1. 22 Aug, 2016 40 commits
    • Andrew Goodbody's avatar
      usb: musb: Stop bulk endpoint while queue is rotated · 7ba4a8aa
      Andrew Goodbody authored
      commit 7b2c17f8 upstream.
      
      Ensure that the endpoint is stopped by clearing REQPKT before
      clearing DATAERR_NAKTIMEOUT before rotating the queue on the
      dedicated bulk endpoint.
      This addresses an issue where a race could result in the endpoint
      receiving data before it was reprogrammed resulting in a warning
      about such data from musb_rx_reinit before it was thrown away.
      The data thrown away was a valid packet that had been correctly
      ACKed which meant the host and device got out of sync.
      Signed-off-by: default avatarAndrew Goodbody <andrew.goodbody@cambrionix.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7ba4a8aa
    • Andrew Goodbody's avatar
      usb: musb: Ensure rx reinit occurs for shared_fifo endpoints · 442f839f
      Andrew Goodbody authored
      commit f3eec0cf upstream.
      
      shared_fifo endpoints would only get a previous tx state cleared
      out, the rx state was only cleared for non shared_fifo endpoints
      Change this so that the rx state is cleared for all endpoints.
      This addresses an issue that resulted in rx packets being dropped
      silently.
      Signed-off-by: default avatarAndrew Goodbody <andrew.goodbody@cambrionix.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      442f839f
    • Dan Carpenter's avatar
      usb: f_fs: off by one bug in _ffs_func_bind() · c1bc1076
      Dan Carpenter authored
      commit 0015f915 upstream.
      
      This loop is supposed to set all the .num[] values to -1 but it's off by
      one so it skips the first element and sets one element past the end of
      the array.
      
      I've cleaned up the loop a little as well.
      
      Fixes: ddf8abd2 ('USB: f_fs: the FunctionFS driver')
      Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.2:
       - Adjust filename, context
       - Add 'i' for iteration but don't bother with 'eps_ptr' as the calculation is
         simpler here]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c1bc1076
    • Al Viro's avatar
      fix d_walk()/non-delayed __d_free() race · 37f4f9e6
      Al Viro authored
      commit 3d56c25e upstream.
      
      Ascend-to-parent logics in d_walk() depends on all encountered child
      dentries not getting freed without an RCU delay.  Unfortunately, in
      quite a few cases it is not true, with hard-to-hit oopsable race as
      the result.
      
      Fortunately, the fix is simiple; right now the rule is "if it ever
      been hashed, freeing must be delayed" and changing it to "if it
      ever had a parent, freeing must be delayed" closes that hole and
      covers all cases the old rule used to cover.  Moreover, pipes and
      sockets remain _not_ covered, so we do not introduce RCU delay in
      the cases which are the reason for having that delay conditional
      in the first place.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2:
       - Adjust context
       - Also set the flag in __d_materialise_dentry())]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37f4f9e6
    • H. Peter Anvin's avatar
      x86, build: copy ldlinux.c32 to image.iso · 44854a56
      H. Peter Anvin authored
      commit 9c77679c upstream.
      
      For newer versions of Syslinux, we need ldlinux.c32 in addition to
      isolinux.bin to reside on the boot disk, so if the latter is found,
      copy it, too, to the isoimage tree.
      Signed-off-by: default avatarH. Peter Anvin <hpa@zytor.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      44854a56
    • Helge Deller's avatar
      parisc: Fix pagefault crash in unaligned __get_user() call · cc7d767c
      Helge Deller authored
      commit 8b78f260 upstream.
      
      One of the debian buildd servers had this crash in the syslog without
      any other information:
      
       Unaligned handler failed, ret = -2
       clock_adjtime (pid 22578): Unaligned data reference (code 28)
       CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G  E  4.5.0-2-parisc64-smp #1 Debian 4.5.4-1
       task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000
      
            YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
       PSW: 00001000000001001111100000001111 Tainted: G            E
       r00-03  000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0
       r04-07  00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff
       r08-11  0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4
       r12-15  000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b
       r16-19  0000000000028800 0000000000000001 0000000000000070 00000001bde7c218
       r20-23  0000000000000000 00000001bde7c210 0000000000000002 0000000000000000
       r24-27  0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0
       r28-31  0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218
       sr00-03  0000000001200000 0000000001200000 0000000000000000 0000000001200000
       sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
      
       IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88
        IIR: 0ca0d089    ISR: 0000000001200000  IOR: 00000000fa6f7fff
        CPU:        1   CR30: 00000001bde7c000 CR31: ffffffffffffffff
        ORIG_R28: 00000002369fe628
        IAOQ[0]: compat_get_timex+0x2dc/0x3c0
        IAOQ[1]: compat_get_timex+0x2e0/0x3c0
        RP(r2): compat_get_timex+0x40/0x3c0
       Backtrace:
        [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0
        [<0000000040205024>] syscall_exit+0x0/0x14
      
      This means the userspace program clock_adjtime called the clock_adjtime()
      syscall and then crashed inside the compat_get_timex() function.
      Syscalls should never crash programs, but instead return EFAULT.
      
      The IIR register contains the executed instruction, which disassebles
      into "ldw 0(sr3,r5),r9".
      This load-word instruction is part of __get_user() which tried to read the word
      at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in.  The
      unaligned handler is able to emulate all ldw instructions, but it fails if it
      fails to read the source e.g. because of page fault.
      
