1. 20 Aug, 2016 11 commits
    • Herbert Xu's avatar
      crypto: scatterwalk - Fix test in scatterwalk_done · 81292598
      Herbert Xu authored
      [ Upstream commit 5f070e81 ]
      
      When there is more data to be processed, the current test in
      scatterwalk_done may prevent us from calling pagedone even when
      we should.
      
      In particular, if we're on an SG entry spanning multiple pages
      where the last page is not a full page, we will incorrectly skip
      calling pagedone on the second last page.
      
      This patch fixes this by adding a separate test for whether we've
      reached the end of a page.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      81292598
    • Amadeusz Sławiński's avatar
      Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU · 98953c4c
      Amadeusz Sławiński authored
      [ Upstream commit 23bc6ab0 ]
      
      When we retrieve imtu value from userspace we should use 16 bit pointer
      cast instead of 32 as it's defined that way in headers. Fixes setsockopt
      calls on big-endian platforms.
      Signed-off-by: default avatarAmadeusz Sławiński <amadeusz.slawinski@tieto.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      98953c4c
    • Cao, Lei's avatar
      KVM: VMX: handle PML full VMEXIT that occurs during event delivery · 5436aa6c
      Cao, Lei authored
      [ Upstream commit b244c9fc ]
      
      With PML enabled, guest will shut down if a PML full VMEXIT occurs during
      event delivery. According to Intel SDM 27.2.3, PML full VMEXIT can occur when
      event is being delivered through IDT, so KVM should not exit to user space
      with error. Instead, it should let EXIT_REASON_PML_FULL go through and the
      event will be re-injected on the next VMENTRY.
      Signed-off-by: default avatarLei Cao <lei.cao@stratus.com>
      Cc: stable@vger.kernel.org
      Fixes: 843e4330 ("KVM: VMX: Add PML support in VMX")
      [Shortened the summary and Cc'd stable.]
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5436aa6c
    • Daniele Palmas's avatar
      USB: serial: option: add support for Telit LE910 PID 0x1206 · aef1e06d
      Daniele Palmas authored
      [ Upstream commit 3c0415fa ]
      
      This patch adds support for 0x1206 PID of Telit LE910.
      
      Since the interfaces positions are the same than the ones for
      0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      aef1e06d
    • Michael Neuling's avatar
      powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint() · 4af80d9f
      Michael Neuling authored
      [ Upstream commit 6bcb8014 ]
      
      At the start of __tm_recheckpoint() we save the kernel stack pointer
      (r1) in SPRG SCRATCH0 (SPRG2) so that we can restore it after the
      trecheckpoint.
      
      Unfortunately, the same SPRG is used in the SLB miss handler.  If an
      SLB miss is taken between the save and restore of r1 to the SPRG, the
      SPRG is changed and hence r1 is also corrupted.  We can end up with
      the following crash when we start using r1 again after the restore
      from the SPRG:
      
        Oops: Bad kernel stack pointer, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        CPU: 658 PID: 143777 Comm: htm_demo Tainted: G            EL   X 4.4.13-0-default #1
        task: c0000b56993a7810 ti: c00000000cfec000 task.ti: c0000b56993bc000
        NIP: c00000000004f188 LR: 00000000100040b8 CTR: 0000000010002570
        REGS: c00000000cfefd40 TRAP: 0300   Tainted: G            EL   X  (4.4.13-0-default)
        MSR: 8000000300001033 <SF,ME,IR,DR,RI,LE>  CR: 02000424  XER: 20000000
        CFAR: c000000000008468 DAR: 00003ffd84e66880 DSISR: 40000000 SOFTE: 0
        PACATMSCRATCH: 00003ffbc865e680
        GPR00: fffffffcfabc4268 00003ffd84e667a0 00000000100d8c38 000000030544bb80
        GPR04: 0000000000000002 00000000100cf200 0000000000000449 00000000100cf100
        GPR08: 000000000000c350 0000000000002569 0000000000002569 00000000100d6c30
        GPR12: 00000000100d6c28 c00000000e6a6b00 00003ffd84660000 0000000000000000
        GPR16: 0000000000000003 0000000000000449 0000000010002570 0000010009684f20
        GPR20: 0000000000800000 00003ffd84e5f110 00003ffd84e5f7a0 00000000100d0f40
        GPR24: 0000000000000000 0000000000000000 0000000000000000 00003ffff0673f50
        GPR28: 00003ffd84e5e960 00000000003d0f00 00003ffd84e667a0 00003ffd84e5e680
        NIP [c00000000004f188] restore_gprs+0x110/0x17c
        LR [00000000100040b8] 0x100040b8
        Call Trace:
        Instruction dump:
        f8a1fff0 e8e700a8 38a00000 7ca10164 e8a1fff8 e821fff0 7c0007dd 7c421378
        7db142a6 7c3242a6 38800002 7c810164 <e9c100e0> e9e100e8 ea0100f0 ea2100f8
      
      We hit this on large memory machines (> 2TB) but it can also be hit on
      smaller machines when 1TB segments are disabled.
      
