1. 27 Apr, 2015 7 commits
  2. 22 Apr, 2015 33 commits
    • Mark Brown's avatar
      video: vgacon: Don't build on arm64 · 1d458a6c
      Mark Brown authored
      commit ee23794b upstream.
      
      arm64 is unlikely to have a VGA console and does not export screen_info
      causing build failures if the driver is build, for example in all*config.
      Add a dependency on !ARM64 to prevent this.
      
      This list is getting quite long, it may be easier to depend on a symbol
      which architectures that do support the driver can select.
      Signed-off-by: default avatarMark Brown <broonie@linaro.org>
      [tomi.valkeinen@ti.com: moved && to first modified line]
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1d458a6c
    • Chen Gang's avatar
      [media] drivers: media: usb: b2c2: use usb_*_coherent() instead of... · 147ff1a3
      Chen Gang authored
      [media] drivers: media: usb: b2c2: use usb_*_coherent() instead of pci_*_consistent() in flexcop-usb.c
      
      commit 6c7e3469 upstream.
      
      Some architectures do not support PCI, but still support USB, so need
      let our usb driver try to use usb_* instead of pci_* to support these
      architectures, or can not pass compiling.
      The related error (with allmodconfig for arc):
          CC [M]  drivers/media/usb/b2c2/flexcop-usb.o
        drivers/media/usb/b2c2/flexcop-usb.c: In function ‘flexcop_usb_transfer_exit’:
        drivers/media/usb/b2c2/flexcop-usb.c:393: error: implicit declaration of function ‘pci_free_consistent’
        drivers/media/usb/b2c2/flexcop-usb.c: In function ‘flexcop_usb_transfer_init’:
        drivers/media/usb/b2c2/flexcop-usb.c:410: error: implicit declaration of function ‘pci_alloc_consistent’
      Signed-off-by: default avatarChen Gang <gang.chen@asianux.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      147ff1a3
    • Majd Dibbiny's avatar
      IB/mlx4: Saturate RoCE port PMA counters in case of overflow · c2b885ae
      Majd Dibbiny authored
      commit 61a3855b upstream.
      
      For RoCE ports, we set the u32 PMA values based on u64 HCA counters. In case of
      overflow, according to the IB spec, we have to saturate a counter to its
      max value, do that.
      
      Fixes: c3779134 ('IB/mlx4: Support PMA counters for IBoE')
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarHadar Hen Zion <hadarh@mellanox.com>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c2b885ae
    • Sasha Levin's avatar
      net: llc: use correct size for sysctl timeout entries · 553dd569
      Sasha Levin authored
      commit 6b8d9117 upstream.
      
      The timeout entries are sizeof(int) rather than sizeof(long), which
      means that when they were getting read we'd also leak kernel memory
      to userspace along with the timeout values.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      553dd569
    • Sasha Levin's avatar
      net: rds: use correct size for max unacked packets and bytes · b4482b53
      Sasha Levin authored
      commit db27ebb1 upstream.
      
      Max unacked packets/bytes is an int while sizeof(long) was used in the
      sysctl table.
      
      This means that when they were getting read we'd also leak kernel memory
      to userspace along with the timeout values.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b4482b53
    • Marek Szyprowski's avatar
      media: s5p-mfc: fix mmap support for 64bit arch · 95ed43f1
      Marek Szyprowski authored
      commit 05b676ab upstream.
      
      TASK_SIZE is depends on the systems architecture (32 or 64 bits) and it
      should not be used for defining offset boundary for mmaping buffers for
      CAPTURE and OUTPUT queues. This patch fixes support for MMAP calls on
      the CAPTURE queue on 64bit architectures (like ARM64).
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarKamil Debski <k.debski@samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      95ed43f1
    • Hans Verkuil's avatar
      sh_veu: v4l2_dev wasn't set · 145fc8e8
      Hans Verkuil authored
      commit ab312030 upstream.
      
      The v4l2_dev field of struct video_device must be set correctly.
      This was never done for this driver, so no video nodes were created
      anymore.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      145fc8e8
    • Mike Christie's avatar
      iscsi target: fix oops when adding reject pdu · e0e2e64b
      Mike Christie authored
      commit b815fc12 upstream.
      
