1. 31 Mar, 2014 8 commits
  2. 24 Mar, 2014 32 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.4.84 · b1cee752
      Greg Kroah-Hartman authored
      b1cee752
    • Paul E. McKenney's avatar
      jiffies: Avoid undefined behavior from signed overflow · 7c0a02e9
      Paul E. McKenney authored
      commit 5a581b36 upstream.
      
      According to the C standard 3.4.3p3, overflow of a signed integer results
      in undefined behavior.  This commit therefore changes the definitions
      of time_after(), time_after_eq(), time_after64(), and time_after_eq64()
      to avoid this undefined behavior.  The trick is that the subtraction
      is done using unsigned arithmetic, which according to 6.2.5p9 cannot
      overflow because it is defined as modulo arithmetic.  This has the added
      (though admittedly quite small) benefit of shortening four lines of code
      by four characters each.
      
      Note that the C standard considers the cast from unsigned to
      signed to be implementation-defined, see 6.3.1.3p3.  However, on a
      two's-complement system, an implementation that defines anything other
      than a reinterpretation of the bits is free to come to me, and I will be
      happy to act as a witness for its being committed to an insane asylum.
      (Although I have nothing against saturating arithmetic or signals in some
      cases, these things really should not be the default when compiling an
      operating-system kernel.)
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Kevin Easton <kevin@guarana.org>
      [ paulmck: Included time_after64() and time_after_eq64(), as suggested
        by Eric Dumazet, also fixed commit message.]
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Ruchi Kandoi <kandoiruchi@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c0a02e9
    • Roman Volkov's avatar
      ALSA: oxygen: modify adjust_dg_dac_routing function · 212b4654
      Roman Volkov authored
      commit 1f91ecc1 upstream.
      
      When selecting the audio output destinations (headphones,
      FP headphones, multichannel output), the channel routing
      should be changed depending on what destination selected.
      Also unnecessary I2S channels are digitally muted. This
      function called when the user selects the destination
      in the ALSA mixer.
      Signed-off-by: default avatarRoman Volkov <v1ron@mail.ru>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      212b4654
    • Filipe David Borba Manana's avatar
      Btrfs: fix data corruption when reading/updating compressed extents · dba79490
      Filipe David Borba Manana authored
      commit a2aa75e1 upstream.
      
      When using a mix of compressed file extents and prealloc extents, it
      is possible to fill a page of a file with random, garbage data from
      some unrelated previous use of the page, instead of a sequence of zeroes.
      
      A simple sequence of steps to get into such case, taken from the test
      case I made for xfstests, is:
      
         _scratch_mkfs
         _scratch_mount "-o compress-force=lzo"
         $XFS_IO_PROG -f -c "pwrite -S 0x06 -b 18670 266978 18670" $SCRATCH_MNT/foobar
         $XFS_IO_PROG -c "falloc 26450 665194" $SCRATCH_MNT/foobar
         $XFS_IO_PROG -c "truncate 542872" $SCRATCH_MNT/foobar
         $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foobar
      
      This results in the following file items in the fs tree:
      
         item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160
             inode generation 6 transid 6 size 542872 block group 0 mode 100600
         item 5 key (257 INODE_REF 256) itemoff 15863 itemsize 16
             inode ref index 2 namelen 6 name: foobar
         item 6 key (257 EXTENT_DATA 0) itemoff 15810 itemsize 53
             extent data disk byte 0 nr 0 gen 6
             extent data offset 0 nr 24576 ram 266240
             extent compression 0
         item 7 key (257 EXTENT_DATA 24576) itemoff 15757 itemsize 53
             prealloc data disk byte 12849152 nr 241664 gen 6
             prealloc data offset 0 nr 241664
         item 8 key (257 EXTENT_DATA 266240) itemoff 15704 itemsize 53
             extent data disk byte 12845056 nr 4096 gen 6
             extent data offset 0 nr 20480 ram 20480
             extent compression 2
         item 9 key (257 EXTENT_DATA 286720) itemoff 15651 itemsize 53
             prealloc data disk byte 13090816 nr 405504 gen 6
             prealloc data offset 0 nr 258048
      
      The on disk extent at offset 266240 (which corresponds to 1 single disk block),
      contains 5 compressed chunks of file data. Each of the first 4 compress 4096
      bytes of file data, while the last one only compresses 3024 bytes of file data.
      Therefore a read into the file region [285648 ; 286720[ (length = 4096 - 3024 =
      1072 bytes) should always return zeroes (our next extent is a prealloc one).
      
