1. 05 Jun, 2017 40 commits
    • net/dccp: fix use after free in tw_timer_handler() · 77a6e76e
      Andrey Ryabinin authored
      commit ec7cb62d upstream.
      
      DCCP doesn't purge timewait sockets on network namespace shutdown.
      So, after net namespace destroyed we could still have an active timer
      which will trigger use after free in tw_timer_handler():
      
          BUG: KASAN: use-after-free in tw_timer_handler+0x4a/0xa0 at addr ffff88010e0d1e10
          Read of size 8 by task swapper/1/0
          Call Trace:
           __asan_load8+0x54/0x90
           tw_timer_handler+0x4a/0xa0
           call_timer_fn+0x127/0x480
           expire_timers+0x1db/0x2e0
           run_timer_softirq+0x12f/0x2a0
           __do_softirq+0x105/0x5b4
           irq_exit+0xdd/0xf0
           smp_apic_timer_interrupt+0x57/0x70
           apic_timer_interrupt+0x90/0xa0
      
          Object at ffff88010e0d1bc0, in cache net_namespace size: 6848
          Allocated:
           save_stack_trace+0x1b/0x20
           kasan_kmalloc+0xee/0x180
           kasan_slab_alloc+0x12/0x20
           kmem_cache_alloc+0x134/0x310
           copy_net_ns+0x8d/0x280
           create_new_namespaces+0x23f/0x340
           unshare_nsproxy_namespaces+0x75/0xf0
           SyS_unshare+0x299/0x4f0
           entry_SYSCALL_64_fastpath+0x18/0xad
          Freed:
           save_stack_trace+0x1b/0x20
           kasan_slab_free+0xae/0x180
           kmem_cache_free+0xb4/0x350
           net_drop_ns+0x3f/0x50
           cleanup_net+0x3df/0x450
           process_one_work+0x419/0xbb0
           worker_thread+0x92/0x850
           kthread+0x192/0x1e0
           ret_from_fork+0x2e/0x40
      
      Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
      timewait sockets on net namespace destruction and prevent above issue.
      
      Fixes: f2bf415c ("mib: add net to NET_ADD_STATS_BH")
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: pass twdr parameter to inet_twsk_purge()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • l2tp: Avoid schedule while atomic in exit_net · f7c534f0
      Ridge Kennedy authored
      commit 12d656af upstream.
      
      While destroying a network namespace that contains a L2TP tunnel a
      "BUG: scheduling while atomic" can be observed.
      
      Enabling lockdep shows that this is happening because l2tp_exit_net()
      is calling l2tp_tunnel_closeall() (via l2tp_tunnel_delete()) from
      within an RCU critical section.
      
      l2tp_exit_net() takes rcu_read_lock_bh()
        << list_for_each_entry_rcu() >>
        l2tp_tunnel_delete()
          l2tp_tunnel_closeall()
            __l2tp_session_unhash()
              synchronize_rcu() << Illegal inside RCU critical section >>
      
      BUG: sleeping function called from invalid context
      in_atomic(): 1, irqs_disabled(): 0, pid: 86, name: kworker/u16:2
      INFO: lockdep is turned off.
      CPU: 2 PID: 86 Comm: kworker/u16:2 Tainted: G        W  O    4.4.6-at1 #2
      Hardware name: Xen HVM domU, BIOS 4.6.1-xs125300 05/09/2016
      Workqueue: netns cleanup_net
       0000000000000000 ffff880202417b90 ffffffff812b0013 ffff880202410ac0
       ffffffff81870de8 ffff880202417bb8 ffffffff8107aee8 ffffffff81870de8
       0000000000000c51 0000000000000000 ffff880202417be0 ffffffff8107b024
      Call Trace:
       [<ffffffff812b0013>] dump_stack+0x85/0xc2
       [<ffffffff8107aee8>] ___might_sleep+0x148/0x240
       [<ffffffff8107b024>] __might_sleep+0x44/0x80
       [<ffffffff810b21bd>] synchronize_sched+0x2d/0xe0
       [<ffffffff8109be6d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff8105c7bb>] ? __local_bh_enable_ip+0x6b/0xc0
       [<ffffffff816a1b00>] ? _raw_spin_unlock_bh+0x30/0x40
       [<ffffffff81667482>] __l2tp_session_unhash+0x172/0x220
       [<ffffffff81667397>] ? __l2tp_session_unhash+0x87/0x220
       [<ffffffff8166888b>] l2tp_tunnel_closeall+0x9b/0x140
       [<ffffffff81668c74>] l2tp_tunnel_delete+0x14/0x60
       [<ffffffff81668dd0>] l2tp_exit_net+0x110/0x270
       [<ffffffff81668d5c>] ? l2tp_exit_net+0x9c/0x270
       [<ffffffff815001c3>] ops_exit_list.isra.6+0x33/0x60
       [<ffffffff81501166>] cleanup_net+0x1b6/0x280
       ...
      