      To hit this, you also need to be virtualised to ensure SLBs are
      periodically removed by the hypervisor.
      
      This patches moves the saving of r1 to the SPRG to the region where we
      are guaranteed not to take any further SLB misses.
      
      Fixes: 98ae22e1 ("powerpc: Add helper functions for transactional memory context switching")
      Cc: stable@vger.kernel.org # v3.9+
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Acked-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4af80d9f
    • Michael Neuling's avatar
      powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 · 572c8b69
      Michael Neuling authored
      [ Upstream commit 190ce869 ]
      
      Currently we have 2 segments that are bolted for the kernel linear
      mapping (ie 0xc000... addresses). This is 0 to 1TB and also the kernel
      stacks. Anything accessed outside of these regions may need to be
      faulted in. (In practice machines with TM always have 1T segments)
      
      If a machine has < 2TB of memory we never fault on the kernel linear
      mapping as these two segments cover all physical memory. If a machine
      has > 2TB of memory, there may be structures outside of these two
      segments that need to be faulted in. This faulting can occur when
      running as a guest as the hypervisor may remove any SLB that's not
      bolted.
      
      When we treclaim and trecheckpoint we have a window where we need to
      run with the userspace GPRs. This means that we no longer have a valid
      stack pointer in r1. For this window we therefore clear MSR RI to
      indicate that any exceptions taken at this point won't be able to be
      handled. This means that we can't take segment misses in this RI=0
      window.
      
      In this RI=0 region, we currently access the thread_struct for the
      process being context switched to or from. This thread_struct access
      may cause a segment fault since it's not guaranteed to be covered by
      the two bolted segment entries described above.
      
      We've seen this with a crash when running as a guest with > 2TB of
      memory on PowerVM:
      
        Unrecoverable exception 4100 at c00000000004f138
        Oops: Unrecoverable exception, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        CPU: 1280 PID: 7755 Comm: kworker/1280:1 Tainted: G                 X 4.4.13-46-default #1
        task: c000189001df4210 ti: c000189001d5c000 task.ti: c000189001d5c000
        NIP: c00000000004f138 LR: 0000000010003a24 CTR: 0000000010001b20
        REGS: c000189001d5f730 TRAP: 4100   Tainted: G                 X  (4.4.13-46-default)
        MSR: 8000000100001031 <SF,ME,IR,DR,LE>  CR: 24000048  XER: 00000000
        CFAR: c00000000004ed18 SOFTE: 0
        GPR00: ffffffffc58d7b60 c000189001d5f9b0 00000000100d7d00 000000003a738288
        GPR04: 0000000000002781 0000000000000006 0000000000000000 c0000d1f4d889620
        GPR08: 000000000000c350 00000000000008ab 00000000000008ab 00000000100d7af0
        GPR12: 00000000100d7ae8 00003ffe787e67a0 0000000000000000 0000000000000211
        GPR16: 0000000010001b20 0000000000000000 0000000000800000 00003ffe787df110
        GPR20: 0000000000000001 00000000100d1e10 0000000000000000 00003ffe787df050
        GPR24: 0000000000000003 0000000000010000 0000000000000000 00003fffe79e2e30
        GPR28: 00003fffe79e2e68 00000000003d0f00 00003ffe787e67a0 00003ffe787de680
        NIP [c00000000004f138] restore_gprs+0xd0/0x16c
        LR [0000000010003a24] 0x10003a24
        Call Trace:
        [c000189001d5f9b0] [c000189001d5f9f0] 0xc000189001d5f9f0 (unreliable)
        [c000189001d5fb90] [c00000000001583c] tm_recheckpoint+0x6c/0xa0
        [c000189001d5fbd0] [c000000000015c40] __switch_to+0x2c0/0x350
        [c000189001d5fc30] [c0000000007e647c] __schedule+0x32c/0x9c0
        [c000189001d5fcb0] [c0000000007e6b58] schedule+0x48/0xc0
        [c000189001d5fce0] [c0000000000deabc] worker_thread+0x22c/0x5b0
        [c000189001d5fd80] [c0000000000e7000] kthread+0x110/0x130
        [c000189001d5fe30] [c000000000009538] ret_from_kernel_thread+0x5c/0xa4
        Instruction dump:
        7cb103a6 7cc0e3a6 7ca222a6 78a58402 38c00800 7cc62838 08860000 7cc000a6
        38a00006 78c60022 7cc62838 0b060000 <e8c701a0> 7ccff120 e8270078 e8a70098
        ---[ end trace 602126d0a1dedd54 ]---
      