      The solution here is the compression code path to zero the remaining (untouched)
      bytes of the last page it uncompressed data into, as the information about how
      much space the file data consumes in the last page is not known in the upper layer
      fs/btrfs/extent_io.c:__do_readpage(). In __do_readpage we were correctly zeroing
      the remainder of the page but only if it corresponds to the last page of the inode
      and if the inode's size is not a multiple of the page size.
      
      This would cause not only returning random data on reads, but also permanently
      storing random data when updating parts of the region that should be zeroed.
      For the example above, it means updating a single byte in the region [285648 ; 286720[
      would store that byte correctly but also store random data on disk.
      
      A test case for xfstests follows soon.
      Signed-off-by: default avatarFilipe David Borba Manana <fdmanana@gmail.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dba79490
    • Ales Novak's avatar
      SCSI: storvsc: NULL pointer dereference fix · 7c1de350
      Ales Novak authored
      commit b12bb60d upstream.
      
      If the initialization of storvsc fails, the storvsc_device_destroy()
      causes NULL pointer dereference.
      
      storvsc_bus_scan()
        scsi_scan_target()
          __scsi_scan_target()
            scsi_probe_and_add_lun(hostdata=NULL)
              scsi_alloc_sdev(hostdata=NULL)
      
      	  sdev->hostdata = hostdata
      
      	  now the host allocation fails
      
                __scsi_remove_device(sdev)
      
      	  calls sdev->host->hostt->slave_destroy() ==
      	  storvsc_device_destroy(sdev)
      	    access of sdev->hostdata->request_mempool
      Signed-off-by: default avatarAles Novak <alnovak@suse.cz>
      Signed-off-by: default avatarThomas Abraham <tabraham@suse.com>
      Reviewed-by: default avatarJiri Kosina <jkosina@suse.cz>
      Acked-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c1de350
    • Giridhar Malavali's avatar
    • Lukasz Dorau's avatar
      SCSI: isci: correct erroneous for_each_isci_host macro · d9e8942e
      Lukasz Dorau authored
      commit c59053a2 upstream.
      
      In the first place, the loop 'for' in the macro 'for_each_isci_host'
      (drivers/scsi/isci/host.h:314) is incorrect, because it accesses
      the 3rd element of 2 element array. After the 2nd iteration it executes
      the instruction:
              ihost = to_pci_info(pdev)->hosts[2]
      (while the size of the 'hosts' array equals 2) and reads an
      out of range element.
      
      In the second place, this loop is incorrectly optimized by GCC v4.8
      (see http://marc.info/?l=linux-kernel&m=138998871911336&w=2).
      As a result, on platforms with two SCU controllers,
      the loop is executed more times than it can be (for i=0,1 and 2).
      It causes kernel panic during entering the S3 state
      and the following oops after 'rmmod isci':
      