      This fixes a oops due to a double list add when adding a reject PDU for
      iscsit_allocate_iovecs allocation failures. The cmd has already been
      added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call
      iscsit_reject_cmd.
      
      Note that for ERL0 the reject PDU is not actually sent, so this patch
      is not completely tested. Just verified we do not oops. The problem is the
      add reject functions return -1 which is returned all the way up to
      iscsi_target_rx_thread which for ERL0 will drop the connection.
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e0e2e64b
    • Al Viro's avatar
      ioctx_alloc(): fix vma (and file) leak on failure · f9324979
      Al Viro authored
      commit deeb8525 upstream.
      
      If we fail past the aio_setup_ring(), we need to destroy the
      mapping.  We don't need to care about anybody having found ctx,
      or added requests to it, since the last failure exit is exactly
      the failure to make ctx visible to lookups.
      
      Reproducer (based on one by Joe Mario <jmario@redhat.com>):
      
      void count(char *p)
      {
      	char s[80];
      	printf("%s: ", p);
      	fflush(stdout);
      	sprintf(s, "/bin/cat /proc/%d/maps|/bin/fgrep -c '/[aio] (deleted)'", getpid());
      	system(s);
      }
      
      int main()
      {
      	io_context_t *ctx;
      	int created, limit, i, destroyed;
      	FILE *f;
      
      	count("before");
      	if ((f = fopen("/proc/sys/fs/aio-max-nr", "r")) == NULL)
      		perror("opening aio-max-nr");
      	else if (fscanf(f, "%d", &limit) != 1)
      		fprintf(stderr, "can't parse aio-max-nr\n");
      	else if ((ctx = calloc(limit, sizeof(io_context_t))) == NULL)
      		perror("allocating aio_context_t array");
      	else {
      		for (i = 0, created = 0; i < limit; i++) {
      			if (io_setup(1000, ctx + created) == 0)
      				created++;
      		}
      		for (i = 0, destroyed = 0; i < created; i++)
      			if (io_destroy(ctx[i]) == 0)
      				destroyed++;
      		printf("created %d, failed %d, destroyed %d\n",
      			created, limit - created, destroyed);
      		count("after");
      	}
      }
      Found-by: default avatarJoe Mario <jmario@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f9324979
    • Al Viro's avatar
      ocfs2: _really_ sync the right range · 6b71b6af
      Al Viro authored
      commit 64b4e252 upstream.
      
      "ocfs2 syncs the wrong range" had been broken; prior to it the
      code was doing the wrong thing in case of O_APPEND, all right,
      but _after_ it we were syncing the wrong range in 100% cases.
      *ppos, aka iocb->ki_pos is incremented prior to that point,
      so we are always doing sync on the area _after_ the one we'd
      written to.
      
      Spotted by Joseph Qi <joseph.qi@huawei.com> back in January;
      unfortunately, I'd missed his mail back then ;-/
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6b71b6af
    • John Soni Jose's avatar
      be2iscsi: Fix kernel panic when device initialization fails · b76a0413
      John Soni Jose authored
      commit 2e7cee02 upstream.
      
      Kernel panic was happening as iscsi_host_remove() was called on
      a host which was not yet added.
      Signed-off-by: default avatarJohn Soni Jose <sony.john-n@emulex.com>
      Reviewed-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b76a0413
    • David Disseldorp's avatar
      cifs: fix use-after-free bug in find_writable_file · 175bf82c
      David Disseldorp authored
      commit e1e9bda2 upstream.
      
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a user-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarJeff Layton <jlayton@samba.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      175bf82c
    • Peter Hurley's avatar
      n_tty: Fix read buffer overwrite when no newline · ac02633d
      Peter Hurley authored
      commit fb5ef9e7 upstream.
      
      In canon mode, the read buffer head will advance over the buffer tail
      if the input > 4095 bytes without receiving a line termination char.
      