      The following program reproduces the problem:
      
      #define _GNU_SOURCE
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/mman.h>
      
      int main(void) {
              /* allocate 8k */
              char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
              /* free second half (upper 4k) and make it invalid. */
              munmap(ptr+4096, 4096);
              /* syscall where first int is unaligned and clobbers into invalid memory region */
              /* syscall should return EFAULT */
              return syscall(__NR_clock_adjtime, 0, ptr+4095);
      }
      
      To fix this issue we simply need to check if the faulting instruction address
      is in the exception fixup table when the unaligned handler failed. If it
      is, call the fixup routine instead of crashing.
      
      While looking at the unaligned handler I found another issue as well: The
      target register should not be modified if the handler was unsuccessful.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cc7d767c
    • Paolo Bonzini's avatar
      KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS · 50ebd5b3
      Paolo Bonzini authored
      commit d14bdb55 upstream.
      
      MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to
      any of bits 63:32.  However, this is not detected at KVM_SET_DEBUGREGS
      time, and the next KVM_RUN oopses:
      
         general protection fault: 0000 [#1] SMP
         CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
         Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
         [...]
         Call Trace:
          [<ffffffffa072c93d>] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]
          [<ffffffffa071405d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
          [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
          [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
          [<ffffffff817a0f2e>] entry_SYSCALL_64_fastpath+0x12/0x71
         Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
         RIP  [<ffffffff810639eb>] native_set_debugreg+0x2b/0x40
          RSP <ffff88005836bd50>
      
      Testcase (beautified/reduced from syzkaller output):
      
          #include <unistd.h>
          #include <sys/syscall.h>
          #include <string.h>
          #include <stdint.h>
          #include <linux/kvm.h>
          #include <fcntl.h>
          #include <sys/ioctl.h>
      
          long r[8];
      
          int main()
          {
              struct kvm_debugregs dr = { 0 };
      
              r[2] = open("/dev/kvm", O_RDONLY);
              r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
              r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
      
              memcpy(&dr,
                     "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72"
                     "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8"
                     "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9"
                     "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb",
                     48);
              r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr);
              r[6] = ioctl(r[4], KVM_RUN, 0);
          }
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      50ebd5b3
    • Russell King's avatar
      ARM: fix PTRACE_SETVFPREGS on SMP systems · d7f02d28
      Russell King authored
      commit e2dfb4b8 upstream.
      
      PTRACE_SETVFPREGS fails to properly mark the VFP register set to be
      reloaded, because it undoes one of the effects of vfp_flush_hwstate().
      
      Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to
      an invalid CPU number, but vfp_set() overwrites this with the original
      CPU number, thereby rendering the hardware state as apparently "valid",
      even though the software state is more recent.
      
      Fix this by reverting the previous change.
      
      Fixes: 8130b9d7 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers")
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Tested-by: default avatarSimon Marchi <simon.marchi@ericsson.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d7f02d28
    • Martin Willi's avatar
      mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL · 19c605df
      Martin Willi authored
      commit 62397da5 upstream.
      
      A wmediumd that does not send this attribute causes a NULL pointer
      dereference, as the attribute is accessed even if it does not exist.
      
      The attribute was required but never checked ever since userspace frame
      forwarding has been introduced. The issue gets more problematic once we
      allow wmediumd registration from user namespaces.
      
      Fixes: 7882513b ("mac80211_hwsim driver support userspace frame tx/rx")
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19c605df
    • Manfred Schlaegl's avatar
      Input: pwm-beeper - fix - scheduling while atomic · 0ab9b883
      Manfred Schlaegl authored
      commit f49cf3b8 upstream.
      
      Pwm config may sleep so defer it using a worker.
      
      On a Freescale i.MX53 based board we ran into "BUG: scheduling while
      atomic" because input_inject_event locks interrupts, but
      imx_pwm_config_v2 sleeps.
      
      Tested on Freescale i.MX53 SoC with 4.6.0.
      Signed-off-by: default avatarManfred Schlaegl <manfred.schlaegl@gmx.at>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0ab9b883
    • Olivier Sobrie's avatar
      Input: pwm-beeper - remove useless call to pwm_config() · e8025db4
      Olivier Sobrie authored
      commit d1b12075 upstream.
      
      Calling pwm_config() with a period equal to zero always results in
      error (-EINVAL) and pwm chip config method is never called.
      Signed-off-by: default avatarOlivier Sobrie <olivier@sobrie.be>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e8025db4
    • Cameron Gutman's avatar
      Input: xpad - prevent spurious input from wired Xbox 360 controllers · 6a7bd285
      Cameron Gutman authored
      commit 1ff5fa3c upstream.
      
      After initially connecting a wired Xbox 360 controller or sending it
      a command to change LEDs, a status/response packet is interpreted as
      controller input. This causes the state of buttons represented in
      byte 2 of the controller data packet to be incorrect until the next
      valid input packet. Wireless Xbox 360 controllers are not affected.
      
      Writing a new value to the LED device while holding the Start button
      and running jstest is sufficient to reproduce this bug. An event will
      come through with the Start button released.
      
      Xboxdrv also won't attempt to read controller input from a packet
      where byte 0 is non-zero. It also checks that byte 1 is 0x14, but
      that value differs between wired and wireless controllers and this
      code is shared by both. I think just checking byte 0 is enough to
      eliminate unwanted packets.
      
      The following are some examples of 3-byte status packets I saw:
      01 03 02
      02 03 00
      03 03 03
      08 03 00
      Signed-off-by: default avatarCameron Gutman <aicommander@gmail.com>
      Signed-off-by: default avatarPavel Rojtberg <rojtberg@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6a7bd285
    • Honggang Li's avatar
      RDMA/cxgb3: device driver frees DMA memory with different size · 5dcc3d8f
      Honggang Li authored
      commit 0de4cbb3 upstream.
      