      This bug can easily be reproduced with a few steps:
      
       $ sudo unshare -n bash  # Create a shell in a new namespace
       # ip link set lo up
       # ip addr add 127.0.0.1 dev lo
       # ip l2tp add tunnel remote 127.0.0.1 local 127.0.0.1 tunnel_id 1 \
          peer_tunnel_id 1 udp_sport 50000 udp_dport 50000
       # ip l2tp add session name foo tunnel_id 1 session_id 1 \
          peer_session_id 1
       # ip link set foo up
       # exit  # Exit the shell, in turn exiting the namespace
       $ dmesg
       ...
       [942121.089216] BUG: scheduling while atomic: kworker/u16:3/13872/0x00000200
       ...
      
      To fix this, move the call to l2tp_tunnel_closeall() out of the RCU
      critical section, and instead call it from l2tp_tunnel_del_work(), which
      is running from the l2tp_wq workqueue.
      
      Fixes: 2b551c6e ("l2tp: close sessions before initiating tunnel delete")
      Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • rdma_cm: fail iwarp accepts w/o connection params · edf8cc53
      Steve Wise authored
      commit f2625f7d upstream.
      
      cma_accept_iw() needs to return an error if conn_params is NULL.
      Since this is coming from user space, we can crash.

      Reported-by: Shaobo He <shaobo@cs.utah.edu>
      Acked-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Steve Wise <swise@opengridcomputing.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • fuse: add missing FR_FORCE · 7b5736f6
      Miklos Szeredi authored
      commit 2e38bea9 upstream.
      
      fuse_file_put() was missing the "force" flag for the RELEASE request when
      sending synchronously (fuseblk).
      
      If this flag is not set, then a sync request may be interrupted before it
      is dequeued by the userspace filesystem.  In this case the OPEN won't be
      balanced with a RELEASE.

      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Fixes: 5a18ec17 ("fuse: fix hang of single threaded fuseblk filesystem")
      [bwh: Backported to 3.16:
       - "force" flag is a bitfield
       - Adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • NFSv4: Fix the underestimation of delegation XDR space reservation · 5da99487
      Trond Myklebust authored
      commit 5a1f6d9e upstream.
      
      Account for the "space_limit" field in struct open_write_delegation4.
      
      Fixes: 2cebf828 ("NFSv4: Fix the underestimate of NFSv4 open request size")
      Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
      Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • drm/ttm: fix use-after-free races in vm fault handling · 72ffee66
      Nicolai Hähnle authored
      commit 3089c1df upstream.
      
      The vm fault handler relies on the fact that the VMA owns a reference
      to the BO. However, once mmap_sem is released, other tasks are free to
      destroy the VMA, which can lead to the BO being freed. Fix two code
      paths where that can happen, both related to vm fault retries.
      
      Found via a lock debugging warning which flagged &bo->wu_mutex as
      locked while being destroyed.
      
      Fixes: cbe12e74 ("drm/ttm: Allow vm fault retries")
      Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
      Reviewed-by: Christian König <christian.koenig@amd.com>
      Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • batman-adv: Fix transmission of final, 16th fragment · 9bbd855a
      Linus Lüssing authored
      commit 51c6b429 upstream.
      
      Trying to split and transmit a unicast packet in 16 parts will fail for
      the final fragment: After having sent the 15th one with a frag_packet.no
      index of 14, we will increase the index to 15 - and return with an
      error code immediately, even though one more fragment is due for
      transmission and allowed.
      
      Fixing this issue by moving the check before incrementing the index.
      
      While at it, adding an unlikely(), because the check is actually more of
      an assertion.
      
      Fixes: ee75ed88 ("batman-adv: Fragment and send skbs larger than mtu")
      Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      [bwh: Backported to 3.16: don't return an error code]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • batman-adv: Fix double free during fragment merge error · 38b09ab6
      Sven Eckelmann authored
      commit 248e23b5 upstream.
      
      The function batadv_frag_skb_buffer was supposed not to consume the skbuff
      on errors. This was followed in the helper function
      batadv_frag_insert_packet when the skb would potentially be inserted in the
      fragment queue. But it could happen that the next helper function
      batadv_frag_merge_packets would try to merge the fragments and fail. This
      results in a kfree_skb of all the enqueued fragments (including the just
      inserted one). batadv_recv_frag_packet would detect the error in
      batadv_frag_skb_buffer and try to free the skb again.
      
      The behavior of batadv_frag_skb_buffer (and its helper
      batadv_frag_insert_packet) must therefore be changed to always consume the
      skbuff to have a common behavior and avoid the double kfree_skb.
      
