (SyS_sendto) from [<c000e680>] (ret_fast_syscall+0x0/0x30)
      [   17.148923]  r10:00000000 r8:c000e804 r7:00000122 r6:becdda5c r5:0000000c r4:becdda5c
      [   17.157169] ---[ end trace 2b71e15b38f58bad ]---
      
      Fixes: 6423d6df ("ARM: OMAP2+: hwmod: check for module address space during init")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6c1bb29f
    • Herbert Xu's avatar
      crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer · 2204205e
      Herbert Xu authored
      commit f898c522 upstream.
      
      This patch removes a bogus BUG_ON in the ablkcipher path that
      triggers when the destination buffer is different from the source
      buffer and is scattered.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2204205e
  2. 19 Aug, 2015 27 commits
    • Andy Lutomirski's avatar
      x86/xen: Probe target addresses in set_aliased_prot() before the hypercall · 21934b88
      Andy Lutomirski authored
      commit aa1acff3 upstream.
      
      The update_va_mapping hypercall can fail if the VA isn't present
      in the guest's page tables.  Under certain loads, this can
      result in an OOPS when the target address is in unpopulated vmap
      space.
      
      While we're at it, add comments to help explain what's going on.
      
      This isn't a great long-term fix.  This code should probably be
      changed to use something like set_memory_ro.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Andrew Cooper <andrew.cooper3@citrix.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: David Vrabel <dvrabel@cantab.net>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: security@kernel.org <security@kernel.org>
      Cc: xen-devel <xen-devel@lists.xen.org>
      Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      21934b88
    • Axel Lin's avatar
      ASoC: pcm1681: Fix setting de-emphasis sampling rate selection · 2befcb5c
      Axel Lin authored
      commit fa8173a3 upstream.
      
      The de-emphasis sampling rate selection is controlled by BIT[3:4] of
      PCM1681_DEEMPH_CONTROL register. Do proper left shift to set it.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Acked-by: default avatarMarek Belisko <marek.belisko@streamunlimited.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2befcb5c
    • Benjamin Randazzo's avatar
      md: use kzalloc() when bitmap is disabled · 6578b22c
      Benjamin Randazzo authored
      commit b6878d9e upstream.
      
      In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
      mdu_bitmap_file_t called "file".
      
      5769         file = kmalloc(sizeof(*file), GFP_NOIO);
      5770         if (!file)
      5771                 return -ENOMEM;
      
      This structure is copied to user space at the end of the function.
      
      5786         if (err == 0 &&
      5787             copy_to_user(arg, file, sizeof(*file)))
      5788                 err = -EFAULT
      
      But if bitmap is disabled only the first byte of "file" is initialized
      with zero, so it's possible to read some bytes (up to 4095) of kernel
      space memory from user space. This is an information leak.
      
      5775         /* bitmap disabled, zero the first byte and copy out */
      5776         if (!mddev->bitmap_info.file)
      5777                 file->pathname[0] = '\0';
      Signed-off-by: default avatarBenjamin Randazzo <benjamin@randazzo.fr>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6578b22c
    • David S. Miller's avatar
      sparc64: Fix userspace FPU register corruptions. · 94649903
      David S. Miller authored
      [ Upstream commit 44922150 ]
      
      If we have a series of events from userpsace, with %fprs=FPRS_FEF,
      like follows:
      
      ETRAP
      	ETRAP
      		VIS_ENTRY(fprs=0x4)
      		VIS_EXIT
      		RTRAP (kernel FPU restore with fpu_saved=0x4)
      	RTRAP
      
      We will not restore the user registers that were clobbered by the FPU
      using kernel code in the inner-most trap.
      
      Traps allocate FPU save slots in the thread struct, and FPU using
      sequences save the "dirty" FPU registers only.
      
      This works at the initial trap level because all of the registers
      get recorded into the top-level FPU save area, and we'll return
      to userspace with the FPU disabled so that any FPU use by the user
      will take an FPU disabled trap wherein we'll load the registers
      back up properly.
      
      But this is not how trap returns from kernel to kernel operate.
      
      The simplest fix for this bug is to always save all FPU register state
      for anything other than the top-most FPU save area.
      
      Getting rid of the optimized inner-slot FPU saving code ends up
      making VISEntryHalf degenerate into plain VISEntry.
      
      Longer term we need to do something smarter to reinstate the partial
      save optimizations.  Perhaps the fundament error is having trap entry
      and exit allocate FPU save slots and restore register state.  Instead,
      the VISEntry et al. calls should be doing that work.
      