      [  598.852037] ------------[ cut here ]------------
      [  598.856698] WARNING: at lib/dma-debug.c:887 check_unmap+0xf8/0x920()
      [  598.863079] cxgb3 0000:01:00.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000003310000] [map size=17 bytes] [unmap size=16 bytes]
      [  598.878265] Modules linked in: xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad kvm_amd kvm ipmi_devintf ipmi_ssif dcdbas pcspkr ipmi_si sg ipmi_msghandler acpi_power_meter amd64_edac_mod shpchp edac_core sp5100_tco k10temp edac_mce_amd i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ata_generic iw_cxgb3 pata_acpi ib_core ib_addr mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm pata_atiixp drm ahci libahci serio_raw i2c_core cxgb3 libata bnx2 mdio dm_mirror dm_region_hash dm_log dm_mod
      [  598.946822] CPU: 3 PID: 11820 Comm: cmtime Not tainted 3.10.0-327.el7.x86_64.debug #1
      [  598.954681] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012
      [  598.962193]  ffff8808077479a8 000000000381a432 ffff880807747960 ffffffff81700918
      [  598.969663]  ffff880807747998 ffffffff8108b6c0 ffff880807747a80 ffff8808063f55c0
      [  598.977132]  ffffffff833ca850 0000000000000282 ffff88080b1bb800 ffff880807747a00
      [  598.984602] Call Trace:
      [  598.987062]  [<ffffffff81700918>] dump_stack+0x19/0x1b
      [  598.992224]  [<ffffffff8108b6c0>] warn_slowpath_common+0x70/0xb0
      [  598.998254]  [<ffffffff8108b75c>] warn_slowpath_fmt+0x5c/0x80
      [  599.004033]  [<ffffffff813903b8>] check_unmap+0xf8/0x920
      [  599.009369]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
      [  599.014702]  [<ffffffff81390cee>] debug_dma_free_coherent+0x7e/0xa0
      [  599.021008]  [<ffffffffa01ece2c>] cxio_destroy_cq+0xcc/0x160 [iw_cxgb3]
      [  599.027654]  [<ffffffffa01e8da0>] iwch_destroy_cq+0xf0/0x140 [iw_cxgb3]
      [  599.034307]  [<ffffffffa01c4bfe>] ib_destroy_cq+0x1e/0x30 [ib_core]
      [  599.040601]  [<ffffffffa04ff2d2>] ib_uverbs_close+0x302/0x4d0 [ib_uverbs]
      [  599.047417]  [<ffffffff812335a2>] __fput+0x102/0x310
      [  599.052401]  [<ffffffff8123388e>] ____fput+0xe/0x10
      [  599.057297]  [<ffffffff810bbde4>] task_work_run+0xb4/0xe0
      [  599.062719]  [<ffffffff81092a84>] do_exit+0x304/0xc60
      [  599.067789]  [<ffffffff81025905>] ? native_sched_clock+0x35/0x80
      [  599.073820]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
      [  599.079153]  [<ffffffff8170a49c>] ? _raw_spin_unlock_irq+0x2c/0x50
      [  599.085358]  [<ffffffff8109346c>] do_group_exit+0x4c/0xc0
      [  599.090779]  [<ffffffff810a8661>] get_signal_to_deliver+0x2e1/0x960
      [  599.097071]  [<ffffffff8101c497>] do_signal+0x57/0x6e0
      [  599.102229]  [<ffffffff81714bd1>] ? sysret_signal+0x5/0x4e
      [  599.107738]  [<ffffffff8101cb7f>] do_notify_resume+0x5f/0xb0
      [  599.113418]  [<ffffffff81714e7d>] int_signal+0x12/0x17
      [  599.118576] ---[ end trace 1e4653102e7e7019 ]---
      [  599.123211] Mapped at:
      [  599.125577]  [<ffffffff8138ed8b>] debug_dma_alloc_coherent+0x2b/0x80
      [  599.131968]  [<ffffffffa01ec862>] cxio_create_cq+0xf2/0x1f0 [iw_cxgb3]
      [  599.139920]  [<ffffffffa01e9c05>] iwch_create_cq+0x105/0x4e0 [iw_cxgb3]
      [  599.147895]  [<ffffffffa0500584>] create_cq.constprop.14+0x184/0x2e0 [ib_uverbs]
      [  599.156649]  [<ffffffffa05027fb>] ib_uverbs_create_cq+0x10b/0x140 [ib_uverbs]
      
      Fixes: b955150e ('RDMA/cxgb3: When a user QP is marked in error, also mark the CQs in error')
      Signed-off-by: default avatarHonggang Li <honli@redhat.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5dcc3d8f
    • Ross Lagerwall's avatar
      xen/events: Don't move disabled irqs · 4fff8a16
      Ross Lagerwall authored
      commit f0f39387 upstream.
      
      Commit ff1e22e7 ("xen/events: Mask a moving irq") open-coded
      irq_move_irq() but left out checking if the IRQ is disabled. This broke
      resuming from suspend since it tries to move a (disabled) irq without
      holding the IRQ's desc->lock. Fix it by adding in a check for disabled
      IRQs.
      