      Fixes: 610bfc6b ("batman-adv: Receive fragmented packets and merge")
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      [bwh: Backported to 3.16:
       - Update batadv_recv_frag_packet() as advised by Sven
       - Adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • nfsd: special case truncates some more · cc4d5dc7
      Christoph Hellwig authored
      commit 783112f7 upstream.
      
      Both the NFS protocols and the Linux VFS use a setattr operation with a
      bitmap of attributes to set to set various file attributes including the
      file size and the uid/gid.
      
      The Linux syscalls never mix size updates with unrelated updates like
      the uid/gid, and some file systems like XFS and GFS2 rely on the fact
      that truncates don't update random other attributes, and many other file
      systems handle the case but do not update the other attributes in the
      same transaction.  NFSD on the other hand passes the attributes it gets
      on the wire more or less directly through to the VFS, leading to updates
      the file systems don't expect.  XFS at least has an assert on the
      allowed attributes, which caught an unusual NFS client setting the size
      and group at the same time.
      
      To handle this issue properly this splits the notify_change call in
      nfsd_setattr into two separate ones.

      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Tested-by: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • nfsd: minor nfsd_setattr cleanup · 24d81671
      Christoph Hellwig authored
      commit 758e99fe upstream.
      
      Simplify exit paths, size_change use.

      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • nfsd: update mtime on truncate · 7cf01c94
      Christoph Hellwig authored
      commit f0c63124 upstream.
      
      This fixes a failure in xfstests generic/313 because nfs doesn't update
      mtime on a truncate.  The protocol requires this to be done implicitly
      for a size changing setattr.

      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KVM: VMX: use correct vmcs_read/write for guest segment selector/base · 51d19229
      Chao Peng authored
      commit 96794e4e upstream.
      
      Guest segment selector is 16 bit field and guest segment base is natural
      width field. Fix two incorrect invocations accordingly.
      
      Without this patch, build fails when aggressive inlining is used with ICC.

      Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.16: drop change in kvm_flush_pml_buffers()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mlx4: reduce OOM risk on arches with large pages · 3959fd35
      Eric Dumazet authored
      commit 3608b13c upstream.
      
      Since mlx4 NIC are used on PowerPC with 64K pages, we need to adapt
      MLX4_EN_ALLOC_PREFER_ORDER definition.
      
      Otherwise, a fragment sitting in an out of order TCP queue can hold
      0.5 Mbytes and it is a serious OOM risk.
      
      Fixes: 51151a16 ("mlx4: allow order-0 memory allocations in RX path")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • PM / QoS: Fix memory leak on resume_latency.notifiers · 5f328a5b
      John Keeping authored
      commit e84b4a84 upstream.
      
      Since commit 2d984ad1 (PM / QoS: Introcuce latency tolerance device
      PM QoS type) we reassign "c" to point at qos->latency_tolerance before
      freeing c->notifiers, but the notifiers field of latency_tolerance is
      never used.
      
      Restore the original behaviour of freeing the notifiers pointer on
      qos->resume_latency, which is used, and fix the following kmemleak
      warning.
      
      unreferenced object 0xed9dba00 (size 64):
        comm "kworker/0:1", pid 36, jiffies 4294670128 (age 15202.983s)
        hex dump (first 32 bytes):
          00 00 00 00 04 ba 9d ed 04 ba 9d ed 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<c06f6084>] kmemleak_alloc+0x74/0xb8
          [<c011c964>] kmem_cache_alloc_trace+0x170/0x25c
          [<c035f448>] dev_pm_qos_constraints_allocate+0x3c/0xe4
          [<c035f574>] __dev_pm_qos_add_request+0x84/0x1a0
          [<c035f6cc>] dev_pm_qos_add_request+0x3c/0x54
          [<c03c3fc4>] usb_hub_create_port_device+0x110/0x2b8
          [<c03b2a60>] hub_probe+0xadc/0xc80
          [<c03bb050>] usb_probe_interface+0x1b4/0x260
          [<c035773c>] driver_probe_device+0x198/0x40c
          [<c0357b14>] __device_attach_driver+0x8c/0x98
          [<c0355bbc>] bus_for_each_drv+0x8c/0x9c
          [<c0357494>] __device_attach+0x98/0x138
          [<c0357c64>] device_initial_probe+0x14/0x18
          [<c03569dc>] bus_probe_device+0x30/0x88
          [<c0354c54>] device_add+0x430/0x554
          [<c03b92d8>] usb_set_configuration+0x660/0x6fc
      
      Fixes: 2d984ad1 (PM / QoS: Introcuce latency tolerance device PM QoS type)
      Signed-off-by: John Keeping <john@metanate.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • sfc: do not device_attach if a reset is pending · f0626c87
      Peter Dunning authored
      commit 9c568fd8 upstream.
      
      efx_start_all can return without initialising queues as a reset is pending.
      This means that when netif_device_attach is called, the kernel can start
      sending traffic without having an initialised TX queue to send to.
      This patch avoids this by not calling netif_device_attach if there is a
      pending reset.
      