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffff8131360b>] __list_add+0x1b/0xc0
      Oops: 0000 [#1] SMP
      RIP: 0010:[<ffffffff8131360b>]  [<ffffffff8131360b>] __list_add+0x1b/0xc0
      Call Trace:
        [<ffffffff81661b84>] __mutex_lock_slowpath+0x114/0x1b0
        [<ffffffff81661c3f>] mutex_lock+0x1f/0x30
        [<ffffffffa03e97cb>] sas_disable_events+0x1b/0x50 [libsas]
        [<ffffffffa03e9818>] sas_unregister_ha+0x18/0x60 [libsas]
        [<ffffffffa040316e>] isci_unregister+0x1e/0x40 [isci]
        [<ffffffffa0403efd>] isci_pci_remove+0x5d/0x100 [isci]
        [<ffffffff813391cb>] pci_device_remove+0x3b/0xb0
        [<ffffffff813fbf7f>] __device_release_driver+0x7f/0xf0
        [<ffffffff813fc8f8>] driver_detach+0xa8/0xb0
        [<ffffffff813fbb8b>] bus_remove_driver+0x9b/0x120
        [<ffffffff813fcf2c>] driver_unregister+0x2c/0x50
        [<ffffffff813381f3>] pci_unregister_driver+0x23/0x80
        [<ffffffffa04152f8>] isci_exit+0x10/0x1e [isci]
        [<ffffffff810d199b>] SyS_delete_module+0x16b/0x2d0
        [<ffffffff81012a21>] ? do_notify_resume+0x61/0xa0
        [<ffffffff8166ce29>] system_call_fastpath+0x16/0x1b
      
      The loop has been corrected.
      This patch fixes kernel panic during entering the S3 state
      and the above oops.
      Signed-off-by: default avatarLukasz Dorau <lukasz.dorau@intel.com>
      Reviewed-by: default avatarMaciej Patelczyk <maciej.patelczyk@intel.com>
      Tested-by: default avatarLukasz Dorau <lukasz.dorau@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9e8942e
    • Dan Williams's avatar
      SCSI: isci: fix reset timeout handling · ff441dfa
      Dan Williams authored
      commit ddfadd77 upstream.
      
      Remove an erroneous BUG_ON() in the case of a hard reset timeout.  The
      reset timeout handler puts the port into the "awaiting link-up" state.
      The timeout causes the device to be disconnected and we need to be in
      the awaiting link-up state to re-connect the port.  The BUG_ON() made
      the incorrect assumption that resets never timeout and we always
      complete the reset in the "resetting" state.
      
      Testing this patch also uncovered that libata continues to attempt to
      reset the port long after the driver has torn down the context.  Once
      the driver has committed to abandoning the link it must indicate to
      libata that recovery ends by returning -ENODEV from
      ->lldd_I_T_nexus_reset().
      Acked-by: default avatarLukasz Dorau <lukasz.dorau@intel.com>
      Reported-by: default avatarDavid Milburn <dmilburn@redhat.com>
      Reported-by: default avatarXun Ni <xun.ni@intel.com>
      Tested-by: default avatarXun Ni <xun.ni@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ff441dfa
    • Marc Kleine-Budde's avatar
      can: flexcan: flexcan_open(): fix error path if flexcan_chip_start() fails · f8d17b6f
      Marc Kleine-Budde authored
      commit 7e9e148a upstream.
      
      If flexcan_chip_start() in flexcan_open() fails, the interrupt is not freed,
      this patch adds the missing cleanup.
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8d17b6f
    • Arnd Bergmann's avatar
      vmxnet3: fix building without CONFIG_PCI_MSI · 5e764c59
      Arnd Bergmann authored
      commit 0a8d8c44 upstream.
      
      Since commit d25f06ea "vmxnet3: fix netpoll race condition",
      the vmxnet3 driver fails to build when CONFIG_PCI_MSI is disabled,
      because it unconditionally references the vmxnet3_msix_rx()
      function.
      
      To fix this, use the same #ifdef in the caller that exists around
      the function definition.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Cc: Shreyas Bhatewara <sbhatewara@vmware.com>
      Cc: "VMware, Inc." <pv-drivers@vmware.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e764c59
    • Neil Horman's avatar
      vmxnet3: fix netpoll race condition · 6b4741d6
      Neil Horman authored
      commit d25f06ea upstream.
      
