1. 25 Aug, 2015 7 commits
    • Chris Wilson's avatar
      drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop · a38baaad
      Chris Wilson authored
      commit ee0a227b upstream.
      
      Since we may conceivably encounter situations where the upper part of the
      64bit register changes between reads, for example when a timestamp
      counter overflows, change the WARN into a retry loop.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Michał Winiarski <michal.winiarski@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a38baaad
    • Yao-Wen Mao's avatar
      ALSA: usb-audio: add dB range mapping for some devices · 8e5ad4f5
      Yao-Wen Mao authored
      commit 2d1cb7f6 upstream.
      
      Add the correct dB ranges of Bose Companion 5 and Drangonfly DAC 1.2.
      Signed-off-by: default avatarYao-Wen Mao <yaowen@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8e5ad4f5
    • Takashi Iwai's avatar
      ALSA: hda - Apply a fixup to Dell Vostro 5480 · e4c88184
      Takashi Iwai authored
      commit 3a05d12f upstream.
      
      Dell Vostro 5480 (1028:069a) needs the very same quirk used for Vostro
      5470 model to make bass speakers properly working.
      Reported-and-tested-by: default avatarPaulo Roberto de Oliveira Castro <p.oliveira.castro@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e4c88184
    • Dave Chinner's avatar
      xfs: remote attributes need to be considered data · 7f6db5ac
      Dave Chinner authored
      commit df150ed1 upstream.
      
      We don't log remote attribute contents, and instead write them
      synchronously before we commit the block allocation and attribute
      tree update transaction. As a result we are writing to the allocated
      space before the allcoation has been made permanent.
      
      As a result, we cannot consider this allocation to be a metadata
      allocation. Metadata allocation can take blocks from the free list
      and so reuse them before the transaction that freed the block is
      committed to disk. This behaviour is perfectly fine for journalled
      metadata changes as log recovery will ensure the free operation is
      replayed before the overwrite, but for remote attribute writes this
      is not the case.
      
      Hence we have to consider the remote attribute blocks to contain
      data and allocate accordingly. We do this by dropping the
      XFS_BMAPI_METADATA flag from the block allocation. This means the
      allocation will not use blocks that are on the busy list without
      first ensuring that the freeing transaction has been committed to
      disk and the blocks removed from the busy list. This ensures we will
      never overwrite a freed block without first ensuring that it is
      really free.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      [ luis: backported to 3.16:
        - file rename: fs/xfs/libxfs/xfs_attr_remote.c -> fs/xfs/xfs_attr_remote.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7f6db5ac
    • Dave Chinner's avatar
      xfs: remote attribute headers contain an invalid LSN · 2f0b55e0
      Dave Chinner authored
      commit e3c32ee9 upstream.
      
      In recent testing, a system that crashed failed log recovery on
      restart with a bad symlink buffer magic number:
      
      XFS (vda): Starting recovery (logdev: internal)
      XFS (vda): Bad symlink block magic!
      XFS: Assertion failed: 0, file: fs/xfs/xfs_log_recover.c, line: 2060
      
      On examination of the log via xfs_logprint, none of the symlink
      buffers in the log had a bad magic number, nor were any other types
      of buffer log format headers mis-identified as symlink buffers.
      Tracing was used to find the buffer the kernel was tripping over,
      and xfs_db identified it's contents as:
      
      000: 5841524d 00000000 00000346 64d82b48 8983e692 d71e4680 a5f49e2c b317576e
      020: 00000000 00602038 00000000 006034ce d0020000 00000000 4d4d4d4d 4d4d4d4d
      040: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      060: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      .....
      
      This is a remote attribute buffer, which are notable in that they
      are not logged but are instead written synchronously by the remote
      attribute code so that they exist on disk before the attribute
      transactions are committed to the journal.
      
      The above remote attribute block has an invalid LSN in it - cycle
      0xd002000, block 0 - which means when log recovery comes along to
      determine if the transaction that writes to the underlying block
      should be replayed, it sees a block that has a future LSN and so
      does not replay the buffer data in the transaction. Instead, it
      validates the buffer magic number and attaches the buffer verifier
      to it.  It is this buffer magic number check that is failing in the
      above assert, indicating that we skipped replay due to the LSN of
      the underlying buffer.
      
      The problem here is that the remote attribute buffers cannot have a
      valid LSN placed into them, because the transaction that contains
      the attribute tree pointer changes and the block allocation that the
      attribute data is being written to hasn't yet been committed. Hence
      the LSN field in the attribute block is completely unwritten,
      thereby leaving the underlying contents of the block in the LSN
      field. It could have any value, and hence a future overwrite of the
      block by log recovery may or may not work correctly.
      
      Fix this by always writing an invalid LSN to the remote attribute
      block, as any buffer in log recovery that needs to write over the
      remote attribute should occur. We are protected from having old data
      written over the attribute by the fact that freeing the block before
      the remote attribute is written will result in the buffer being
      marked stale in the log and so all changes prior to the buffer stale
      transaction will be cancelled by log recovery.
      