      Fixes: e283546c ("sfc:On MCDI timeout, issue an FLR (and mark MCDI to fail-fast)")
      Signed-off-by: Edward Cree <ecree@solarflare.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16:
       - Drop changes in ef10.c and ef10_sriov.c
       - Adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • MIPS: BCM47XX: Fix button inversion for Asus WL-500W · 8287542f
      Mirko Parthey authored
      commit bdfdaf1a upstream.
      
      The Asus WL-500W buttons are active high, but the software treats them
      as active low. Fix the inverted logic.
      
      Fixes: 3be97255 ("MIPS: BCM47XX: Import buttons database from OpenWrt")
      Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
      Acked-by: Rafał Miłecki <rafal@milecki.pl>
      Cc: Hauke Mehrtens <hauke@hauke-m.de>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/15295/
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • MIPS: ip27: Disable qlge driver in defconfig · e5040ece
      Arnd Bergmann authored
      commit b6176494 upstream.
      
      One of the last remaining failures in kernelci.org is for a gcc bug:
      
      drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
      drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190
      
      This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
      reproduce the problem here. However, it is clear that ip27_defconfig
      does not actually need this driver as the platform has only PCI-X but
      not PCIe, and the qlge adapter in turn is PCIe-only.
      
      The driver was originally enabled in 2010 along with lots of other
      drivers.
      
      Fixes: 59d302b3 ("MIPS: IP27: Make defconfig useful again.")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/15197/
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • MIPS: OCTEON: Fix copy_from_user fault handling for large buffers · 5d41c3a1
      James Cowgill authored
      commit 884b4269 upstream.
      
      If copy_from_user is called with a large buffer (>= 128 bytes) and the
      userspace buffer refers partially to unreadable memory, then it is
      possible for Octeon's copy_from_user to report the wrong number of bytes
      have been copied. In the case where the buffer size is an exact multiple
      of 128 and the fault occurs in the last 64 bytes, copy_from_user will
      report that all the bytes were copied successfully but leave some
      garbage in the destination buffer.
      
      The bug is in the main __copy_user_common loop in octeon-memcpy.S where
      in the middle of the loop, src and dst are incremented by 128 bytes. The
      l_exc_copy fault handler is used after this but that assumes that
      "src < THREAD_BUADDR($28)". This is not the case if src has already been
      incremented.
      
      Fix by adding an extra fault handler which rewinds the src and dst
      pointers 128 bytes before falling through to l_exc_copy.
      
      Thanks to the pwritev test from the strace test suite for originally
      highlighting this bug!
      
      Fixes: 5b3b1688 ("MIPS: Add Cavium OCTEON processor support ...")
      Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
      Acked-by: David Daney <david.daney@cavium.com>
      Reviewed-by: James Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14978/
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • MIPS: Fix special case in 64 bit IP checksumming. · 617a73ef
      Ralf Baechle authored
      commit 66fd848c upstream.
      
      For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1,
      len = 80, proto = 17, sum = 0x7eae049d there will be a carry when
      folding the intermediate 64 bit checksum to 32 bit but the code doesn't
      add the carry back to the one's complement sum, thus an incorrect result
      will be generated.

      Reported-by: Mark Zhang <bomb.zhang@gmail.com>
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Reviewed-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • clk: renesas: mstp: ensure register writes complete · 12984626
      Chris Brandt authored
      commit f59de563 upstream.
      
      When there is no status bit, it is possible for the clock enable/disable
      operation to have not completed by the time the driver code resumes
      execution. This is due to the fact that write operations are sometimes
      queued and delayed internally. Doing a read ensures the write operations
      have completed.
      
      Fixes: b6face40 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
      Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
      Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
      [bwh: Backported to 3.16:
       - Use barrier() instead of barrier_data()
       - Adjust filename]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • dm cache: fix corruption seen when using cache > 2TB · be1aa88a
      Joe Thornber authored
      commit ca763d0a upstream.
      
      A rounding bug due to compiler generated temporary being 32bit was found
      in remap_to_cache().  A localized cast in remap_to_cache() fixes the
      corruption but this preferred fix (changing from uint32_t to sector_t)
      eliminates potential for future rounding errors elsewhere.