      vmxnet3's netpoll driver is incorrectly coded.  It directly calls
      vmxnet3_do_poll, which is the driver internal napi poll routine.  As the netpoll
      controller method doesn't block real napi polls in any way, there is a potential
      for race conditions in which the netpoll controller method and the napi poll
      method run concurrently.  The result is data corruption causing panics such as this
      one recently observed:
      PID: 1371   TASK: ffff88023762caa0  CPU: 1   COMMAND: "rs:main Q:Reg"
       #0 [ffff88023abd5780] machine_kexec at ffffffff81038f3b
       #1 [ffff88023abd57e0] crash_kexec at ffffffff810c5d92
       #2 [ffff88023abd58b0] oops_end at ffffffff8152b570
       #3 [ffff88023abd58e0] die at ffffffff81010e0b
       #4 [ffff88023abd5910] do_trap at ffffffff8152add4
       #5 [ffff88023abd5970] do_invalid_op at ffffffff8100cf95
       #6 [ffff88023abd5a10] invalid_op at ffffffff8100bf9b
          [exception RIP: vmxnet3_rq_rx_complete+1968]
          RIP: ffffffffa00f1e80  RSP: ffff88023abd5ac8  RFLAGS: 00010086
          RAX: 0000000000000000  RBX: ffff88023b5dcee0  RCX: 00000000000000c0
          RDX: 0000000000000000  RSI: 00000000000005f2  RDI: ffff88023b5dcee0
          RBP: ffff88023abd5b48   R8: 0000000000000000   R9: ffff88023a3b6048
          R10: 0000000000000000  R11: 0000000000000002  R12: ffff8802398d4cd8
          R13: ffff88023af35140  R14: ffff88023b60c890  R15: 0000000000000000
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88023abd5b50] vmxnet3_do_poll at ffffffffa00f204a [vmxnet3]
       #8 [ffff88023abd5b80] vmxnet3_netpoll at ffffffffa00f209c [vmxnet3]
       #9 [ffff88023abd5ba0] netpoll_poll_dev at ffffffff81472bb7
      
      The fix is to do as other drivers do, and have the poll controller call the top
      half interrupt handler, which schedules a napi poll properly to recieve frames
      
      Tested by myself, successfully.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      CC: Shreyas Bhatewara <sbhatewara@vmware.com>
      CC: "VMware, Inc." <pv-drivers@vmware.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Reviewed-by: default avatarShreyas N Bhatewara <sbhatewara@vmware.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b4741d6
    • Radim Krčmář's avatar
      KVM: SVM: fix cr8 intercept window · 18bd55f6
      Radim Krčmář authored
      commit 596f3142 upstream.
      
      We always disable cr8 intercept in its handler, but only re-enable it
      if handling KVM_REQ_EVENT, so there can be a window where we do not
      intercept cr8 writes, which allows an interrupt to disrupt a higher
      priority task.
      
      Fix this by disabling intercepts in the same function that re-enables
      them when needed. This fixes BSOD in Windows 2008.
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Reviewed-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18bd55f6
    • Alex Deucher's avatar
      drm/radeon/atom: select the proper number of lanes in transmitter setup · 7dab5063
      Alex Deucher authored
      commit d03874c8 upstream.
      
      We need to check for DVI vs. HDMI when setting up duallink since
      HDMI is single link only.  Fixes 4k modes on newer asics.
      
      bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=75223Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7dab5063
    • Artem Fetishev's avatar
      fs/proc/base.c: fix GPF in /proc/$PID/map_files · bfe635e5
      Artem Fetishev authored
      commit 70335abb upstream.
      
      The expected logic of proc_map_files_get_link() is either to return 0
      and initialize 'path' or return an error and leave 'path' uninitialized.
      
      By the time dname_to_vma_addr() returns 0 the corresponding vma may have
      already be gone.  In this case the path is not initialized but the
      return value is still 0.  This results in 'general protection fault'
      inside d_path().
      