      Hence it is safe to ignore the LSN in the case or synchronously
      written, unlogged metadata such as remote attribute blocks, and to
      ensure we do that correctly, we need to write an invalid LSN to all
      remote attribute blocks to trigger immediate recovery of metadata
      that is written over the top.
      
      As a further protection for filesystems that may already have remote
      attribute blocks with bad LSNs on disk, change the log recovery code
      to always trigger immediate recovery of metadata over remote
      attribute blocks.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      [ luis: backported to 3.16:
        - use 'EFSCORRUPTED' instead of '-EFSCORRUPTED' in xfs_buf_ioerror() ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2f0b55e0
    • Ard Biesheuvel's avatar
      arm64/efi: map the entire UEFI vendor string before reading it · 991e893c
      Ard Biesheuvel authored
      commit f91b1fea upstream.
      
      At boot, the UTF-16 UEFI vendor string is copied from the system
      table into a char array with a size of 100 bytes. However, this
      size of 100 bytes is also used for memremapping() the source,
      which may not be sufficient if the vendor string exceeds 50
      UTF-16 characters, and the placement of the vendor string inside
      a 4 KB page happens to leave the end unmapped.
      
      So use the correct '100 * sizeof(efi_char16_t)' for the size of
      the mapping.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Fixes: f84d0275 ("arm64: add EFI runtime services")
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      991e893c
    • Marc-André Lureau's avatar
      vhost: actually track log eventfd file · c433ad7a
      Marc-André Lureau authored
      commit 7932c0bd upstream.
      
      While reviewing vhost log code, I found out that log_file is never
      set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
      Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c433ad7a
  2. 20 Aug, 2015 11 commits
    • Takashi Iwai's avatar
      ALSA: hda - Apply fixup for another Toshiba Satellite S50D · a4f614d5
      Takashi Iwai authored
      commit b9d9c9ef upstream.
      
      Toshiba Satellite S50D has another model with a different PCI SSID
      (1179:fa93) while the previous fixup was for 1179:fa91.  Adjust the
      fixup entry with SND_PCI_QUIRK_MASK() to match with both devices.
      Reported-by: default avatarTim Sample <timsample@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a4f614d5
    • Denis Carikli's avatar
      ARM: dts: i.MX35: Fix can support. · be3e10f8
      Denis Carikli authored
      commit e053f96b upstream.
      
      Since commit 3d42a379
      ("can: flexcan: add 2nd clock to support imx53 and newer")
      the can driver requires a dt nodes to have a second clock.
      Add them to imx35 to fix probing the flex can driver on the
      respective platforms.
      Signed-off-by: default avatarDenis Carikli <denis@eukrea.com>
      Signed-off-by: default avatarShawn Guo <shawnguo@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      be3e10f8
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iser explicit logout TX kthread leak · abc10600
      Nicholas Bellinger authored
      commit 007d038b upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where an explicit iser-target logout would result
      in ->tx_thread_active being incorrectly cleared by the logout post
      handler, and subsequent TX kthread leak:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, change iscsit_logout_post_handler_closesession()
      and iscsit_logout_post_handler_samecid() to only cmpxchg() on
      ->tx_thread_active for traditional iscsi/tcp connections.
      
      This is required because iscsi/tcp connections are invoking logout
      post handler logic directly from TX kthread context, while iser
      connections are invoking logout post handler logic from a seperate
      workqueue context.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      abc10600
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iscsit_start_kthreads failure OOPs · e76230df
      Nicholas Bellinger authored
      commit e5419865 upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where a iscsit_start_kthreads() failure triggers
      a NULL pointer dereference OOPs:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, move iscsit_start_kthreads() immediately
      preceeding the transmit of last login response, before signaling
      a successful transition into full-feature-phase within existing
      iscsi_target_do_tx_login_io() logic.
      
      This ensures that no target-side resource allocation failures can
      occur after the final login response has been successfully sent.
      
      Also, it adds a iscsi_conn->rx_login_comp to allow the RX thread
      to sleep to prevent other socket related failures until the final
      iscsi_post_login_handler() call is able to complete.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e76230df
    • Nicholas Bellinger's avatar
      iscsi-target: Fix use-after-free during TPG session shutdown · a19a94df
      Nicholas Bellinger authored
      commit 417c20a9 upstream.
      
      This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
      where se_portal_group->session_lock was incorrectly released/re-acquired
      while walking the active se_portal_group->tpg_sess_list.
      
      The can result in a NULL pointer dereference when iscsit_close_session()
      shutdown happens in the normal path asynchronously to this code, causing
      a bogus dereference of an already freed list entry to occur.
      
      To address this bug, walk the session list checking for the same state
      as before, but move entries to a local list to avoid dropping the lock
      while walking the active list.
      
      As before, signal using iscsi_session->session_restatement=1 for those
      list entries to be released locally by iscsit_free_session() code.
      Reported-by: default avatarSunilkumar Nadumuttlu <sjn@datera.io>
      Cc: Sunilkumar Nadumuttlu <sjn@datera.io>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a19a94df
    • Axel Lin's avatar
      ASoC: pcm1681: Fix setting de-emphasis sampling rate selection · 809f410c
      Axel Lin authored
      commit fa8173a3 upstream.
      