      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Bluetooth: Add another AR3012 04ca:3018 device · 553601b8
      Dmitry Tunin authored
      commit 441ad62d upstream.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#=  5 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04ca ProdID=3018 Rev=00.01
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

      Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • goldfish: Sanitize the broken interrupt handler · 6b7fe466
      Thomas Gleixner authored
      commit 6cf18e69 upstream.
      
      This interrupt handler is broken in several ways:
      
        - It loops forever when the op code is not decodeable
      
        - It never returns IRQ_HANDLED because the only way to exit the loop
          returns IRQ_NONE unconditionally.
      
      The whole concept of this is broken. Creating devices in an interrupt
      handler is beyond any point of sanity.
      
      Make it at least behave halfways sane so accidental users do not have to
      deal with a hard to debug lockup.
      
      Fixes: e809c22b ("goldfish: add the goldfish virtual bus")
      Reported-by: Gabriel C <nix.or.die@gmail.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • x86/platform/goldfish: Prevent unconditional loading · 843fd93d
      Thomas Gleixner authored
      commit 47512cfd upstream.
      
      The goldfish platform code registers the platform device unconditionally
      which causes havoc in several ways if the goldfish_pdev_bus driver is
      enabled:
      
       - Access to the hardcoded physical memory region, which is either not
         available or contains stuff which is completely unrelated.
      
       - Prevents that the interrupt of the serial port can be requested
      
       - In case of a spurious interrupt it goes into an infinite loop in the
         interrupt handler of the pdev_bus driver (which needs to be fixed
         separately).
      
      Add a 'goldfish' command line option to make the registration opt-in when
      the platform is compiled in.
      
      I'm seriously grumpy about this engineering trainwreck, which has seven
      SOBs from Intel developers for 50 lines of code. And none of them figured
      out that this is broken. Impressive fail!
      
      Fixes: ddd70cf9 ("goldfish: platform device for x86")
      Reported-by: Gabriel C <nix.or.die@gmail.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ath9k: use correct OTP register offsets for the AR9340 and AR9550 · d602d73a
      Christian Lamparter authored
      commit c9f1e326 upstream.
      
      This patch fixes the OTP register definitions for the AR934x and AR9550
      WMAC SoC.
      
      Previously, the ath9k driver was unable to initialize the integrated
      WMAC on an Aerohive AP121:
      
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
      | ath: phy0: Unable to initialize hardware; initialization status: -5
      | ath9k ar934x_wmac: failed to initialize device
      | ath9k: probe of ar934x_wmac failed with error -5
      
      It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
      definitions contain a typo.
      
      Cc: Gabor Juhos <juhosg@openwrt.org>
      Fixes: add295a4 "ath9k: use correct OTP register offsets for AR9550"
      Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • powerpc/xmon: Fix data-breakpoint · 8a37188f
      Ravi Bangoria authored
      commit c21a493a upstream.
      
      Currently xmon data-breakpoint feature is broken.
      
      Whenever a watchpoint match occurs, hw_breakpoint_handler will
      be called by do_break via notifier chains mechanism. If watchpoint is
      registered by xmon, hw_breakpoint_handler won't find any associated
      perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break
      also returns without notifying to xmon.
      
      Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not
      find any perf_event associated with matched watchpoint, rather than
      NOTIFY_STOP, which tells the core code to continue calling the other
      breakpoint handlers including the xmon one.

      Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: fix fencepost in s_first_meta_bg validation · 6cc435bb
      Theodore Ts'o authored
      commit 2ba3e6e8 upstream.
      
      It is OK for s_first_meta_bg to be equal to the number of block group
      descriptor blocks.  (It rarely happens, but it shouldn't cause any
      problems.)
      
      https://bugzilla.kernel.org/show_bug.cgi?id=194567
      
      Fixes: 3a4b77cd
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • IB/mlx5: Return error for unsupported signature type · b6d98c33
      Leon Romanovsky authored
      commit 12bbf1ea upstream.
      
      In case of unsupported signature, we returned positive
      value, while the better approach is to return -EINVAL.
      
      In addition, in this change, the error print is enriched
      to provide an actual supplied signature type.
      
      Fixes: e6631814 ("IB/mlx5: Support IB_WR_REG_SIG_MR")
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • IB/mlx5: Fix out-of-bound access · 633eb2ae
      Leon Romanovsky authored
      commit 0fd27a88 upstream.
      
      When we initialize buffer to create SRQ in kernel,
      the number of pages was less than actually used in
      following mlx5_fill_page_array().
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Eli Cohen <eli@mellanox.com>
      Signed-off-by: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • nlm: Ensure callback code also checks that the files match · bdf08630
      Trond Myklebust authored
      commit 251af29c upstream.
      
      It is not sufficient to just check that the lock pids match when
      granting a callback, we also need to ensure that we're granting
      the callback on the right file.
      Reported-by: Pankaj Singh <psingh.ait@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • md: ensure md devices are freed before module is unloaded. · 249bb213
      NeilBrown authored
      commit 9356863c upstream.
      