      Steps to reproduce:
      
        CONFIG_CHECKPOINT_RESTORE=y
      
          fd = open(...);
          while (1) {
              mmap(fd, ...);
              munmap(fd, ...);
          }
      
        ls -la /proc/$PID/map_files
      
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991Signed-off-by: default avatarArtem Fetishev <artem_fetishev@epam.com>
      Signed-off-by: default avatarAleksandr Terekhov <aleksandr_terekhov@epam.com>
      Reported-by: <wiebittewas@gmail.com>
      Acked-by: default avatarPavel Emelyanov <xemul@parallels.com>
      Acked-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Reviewed-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bfe635e5
    • Trond Myklebust's avatar
      NFS: Fix a delegation callback race · e877d416
      Trond Myklebust authored
      commit 755a48a7 upstream.
      
      The clean-up in commit 36281caa ended up removing a NULL pointer check
      that is needed in order to prevent an Oops in
      nfs_async_inode_return_delegation().
      Reported-by: default avatar"Yan, Zheng" <zheng.z.yan@intel.com>
      Link: http://lkml.kernel.org/r/5313E9F6.2020405@intel.com
      Fixes: 36281caa (NFSv4: Further clean-ups of delegation stateid validation)
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e877d416
    • Michele Baldessari's avatar
      libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8 (2BA30001) · 02a4ed4a
      Michele Baldessari authored
      commit b28a613e upstream.
      
      Via commit 87809942 "libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk
      for Seagate Momentus SpinPoint M8" we added a quirk for disks named
      "ST1000LM024 HN-M101MBB" with firmware revision "2AR10001".
      
      As reported on https://bugzilla.redhat.com/show_bug.cgi?id=1073901,
      we need to also add firmware revision 2BA30001 as it is broken as well.
      Reported-by: default avatarNicholas <arealityfarbetween@googlemail.com>
      Signed-off-by: default avatarMichele Baldessari <michele@acksyn.org>
      Tested-by: default avatarGuilherme Amadio <guilherme.amadio@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02a4ed4a
    • Tejun Heo's avatar
      firewire: don't use PREPARE_DELAYED_WORK · f8637162
      Tejun Heo authored
      commit 70044d71 upstream.
      
      PREPARE_[DELAYED_]WORK() are being phased out.  They have few users
      and a nasty surprise in terms of reentrancy guarantee as workqueue
      considers work items to be different if they don't have the same work
      function.
      
      firewire core-device and sbp2 have been been multiplexing work items
      with multiple work functions.  Introduce fw_device_workfn() and
      sbp2_lu_workfn() which invoke fw_device->workfn and
      sbp2_logical_unit->workfn respectively and always use the two
      functions as the work functions and update the users to set the
      ->workfn fields instead of overriding work functions using
      PREPARE_DELAYED_WORK().
      
      This fixes a variety of possible regressions since a2c1c57b
      "workqueue: consider work function when searching for busy work items"
      due to which fw_workqueue lost its required non-reentrancy property.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Cc: linux1394-devel@lists.sourceforge.net
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8637162
    • Stefan Richter's avatar
      firewire: net: fix use after free · f37058b8
      Stefan Richter authored
      commit 89875833 upstream.
      
      Commit 8408dc1c "firewire: net: use dev_printk API" introduced a
      use-after-free in a failure path.  fwnet_transmit_packet_failed(ptask)
      may free ptask, then the dev_err() call dereferenced it.  The fix is
      straightforward; simply reorder the two calls.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f37058b8
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Do not add event files for modules that fail tracepoints · a2998041
      Steven Rostedt (Red Hat) authored
      commit 45ab2813 upstream.
      
      If a module fails to add its tracepoints due to module tainting, do not
      create the module event infrastructure in the debugfs directory. As the events
      will not work and worse yet, they will silently fail, making the user wonder
      why the events they enable do not display anything.
      
      Having a warning on module load and the events not visible to the users
      will make the cause of the problem much clearer.
      
      Link: http://lkml.kernel.org/r/20140227154923.265882695@goodmis.org
      
      Fixes: 6d723736 "tracing/events: add support for modules to TRACE_EVENT"
      Acked-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2998041
    • Li Zefan's avatar
      cpuset: fix a race condition in __cpuset_node_allowed_softwall() · c5ad4fde
      Li Zefan authored
      commit 99afb0fd upstream.
      