      The de-emphasis sampling rate selection is controlled by BIT[3:4] of
      PCM1681_DEEMPH_CONTROL register. Do proper left shift to set it.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Acked-by: default avatarMarek Belisko <marek.belisko@streamunlimited.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      809f410c
    • Roger Quadros's avatar
      ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc · 02c82959
      Roger Quadros authored
      commit 9a258afa upstream.
      
      For hwmods without sysc, _init_mpu_rt_base(oh) won't be called and so
      _find_mpu_rt_port(oh) will return NULL thus preventing ready state check
      on those modules after the module is enabled.
      
      This can potentially cause a bus access error if the module is accessed
      before the module is ready.
      
      Fix this by unconditionally calling _init_mpu_rt_base() during hwmod
      _init(). Do ioremap only if we need SYSC access.
      
      Eventhough _wait_target_ready() check doesn't really need MPU RT port but
      just the PRCM registers, we still mandate that the hwmod must have an
      MPU RT port if ready state check needs to be done. Else it would mean that
      the module is not accessible by MPU so there is no point in waiting
      for target to be ready.
      
      e.g. this fixes the below DCAN bus access error on AM437x-gp-evm.
      
      [   16.672978] ------------[ cut here ]------------
      [   16.677885] WARNING: CPU: 0 PID: 1580 at drivers/bus/omap_l3_noc.c:147 l3_interrupt_handler+0x234/0x35c()
      [   16.687946] 44000000.ocp:L3 Custom Error: MASTER M2 (64-bit) TARGET L4_PER_0 (Read): Data Access in User mode during Functional access
      [   16.700654] Modules linked in: xhci_hcd btwilink ti_vpfe dwc3 videobuf2_core ov2659 bluetooth v4l2_common videodev ti_am335x_adc kfifo_buf industrialio c_can_platform videobuf2_dma_contig media snd_soc_tlv320aic3x pixcir_i2c_ts c_can dc
      [   16.731144] CPU: 0 PID: 1580 Comm: rpc.statd Not tainted 3.14.26-02561-gf733aa036398 #180
      [   16.739747] Backtrace:
      [   16.742336] [<c0011108>] (dump_backtrace) from [<c00112a4>] (show_stack+0x18/0x1c)
      [   16.750285]  r6:00000093 r5:00000009 r4:eab5b8a8 r3:00000000
      [   16.756252] [<c001128c>] (show_stack) from [<c05a4418>] (dump_stack+0x20/0x28)
      [   16.763870] [<c05a43f8>] (dump_stack) from [<c0037120>] (warn_slowpath_common+0x6c/0x8c)
      [   16.772408] [<c00370b4>] (warn_slowpath_common) from [<c00371e4>] (warn_slowpath_fmt+0x38/0x40)
      [   16.781550]  r8:c05d1f90 r7:c0730844 r6:c0730448 r5:80080003 r4:ed0cd210
      [   16.788626] [<c00371b0>] (warn_slowpath_fmt) from [<c027fa94>] (l3_interrupt_handler+0x234/0x35c)
      [   16.797968]  r3:ed0cd480 r2:c0730508
      [   16.801747] [<c027f860>] (l3_interrupt_handler) from [<c0063758>] (handle_irq_event_percpu+0x54/0x1bc)
      [   16.811533]  r10:ed005600 r9:c084855b r8:0000002a r7:00000000 r6:00000000 r5:0000002a
      [   16.819780]  r4:ed0e6d80
      [   16.822453] [<c0063704>] (handle_irq_event_percpu) from [<c00638f0>] (handle_irq_event+0x30/0x40)
      [   16.831789]  r10:eb2b6938 r9:eb2b6960 r8:bf011420 r7:fa240100 r6:00000000 r5:0000002a
      [   16.840052]  r4:ed005600
      [   16.842744] [<c00638c0>] (handle_irq_event) from [<c00661d8>] (handle_fasteoi_irq+0x74/0x128)
      [   16.851702]  r4:ed005600 r3:00000000
      [   16.855479] [<c0066164>] (handle_fasteoi_irq) from [<c0063068>] (generic_handle_irq+0x28/0x38)
      [   16.864523]  r4:0000002a r3:c0066164
      [   16.868294] [<c0063040>] (generic_handle_irq) from [<c000ef60>] (handle_IRQ+0x38/0x8c)
      [   16.876612]  r4:c081c640 r3:00000202