      Commit: cbd19983 ("md: Fix unfortunate interaction with evms")
      changed mddev_put() so that it would not destroy an md device while
      ->ctime was non-zero.
      
      Unfortunately, we didn't make sure to clear ->ctime when unloading
      the module, so it is possible for an md device to remain after
      module unload.  An attempt to open such a device will trigger
      an invalid memory reference in:
        get_gendisk -> kobj_lookup -> exact_lock -> get_disk
      
      when trying to access disk->fops, which was in the module that has
      been removed.
      
      So ensure we clear ->ctime in md_exit(), and explain how that is useful,
      as it isn't immediately obvious when looking at the code.
      
      Fixes: cbd19983 ("md: Fix unfortunate interaction with evms")
      Tested-by: Guoqing Jiang <gqjiang@suse.com>
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: Shaohua Li <shli@fb.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • md linear: fix a race between linear_add() and linear_congested() · 80e4a627
      colyli@suse.de authored
      commit 03a9e24e upstream.
      
      Recently I received a bug report that on Linux v3.0 based kernel, hot add
      disk to a md linear device causes kernel crash at linear_congested(). From
      the crash image analysis, I find in linear_congested(), mddev->raid_disks
      contains value N, but conf->disks[] only has N-1 pointers available. Then
      a NULL pointer dereference crashes the kernel.
      
      There is a race between linear_add() and linear_congested(), RCU stuffs
      used in these two functions cannot avoid the race. Since Linux v4.0
      RCU code is replaced by introducing mddev_suspend().  After checking the
      upstream code, it seems linear_congested() is not called in
      generic_make_request() code path, so mddev_suspend() cannot prevent it
      from being called. The possible race still exists.
      
      Here I explain how the race still exists in current code.  For a machine
      has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
      md linear device; at the same time on other CPU, linear_congested() is
      called to detect whether this md linear device is congested before issuing
      an I/O request onto it.
      
      Now I use a possible code execution time sequence to demo how the possible
      race happens,
      
      seq    linear_add()                linear_congested()
       0                                 conf=mddev->private
       1   oldconf=mddev->private
       2   mddev->raid_disks++
       3                              for (i=0; i<mddev->raid_disks;i++)
       4                                bdev_get_queue(conf->disks[i].rdev->bdev)
       5   mddev->private=newconf
      
      In linear_add() mddev->raid_disks is increased in time seq 2, and on
      another CPU in linear_congested() the for-loop iterates conf->disks[i] by
      the increased mddev->raid_disks in time seq 3,4. But conf with one more
      element (which is a pointer to struct dev_info type) to conf->disks[] is
      not updated yet, accessing its structure member in time seq 4 will cause a
      NULL pointer dereference fault.
      
      To fix this race, there are 2 parts of modification in the patch,
       1) Add 'int raid_disks' in struct linear_conf, as a copy of
          mddev->raid_disks. It is initialized in linear_conf(), always being
          consistent with pointers number of 'struct dev_info disks[]'. When
          iterating conf->disks[] in linear_congested(), use conf->raid_disks to
          replace mddev->raid_disks in the for-loop, then NULL pointer dereference
          will not happen again.
       2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
          free oldconf memory. Because oldconf may be referenced as mddev->private
          in linear_congested(), kfree_rcu() makes sure that its memory will not
          be released until no one uses it any more.
      Also some code comments are added in this patch, to make this modification
      to be easier understandable.
      
      This patch can be applied for kernels since v4.0 after commit:
      3be260cc ("md/linear: remove rcu protections in favour of
      suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for
      people who maintain kernels before Linux v4.0, they need to do some
      back port to this patch.
      
      Changelog:
       - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
             replace rcu_call() in linear_add().
       - v2: add RCU stuffs by suggestion from Shaohua and Neil.
       - v1: initial effort.
      Signed-off-by: Coly Li <colyli@suse.de>
      Cc: Shaohua Li <shli@fb.com>
      Cc: Neil Brown <neilb@suse.com>
      Signed-off-by: Shaohua Li <shli@fb.com>
      [bwh: Backported to 3.16: no need to restore RCU protections]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mmc: host: omap_hsmmc: avoid possible overflow of timeout value · f9b8eb52
      Ravikumar Kattekola authored
      commit a53210f5 upstream.
      