      The resulting stacktrace was:
      kernel BUG at /build/linux-UbQGH5/linux-4.4.0/kernel/irq/migration.c:31!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: xenfs xen_privcmd ...
      CPU: 0 PID: 9 Comm: migration/0 Not tainted 4.4.0-22-generic #39-Ubuntu
      Hardware name: Xen HVM domU, BIOS 4.6.1-xs125180 05/04/2016
      task: ffff88003d75ee00 ti: ffff88003d7bc000 task.ti: ffff88003d7bc000
      RIP: 0010:[<ffffffff810e26e2>]  [<ffffffff810e26e2>] irq_move_masked_irq+0xd2/0xe0
      RSP: 0018:ffff88003d7bfc50  EFLAGS: 00010046
      RAX: 0000000000000000 RBX: ffff88003d40ba00 RCX: 0000000000000001
      RDX: 0000000000000001 RSI: 0000000000000100 RDI: ffff88003d40bad8
      RBP: ffff88003d7bfc68 R08: 0000000000000000 R09: ffff88003d000000
      R10: 0000000000000000 R11: 000000000000023c R12: ffff88003d40bad0
      R13: ffffffff81f3a4a0 R14: 0000000000000010 R15: 00000000ffffffff
      FS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fd4264de624 CR3: 0000000037922000 CR4: 00000000003406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Stack:
       ffff88003d40ba38 0000000000000024 0000000000000000 ffff88003d7bfca0
       ffffffff814c8d92 00000010813ef89d 00000000805ea732 0000000000000009
       0000000000000024 ffff88003cc39b80 ffff88003d7bfce0 ffffffff814c8f66
      Call Trace:
       [<ffffffff814c8d92>] eoi_pirq+0xb2/0xf0
       [<ffffffff814c8f66>] __startup_pirq+0xe6/0x150
       [<ffffffff814ca659>] xen_irq_resume+0x319/0x360
       [<ffffffff814c7e75>] xen_suspend+0xb5/0x180
       [<ffffffff81120155>] multi_cpu_stop+0xb5/0xe0
       [<ffffffff811200a0>] ? cpu_stop_queue_work+0x80/0x80
       [<ffffffff811203d0>] cpu_stopper_thread+0xb0/0x140
       [<ffffffff810a94e6>] ? finish_task_switch+0x76/0x220
       [<ffffffff810ca731>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
       [<ffffffff810a3935>] smpboot_thread_fn+0x105/0x160
       [<ffffffff810a3830>] ? sort_range+0x30/0x30
       [<ffffffff810a0588>] kthread+0xd8/0xf0
       [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
       [<ffffffff8182568f>] ret_from_fork+0x3f/0x70
       [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4fff8a16
    • Oleg Nesterov's avatar
      wait/ptrace: assume __WALL if the child is traced · 5d53f2c2
      Oleg Nesterov authored
      commit bf959931 upstream.
      
      The following program (simplified version of generated by syzkaller)
      
      	#include <pthread.h>
      	#include <unistd.h>
      	#include <sys/ptrace.h>
      	#include <stdio.h>
      	#include <signal.h>
      
      	void *thread_func(void *arg)
      	{
      		ptrace(PTRACE_TRACEME, 0,0,0);
      		return 0;
      	}
      
      	int main(void)
      	{
      		pthread_t thread;
      
      		if (fork())
      			return 0;
      
      		while (getppid() != 1)
      			;
      
      		pthread_create(&thread, NULL, thread_func, NULL);
      		pthread_join(thread, NULL);
      		return 0;
      	}
      
      creates an unreapable zombie if /sbin/init doesn't use __WALL.
      
      This is not a kernel bug, at least in a sense that everything works as
      expected: debugger should reap a traced sub-thread before it can reap the
      leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.
      
      Unfortunately, it seems that /sbin/init in most (all?) distributions
      doesn't use it and we have to change the kernel to avoid the problem.
      Note also that most init's use sys_waitid() which doesn't allow __WALL, so
      the necessary user-space fix is not that trivial.
      
      This patch just adds the "ptrace" check into eligible_child().  To some
      degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
      mostly ignored when the tracee reports to debugger.  Or WSTOPPED, the
      tracer doesn't need to set this flag to wait for the stopped tracee.
      
      This obviously means the user-visible change: __WCLONE and __WALL no
      longer have any meaning for debugger.  And I can only hope that this won't
      break something, but at least strace/gdb won't suffer.
      
      We could make a more conservative change.  Say, we can take __WCLONE into
      account, or !thread_group_leader().  But it would be nice to not
      complicate these historical/confusing checks.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
      Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
      Cc: Pedro Alves <palves@redhat.com>
      Cc: Roland McGrath <roland@hack.frob.com>
      Cc: <syzkaller@googlegroups.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5d53f2c2
    • Ricky Liang's avatar
      Input: uinput - handle compat ioctl for UI_SET_PHYS · b3b03b8c
      Ricky Liang authored
      commit affa80bd upstream.
      
      When running a 32-bit userspace on a 64-bit kernel, the UI_SET_PHYS
      ioctl needs to be treated with special care, as it has the pointer
      size encoded in the command.
      Signed-off-by: default avatarRicky Liang <jcliang@chromium.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b3b03b8c
    • xypron.glpk@gmx.de's avatar
      net: ehea: avoid null pointer dereference · d8fcbf62
      xypron.glpk@gmx.de authored
      commit 1740c29a upstream.
      
      ehea_get_port may return NULL. Do not dereference NULL value.
      
      Fixes: 8c4877a4 ("ehea: Use the standard logging functions")
      Signed-off-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Acked-by: default avatarThadeu Lima de Souza Cascardo <cascardo@debian.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d8fcbf62
    • Chuck Lever's avatar
      sunrpc: Update RPCBIND_MAXNETIDLEN · 4ce65741
      Chuck Lever authored
      commit 4b9c7f9d upstream.
      