      [   16.880380] [<c000ef28>] (handle_IRQ) from [<c00084f0>] (gic_handle_irq+0x30/0x5c)
      [   16.888328]  r6:eab5ba38 r5:c0804460 r4:fa24010c r3:00000100
      [   16.894303] [<c00084c0>] (gic_handle_irq) from [<c05a8d80>] (__irq_svc+0x40/0x50)
      [   16.902193] Exception stack(0xeab5ba38 to 0xeab5ba80)
      [   16.907499] ba20:                                                       00000000 00000006
      [   16.916108] ba40: fa1d0000 fa1d0008 ed3d3000 eab5bab4 ed3d3460 c0842af4 bf011420 eb2b6960
      [   16.924716] ba60: eb2b6938 eab5ba8c eab5ba90 eab5ba80 bf035220 bf07702c 600f0013 ffffffff
      [   16.933317]  r7:eab5ba6c r6:ffffffff r5:600f0013 r4:bf07702c
      [   16.939317] [<bf077000>] (c_can_plat_read_reg_aligned_to_16bit [c_can_platform]) from [<bf035220>] (c_can_get_berr_counter+0x38/0x64 [c_can])
      [   16.952696] [<bf0351e8>] (c_can_get_berr_counter [c_can]) from [<bf010294>] (can_fill_info+0x124/0x15c [can_dev])
      [   16.963480]  r5:ec8c9740 r4:ed3d3000
      [   16.967253] [<bf010170>] (can_fill_info [can_dev]) from [<c0502fa8>] (rtnl_fill_ifinfo+0x58c/0x8fc)
      [   16.976749]  r6:ec8c9740 r5:ed3d3000 r4:eb2b6780
      [   16.981613] [<c0502a1c>] (rtnl_fill_ifinfo) from [<c0503408>] (rtnl_dump_ifinfo+0xf0/0x1dc)
      [   16.990401]  r10:ec8c9740 r9:00000000 r8:00000000 r7:00000000 r6:ebd4d1b4 r5:ed3d3000
      [   16.998671]  r4:00000000
      [   17.001342] [<c0503318>] (rtnl_dump_ifinfo) from [<c050e6e4>] (netlink_dump+0xa8/0x1e0)
      [   17.009772]  r10:00000000 r9:00000000 r8:c0503318 r7:ebf3e6c0 r6:ebd4d1b4 r5:ec8c9740
      [   17.018050]  r4:ebd4d000
      [   17.020714] [<c050e63c>] (netlink_dump) from [<c050ec10>] (__netlink_dump_start+0x104/0x154)
      [   17.029591]  r6:eab5bd34 r5:ec8c9980 r4:ebd4d000
      [   17.034454] [<c050eb0c>] (__netlink_dump_start) from [<c0505604>] (rtnetlink_rcv_msg+0x110/0x1f4)
      [   17.043778]  r7:00000000 r6:ec8c9980 r5:00000f40 r4:ebf3e6c0
      [   17.049743] [<c05054f4>] (rtnetlink_rcv_msg) from [<c05108e8>] (netlink_rcv_skb+0xb4/0xc8)
      [   17.058449]  r8:eab5bdac r7:ec8c9980 r6:c05054f4 r5:ec8c9980 r4:ebf3e6c0
      [   17.065534] [<c0510834>] (netlink_rcv_skb) from [<c0504134>] (rtnetlink_rcv+0x24/0x2c)
      [   17.073854]  r6:ebd4d000 r5:00000014 r4:ec8c9980 r3:c0504110
      [   17.079846] [<c0504110>] (rtnetlink_rcv) from [<c05102ac>] (netlink_unicast+0x180/0x1ec)
      [   17.088363]  r4:ed0c6800 r3:c0504110
      [   17.092113] [<c051012c>] (netlink_unicast) from [<c0510670>] (netlink_sendmsg+0x2ac/0x380)
      [   17.100813]  r10:00000000 r8:00000008 r7:ec8c9980 r6:ebd4d000 r5:eab5be70 r4:eab5bee4
      [   17.109083] [<c05103c4>] (netlink_sendmsg) from [<c04dfdb4>] (sock_sendmsg+0x90/0xb0)
      [   17.117305]  r10:00000000 r9:eab5a000 r8:becdda3c r7:0000000c r6:ea978400 r5:eab5be70
      [   17.125563]  r4:c05103c4
      [   17.128225] [<c04dfd24>] (sock_sendmsg) from [<c04e1c28>] (SyS_sendto+0xb8/0xdc)
      [   17.136001]  r6:becdda5c r5:00000014 r4:ecd37040
      [   17.140876] [<c04e1b70>] (SyS_sendto) from [<c000e680>] (ret_fast_syscall+0x0/0x30)
      [   17.148923]  r10:00000000 r8:c000e804 r7:00000122 r6:becdda5c r5:0000000c r4:becdda5c
      [   17.157169] ---[ end trace 2b71e15b38f58bad ]---
      
      Fixes: 6423d6df ("ARM: OMAP2+: hwmod: check for module address space during init")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      02c82959
    • Eric W. Biederman's avatar
      sysfs: Create mountpoints with sysfs_create_mount_point · b8ad501a
      Eric W. Biederman authored
      commit f9bb4882 upstream.
      
      This allows for better documentation in the code and
      it allows for a simpler and fully correct version of
      fs_fully_visible to be written.
      