      Fixes: a45c6cb8 ("[ARM] 5369/1: omap mmc: Add new omap
      hsmmc controller for 2430 and 34xx, v3")
      
      when using really large timeout (up to 4*60*1000 ms for bkops)
      there is a possibility of data overflow using
      unsigned int so use 64 bit unsigned long long.
      Signed-off-by: Ravikumar Kattekola <rk@ti.com>
      Signed-off-by: Sekhar Nori <nsekhar@ti.com>
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      [bwh: Backported to 3.16: drop change in omap_hsmmc_prepare_data()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • iio: pressure: mpl115: do not rely on structure field ordering · 0b95c2aa
      Peter Rosin authored
      commit 6a6e1d56 upstream.
      
      Fixes a regression triggered by a change in the layout of
      struct iio_chan_spec, but the real bug is in the driver which assumed
      a specific structure layout in the first place. Hint: the three bits were
      not OR:ed together as implied by the indentation prior to this patch,
      there was a comma between the first two, which accidentally moved the
      ..._SCALE and ..._OFFSET bits to the next structure field. That field
      was .info_mask_shared_by_type before the _available attributes was added
      by commit 51239600 ("iio:core: add a callback to allow drivers to
      provide _available attributes") and .info_mask_separate_available
      afterwards, and the regression happened.
      
      info_mask_shared_by_type is actually a better choice than the originally
      intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since
      a constant is returned from mpl115_read_raw for the scale/offset. Using
      info_mask_shared_by_type also preserves the behavior from before the
      regression and is therefore less likely to cause other interesting side
      effects.
      
      The above mentioned regression causes unintended sysfs attributes to
      show up that are not backed by code, in turn causing a NULL pointer
      dereference to happen on access.
      
      Fixes: 3017d90e ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver")
      Fixes: 51239600 ("iio:core: add a callback to allow drivers to provide _available attributes")
      Signed-off-by: Peter Rosin <peda@axentia.se>
      Signed-off-by: Jonathan Cameron <jic23@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • iio: pressure: mpl3115: do not rely on structure field ordering · a19f5fd2
      Peter Rosin authored
      commit 9cf6cdba upstream.
      
      Fixes a regression triggered by a change in the layout of
      struct iio_chan_spec, but the real bug is in the driver which assumed
      a specific structure layout in the first place. Hint: the two bits were
      not OR:ed together as implied by the indentation prior to this patch,
      there was a comma between them, which accidentally moved the ..._SCALE
      bit to the next structure field. That field was .info_mask_shared_by_type
      before the _available attributes was added by commit 51239600
      ("iio:core: add a callback to allow drivers to provide _available
      attributes") and .info_mask_separate_available afterwards, and the
      regression happened.
      
      info_mask_shared_by_type is actually a better choice than the originally
      intended info_mask_separate for the ..._SCALE bit since a constant is
      returned from mpl3115_read_raw for the scale. Using
      info_mask_shared_by_type also preserves the behavior from before the
      regression and is therefore less likely to cause other interesting side
      effects.
      
      The above mentioned regression causes an unintended sysfs attribute to
      show up that is not backed by code, in turn causing the following NULL
      pointer dereference to happen on access.
      
      Segmentation fault
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = ecc3c000
      [00000000] *pgd=87f91831
      Internal error: Oops: 80000007 [#1] SMP ARM
      Modules linked in:
      CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      task: ed54ec00 task.stack: ee2bc000
      PC is at 0x0
      LR is at iio_read_channel_info_avail+0x40/0x280
      pc : [<00000000>]    lr : [<c06fbc1c>]    psr: a0070013
      sp : ee2bdda8  ip : 00000000  fp : ee2bddf4
      r10: c0a53c74  r9 : ed79f000  r8 : ee8d1018
      r7 : 00001000  r6 : 00000fff  r5 : ee8b9a00  r4 : ed79f000
      r3 : ee2bddc4  r2 : ee2bddbc  r1 : c0a86dcc  r0 : ee8d1000
      Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      Control: 10c5387d  Table: 3cc3c04a  DAC: 00000051
      Process cat (pid: 1051, stack limit = 0xee2bc210)
      Backtrace:
      [<c06fbbdc>] (iio_read_channel_info_avail) from [<c0513c58>] (dev_attr_show+0x24/0x50)
       r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00
       r4:edffd480
      [<c0513c34>] (dev_attr_show) from [<c0293474>] (sysfs_kf_seq_show+0x90/0x110)
       r5:edffd540 r4:edffd480
      [<c02933e4>] (sysfs_kf_seq_show) from [<c0291d00>] (kernfs_seq_show+0x2c/0x30)
       r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001
       r4:ee2bde60 r3:c02933e4
      [<c0291cd4>] (kernfs_seq_show) from [<c024679c>] (seq_read+0x1a4/0x4e0)
      [<c02465f8>] (seq_read) from [<c0292890>] (kernfs_fop_read+0x12c/0x1cc)
       r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540
       r4:c0a111fc
      [<c0292764>] (kernfs_fop_read) from [<c021d158>] (__vfs_read+0x34/0x118)
       r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000
       r4:c0a111fc
      [<c021d124>] (__vfs_read) from [<c021e7a0>] (vfs_read+0x90/0x11c)
       r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000
      [<c021e710>] (vfs_read) from [<c021e870>] (SyS_read+0x44/0x90)
       r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000
      [<c021e82c>] (SyS_read) from [<c0107ee0>] (ret_fast_syscall+0x0/0x1c)
       r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000
      Code: bad PC value
      ---[ end trace 9c4938ccd0389004 ]---
      