      This bug is about two decades old.
      Reported-by: default avatarJames Y Knight <jyknight@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      94649903
    • Xie XiuQi's avatar
      ipmi: fix timeout calculation when bmc is disconnected · 1602b97c
      Xie XiuQi authored
      commit e21404dc upstream.
      
      Loading ipmi_si module while bmc is disconnected, we found the timeout
      is longer than 5 secs.  Actually it takes about 3 mins and 20
      secs.(HZ=250)
      
      error message as below:
        Dec 12 19:08:59 linux kernel: IPMI BT: timeout in RD_WAIT [ ] 1 retries left
        Dec 12 19:08:59 linux kernel: BT: write 4 bytes seq=0x01 03 18 00 01
        [...]
        Dec 12 19:12:19 linux kernel: IPMI BT: timeout in RD_WAIT [ ]
        Dec 12 19:12:19 linux kernel: failed 2 retries, sending error response
        Dec 12 19:12:19 linux kernel: IPMI: BT reset (takes 5 secs)
        Dec 12 19:12:19 linux kernel: IPMI BT: flag reset [ ]
      
      Function wait_for_msg_done() use schedule_timeout_uninterruptible(1) to
      sleep 1 tick, so we should subtract jiffies_to_usecs(1) instead of 100
      usecs from timeout.
      Reported-by: default avatarHu Shiyuan <hushiyuan@huawei.com>
      Signed-off-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1602b97c
    • Mimi Zohar's avatar
      ima: extend "mask" policy matching support · a5423d5e
      Mimi Zohar authored
      commit 4351c294 upstream.
      
      The current "mask" policy option matches files opened as MAY_READ,
      MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
      option to match files opened containing one of these modes.  For
      example, "mask=^MAY_READ" would match files opened read-write.
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDr. Greg Wettstein <gw@idfusion.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a5423d5e
    • Mimi Zohar's avatar
      ima: add support for new "euid" policy condition · cee24cef
      Mimi Zohar authored
      commit 139069ef upstream.
      
      The new "euid" policy condition measures files with the specified
      effective uid (euid).  In addition, for CAP_SETUID files it measures
      files with the specified uid or suid.
      
      Changelog:
      - fixed checkpatch.pl warnings
      - fixed avc denied {setuid} messages - based on Roberto's feedback
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDr. Greg Wettstein <gw@idfusion.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cee24cef
    • Dirk Behme's avatar
      USB: sierra: add 1199:68AB device ID · bf7fe0ad
      Dirk Behme authored
      commit 74472233 upstream.
      
      Add support for the Sierra Wireless AR8550 device with
      USB descriptor 0x1199, 0x68AB.
      
      It is common with MC879x modules 1199:683c/683d which
      also are composite devices with 7 interfaces (0..6)
      and also MDM62xx based as the AR8550.
      
      The major difference are only the interface attributes
      02/02/01 on interfaces 3 and 4 on the AR8550. They are
      vendor specific ff/ff/ff on MC879x modules.
      
      lsusb reports:
      
      Bus 001 Device 004: ID 1199:68ab Sierra Wireless, Inc.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0 (Defined at Interface level)
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x1199 Sierra Wireless, Inc.
        idProduct          0x68ab
        bcdDevice            0.06
        iManufacturer           3 Sierra Wireless, Incorporated
        iProduct                2 AR8550
        iSerial                 0
        bNumConfigurations      1
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength          198
          bNumInterfaces          7
          bConfigurationValue     1
          iConfiguration          1 Sierra Configuration
          bmAttributes         0xe0
            Self Powered
            Remote Wakeup
          MaxPower                0mA
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        0
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x81  EP 1 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x01  EP 1 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        1
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x82  EP 2 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x02  EP 2 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        2
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x83  EP 3 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x03  EP 3 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        3
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass         2 Communications
            bInterfaceSubClass      2 Abstract (modem)
            bInterfaceProtocol      1 AT-commands (v.25ter)
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x84  EP 4 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x85  EP 5 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x04  EP 4 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        4
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass         2 Communications
            bInterfaceSubClass      2 Abstract (modem)
            bInterfaceProtocol      1 AT-commands (v.25ter)
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x86  EP 6 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x87  EP 7 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x05  EP 5 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        5
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x88  EP 8 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x89  EP 9 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x06  EP 6 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        6
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x8a  EP 10 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x8b  EP 11 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x07  EP 7 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
      Device Qualifier (for other device speed):
        bLength                10
        bDescriptorType         6
        bcdUSB               2.00
        bDeviceClass            0 (Defined at Interface level)
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        bNumConfigurations      1
      Device Status:     0x0001
        Self Powered
      Signed-off-by: default avatarDirk Behme <dirk.behme@de.bosch.com>
      Cc: Lars Melin <larsm17@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bf7fe0ad
    • Mathias Nyman's avatar
      xhci: fix off by one error in TRB DMA address boundary check · ae6f7c87
      Mathias Nyman authored
      commit 7895086a upstream.
      