      The mount points converted and their filesystems are:
      /sys/hypervisor/s390/       s390_hypfs
      /sys/kernel/config/         configfs
      /sys/kernel/debug/          debugfs
      /sys/firmware/efi/efivars/  efivarfs
      /sys/fs/fuse/connections/   fusectl
      /sys/fs/pstore/             pstore
      /sys/kernel/tracing/        tracefs
      /sys/fs/cgroup/             cgroup
      /sys/kernel/security/       securityfs
      /sys/fs/selinux/            selinuxfs
      /sys/fs/smackfs/            smackfs
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b8ad501a
    • David S. Miller's avatar
      sparc64: Fix userspace FPU register corruptions. · 3b9378cc
      David S. Miller authored
      commit 44922150 upstream.
      
      If we have a series of events from userpsace, with %fprs=FPRS_FEF,
      like follows:
      
      ETRAP
      	ETRAP
      		VIS_ENTRY(fprs=0x4)
      		VIS_EXIT
      		RTRAP (kernel FPU restore with fpu_saved=0x4)
      	RTRAP
      
      We will not restore the user registers that were clobbered by the FPU
      using kernel code in the inner-most trap.
      
      Traps allocate FPU save slots in the thread struct, and FPU using
      sequences save the "dirty" FPU registers only.
      
      This works at the initial trap level because all of the registers
      get recorded into the top-level FPU save area, and we'll return
      to userspace with the FPU disabled so that any FPU use by the user
      will take an FPU disabled trap wherein we'll load the registers
      back up properly.
      
      But this is not how trap returns from kernel to kernel operate.
      
      The simplest fix for this bug is to always save all FPU register state
      for anything other than the top-most FPU save area.
      
      Getting rid of the optimized inner-slot FPU saving code ends up
      making VISEntryHalf degenerate into plain VISEntry.
      
      Longer term we need to do something smarter to reinstate the partial
      save optimizations.  Perhaps the fundament error is having trap entry
      and exit allocate FPU save slots and restore register state.  Instead,
      the VISEntry et al. calls should be doing that work.
      
      This bug is about two decades old.
      Reported-by: default avatarJames Y Knight <jyknight@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3b9378cc
    • Benjamin Randazzo's avatar
      md: use kzalloc() when bitmap is disabled · 0624b99b
      Benjamin Randazzo authored
      commit b6878d9e upstream.
      
      In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
      mdu_bitmap_file_t called "file".
      
      5769         file = kmalloc(sizeof(*file), GFP_NOIO);
      5770         if (!file)
      5771                 return -ENOMEM;
      
      This structure is copied to user space at the end of the function.
      
      5786         if (err == 0 &&
      5787             copy_to_user(arg, file, sizeof(*file)))
      5788                 err = -EFAULT
      
      But if bitmap is disabled only the first byte of "file" is initialized
      with zero, so it's possible to read some bytes (up to 4095) of kernel
      space memory from user space. This is an information leak.
      
      5775         /* bitmap disabled, zero the first byte and copy out */
      5776         if (!mddev->bitmap_info.file)
      5777                 file->pathname[0] = '\0';
      Signed-off-by: default avatarBenjamin Randazzo <benjamin@randazzo.fr>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Cc: Moritz Mühlenhoff <jmm@inutil.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0624b99b
    • Luis Henriques's avatar
      Linux 3.16.7-ckt16 · 72388a13
      Luis Henriques authored
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      72388a13
  3. 12 Aug, 2015 14 commits
    • Firo Yang's avatar
      md: fix a build warning · aac281ee
      Firo Yang authored
      commit 4e023612 upstream.
      
      Warning like this:
      
      drivers/md/md.c: In function "update_array_info":
      drivers/md/md.c:6394:26: warning: logical not is only applied
      to the left hand side of comparison [-Wlogical-not-parentheses]
            !mddev->persistent  != info->not_persistent||
      
      Fix it as Neil Brown said:
      mddev->persistent != !info->not_persistent ||
      Signed-off-by: default avatarFiro Yang <firogm@gmail.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      aac281ee
    • Alessio Igor Bogani's avatar
      mmc: sdhci: Fix FSL ESDHC reset handling quirk · 725614a0
      Alessio Igor Bogani authored
      commit 304f0a98 upstream.
      
      The commit 0718e59a ("mmc: sdhci: move FSL ESDHC reset handling quirk into
      esdhc code") states that Freescale esdhc is the only controller which needs
      the interrupt registers restored after a reset. So it moves
      SDHCI_QUIRK_RESTORE_IRQS_AFTER_RESET quirk handling code into the
      esdhc-imx driver only. Unfortunately the same controller is used in
      other boards which use the of-esdhc driver instead (like powerpc P2020).
      
      Restore interrupts after reset in the sdhci-of-esdhc driver also.
      Signed-off-by: default avatarAlessio Igor Bogani <alessio.bogani@elettra.eu>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Cc: Jakub Kicinski <kubakici@wp.pl>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      725614a0
    • Heiko Carstens's avatar
      s390/process: fix sfpc inline assembly · 4a957da5
      Heiko Carstens authored
      commit e47994dd upstream.
      