      Fixes: cc26ad45 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
      Fixes: 51239600 ("iio:core: add a callback to allow drivers to provide _available attributes")
      Reported-by: Ken Lin <ken.lin@advantech.com>
      Tested-by: Ken Lin <ken.lin@advantech.com>
      Signed-off-by: Peter Rosin <peda@axentia.se>
      Signed-off-by: Jonathan Cameron <jic23@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • drivers: hv: Turn off write permission on the hypercall page · 43506f19
      K. Y. Srinivasan authored
      commit 372b1e91 upstream.
      
      The hypercall page only needs to be executable but currently it is setup to
      be writable as well. Fix the issue.
      Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Reported-by: Stephen Hemminger <stephen@networkplumber.org>
      Tested-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust filename, context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • serial: exar: Fix initialization of EXAR registers for ports > 0 · b324f309
      Jan Kiszka authored
      commit 5b5f252d upstream.
      
      So far, pci_xr17v35x_setup always initialized 8XMODE, FCTR & Co. for
      port 0 because it used the address of that port instead of moving the
      pointer according to the port number. Fix this and remove the unneeded
      temporary ioremap by moving default_setup up and reusing the membase it
      fills into the port structure.
      
      Fixes: 14faa8cc ("tty/8250 Add support for Commtech's Fastcom Async-335 and Fastcom Async-PCIe cards")
      Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
      Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16:
       - Adjust filename, context
       - Add 'ret' variable]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KEYS: Fix an error code in request_master_key() · 1ccc2276
      Dan Carpenter authored
      commit 57cb17e7 upstream.
      
      This function has two callers and neither are able to handle a NULL
      return.  Really, -EINVAL is the correct thing to return here anyway.  This
      fixes some static checker warnings like:
      
      	security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
      	error: uninitialized symbol 'master_key'.
      
      Fixes: 7e70cb49 ("keys: add new key-type encrypted")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • perf tests: Avoid possible truncation with dirent->d_name + snprintf · 6f7c08b2
      Arnaldo Carvalho de Melo authored
      commit 2e2bbc03 upstream.
      
      Addressing a few cases spotted by a new warning in gcc 7:
      
        tests/parse-events.c: In function 'test_pmu_events':
        tests/parse-events.c:1790:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 90 [-Werror=format-truncation=]
           snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
                                             ^~
        In file included from /usr/include/stdio.h:939:0,
                         from /git/linux/tools/perf/util/map.h:9,
                         from /git/linux/tools/perf/util/symbol.h:7,
                         from /git/linux/tools/perf/util/evsel.h:10,
                         from tests/parse-events.c:3:
        /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 13 and 268 bytes into a destination of size 100
           return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                __bos (__s), __fmt, __va_arg_pack ());
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        tests/parse-events.c:1798:29: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 100 [-Werror=format-truncation=]
           snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name);
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Wang Nan <wangnan0@huawei.com>
      Fixes: 945aea22 ("perf tests: Move test objects into 'tests' directory")
      Link: http://lkml.kernel.org/n/tip-ty4q2p8zp1dp3mskvubxskm5@git.kernel.org
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      [bwh: Backported to 3.16: only one snprintf() call needs fixing]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • i2c: riic: correctly finish transfers · 5f1c2e6a
      Chris Brandt authored
      commit 71ccea09 upstream.
      
      This fixes the condition where the controller has not fully completed its
      final transfer and leaves the bus and controller in an undesirable state.
      
      At the end of the last transmitted byte, the existing driver would just
      signal for a STOP condition to be transmitted then immediately signal
      completion. However, the full STOP procedure might not have fully taken
      place by the time the runtime PM shuts off the peripheral clock, leaving
      the bus in a suspended state.
      
      Alternatively, the STOP condition on the bus may have completed, but when
      the next transaction is requested by the upper layer, not all the
      necessary register cleanup was finished from the last transfer which made
      the driver return BUS BUSY when it really wasn't.
      
      This patch now makes all transmit and receive transactions wait for the
      STOP condition to fully complete before signaling a completed transaction.
      With this new method, runtime PM no longer seems to be an issue.
      
      Fixes: 310c18a4 ("i2c: riic: add driver")
      Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
      Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>