      We need to check that a TRB is part of the current segment
      before calculating its DMA address.
      
      Previously a ring segment didn't use a full memory page, and every
      new ring segment got a new memory page, so the off by one
      error in checking the upper bound was never seen.
      
      Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one
      didn't catch the case when a TRB was the first element of the next segment.
      
      This is triggered if the virtual memory pages for a ring segment are
      next to each in increasing order where the ring buffer wraps around and
      causes errors like:
      
      [  106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
      [  106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0
      
      The trb-end address is one outside the end-seg address.
      Tested-by: default avatarArkadiusz Miśkiewicz <arekm@maven.pl>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ae6f7c87
    • Brian King's avatar
      ipr: Fix invalid array indexing for HRRQ · 3a126802
      Brian King authored
      commit 3f1c0581 upstream.
      
      Fixes another signed / unsigned array indexing bug in the ipr driver.
      Currently, when hrrq_index wraps, it becomes a negative number. We
      do the modulo, but still have a negative number, so we end up indexing
      backwards in the array. Given where the hrrq array is located in memory,
      we probably won't actually reference memory we don't own, but nonetheless
      ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as
      struct ipr_hrr_queue data, so bad things could certainly happen.
      
      Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new
      adapters.  Let's take an example:
      
      Assume ioa_cfg->hrrq_index=0x7fffffffe and ioa_cfg->hrrq_num=4:
      
      The atomic_add_return will then return -1. We mod this with 3 and get -2, add
      one and get -1 for an array index.
      
      On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter
      initialization and error interrupts so that we can optimize the other queues
      for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the
      I/O requests across those HRRQs.
      
      With the default module parameter settings, this bug won't hit, only when
      someone sets the ipr.number_of_msix parameter to a value larger than 3 is when
      bad things start to happen.
      Tested-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3a126802
    • Brian King's avatar
      ipr: Fix incorrect trace indexing · 627c32b0
      Brian King authored
      commit bb7c5433 upstream.
      
      When ipr's internal driver trace was changed to an atomic, a signed/unsigned
      bug slipped in which results in us indexing backwards in our memory buffer
      writing on memory that does not belong to us. This patch fixes this by removing
      the modulo and instead just mask off the low bits.
      Tested-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      627c32b0
    • Brian King's avatar
      ipr: Fix locking for unit attention handling · 7408687f
      Brian King authored
      commit 36b8e180 upstream.
      
      Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes
      a crash seen as the __devices list in the scsi host was changing as we were
      iterating through it.
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7408687f
    • Alex Deucher's avatar
      drm/radeon/combios: add some validation of lvds values · e422e401
      Alex Deucher authored
      commit 0a90a0cf upstream.
      
      Fixes a broken hsync start value uncovered by:
      abc0b144
      (drm: Perform basic sanity checks on probed modes)
      
      The driver handled the bad hsync start elsewhere, but
      the above commit prevented it from getting added.
      
      bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=91401Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e422e401
    • Jan Kara's avatar
      fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() · 194d4357
      Jan Kara authored
      commit 8f2f3eb5 upstream.
      
      fsnotify_clear_marks_by_group_flags() can race with
      fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
      drops mark_mutex, a mark from the list iterated by
      fsnotify_clear_marks_by_group_flags() can be freed and thus the next
      entry pointer we have cached may become stale and we dereference free
      memory.
      
      Fix the problem by first moving marks to free to a special private list
      and then always free the first entry in the special list.  This method
      is safe even when entries from the list can disappear once we drop the
      lock.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Reported-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Reviewed-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      194d4357
    • David Daney's avatar
      MIPS: Make set_pte() SMP safe. · 91aca356
      David Daney authored
      commit 46011e6e upstream.
      
      On MIPS the GLOBAL bit of the PTE must have the same value in any
      aligned pair of PTEs.  These pairs of PTEs are referred to as
      "buddies".  In a SMP system is is possible for two CPUs to be calling
      set_pte() on adjacent PTEs at the same time.  There is a race between
      setting the PTE and a different CPU setting the GLOBAL bit in its
      buddy PTE.
      
      This race can be observed when multiple CPUs are executing
      vmap()/vfree() at the same time.
      