      The sfpc inline assembly within execve_tail() may incorrectly set bits
      28-31 of the sfpc instruction to a value which is not zero.
      These bits however are currently unused and therefore should be zero
      so we won't get surprised if these bits will be used in the future.
      
      Therefore remove the second operand from the inline assembly.
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4a957da5
    • Martin Schwidefsky's avatar
      s390/sclp: clear upper register halves in _sclp_print_early · 65f9f71d
      Martin Schwidefsky authored
      commit f9c87a6f upstream.
      
      If the kernel is compiled with gcc 5.1 and the XZ compression option
      the decompress_kernel function calls _sclp_print_early in 64-bit mode
      while the content of the upper register half of %r6 is non-zero.
      This causes a specification exception on the servc instruction in
      _sclp_servc.
      
      The _sclp_print_early function saves and restores the upper registers
      halves but it fails to clear them for the 31-bit code of the mini sclp
      driver.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      65f9f71d
    • Al Viro's avatar
      freeing unlinked file indefinitely delayed · e2f9d514
      Al Viro authored
      commit 75a6f82a upstream.
      
      	Normally opening a file, unlinking it and then closing will have
      the inode freed upon close() (provided that it's not otherwise busy and
      has no remaining links, of course).  However, there's one case where that
      does *not* happen.  Namely, if you open it by fhandle with cold dcache,
      then unlink() and close().
      
      	In normal case you get d_delete() in unlink(2) notice that dentry
      is busy and unhash it; on the final dput() it will be forcibly evicted from
      dcache, triggering iput() and inode removal.  In this case, though, we end
      up with *two* dentries - disconnected (created by open-by-fhandle) and
      regular one (used by unlink()).  The latter will have its reference to inode
      dropped just fine, but the former will not - it's considered hashed (it
      is on the ->s_anon list), so it will stay around until the memory pressure
      will finally do it in.  As the result, we have the final iput() delayed
      indefinitely.  It's trivial to reproduce -
      
      void flush_dcache(void)
      {
              system("mount -o remount,rw /");
      }
      
      static char buf[20 * 1024 * 1024];
      
      main()
      {
              int fd;
              union {
                      struct file_handle f;
                      char buf[MAX_HANDLE_SZ];
              } x;
              int m;
      
              x.f.handle_bytes = sizeof(x);
              chdir("/root");
              mkdir("foo", 0700);
              fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
              close(fd);
              name_to_handle_at(AT_FDCWD, "foo/bar", &x.f, &m, 0);
              flush_dcache();
              fd = open_by_handle_at(AT_FDCWD, &x.f, O_RDWR);
              unlink("foo/bar");
              write(fd, buf, sizeof(buf));
              system("df .");			/* 20Mb eaten */
              close(fd);
              system("df .");			/* should've freed those 20Mb */
              flush_dcache();
              system("df .");			/* should be the same as #2 */
      }
      
      will spit out something like
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 283282     21692  93% /
      - inode gets freed only when dentry is finally evicted (here we trigger
      than by remount; normally it would've happened in response to memory
      pressure hell knows when).
      Acked-by: default avatarJ. Bruce Fields <bfields@fieldses.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [ kamal: backport to 3.19-stable: no fast_dput() ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e2f9d514
    • Jingju Hou's avatar
      mmc: sdhci-pxav3: fix platform_data is not initialized · 858f7ef5
      Jingju Hou authored
      commit 9cd76049 upstream.
      
      pdev->dev.platform_data is not initialized if match is true in function
      sdhci_pxav3_probe. Just local variable pdata is assigned the return value
      from function pxav3_get_mmc_pdata().
      
      static int sdhci_pxav3_probe(struct platform_device *pdev) {
      
          struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
          ...
          if (match) {
      		ret = mmc_of_parse(host->mmc);
      		if (ret)
      			goto err_of_parse;
      		sdhci_get_of_property(pdev);
      		pdata = pxav3_get_mmc_pdata(dev);
           }
           ...
      }
      Signed-off-by: default avatarJingju Hou <houjingj@marvell.com>
      Fixes: b650352d("mmc: sdhci-pxa: Add device tree support")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      858f7ef5
    • Joakim Tjernlund's avatar
      mmc: sdhci-esdhc: Make 8BIT bus work · a2f985af
      Joakim Tjernlund authored
      commit 8e91125f upstream.
      
      Support for 8BIT bus with was added some time ago to sdhci-esdhc but
      then missed to remove the 8BIT from the reserved bit mask which made
      8BIT non functional.
      
      Fixes: 66b50a00 ("mmc: esdhc: Add support for 8-bit bus width and..")
      Signed-off-by: default avatarJoakim Tjernlund <joakim.tjernlund@transmode.se>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a2f985af
    • Tomas Winkler's avatar
      mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() · 1f7d2349
      Tomas Winkler authored
      commit 9098f84c upstream.
      
      Enclosing mmc_blk_put() is missing in power_ro_lock_show() sysfs handler,
      let's add it.
      