      Discard additional input until a line termination is received.
      Before evaluating for overflow, the 'room' value is normalized for
      I_PARMRK and 1 byte is reserved for line termination (even in !icanon
      mode, in case the mode is switched). The following table shows the
      transform:
      
       actual buffer |  'room' value before overflow calc
        space avail  |    !I_PARMRK    |    I_PARMRK
       --------------------------------------------------
            0        |       -1        |       -1
            1        |        0        |        0
            2        |        1        |        0
            3        |        2        |        0
            4+       |        3        |        1
      
      When !icanon or when icanon and the read buffer contains newlines,
      normalized 'room' values of -1 and 0 are clamped to 0, and
      'overflow' is 0, so read_head is not adjusted and the input i/o loop
      exits (setting no_room if called from flush_to_ldisc()). No input
      is discarded since the reader does have input available to read
      which ensures forward progress.
      
      When icanon and the read buffer does not contain newlines and the
      normalized 'room' value is 0, then overflow and room are reset to 1,
      so that the i/o loop will process the next input char normally
      (except for parity errors which are ignored). Thus, erasures, signalling
      chars, 7-bit mode, etc. will continue to be handled properly.
      
      If the input char processed was not a line termination char, then
      the canon_head index will not have advanced, so the normalized 'room'
      value will now be -1 and 'overflow' will be set, which indicates the
      read_head can safely be reset, effectively erasing the last char
      processed.
      
      If the input char processed was a line termination, then the
      canon_head index will have advanced, so 'overflow' is cleared to 0,
      the read_head is not reset, and 'room' is cleared to 0, which exits
      the i/o loop (because the reader now have input available to read
      which ensures forward progress).
      
      Note that it is possible for a line termination to be received, and
      for the reader to copy the line to the user buffer before the
      input i/o loop is ready to process the next input char. This is
      why the i/o loop recomputes the room/overflow state with every
      input char while handling overflow.
      
      Finally, if the input data was processed without receiving
      a line termination (so that overflow is still set), the pty
      driver must receive a write wakeup. A pty writer may be waiting
      to write more data in n_tty_write() but without unthrottling
      here that wakeup will not arrive, and forward progress will halt.
      (Normally, the pty writer is woken when the reader reads data out
      of the buffer and more space become available).
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      (backported from commit fb5ef9e7)
      Signed-off-by: default avatarJoseph Salisbury <joseph.salisbury@canonical.com>
      ac02633d
    • Stefan Agner's avatar
      tty: serial: fsl_lpuart: clear receive flag on FIFO flush · dabdec3b
      Stefan Agner authored
      commit 8e4934c6 upstream.
      
      When the receiver was enabled during startup, a character could
      have been in the FIFO when the UART get initially used. The
      driver configures the (receive) watermark level, and flushes the
      FIFO. However, the receive flag (RDRF) could still be set at that
      stage (as mentioned in the register description of UARTx_RWFIFO).
      This leads to an interrupt which won't be handled properly in
      interrupt mode: The receive interrupt function lpuart_rxint checks
      the FIFO count, which is 0 at that point (due to the flush
      during initialization). The problem does not manifest when using
      DMA to receive characters.
      
      Fix this situation by explicitly read the status register, which
      leads to clearing of the RDRF flag. Due to the flush just after
      the status flag read, a explicit data read is not to required.
      Signed-off-by: default avatarStefan Agner <stefan@agner.ch>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      dabdec3b
    • Lu Baolu's avatar
      usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers · 0bd26503
      Lu Baolu authored
      commit 227a4fd8 upstream.
      
      When a device with an isochronous endpoint is plugged into the Intel
      xHCI host controller, and the driver submits multiple frames per URB,
      the xHCI driver will set the Block Event Interrupt (BEI) flag on all
      but the last TD for the URB. This causes the host controller to place
      an event on the event ring, but not send an interrupt. When the last
      TD for the URB completes, BEI is cleared, and we get an interrupt for
      the whole URB.
      
      However, under Intel xHCI host controllers, if the event ring is full
      of events from transfers with BEI set,  an "Event Ring is Full" event
      will be posted to the last entry of the event ring,  but no interrupt
      is generated. Host will cease all transfer and command executions and
      wait until software completes handling the pending events in the event
      ring.  That means xHC stops, but event of "event ring is full" is not
      notified. As the result, the xHC looks like dead to user.
      