      This fixes this by copying the required data from the thread_struct to
      the stack before we clear MSR RI. Then once we clear RI, we only access
      the stack, guaranteeing there's no segment miss.
      
      We also tighten the region over which we set RI=0 on the treclaim()
      path. This may have a slight performance impact since we're adding an
      mtmsr instruction.
      
      Fixes: 090b9284 ("powerpc/tm: Clear MSR RI in non-recoverable TM code")
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Reviewed-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      572c8b69
    • Vegard Nossum's avatar
      ext4: short-cut orphan cleanup on error · 881052c2
      Vegard Nossum authored
      [ Upstream commit c65d5c6c ]
      
      If we encounter a filesystem error during orphan cleanup, we should stop.
      Otherwise, we may end up in an infinite loop where the same inode is
      processed again and again.
      
          EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
          EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
          Aborting journal on device loop0-8.
          EXT4-fs (loop0): Remounting filesystem read-only
          EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
          EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
          EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
          [...]
          EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
          [...]
          EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
          [...]
      
      See-also: c9eb13a9 ("ext4: fix hang when processing corrupted orphaned inode list")
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      881052c2
    • Alex Deucher's avatar
      drm/radeon: support backlight control for UNIPHY3 · 3f7ed29b
      Alex Deucher authored
      [ Upstream commit d3200be6 ]
      
      Same interface as other UNIPHY blocks
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      3f7ed29b
    • Jim Mattson's avatar
      KVM: nVMX: Fix memory corruption when using VMCS shadowing · 6c2ca216
      Jim Mattson authored
      [ Upstream commit 2f1fe811 ]
      
      When freeing the nested resources of a vcpu, there is an assumption that
      the vcpu's vmcs01 is the current VMCS on the CPU that executes
      nested_release_vmcs12(). If this assumption is violated, the vcpu's
      vmcs01 may be made active on multiple CPUs at the same time, in
      violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
      not VMCLEARed on every CPU on which it is active, it can linger in a
      CPU's VMCS cache after it has been freed and potentially
      repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
      miss can result in memory corruption.
      
      It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
      the vcpu in question was last loaded on a different CPU, it must be
      migrated to the current CPU before calling vmx_load_vmcs01().
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6c2ca216
    • Joseph Salisbury's avatar
      usb: quirks: Add no-lpm quirk for Elan · 53bb06cb
      Joseph Salisbury authored
      [ Upstream commit 25b1f9ac ]
      
      BugLink: http://bugs.launchpad.net/bugs/1498667
      
      As reported in BugLink, this device has an issue with Linux Power
      Management so adding a quirk.  This quirk was reccomended by Alan Stern:
      
      http://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.htmlSigned-off-by: default avatarJoseph Salisbury <joseph.salisbury@canonical.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      53bb06cb
    • Adrien Vergé's avatar
      USB: quirks: Fix another ELAN touchscreen · bd0702ff
      Adrien Vergé authored
      [ Upstream commit df36c5be ]
      
      Like other buggy models that had their fixes [1], the touchscreen with
      id 04f3:21b8 from ELAN Microelectronics needs the device-qualifier
      quirk. Otherwise, it fails to respond, blocks the boot for a random
      amount of time and pollutes dmesg with:
      
      [ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd
      [ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71
      [ 2889.502005] usb 1-5: can't read configurations, error -71
      [ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd
      [ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71
      [ 2891.783443] usb 1-5: can't read configurations, error -71
      
      [1]: See commits c68929f7, 876af5d4, d7499475, a32c99e7 and dc703ec2.
      Tested-by: default avatarAdrien Vergé <adrienverge@gmail.com>
      Signed-off-by: default avatarAdrien Vergé <adrienverge@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      bd0702ff
  2. 17 Aug, 2016 16 commits
  3. 16 Aug, 2016 13 commits