      Commit 176e21ee ("SUNRPC: Support for RPC over AF_LOCAL
      transports") added a 5-character netid, but did not bump
      RPCBIND_MAXNETIDLEN from 4 to 5.
      
      Fixes: 176e21ee ("SUNRPC: Support for RPC over AF_LOCAL ...")
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ce65741
    • Stefan Metzmacher's avatar
      fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication · 4c0ff9c2
      Stefan Metzmacher authored
      commit 1a967d6c upstream.
      
      Only server which map unknown users to guest will allow
      access using a non-null NTLMv2_Response.
      
      For Samba it's the "map to guest = bad user" option.
      
      BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913Signed-off-by: default avatarStefan Metzmacher <metze@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      [bwh: Backported to 3.2:
       - Adjust context, indentation
       - Keep using cERROR()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4c0ff9c2
    • Stefan Metzmacher's avatar
      fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication · 04d4726b
      Stefan Metzmacher authored
      commit 777f69b8 upstream.
      
      Only server which map unknown users to guest will allow
      access using a non-null NTChallengeResponse.
      
      For Samba it's the "map to guest = bad user" option.
      
      BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913Signed-off-by: default avatarStefan Metzmacher <metze@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      [bwh: Backported to 3.2:
       - Adjust context, indentation
       - Keep using cERROR()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      04d4726b
    • Stefan Metzmacher's avatar
      fs/cifs: correctly to anonymous authentication for the LANMAN authentication · 9c818d99
      Stefan Metzmacher authored
      commit fa8f3a35 upstream.
      
      Only server which map unknown users to guest will allow
      access using a non-null LMChallengeResponse.
      
      For Samba it's the "map to guest = bad user" option.
      
      BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913Signed-off-by: default avatarStefan Metzmacher <metze@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      [bwh: Backported to 3.2:
       - Adjust context, indentation
       - Keep ses->flags assignment out of the new if-statement]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9c818d99
    • Stefan Metzmacher's avatar
      fs/cifs: correctly to anonymous authentication via NTLMSSP · 621a46ab
      Stefan Metzmacher authored
      commit cfda35d9 upstream.
      
      See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:
      
         ...
         Set NullSession to FALSE
         If (AUTHENTICATE_MESSAGE.UserNameLen == 0 AND
            AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0 AND
            (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
             OR
             AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
             -- Special case: client requested anonymous authentication
             Set NullSession to TRUE
         ...
      
      Only server which map unknown users to guest will allow
      access using a non-null NTChallengeResponse.
      
      For Samba it's the "map to guest = bad user" option.
      
      BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913Signed-off-by: default avatarStefan Metzmacher <metze@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      [bwh: Backported to 3.2: keep using cERROR()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      621a46ab
    • Prarit Bhargava's avatar
      PCI: Disable all BAR sizing for devices with non-compliant BARs · 74fcab22
      Prarit Bhargava authored
      commit ad67b437 upstream.
      
      b84106b4 ("PCI: Disable IO/MEM decoding for devices with non-compliant
      BARs") disabled BAR sizing for BARs 0-5 of devices that don't comply with
      the PCI spec.  But it didn't do anything for expansion ROM BARs, so we
      still try to size them, resulting in warnings like this on Broadwell-EP:
      
        pci 0000:ff:12.0: BAR 6: failed to assign [mem size 0x00000001 pref]
      
      Move the non-compliant BAR check from __pci_read_base() up to
      pci_read_bases() so it applies to the expansion ROM BAR as well as
      to BARs 0-5.
      
      Note that direct callers of __pci_read_base(), like sriov_init(), will now
      bypass this check.  We haven't had reports of devices with broken SR-IOV
      BARs yet.
      
      [bhelgaas: changelog]
      Fixes: b84106b4 ("PCI: Disable IO/MEM decoding for devices with non-compliant BARs")
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Ingo Molnar <mingo@redhat.com>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      CC: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      74fcab22
    • Prarit Bhargava's avatar
      x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs · 33703833
      Prarit Bhargava authored
      commit da77b671 upstream.
      
      Commit b8941571 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having
      non-compliant BARs") marked Home Agent 0 & PCU has having non-compliant
      BARs.  Home Agent 1 also has non-compliant BARs.
      
      Mark Home Agent 1 as having non-compliant BARs so the PCI core doesn't
      touch them.
      
      The problem with these devices is documented in the Xeon v4 specification
      update:
      
        BDF2          PCI BARs in the Home Agent Will Return Non-Zero Values
                      During Enumeration
      
        Problem:      During system initialization the Operating System may access
                      the standard PCI BARs (Base Address Registers).  Due to
                      this erratum, accesses to the Home Agent BAR registers (Bus
                      1; Device 18; Function 0,4; Offsets (0x14-0x24) will return
                      non-zero values.
      
        Implication:  The operating system may issue a warning.  Intel has not
                      observed any functional failures due to this erratum.
      
      Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
      Fixes: b8941571 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs")
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Ingo Molnar <mingo@redhat.com>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      CC: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      33703833
    • Tariq Toukan's avatar
      net/mlx4_core: Fix access to uninitialized index · 15013039
      Tariq Toukan authored
      commit 2bb07e15 upstream.
      
      Prevent using uninitialized or negative index when handling
      steering entries.
      
      Fixes: b12d93d6 ('mlx4: Add support for promiscuous mode in the new steering model.')
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      15013039
    • Adrian Hunter's avatar
      mmc: mmc: Fix partition switch timeout for some eMMCs · 2d1bbf04
      Adrian Hunter authored
      commit 1c447116 upstream.
      