      Make setting the buddy PTE's GLOBAL bit an atomic operation to close
      the race condition.
      
      The case of CONFIG_64BIT_PHYS_ADDR && CONFIG_CPU_MIPS32 is *not*
      handled.
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10835/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      91aca356
    • Felix Fietkau's avatar
      MIPS: Fix sched_getaffinity with MT FPAFF enabled · 6e20868a
      Felix Fietkau authored
      commit 1d62d737 upstream.
      
      p->thread.user_cpus_allowed is zero-initialized and is only filled on
      the first sched_setaffinity call.
      
      To avoid adding overhead in the task initialization codepath, simply OR
      the returned mask in sched_getaffinity with p->cpus_allowed.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10740/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6e20868a
    • Arnd Bergmann's avatar
      ARM: realview: fix sparsemem build · 7eebdf0e
      Arnd Bergmann authored
      commit dd94d355 upstream.
      
      Commit b713aa0b "ARM: fix asm/memory.h build error" broke some
      configurations on mach-realview with sparsemem enabled, which
      is missing a definition of PHYS_OFFSET:
      
      arch/arm/include/asm/memory.h:268:42: error: 'PHYS_OFFSET' undeclared (first use in this function)
       #define PHYS_PFN_OFFSET ((unsigned long)(PHYS_OFFSET >> PAGE_SHIFT))
      arch/arm/include/asm/dma-mapping.h:104:9: note: in expansion of macro 'PHYS_PFN_OFFSET'
        return PHYS_PFN_OFFSET + dma_to_pfn(dev, *dev->dma_mask);
      
      An easy workaround is for realview to define PHYS_OFFSET itself,
      in the same way we define it for platforms that don't have a private
      __virt_to_phys function.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7eebdf0e
    • Ben Hutchings's avatar
      hwrng: via-rng - Mark device ID table as __maybe_unused · 07524cea
      Ben Hutchings authored
      commit a44bc80e upstream.
      
      It is only used in modular builds.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      07524cea
    • Arnd Bergmann's avatar
      3w-xxxx: fix mis-aligned struct accesses · e75c8f5a
      Arnd Bergmann authored
      commit 4bfaa5c4 upstream.
      
      Building an allmodconfig ARM kernel, I get multiple such
      warnings because of a spinlock contained in packed structure
      in the 3w-xxxx driver:
      
      ../drivers/scsi/3w-xxxx.c: In function 'tw_chrdev_ioctl':
      ../drivers/scsi/3w-xxxx.c:1001:68: warning: mis-aligned access used for structure member [-fstrict-volatile-bitfields]
          timeout = wait_event_timeout(tw_dev->ioctl_wqueue, tw_dev->chrdev_request_id == TW_IOCTL_CHRDEV_FREE, timeout);
                                                                          ^
      ../drivers/scsi/3w-xxxx.c:1001:68: note: when a volatile object spans multiple type-sized locations, the compiler must choose between using a single mis-aligned access to preserve the volatility, or using multiple aligned accesses to avoid runtime faults; this code may fail at runtime if the hardware does not allow this access
      
      The same bug apparently was present in 3w-sas and 3w-9xxx, but has been
      fixed in the past. This patch uses the same fix by moving the pragma
      in front of the TW_Device_Extension definition, so it only covers
      hardware structures.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarAdam Radford <aradford@gmail.com>
      Cc: Adam Radford <linuxraid@lsi.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e75c8f5a
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iser explicit logout TX kthread leak · be07157c
      Nicholas Bellinger authored
      commit 007d038b upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where an explicit iser-target logout would result
      in ->tx_thread_active being incorrectly cleared by the logout post
      handler, and subsequent TX kthread leak:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, change iscsit_logout_post_handler_closesession()
      and iscsit_logout_post_handler_samecid() to only cmpxchg() on
      ->tx_thread_active for traditional iscsi/tcp connections.
      
      This is required because iscsi/tcp connections are invoking logout
      post handler logic directly from TX kthread context, while iser
      connections are invoking logout post handler logic from a seperate
      workqueue context.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      be07157c
    • Nicholas Bellinger's avatar
      iscsi-target: Fix use-after-free during TPG session shutdown · 22da75f2
      Nicholas Bellinger authored
      commit 417c20a9 upstream.
      
      This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
      where se_portal_group->session_lock was incorrectly released/re-acquired
      while walking the active se_portal_group->tpg_sess_list.
      
      The can result in a NULL pointer dereference when iscsit_close_session()
      shutdown happens in the normal path asynchronously to this code, causing
      a bogus dereference of an already freed list entry to occur.
      