      It's not safe to access task's cpuset after releasing task_lock().
      Holding callback_mutex won't help.
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5ad4fde
    • Chuansheng Liu's avatar
      genirq: Remove racy waitqueue_active check · b46741f2
      Chuansheng Liu authored
      commit c685689f upstream.
      
      We hit one rare case below:
      
      T1 calling disable_irq(), but hanging at synchronize_irq()
      always;
      The corresponding irq thread is in sleeping state;
      And all CPUs are in idle state;
      
      After analysis, we found there is one possible scenerio which
      causes T1 is waiting there forever:
      CPU0                                       CPU1
       synchronize_irq()
        wait_event()
          spin_lock()
                                                 atomic_dec_and_test(&threads_active)
            insert the __wait into queue
          spin_unlock()
                                                 if(waitqueue_active)
          atomic_read(&threads_active)
                                                   wake_up()
      
      Here after inserted the __wait into queue on CPU0, and before
      test if queue is empty on CPU1, there is no barrier, it maybe
      cause it is not visible for CPU1 immediately, although CPU0 has
      updated the queue list.
      It is similar for CPU0 atomic_read() threads_active also.
      
      So we'd need one smp_mb() before waitqueue_active.that, but removing
      the waitqueue_active() check solves it as wel l and it makes
      things simple and clear.
      Signed-off-by: default avatarChuansheng Liu <chuansheng.liu@intel.com>
      Cc: Xiaoming Wang <xiaoming.wang@intel.com>
      Link: http://lkml.kernel.org/r/1393212590-32543-1-git-send-email-chuansheng.liu@intel.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b46741f2
    • Daniel J Blueman's avatar
      x86/amd/numa: Fix northbridge quirk to assign correct NUMA node · bb7d79fc
      Daniel J Blueman authored
      commit 847d7970 upstream.
      
      For systems with multiple servers and routed fabric, all
      northbridges get assigned to the first server. Fix this by also
      using the node reported from the PCI bus. For single-fabric
      systems, the northbriges are on PCI bus 0 by definition, which
      are on NUMA node 0 by definition, so this is invarient on most
      systems.
      
      Tested on fam10h and fam15h single and multi-fabric systems and
      candidate for stable.
      Signed-off-by: default avatarDaniel J Blueman <daniel@numascale.com>
      Acked-by: default avatarSteffen Persvold <sp@numascale.com>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/1394710981-3596-1-git-send-email-daniel@numascale.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb7d79fc
    • Linus Walleij's avatar
      ARM: 7991/1: sa1100: fix compile problem on Collie · 8271b4d8
      Linus Walleij authored
      commit 052450fd upstream.
      
      Due to a problem in the MFD Kconfig it was not possible to
      compile the UCB battery driver for the Collie SA1100 system,
      in turn making it impossible to compile in the battery driver.
      (See patch "mfd: include all drivers in subsystem menu".)
      
      After fixing the MFD Kconfig (separate patch) a compile error
      appears in the Collie battery driver due to the <mach/collie.h>
      implicitly requiring <mach/hardware.h> through <linux/gpio.h>
      via <mach/gpio.h> prior to commit
      40ca061b "ARM: 7841/1: sa1100: remove complex GPIO interface".
      
      Fix this up by including the required header into
      <mach/collie.h>.
      
      Cc: Andrea Adami <andrea.adami@gmail.com>
      Cc: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8271b4d8
    • Anton Blanchard's avatar
      powerpc: Align p_dyn, p_rela and p_st symbols · ec012303
      Anton Blanchard authored
      commit a5b2cf5b upstream.
      
      The 64bit relocation code places a few symbols in the text segment.
      These symbols are only 4 byte aligned where they need to be 8 byte
      aligned. Add an explicit alignment.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Tested-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec012303
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add quirk for Logitech Webcam C500 · 377f8ac2
      Takashi Iwai authored
      commit e805ca8b upstream.
      