      Fixes: add710ea ("mmc: boot partition ro lock support")
      Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1f7d2349
    • Edward Hyunkoo Jee's avatar
      inet: frags: fix defragmented packet's IP header for af_packet · f65e2502
      Edward Hyunkoo Jee authored
      commit 0848f642 upstream.
      
      When ip_frag_queue() computes positions, it assumes that the passed
      sk_buff does not contain L2 headers.
      
      However, when PACKET_FANOUT_FLAG_DEFRAG is used, IP reassembly
      functions can be called on outgoing packets that contain L2 headers.
      
      Also, IPv4 checksum is not corrected after reassembly.
      
      Fixes: 7736d33f ("packet: Add pre-defragmentation support for ipv4 fanouts.")
      Signed-off-by: default avatarEdward Hyunkoo Jee <edjee@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Jerry Chu <hkchu@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f65e2502
    • Nikolay Aleksandrov's avatar
      bonding: correctly handle bonding type change on enslave failure · cda1c86b
      Nikolay Aleksandrov authored
      commit 7d5cd2ce upstream.
      
      If the bond is enslaving a device with different type it will be setup
      by it, but if after being setup the enslave fails the bond doesn't
      switch back its type and also keeps pointers to foreign structures that can
      be long gone. Thus revert back any type changes if the enslave failed and
      the bond had to change its type.
      Example:
       Before patch:
      $ echo lo > bond0/bonding/slaves
      -bash: echo: write error: Cannot assign requested address
      $ ip l sh bond0
      20: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
      mode DEFAULT group default
          link/loopback 16:54:78:34:bd:41 brd 00:00:00:00:00:00
      $ echo +eth1 > bond0/bonding/slaves
      $ ip l sh bond0
      20: bond0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode
      DEFAULT group default qlen 1000
          link/ether 52:54:00:3f:47:69 brd ff:ff:ff:ff:ff:ff
      (notice the MASTER flag is gone)
      
       After patch:
      $ echo lo > bond0/bonding/slaves
      -bash: echo: write error: Cannot assign requested address
      $ ip l sh bond0
      21: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
      mode DEFAULT group default qlen 1000
          link/ether 6e:66:94:f6:07:fc brd ff:ff:ff:ff:ff:ff
      $ echo +eth1 > bond0/bonding/slaves
      $ ip l sh bond0
      21: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
      mode DEFAULT group default qlen 1000
          link/ether 52:54:00:3f:47:69 brd ff:ff:ff:ff:ff:ff
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Fixes: e36b9d16 ("bonding: clean muticast addresses when device changes type")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cda1c86b
    • Nikolay Aleksandrov's avatar
      bonding: fix destruction of bond with devices different from arphrd_ether · cc065253
      Nikolay Aleksandrov authored
      commit 06f6d109 upstream.
      
      When the bonding is being unloaded and the netdevice notifier is
      unregistered it executes NETDEV_UNREGISTER for each device which should
      remove the bond's proc entry but if the device enslaved is not of
      ARPHRD_ETHER type and is in front of the bonding, it may execute
      bond_release_and_destroy() first which would release the last slave and
      destroy the bond device leaving the proc entry and thus we will get the
      following error (with dynamic debug on for bond_netdev_event to see the
      events order):
      [  908.963051] eql: event: 9
      [  908.963052] eql: IFF_SLAVE
      [  908.963054] eql: event: 2
      [  908.963056] eql: IFF_SLAVE
      [  908.963058] eql: event: 6
      [  908.963059] eql: IFF_SLAVE
      [  908.963110] bond0: Releasing active interface eql
      [  908.976168] bond0: Destroying bond bond0
      [  908.976266] bond0 (unregistering): Released all slaves
      [  908.984097] ------------[ cut here ]------------
      [  908.984107] WARNING: CPU: 0 PID: 1787 at fs/proc/generic.c:575
      remove_proc_entry+0x112/0x160()
      [  908.984110] remove_proc_entry: removing non-empty directory
      'net/bonding', leaking at least 'bond0'
      [  908.984111] Modules linked in: bonding(-) eql(O) 9p nfsd auth_rpcgss
      oid_registry nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul
      crc32_pclmul crc32c_intel ghash_clmulni_intel ppdev qxl drm_kms_helper
      snd_hda_codec_generic aesni_intel ttm aes_x86_64 glue_helper pcspkr lrw
      gf128mul ablk_helper cryptd snd_hda_intel virtio_console snd_hda_codec
      psmouse serio_raw snd_hwdep snd_hda_core 9pnet_virtio 9pnet evdev joydev
      drm virtio_balloon snd_pcm snd_timer snd soundcore i2c_piix4 i2c_core
      pvpanic acpi_cpufreq parport_pc parport processor thermal_sys button
      autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid hid sg sr_mod cdrom
      ata_generic virtio_blk virtio_net floppy ata_piix e1000 libata ehci_pci
      virtio_pci scsi_mod uhci_hcd ehci_hcd virtio_ring virtio usbcore
      usb_common [last unloaded: bonding]
      