      Some eMMCs set the partition switch timeout too low.
      
      Now typically eMMCs are considered a critical component (e.g. because
      they store the root file system) and consequently are expected to be
      reliable.  Thus we can neglect the use case where eMMCs can't switch
      reliably and we might want a lower timeout to facilitate speedy
      recovery.
      
      Although we could employ a quirk for the cards that are affected (if
      we could identify them all), as described above, there is little
      benefit to having a low timeout, so instead simply set a minimum
      timeout.
      
      The minimum is set to 300ms somewhat arbitrarily - the examples that
      have been seen had a timeout of 10ms but were sometimes taking 60-70ms.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2d1bbf04
    • Vik Heyndrickx's avatar
      sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems · 245d83e3
      Vik Heyndrickx authored
      commit 20878232 upstream.
      
      Systems show a minimal load average of 0.00, 0.01, 0.05 even when they
      have no load at all.
      
      Uptime and /proc/loadavg on all systems with kernels released during the
      last five years up until kernel version 4.6-rc5, show a 5- and 15-minute
      minimum loadavg of 0.01 and 0.05 respectively. This should be 0.00 on
      idle systems, but the way the kernel calculates this value prevents it
      from getting lower than the mentioned values.
      
      Likewise but not as obviously noticeable, a fully loaded system with no
      processes waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99, 0.95
      (multiplied by number of cores).
      
      Once the (old) load becomes 93 or higher, it mathematically can never
      get lower than 93, even when the active (load) remains 0 forever.
      This results in the strange 0.00, 0.01, 0.05 uptime values on idle
      systems.  Note: 93/2048 = 0.0454..., which rounds up to 0.05.
      
      It is not correct to add a 0.5 rounding (=1024/2048) here, since the
      result from this function is fed back into the next iteration again,
      so the result of that +0.5 rounding value then gets multiplied by
      (2048-2037), and then rounded again, so there is a virtual "ghost"
      load created, next to the old and active load terms.
      
      By changing the way the internally kept value is rounded, that internal
      value equivalent now can reach 0.00 on idle, and 1.00 on full load. Upon
      increasing load, the internally kept load value is rounded up, when the
      load is decreasing, the load value is rounded down.
      
      The modified code was tested on nohz=off and nohz kernels. It was tested
      on vanilla kernel 4.6-rc5 and on centos 7.1 kernel 3.10.0-327. It was
      tested on single, dual, and octal cores system. It was tested on virtual
      hosts and bare hardware. No unwanted effects have been observed, and the
      problems that the patch intended to fix were indeed gone.
      Tested-by: default avatarDamien Wyart <damien.wyart@free.fr>
      Signed-off-by: default avatarVik Heyndrickx <vik.heyndrickx@veribox.net>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Doug Smythies <dsmythies@telus.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 0f004f5a ("sched: Cure more NO_HZ load average woes")
      Link: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      245d83e3
    • Michael Ellerman's avatar
      powerpc/mm/hash64: Fix subpage protection with 4K HPTE config · 45a50dee
      Michael Ellerman authored
      commit aac55d75 upstream.
      
      With Linux page size of 64K and hardware only supporting 4K HPTE, if we
      use subpage protection, we always fail for the subpage 0 as shown
      below (using the selftest subpage_prot test):
      
        520175565:  (4520111850): Failed at 0x3fffad4b0000 (p=13,sp=0,w=0), want=fault, got=pass !
        4520890210: (4520826495): Failed at 0x3fffad5b0000 (p=29,sp=0,w=0), want=fault, got=pass !
        4521574251: (4521510536): Failed at 0x3fffad6b0000 (p=45,sp=0,w=0), want=fault, got=pass !
        4522258324: (4522194609): Failed at 0x3fffad7b0000 (p=61,sp=0,w=0), want=fault, got=pass !
      
      This is because hash preload wrongly inserts the HPTE entry for subpage
      0 without looking at the subpage protection information.
      
      Fix it by teaching should_hash_preload() not to preload if we have
      subpage protection configured for that range.
      
      It appears this has been broken since it was introduced in 2008.
      
      Fixes: fa28237c ("[POWERPC] Provide a way to protect 4k subpages when using 64k pages")
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      [mpe: Rework into should_hash_preload() to avoid build fails w/SLICES=n]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      45a50dee
    • Michael Ellerman's avatar
      powerpc/mm/hash64: Factor out hash preload psize check · b9b441d1
      Michael Ellerman authored
      commit 8bbc9b7b upstream.
      
      Currently we have a check in hash_preload() against the psize, which is
      only included when CONFIG_PPC_MM_SLICES is enabled. We want to expand
      this check in a subsequent patch, so factor it out to allow that. As a
      bonus it removes the #ifdef in the C code.
      
      Unfortunately we can't put this in the existing CONFIG_PPC_MM_SLICES
      block because it would require a forward declaration.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b9b441d1
    • Mans Rullgard's avatar
      ata: sata_dwc_460ex: remove incorrect locking · b7581238
      Mans Rullgard authored
      commit 55e610cd upstream.
      
      This lock is already taken in ata_scsi_queuecmd() a few levels up the
      call stack so attempting to take it here is an error.  Moreover, it is
      pointless in the first place since it only protects a single, atomic
      assignment.
      