      Logitech C500 (046d:0807) needs the same workaround like other
      Logitech Webcams.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      377f8ac2
    • Roman Volkov's avatar
      ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2 · 99792c01
      Roman Volkov authored
      commit 3dd77654 upstream.
      
      Actually CS4245 connected to the I2S channel 1 for
      capture, not channel 2. Otherwise capturing and
      playback does not work for CS4245.
      Signed-off-by: default avatarRoman Volkov <v1ron@mail.ru>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99792c01
    • Rob Clark's avatar
      drm/ttm: don't oops if no invalidate_caches() · cf828d9f
      Rob Clark authored
      commit 9ef7506f upstream.
      
      A few of the simpler TTM drivers (cirrus, ast, mgag200) do not implement
      this function.  Yet can end up somehow with an evicted bo:
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        PGD 16e761067 PUD 16e6cf067 PMD 0
        Oops: 0010 [#1] SMP
        Modules linked in: bnep bluetooth rfkill fuse ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables sg btrfs zlib_deflate raid6_pq xor dm_queue_length iTCO_wdt iTCO_vendor_support coretemp kvm dcdbas dm_service_time microcode serio_raw pcspkr lpc_ich mfd_core i7core_edac edac_core ses enclosure ipmi_si ipmi_msghandler shpchp acpi_power_meter mperf nfsd auth_rpcgss nfs_acl lockd uinput sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sr_mod cdrom
         sd_mod usb_storage mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit lpfc drm_kms_helper ttm crc32c_intel ata_piix bfa drm ixgbe libata i2c_core mdio crc_t10dif ptp crct10dif_common pps_core scsi_transport_fc dca scsi_tgt megaraid_sas bnx2 dm_mirror dm_region_hash dm_log dm_mod
        CPU: 16 PID: 2572 Comm: X Not tainted 3.10.0-86.el7.x86_64 #1
        Hardware name: Dell Inc. PowerEdge R810/0H235N, BIOS 0.3.0 11/14/2009
        task: ffff8801799dabc0 ti: ffff88016c884000 task.ti: ffff88016c884000
        RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
        RSP: 0018:ffff88016c885ad8  EFLAGS: 00010202
        RAX: ffffffffa04e94c0 RBX: ffff880178937a20 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: 0000000000240004 RDI: ffff880178937a00
        RBP: ffff88016c885b60 R08: 00000000000171a0 R09: ffff88007cf171a0
        R10: ffffea0005842540 R11: ffffffff810487b9 R12: ffff880178937b30
        R13: ffff880178937a00 R14: ffff88016c885b78 R15: ffff880179929400
        FS:  00007f81ba2ef980(0000) GS:ffff88007cf00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 000000016e763000 CR4: 00000000000007e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
        Stack:
         ffffffffa0306fae ffff8801799295c0 0000000000260004 0000000000000001
         ffff88016c885b60 ffffffffa0307669 00ff88007cf17738 ffff88017cf17700
         ffff880178937a00 ffff880100000000 ffff880100000000 0000000079929400
        Call Trace:
         [<ffffffffa0306fae>] ? ttm_bo_handle_move_mem+0x54e/0x5b0 [ttm]
         [<ffffffffa0307669>] ? ttm_bo_mem_space+0x169/0x340 [ttm]
         [<ffffffffa0307bd7>] ttm_bo_move_buffer+0x117/0x130 [ttm]
         [<ffffffff81130001>] ? perf_event_init_context+0x141/0x220
         [<ffffffffa0307cb1>] ttm_bo_validate+0xc1/0x130 [ttm]
         [<ffffffffa04e7377>] mgag200_bo_pin+0x87/0xc0 [mgag200]
         [<ffffffffa04e56c4>] mga_crtc_cursor_set+0x474/0xbb0 [mgag200]
         [<ffffffff811971d2>] ? __mem_cgroup_commit_charge+0x152/0x3b0
         [<ffffffff815c4182>] ? mutex_lock+0x12/0x2f
         [<ffffffffa0201433>] drm_mode_cursor_common+0x123/0x170 [drm]
         [<ffffffffa0205231>] drm_mode_cursor_ioctl+0x41/0x50 [drm]
         [<ffffffffa01f5ca2>] drm_ioctl+0x502/0x630 [drm]
         [<ffffffff815cbab4>] ? __do_page_fault+0x1f4/0x510
         [<ffffffff8101cb68>] ? __restore_xstate_sig+0x218/0x4f0
         [<ffffffff811b4445>] do_vfs_ioctl+0x2e5/0x4d0
         [<ffffffff8124488e>] ? file_has_perm+0x8e/0xa0
         [<ffffffff811b46b1>] SyS_ioctl+0x81/0xa0
         [<ffffffff815d05d9>] system_call_fastpath+0x16/0x1b
        Code:  Bad RIP value.
        RIP  [<          (null)>]           (null)
         RSP <ffff88016c885ad8>
        CR2: 0000000000000000
      Signed-off-by: default avatarRob Clark <rclark@redhat.com>
      Reviewed-by: default avatarJérôme Glisse <jglisse@redhat.com>
      Reviewed-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf828d9f
    • Amitkumar Karwar's avatar
      mwifiex: copy AP's HT capability info correctly · c7fc368e
      Amitkumar Karwar authored
      commit c99b1861 upstream.
      