      This patch is to apply XHCI_AVOID_BEI quirk to Intel xHC devices. And
      it should be backported to kernels as old as 3.0, that contains the
      commit 69e848c2 ("Intel xhci: Support EHCI/xHCI port switching.").
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Tested-by: default avatarAlistair Grant <akgrant0710@gmail.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0bd26503
    • Lu Baolu's avatar
      usb: xhci: handle Config Error Change (CEC) in xhci driver · 55d572b9
      Lu Baolu authored
      commit 9425183d upstream.
      
      Linux xHCI driver doesn't report and handle port cofig error change.
      If Port Configure Error for root hub port occurs, CEC bit in PORTSC
      would be set by xHC and remains 1. This happends when the root port
      fails to configure its link partner, e.g. the port fails to exchange
      port capabilities information using Port Capability LMPs.
      
      Then the Port Status Change Events will be blocked until all status
      change bits(CEC is one of the change bits) are cleared('0') (refer to
      xHCI spec 4.19.2). Otherwise, the port status change event for this
      root port will not be generated anymore, then root port would look
      like dead for user and can't be recovered until a Host Controller
      Reset(HCRST).
      
      This patch is to check CEC bit in PORTSC in xhci_get_port_status()
      and set a Config Error in the return status if CEC is set. This will
      cause a ClearPortFeature request, where CEC bit is cleared in
      xhci_clear_port_change_bit().
      
      [The commit log is based on initial Marvell patch posted at
      http://marc.info/?l=linux-kernel&m=142323612321434&w=2]
      Reported-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      55d572b9
    • Andreas Werner's avatar
      can: flexcan: Deferred on Regulator return EPROBE_DEFER · a261251a
      Andreas Werner authored
      commit 555828ef upstream.
      
      Return EPROBE_DEFER if Regulator returns EPROBE_DEFER
      
      If the Flexcan driver is built into kernel and a regulator is used to
      enable the CAN transceiver, the Flexcan driver may not use the regulator.
      
      When initializing the Flexcan device with a regulator defined in the device
      tree, but not initialized, the regulator subsystem returns EPROBE_DEFER, hence
      the Flexcan init fails.
      
      The solution for this is to return EPROBE_DEFER if regulator is not initialized
      and wait until the regulator is initialized.
      Signed-off-by: default avatarAndreas Werner <kernel@andy89.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a261251a
    • Stefan Lippers-Hollmann's avatar
      x86/reboot: Add ASRock Q1900DC-ITX mainboard reboot quirk · fb2f660d
      Stefan Lippers-Hollmann authored
      commit 80313b30 upstream.
      
      The ASRock Q1900DC-ITX mainboard (Baytrail-D) hangs randomly in
      both BIOS and UEFI mode while rebooting unless reboot=pci is
      used. Add a quirk to reboot via the pci method.
      
      The problem is very intermittent and hard to debug, it might succeed
      rebooting just fine 40 times in a row - but fails half a dozen times
      the next day. It seems to be slightly less common in BIOS CSM mode
      than native UEFI (with the CSM disabled), but it does happen in either
      mode. Since I've started testing this patch in late january, rebooting
      has been 100% reliable.
      
      Most of the time it already hangs during POST, but occasionally it
      might even make it through the bootloader and the kernel might even
      start booting, but then hangs before the mode switch. The same symptoms
      occur with grub-efi, gummiboot and grub-pc, just as well as (at least)
      kernel 3.16-3.19 and 4.0-rc6 (I haven't tried older kernels than 3.16).
      Upgrading to the most current mainboard firmware of the ASRock
      Q1900DC-ITX, version 1.20, does not improve the situation.
      