      Enabling lock debugging gives the following output:
      
      =============================================
      [ INFO: possible recursive locking detected ]
      4.4.0-rc5+ #189 Not tainted
      ---------------------------------------------
      kworker/u2:3/37 is trying to acquire lock:
       (&(&host->lock)->rlock){-.-...}, at: [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c
      
      but task is already holding lock:
       (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&host->lock)->rlock);
        lock(&(&host->lock)->rlock);
      
       *** DEADLOCK ***
       May be due to missing lock nesting notation
      
      4 locks held by kworker/u2:3/37:
       #0:  ("events_unbound"){.+.+.+}, at: [<9003a0a4>] process_one_work+0x12c/0x430
       #1:  ((&entry->work)){+.+.+.}, at: [<9003a0a4>] process_one_work+0x12c/0x430
       #2:  (&bdev->bd_mutex){+.+.+.}, at: [<9011fd54>] __blkdev_get+0x50/0x380
       #3:  (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330
      
      stack backtrace:
      CPU: 0 PID: 37 Comm: kworker/u2:3 Not tainted 4.4.0-rc5+ #189
      Workqueue: events_unbound async_run_entry_fn
      Stack : 90b38e30 00000021 00000003 9b2a6040 00000000 9005f3f0 904fc8dc 00000025
              906b96e4 00000000 90528648 9b3336c4 904fc8dc 9009bf18 00000002 00000004
              00000000 00000000 9b3336c4 9b3336e4 904fc8dc 9003d074 00000000 90500000
              9005e738 00000000 00000000 00000000 00000000 00000000 00000000 00000000
              6e657665 755f7374 756f626e 0000646e 00000000 00000000 9b00ca00 9b025000
                ...
      Call Trace:
      [<90009d6c>] show_stack+0x88/0xa4
      [<90057744>] __lock_acquire+0x1ce8/0x2154
      [<900583e4>] lock_acquire+0x64/0x8c
      [<9045ff10>] _raw_spin_lock_irqsave+0x54/0x78
      [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c
      [<90283484>] sata_dwc_qc_issue+0x1a8/0x24c
      [<9026b39c>] ata_qc_issue+0x1f0/0x410
      [<90273c6c>] ata_scsi_translate+0xb4/0x200
      [<90276234>] ata_scsi_queuecmd+0xb4/0x330
      [<9025800c>] scsi_dispatch_cmd+0xd0/0x128
      [<90259934>] scsi_request_fn+0x58c/0x638
      [<901a3e50>] __blk_run_queue+0x40/0x5c
      [<901a83d4>] blk_queue_bio+0x27c/0x28c
      [<901a5914>] generic_make_request+0xf0/0x188
      [<901a5a54>] submit_bio+0xa8/0x194
      [<9011adcc>] submit_bh_wbc.isra.23+0x15c/0x17c
      [<9011c908>] block_read_full_page+0x3e4/0x428
      [<9009e2e0>] do_read_cache_page+0xac/0x210
      [<9009fd90>] read_cache_page+0x18/0x24
      [<901bbd18>] read_dev_sector+0x38/0xb0
      [<901bd174>] msdos_partition+0xb4/0x5c0
      [<901bcb8c>] check_partition+0x140/0x274
      [<901bba60>] rescan_partitions+0xa0/0x2b0
      [<9011ff68>] __blkdev_get+0x264/0x380
      [<901201ac>] blkdev_get+0x128/0x36c
      [<901b9378>] add_disk+0x3c0/0x4bc
      [<90268268>] sd_probe_async+0x100/0x224
      [<90043a44>] async_run_entry_fn+0x50/0x124
      [<9003a11c>] process_one_work+0x1a4/0x430
      [<9003a4f4>] worker_thread+0x14c/0x4fc
      [<900408f4>] kthread+0xd0/0xe8
      [<90004338>] ret_from_kernel_thread+0x14/0x1c
      
      Fixes: 62936009 ("[libata] Add 460EX on-chip SATA driver, sata_dwc_460ex")
      Tested-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarMans Rullgard <mans@mansr.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b7581238
    • Arnd Bergmann's avatar
      gcov: disable tree-loop-im to reduce stack usage · defacd21
      Arnd Bergmann authored
      commit c87bf431 upstream.
      
      Enabling CONFIG_GCOV_PROFILE_ALL produces us a lot of warnings like
      
      lib/lz4/lz4hc_compress.c: In function 'lz4_compresshcctx':
      lib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than=]
      
      After some investigation, I found that this behavior started with gcc-4.9,
      and opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702.
      A suggested workaround for it is to use the -fno-tree-loop-im
      flag that turns off one of the optimization stages in gcc, so the
      code runs a little slower but does not use excessive amounts
      of stack.
      
      We could make this conditional on the gcc version, but I could not
      find an easy way to do this in Kbuild and the benefit would be
      fairly small, given that most of the gcc version in production are
      affected now.
      
      I'm marking this for 'stable' backports because it addresses a bug
      with code generation in gcc that exists in all kernel versions
      with the affected gcc releases.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarPeter Oberparleiter <oberpar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      defacd21
    • Joshua Kinard's avatar
      MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR · a5254486
      Joshua Kinard authored
      commit 12863939 upstream.
      
      Update the recent changes to set_pte() that were added in 46011e6e
      to handle R10000_LLSC_WAR, and format the assembly to match other areas
      of the MIPS tree using the same WAR.
      