      To address this bug, walk the session list checking for the same state
      as before, but move entries to a local list to avoid dropping the lock
      while walking the active list.
      
      As before, signal using iscsi_session->session_restatement=1 for those
      list entries to be released locally by iscsit_free_session() code.
      Reported-by: default avatarSunilkumar Nadumuttlu <sjn@datera.io>
      Cc: Sunilkumar Nadumuttlu <sjn@datera.io>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      22da75f2
    • Marc-André Lureau's avatar
      vhost: actually track log eventfd file · a5b3343b
      Marc-André Lureau authored
      commit 7932c0bd upstream.
      
      While reviewing vhost log code, I found out that log_file is never
      set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
      Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a5b3343b
    • Wengang Wang's avatar
      rds: rds_ib_device.refcount overflow · cbebfd10
      Wengang Wang authored
      commit 4fabb594 upstream.
      
      Fixes: 3e0249f9 ("RDS/IB: add refcount tracking to struct rds_ib_device")
      
      There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
      failed(mr pool running out). this lead to the refcount overflow.
      
      A complain in line 117(see following) is seen. From vmcore:
      s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
      That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
      to return ERR_PTR(-EAGAIN).
      
      115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
      116 {
      117         BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
      118         if (atomic_dec_and_test(&rds_ibdev->refcount))
      119                 queue_work(rds_wq, &rds_ibdev->free_work);
      120 }
      
      fix is to drop refcount when rds_ib_alloc_fmr failed.
      Signed-off-by: default avatarWengang Wang <wen.gang.wang@oracle.com>
      Reviewed-by: default avatarHaggai Eran <haggaie@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cbebfd10
    • Zhuang Jin Can's avatar
      xhci: do not report PLC when link is in internal resume state · cb770fae
      Zhuang Jin Can authored
      commit aca3a048 upstream.
      
      Port link change with port in resume state should not be
      reported to usbcore, as this is an internal state to be
      handled by xhci driver. Reporting PLC to usbcore may
      cause usbcore clearing PLC first and port change event irq
      won't be generated.
      Signed-off-by: default avatarZhuang Jin Can <jin.can.zhuang@intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cb770fae
    • Zhuang Jin Can's avatar
      xhci: prevent bus_suspend if SS port resuming in phase 1 · 6c89fe35
      Zhuang Jin Can authored
      commit fac4271d upstream.
      
      When the link is just waken, it's in Resume state, and driver sets PLS to
      U0. This refers to Phase 1. Phase 2 refers to when the link has completed
      the transition from Resume state to U0.
      
      With the fix of xhci: report U3 when link is in resume state, it also
      exposes an issue that usb3 roothub and controller can suspend right
      after phase 1, and this causes a hard hang in controller.
      
      To fix the issue, we need to prevent usb3 bus suspend if any port is
      resuming in phase 1.
      
      [merge separate USB2 and USB3 port resume checking to one -Mathias]
      Signed-off-by: default avatarZhuang Jin Can <jin.can.zhuang@intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6c89fe35
    • Zhuang Jin Can's avatar
      xhci: report U3 when link is in resume state · 975235a6
      Zhuang Jin Can authored
      commit 243292a2 upstream.
      
      xhci_hub_report_usb3_link_state() returns pls as U0 when the link
      is in resume state, and this causes usb core to think the link is in
      U0 while actually it's in resume state. When usb core transfers
      control request on the link, it fails with TRB error as the link
      is not ready for transfer.
      
      To fix the issue, report U3 when the link is in resume state, thus
      usb core knows the link it's not ready for transfer.
      Signed-off-by: default avatarZhuang Jin Can <jin.can.zhuang@intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      975235a6
    • Brian Campbell's avatar
      xhci: Calculate old endpoints correctly on device reset · 567ddd57
      Brian Campbell authored
      commit 326124a0 upstream.
      
      When resetting a device the number of active TTs may need to be
      corrected by xhci_update_tt_active_eps, but the number of old active
      endpoints supplied to it was always zero, so the number of TTs and the
      bandwidth reserved for them was not updated, and could rise
      unnecessarily.
      
      This affected systems using Intel's Patherpoint chipset, which rely on
      software bandwidth checking.  For example, a Lenovo X230 would lose the
      ability to use ports on the docking station after enough suspend/resume
      cycles because the bandwidth calculated would rise with every cycle when
      a suitable device is attached.
      
      The correct number of active endpoints is calculated in the same way as
      in xhci_reserve_bandwidth.
      Signed-off-by: default avatarBrian Campbell <bacam@z273.org.uk>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      567ddd57