      ( Searching the web seems to suggest that other Bay Trail-D mainboards
        might be affected as well. )
      --
      Signed-off-by: default avatarStefan Lippers-Hollmann <s.l-h@gmx.de>
      Cc: Matt Fleming <matt.fleming@intel.com>
      Link: http://lkml.kernel.org/r/20150330224427.0fb58e42@mirSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fb2f660d
    • Peter Ujfalusi's avatar
      dmaengine: omap-dma: Fix memory leak when terminating running transfer · c38aa9bb
      Peter Ujfalusi authored
      commit 02d88b73 upstream.
      
      In omap_dma_start_desc the vdesc->node is removed from the virt-dma
      framework managed lists (to be precise from the desc_issued list).
      If a terminate_all comes before the transfer finishes the omap_desc will
      not be freed up because it is not in any of the lists and we stopped the
      DMA channel so the transfer will not going to complete.
      There is no special sequence for leaking memory when using cyclic (audio)
      transfer: with every start and stop of a cyclic transfer the driver leaks
      struct omap_desc worth of memory.
      
      Free up the allocated memory directly in omap_dma_terminate_all() since the
      framework will not going to do that for us.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      CC: <linux-omap@vger.kernel.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c38aa9bb
    • Darshana Padmadas's avatar
      iio: imu: Use iio_trigger_get for indio_dev->trig assignment · d85168be
      Darshana Padmadas authored
      commit 4ce7ca89 upstream.
      
      This patch uses iio_trigger_get to increment the reference
      count of trigger device, to avoid incorrect assignment.
      Can result in a null pointer dereference during removal if the
      trigger has been changed before removal.
      
      This patch refers to a similar situation encountered through the
      following discussion:
      http://www.spinics.net/lists/linux-iio/msg13669.htmlSigned-off-by: default avatarDarshana Padmadas <darshanapadmadas@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d85168be
    • Viorel Suman's avatar
      iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo · 6e106485
      Viorel Suman authored
      commit 4dac0a8e upstream.
      
      A hardware fifo reset always imply an invalidation of the
      existing timestamps, so we'll clear timestamps fifo on
      successfull hardware fifo reset.
      Signed-off-by: default avatarViorel Suman <viorel.suman@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6e106485
    • Bart Van Assche's avatar
      Defer processing of REQ_PREEMPT requests for blocked devices · b71eafb8
      Bart Van Assche authored
      commit bba0bdd7 upstream.
      
      SCSI transport drivers and SCSI LLDs block a SCSI device if the
      transport layer is not operational. This means that in this state
      no requests should be processed, even if the REQ_PREEMPT flag has
      been set. This patch avoids that a rescan shortly after a cable
      pull sporadically triggers the following kernel oops:
      
      BUG: unable to handle kernel paging request at ffffc9001a6bc084
      IP: [<ffffffffa04e08f2>] mlx4_ib_post_send+0xd2/0xb30 [mlx4_ib]
      Process rescan-scsi-bus (pid: 9241, threadinfo ffff88053484a000, task ffff880534aae100)
      Call Trace:
       [<ffffffffa0718135>] srp_post_send+0x65/0x70 [ib_srp]
       [<ffffffffa071b9df>] srp_queuecommand+0x1cf/0x3e0 [ib_srp]
       [<ffffffffa0001ff1>] scsi_dispatch_cmd+0x101/0x280 [scsi_mod]
       [<ffffffffa0009ad1>] scsi_request_fn+0x411/0x4d0 [scsi_mod]
       [<ffffffff81223b37>] __blk_run_queue+0x27/0x30
       [<ffffffff8122a8d2>] blk_execute_rq_nowait+0x82/0x110
       [<ffffffff8122a9c2>] blk_execute_rq+0x62/0xf0
       [<ffffffffa000b0e8>] scsi_execute+0xe8/0x190 [scsi_mod]
       [<ffffffffa000b2f3>] scsi_execute_req+0xa3/0x130 [scsi_mod]
       [<ffffffffa000c1aa>] scsi_probe_lun+0x17a/0x450 [scsi_mod]
       [<ffffffffa000ce86>] scsi_probe_and_add_lun+0x156/0x480 [scsi_mod]
       [<ffffffffa000dc2f>] __scsi_scan_target+0xdf/0x1f0 [scsi_mod]
       [<ffffffffa000dfa3>] scsi_scan_host_selected+0x183/0x1c0 [scsi_mod]
       [<ffffffffa000edfb>] scsi_scan+0xdb/0xe0 [scsi_mod]
       [<ffffffffa000ee13>] store_scan+0x13/0x20 [scsi_mod]
       [<ffffffff811c8d9b>] sysfs_write_file+0xcb/0x160
       [<ffffffff811589de>] vfs_write+0xce/0x140
       [<ffffffff81158b53>] sys_write+0x53/0xa0
       [<ffffffff81464592>] system_call_fastpath+0x16/0x1b
       [<00007f611c9d9300>] 0x7f611c9d92ff
      Reported-by: default avatarMax Gurtuvoy <maxg@mellanox.com>
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Reviewed-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b71eafb8
    • Doug Goldstein's avatar
      USB: ftdi_sio: Use jtag quirk for SNAP Connect E10 · 708d0b88
      Doug Goldstein authored
      commit b229a0f8 upstream.
      