      This also incorporates a patch recently sent in my Markos Chandras,
      "Remove local LL/SC preprocessor variants", so that patch doesn't need
      to be applied if this one is accepted.
      Signed-off-by: default avatarJoshua Kinard <kumba@gentoo.org>
      Fixes: 46011e6e ("MIPS: Make set_pte() SMP safe.)
      Cc: David Daney <david.daney@cavium.com>
      Cc: Linux/MIPS <linux-mips@linux-mips.org>
      Patchwork: https://patchwork.linux-mips.org/patch/11103/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      [bwh: Backported to 3.2:
       - Use {LL,SC}_INSN not __{LL,SC}
       - Use literal arch=r4000 instead of MIPS_ISA_ARCH_LEVEL since R6 is not
         supported]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a5254486
    • Dan Carpenter's avatar
      ACPI / sysfs: fix error code in get_status() · ae9dc44c
      Dan Carpenter authored
      commit f18ebc21 upstream.
      
      The problem with ornamental, do-nothing gotos is that they lead to
      "forgot to set the error code" bugs.  We should be returning -EINVAL
      here but we don't.  It leads to an uninitalized variable in
      counter_show():
      
          drivers/acpi/sysfs.c:603 counter_show()
          error: uninitialized symbol 'status'.
      
      Fixes: 1c8fce27 (ACPI: introduce drivers/acpi/sysfs.c)
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae9dc44c
    • Lei Liu's avatar
      USB: serial: option: add even more ZTE device ids · bdcc4ee4
      Lei Liu authored
      commit 74d2a91a upstream.
      
      Add even more ZTE device ids.
      Signed-off-by: default avatarlei liu <liu.lei78@zte.com.cn>
      [johan: rebase and replace commit message ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bdcc4ee4
    • lei liu's avatar
      USB: serial: option: add more ZTE device ids · 1782e204
      lei liu authored
      commit f0d09463 upstream.
      
      More ZTE device ids.
      Signed-off-by: default avatarlei liu <liu.lei78@zte.com.cn>
      [properly sort them - gregkh]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1782e204
    • Jiri Slaby's avatar
      tty: vt, return error when con_startup fails · bc8d9d42
      Jiri Slaby authored
      commit 6798df4c upstream.
      
      When csw->con_startup() fails in do_register_con_driver, we return no
      error (i.e. 0). This was changed back in 2006 by commit 3e795de7.
      Before that we used to return -ENODEV.
      
      So fix the return value to be -ENODEV in that case again.
      
      Fixes: 3e795de7 ("VT binding: Add binding/unbinding support for the VT console")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reported-by: default avatar"Dan Carpenter" <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc8d9d42
    • Geert Uytterhoeven's avatar
      char: Drop bogus dependency of DEVPORT on !M68K · dae2881c
      Geert Uytterhoeven authored
      commit 309124e2 upstream.
      
      According to full-history-linux commit d3794f4fa7c3edc3 ("[PATCH] M68k
      update (part 25)"), port operations are allowed on m68k if CONFIG_ISA is
      defined.
      
      However, commit 153dcc54 ("[PATCH] mem driver: fix conditional
      on isa i/o support") accidentally changed an "||" into an "&&",
      disabling it completely on m68k. This logic was retained when
      introducing the DEVPORT symbol in commit 4f911d64 ("Make
      /dev/port conditional on config symbol").
      
      Drop the bogus dependency on !M68K to fix this.
      
      Fixes: 153dcc54 ("[PATCH] mem driver: fix conditional on isa i/o support")
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Tested-by: default avatarAl Stone <ahs3@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dae2881c
    • Theodore Ts'o's avatar
      ext4: fix hang when processing corrupted orphaned inode list · cb7a13ce
      Theodore Ts'o authored
      commit c9eb13a9 upstream.
      
      If the orphaned inode list contains inode #5, ext4_iget() returns a
      bad inode (since the bootloader inode should never be referenced
      directly).  Because of the bad inode, we end up processing the inode
      repeatedly and this hangs the machine.
      
      This can be reproduced via:
      
         mke2fs -t ext4 /tmp/foo.img 100
         debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
         mount -o loop /tmp/foo.img /mnt
      
      (But don't do this if you are using an unpatched kernel if you care
      about the system staying functional.  :-)
      
      This bug was found by the port of American Fuzzy Lop into the kernel
      to find file system problems[1].  (Since it *only* happens if inode #5
      shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
      surprising that AFL needed two hours before it found it.)
      
      [1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
      
      Reported by: Vegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb7a13ce
    • Raghava Aditya Renukunta's avatar
      aacraid: Fix for aac_command_thread hang · aecf3aa4
      Raghava Aditya Renukunta authored
      commit fc4bf75e upstream.
      
      Typically under error conditions, it is possible for aac_command_thread()
      to miss the wakeup from kthread_stop() and go back to sleep, causing it
      to hang aac_shutdown.
      
      In the observed scenario, the adapter is not functioning correctly and so
      aac_fib_send() never completes (or time-outs depending on how it was
      called). Shortly after aac_command_thread() starts it performs
      aac_fib_send(SendHostTime) which hangs. When aac_probe_one
      /aac_get_adapter_info send time outs, kthread_stop is called which breaks
      the command thread out of it's hang.
      
      The code will still go back to sleep in schedule_timeout() without
      checking kthread_should_stop() so it causes aac_probe_one to hang until
      the schedule_timeout() which is 30 minutes.
      
      Fixed by: Adding another kthread_should_stop() before schedule_timeout()
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      aecf3aa4
    • Luke Dashjr's avatar
      btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl · b3c5772b
      Luke Dashjr authored
      commit 4c63c245 upstream.
      
      32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
      be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
      fail.
      Signed-off-by: default avatarLuke Dashjr <luke-jr+git@utopios.org>
      Reviewed-by: default avatarJosef Bacik <jbacik@fb.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b3c5772b