      [  908.984168] CPU: 0 PID: 1787 Comm: rmmod Tainted: G        W  O
      4.2.0-rc2+ #8
      [  908.984170] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [  908.984172]  0000000000000000 ffffffff81732d41 ffffffff81525b34
      ffff8800358dfda8
      [  908.984175]  ffffffff8106c521 ffff88003595af78 ffff88003595af40
      ffff88003e3a4280
      [  908.984178]  ffffffffa058d040 0000000000000000 ffffffff8106c59a
      ffffffff8172ebd0
      [  908.984181] Call Trace:
      [  908.984188]  [<ffffffff81525b34>] ? dump_stack+0x40/0x50
      [  908.984193]  [<ffffffff8106c521>] ? warn_slowpath_common+0x81/0xb0
      [  908.984196]  [<ffffffff8106c59a>] ? warn_slowpath_fmt+0x4a/0x50
      [  908.984199]  [<ffffffff81218352>] ? remove_proc_entry+0x112/0x160
      [  908.984205]  [<ffffffffa05850e6>] ? bond_destroy_proc_dir+0x26/0x30
      [bonding]
      [  908.984208]  [<ffffffffa057540e>] ? bond_net_exit+0x8e/0xa0 [bonding]
      [  908.984217]  [<ffffffff8142f407>] ? ops_exit_list.isra.4+0x37/0x70
      [  908.984225]  [<ffffffff8142f52d>] ?
      unregister_pernet_operations+0x8d/0xd0
      [  908.984228]  [<ffffffff8142f58d>] ?
      unregister_pernet_subsys+0x1d/0x30
      [  908.984232]  [<ffffffffa0585269>] ? bonding_exit+0x23/0xdba [bonding]
      [  908.984236]  [<ffffffff810e28ba>] ? SyS_delete_module+0x18a/0x250
      [  908.984241]  [<ffffffff81086f99>] ? task_work_run+0x89/0xc0
      [  908.984244]  [<ffffffff8152b732>] ?
      entry_SYSCALL_64_fastpath+0x16/0x75
      [  908.984247] ---[ end trace 7c006ed4abbef24b ]---
      
      Thus remove the proc entry manually if bond_release_and_destroy() is
      used. Because of the checks in bond_remove_proc_entry() it's not a
      problem for a bond device to change namespaces (the bug fixed by the
      Fixes commit) but since commit
      f9399814 ("bonding: Don't allow bond devices to change network
      namespaces.") that can't happen anyway.
      Reported-by: default avatarCarol Soto <clsoto@linux.vnet.ibm.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Fixes: a64d49c3 ("bonding: Manage /proc/net/bonding/ entries from
                            the netdev events")
      Tested-by: default avatarCarol L Soto <clsoto@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cc065253
    • Alexey Khoroshilov's avatar
      usb: gadget: mv_udc_core: fix phy_regs I/O memory leak · 1bd8a666
      Alexey Khoroshilov authored
      commit 53e20f2e upstream.
      
      There was an omission in transition to devm_xxx resource handling.
      iounmap(udc->phy_regs) were removed, but ioremap() was left
      without devm_.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Fixes: 3517c31a ("usb: gadget: mv_udc: use devm_xxx for probe")
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [ luis: backported to 3.16:
        - file rename: drivers/usb/gadget/udc/mv_udc_core.c ->
          drivers/usb/gadget/mv_udc_core.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1bd8a666
    • Tilman Schmidt's avatar
      isdn/gigaset: reset tty->receive_room when attaching ser_gigaset · 39b01edc
      Tilman Schmidt authored
      commit fd98e941 upstream.
      
      Commit 79901317 ("n_tty: Don't flush buffer when closing ldisc"),
      first merged in kernel release 3.10, caused the following regression
      in the Gigaset M101 driver:
      
      Before that commit, when closing the N_TTY line discipline in
      preparation to switching to N_GIGASET_M101, receive_room would be
      reset to a non-zero value by the call to n_tty_flush_buffer() in
      n_tty's close method. With the removal of that call, receive_room
      might be left at zero, blocking data reception on the serial line.
      
      The present patch fixes that regression by setting receive_room
      to an appropriate value in the ldisc open method.
      
      Fixes: 79901317 ("n_tty: Don't flush buffer when closing ldisc")
      Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      39b01edc
    • Nikolay Aleksandrov's avatar
      bridge: mdb: fix double add notification · 230ecc15
      Nikolay Aleksandrov authored
      commit 5ebc7846 upstream.
      
      Since the mdb add/del code was introduced there have been 2 br_mdb_notify
      calls when doing br_mdb_add() resulting in 2 notifications on each add.
      
      Example:
       Command: bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
       Before patch:
       root@debian:~# bridge monitor all
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
      
       After patch:
       root@debian:~# bridge monitor all
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Fixes: cfd56754 ("bridge: add support of adding and deleting mdb entries")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      230ecc15
  4. 11 Aug, 2015 8 commits