      This patch uses the existing CALAO Systems ftdi_8u2232c_probe in order
      to avoid attaching a TTY to the JTAG port as this board is based on the
      CALAO Systems reference design and needs the same fix up.
      Signed-off-by: default avatarDoug Goldstein <cardoe@cardoe.com>
      [johan: clean up probe logic ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      708d0b88
    • Doug Goldstein's avatar
      USB: ftdi_sio: Added custom PID for Synapse Wireless product · 4b54431d
      Doug Goldstein authored
      commit 4899c054 upstream.
      
      Synapse Wireless uses the FTDI VID with a custom PID of 0x9090 for their
      SNAP Stick 200 product.
      Signed-off-by: default avatarDoug Goldstein <cardoe@cardoe.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4b54431d
    • David Miller's avatar
      radeon: Do not directly dereference pointers to BIOS area. · 7854b0fb
      David Miller authored
      commit f2c9e560 upstream.
      
      Use readb() and memcpy_fromio() accessors instead.
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7854b0fb
    • Tejun Heo's avatar
      writeback: fix possible underflow in write bandwidth calculation · c75b0a8b
      Tejun Heo authored
      commit c72efb65 upstream.
      
      From 1ebf33901ecc75d9496862dceb1ef0377980587c Mon Sep 17 00:00:00 2001
      From: Tejun Heo <tj@kernel.org>
      Date: Mon, 23 Mar 2015 00:08:19 -0400
      
      2f800fbd ("writeback: fix dirtied pages accounting on redirty")
      introduced account_page_redirty() which reverts stat updates for a
      redirtied page, making BDI_DIRTIED no longer monotonically increasing.
      
      bdi_update_write_bandwidth() uses the delta in BDI_DIRTIED as the
      basis for bandwidth calculation.  While unlikely, since the above
      patch, the newer value may be lower than the recorded past value and
      underflow the bandwidth calculation leading to a wild result.
      
      Fix it by subtracing min of the old and new values when calculating
      delta.  AFAIK, there hasn't been any report of it happening but the
      resulting erratic behavior would be non-critical and temporary, so
      it's possible that the issue is happening without being reported.  The
      risk of the fix is very low, so tagged for -stable.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Greg Thelen <gthelen@google.com>
      Fixes: 2f800fbd ("writeback: fix dirtied pages accounting on redirty")
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c75b0a8b
    • Tejun Heo's avatar
      writeback: add missing INITIAL_JIFFIES init in global_update_bandwidth() · 0d4958ff
      Tejun Heo authored
      commit 7d70e154 upstream.
      
      global_update_bandwidth() uses static variable update_time as the
      timestamp for the last update but forgets to initialize it to
      INITIALIZE_JIFFIES.
      
      This means that global_dirty_limit will be 5 mins into the future on
      32bit and some large amount jiffies into the past on 64bit.  This
      isn't critical as the only effect is that global_dirty_limit won't be
      updated for the first 5 mins after booting on 32bit machines,
      especially given the auxiliary nature of global_dirty_limit's role -
      protecting against global dirty threshold's sudden dips; however, it
      does lead to unintended suboptimal behavior.  Fix it.
      
      Fixes: c42843f2 ("writeback: introduce smoothed global dirty limit")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarJan Kara <jack@suse.cz>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0d4958ff
    • Brian Silverman's avatar
      sched: Fix RLIMIT_RTTIME when PI-boosting to RT · f9212814
      Brian Silverman authored
      commit 746db944 upstream.
      
      When non-realtime tasks get priority-inheritance boosted to a realtime
      scheduling class, RLIMIT_RTTIME starts to apply to them. However, the
      counter used for checking this (the same one used for SCHED_RR
      timeslices) was not getting reset. This meant that tasks running with a
      non-realtime scheduling class which are repeatedly boosted to a realtime
      one, but never block while they are running realtime, eventually hit the
      timeout without ever running for a time over the limit. This patch
      resets the realtime timeslice counter when un-PI-boosting from an RT to
      a non-RT scheduling class.
      
      I have some test code with two threads and a shared PTHREAD_PRIO_INHERIT
      mutex which induces priority boosting and spins while boosted that gets
      killed by a SIGXCPU on non-fixed kernels but doesn't with this patch
      applied. It happens much faster with a CONFIG_PREEMPT_RT kernel, and
      does happen eventually with PREEMPT_VOLUNTARY kernels.
      Signed-off-by: default avatarBrian Silverman <brian@peloton-tech.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: austin@peloton-tech.com
      Link: http://lkml.kernel.org/r/1424305436-6716-1-git-send-email-brian@peloton-tech.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f9212814
    • Gu Zheng's avatar
      mm/memory hotplug: postpone the reset of obsolete pgdat · f875b0d3
      Gu Zheng authored
      commit b0dc3a34 upstream.
      
      Qiu Xishi reported the following BUG when testing hot-add/hot-remove node under
      stress condition:
      
        BUG: unable to handle kernel paging request at 0000000000025f60
        IP: next_online_pgdat+0x1/0x50
        PGD 0
        Oops: 0000 [#1] SMP
        ACPI: Device does not support D3cold
        Modules linked in: fuse nls_iso8859_1 nls_cp437 vfat fat loop dm_mod coretemp mperf crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 pcspkr microcode igb dca i2c_algo_bit ipv6 megaraid_sas iTCO_wdt i2c_i801 i2c_core iTCO_vendor_support tg3 sg hwmon ptp lpc_ich pps_core mfd_core acpi_pad rtc_cmos button ext3 jbd mbcache sd_mod crc_t10dif scsi_dh_alua scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh ahci libahci libata scsi_mod [last unloaded: rasf]
        CPU: 23 PID: 238 Comm: kworker/23:1 Tainted: G           O 3.10.15-5885-euler0302 #1
        Hardware name: HUAWEI TECHNOLOGIES CO.,LTD. Huawei N1/Huawei N1, BIOS V100R001 03/02/2015
        Workqueue: events vmstat_update
        task: ffffa800d32c0000 ti: ffffa800d32ae000 task.ti: ffffa800d32ae000
        RIP: 0010: next_online_pgdat+0x1/0x50
        RSP: 0018:ffffa800d32afce8  EFLAGS: 00010286
        RAX: 0000000000001440 RBX: ffffffff81da53b8 RCX: 0000000000000082
        RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000000
        RBP: ffffa800d32afd28 R08: ffffffff81c93bfc R09: ffffffff81cbdc96
        R10: 00000000000040ec R11: 00000000000000a0 R12: ffffa800fffb3440
        R13: ffffa800d32afd38 R14: 0000000000000017 R15: ffffa800e6616800
        FS:  0000000000000000(0000) GS:ffffa800e6600000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000025f60 CR3: 0000000001a0b000 CR4: 00000000001407e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
          refresh_cpu_vm_stats+0xd0/0x140
          vmstat_update+0x11/0x50
          process_one_work+0x194/0x3d0
          worker_thread+0x12b/0x410
          kthread+0xc6/0xd0
          ret_from_fork+0x7c/0xb0
      
      The cause is the "memset(pgdat, 0, sizeof(*pgdat))" at the end of
      try_offline_node, which will reset all the content of pgdat to 0, as the
      pgdat is accessed lock-free, so that the users still using the pgdat
      will panic, such as the vmstat_update routine.
      
      process A:				offline node XX:
      
      vmstat_updat()
         refresh_cpu_vm_stats()
           for_each_populated_zone()
             find online node XX
           cond_resched()
      					offline cpu and memory, then try_offline_node()
      					node_set_offline(nid), and memset(pgdat, 0, sizeof(*pgdat))
             zone = next_zone(zone)
               pg_data_t *pgdat = zone->zone_pgdat;  // here pgdat is NULL now
                 next_online_pgdat(pgdat)
                   next_online_node(pgdat->node_id);  // NULL pointer access
      
      So the solution here is postponing the reset of obsolete pgdat from
      try_offline_node() to hotadd_new_pgdat(), and just resetting
      pgdat->nr_zones and pgdat->classzone_idx to be 0 rather than the memset
      0 to avoid breaking pointer information in pgdat.
      Signed-off-by: default avatarGu Zheng <guz.fnst@cn.fujitsu.com>
      Reported-by: default avatarXishi Qiu <qiuxishi@huawei.com>
      Suggested-by: default avatarKAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Taku Izumi <izumi.taku@jp.fujitsu.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Cc: Xie XiuQi <xiexiuqi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f875b0d3
    • Sudip Mukherjee's avatar
      nbd: fix possible memory leak · dc74756d
      Sudip Mukherjee authored
      commit ff6b8090 upstream.
      
      we have already allocated memory for nbd_dev, but we were not
      releasing that memory and just returning the error value.
      Signed-off-by: default avatarSudip Mukherjee <sudip@vectorindia.org>
      Acked-by: default avatarPaul Clements <Paul.Clements@SteelEye.com>
      Signed-off-by: default avatarMarkus Pargmann <mpa@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      dc74756d
    • Emmanuel Grumbach's avatar
      iwlwifi: dvm: run INIT firmware again upon .start() · c866e10c
      Emmanuel Grumbach authored
      commit 9c8928f5 upstream.
      
      The assumption before this patch was that we don't need to
      run again the INIT firmware after the system booted. The
      INIT firmware runs calibrations which impact the physical
      layer's behavior.
      Users reported that it may be helpful to run these
      calibrations again every time the interface is brought up.
      The penatly is minimal, since the calibrations run fast.
      This fixes:
      https://bugzilla.kernel.org/show_bug.cgi?id=94341Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c866e10c
    • Shachar Raindel's avatar
      IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic · f6094cba
      Shachar Raindel authored
      commit 8494057a upstream.
      
      Properly verify that the resulting page aligned end address is larger
      than both the start address and the length of the memory area requested.
      
      Both the start and length arguments for ib_umem_get are controlled by
      the user. A misbehaving user can provide values which will cause an
      integer overflow when calculating the page aligned end address.
      
      This overflow can cause also miscalculation of the number of pages
      mapped, and additional logic issues.
      
      Addresses: CVE-2014-8159
      Signed-off-by: default avatarShachar Raindel <raindel@mellanox.com>
      Signed-off-by: default avatarJack Morgenstein <jackm@mellanox.com>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f6094cba
    • Ben Hutchings's avatar
      tcp: Fix crash in TCP Fast Open · 221ff9c5
      Ben Hutchings authored
      Commit 355a901e ("tcp: make connect() mem charging friendly")
      changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
      skb rather than using skb_copy_expand().
      
      The open-coded copy does not cover the skb_shared_info::gso_segs
      field, so in the new skb it is left set to 0.  When this commit was
      backported into stable branches between 3.10.y and 3.16.7-ckty
      inclusive, it triggered the BUG() in tcp_transmit_skb().
      
      Since Linux 3.18 the GSO segment count is kept in the
      tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
      tcp_skb_cb structure to the new skb, so mainline and newer stable
      branches are not affected.
      
      Set skb_shared_info::gso_segs to the correct value of 1.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      221ff9c5