      While preparing association request, intersection of device's HT
      capability information and corresponding fields advertised by AP
      is used.
      
      This patch fixes an error while copying this field from AP's
      beacon.
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7fc368e
    • Sujith Manoharan's avatar
      ath9k: Fix ETSI compliance for AR9462 2.0 · 8509583a
      Sujith Manoharan authored
      commit b3050248 upstream.
      
      The minimum CCA power threshold values have to be adjusted
      for existing cards to be in compliance with new regulations.
      Newer cards will make use of the values obtained from EEPROM,
      support for this was added earlier. To make sure that cards
      that are already in use and don't have proper values in EEPROM,
      do not violate regulations, use the initvals instead.
      Reported-by: default avatarJeang Daniel <dyjeong@qca.qualcomm.com>
      Signed-off-by: default avatarSujith Manoharan <c_manoha@qca.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8509583a
    • Emmanuel Grumbach's avatar
      mac80211: fix AP powersave TX vs. wakeup race · 46a5a549
      Emmanuel Grumbach authored
      commit 1d147bfa upstream.
      
      There is a race between the TX path and the STA wakeup: while
      a station is sleeping, mac80211 buffers frames until it wakes
      up, then the frames are transmitted. However, the RX and TX
      path are concurrent, so the packet indicating wakeup can be
      processed while a packet is being transmitted.
      
      This can lead to a situation where the buffered frames list
      is emptied on the one side, while a frame is being added on
      the other side, as the station is still seen as sleeping in
      the TX path.
      
      As a result, the newly added frame will not be send anytime
      soon. It might be sent much later (and out of order) when the
      station goes to sleep and wakes up the next time.
      
      Additionally, it can lead to the crash below.
      
      Fix all this by synchronising both paths with a new lock.
      Both path are not fastpath since they handle PS situations.
      
      In a later patch we'll remove the extra skb queue locks to
      reduce locking overhead.
      
      BUG: unable to handle kernel
      NULL pointer dereference at 000000b0
      IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
      *pde = 00000000
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
      EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
      EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
      ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
      iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
      Stack:
       e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
       ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
       ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
      Call Trace:
       [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
       [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
       [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
       [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
       [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
       [<c149ef70>] dev_hard_start_xmit+0x450/0x950
       [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
       [<c14b9c9b>] __qdisc_run+0x4b/0x150
       [<c149f732>] dev_queue_xmit+0x2c2/0xca0
      Reported-by: default avatarYaara Rozenblum <yaara.rozenblum@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Reviewed-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      [reword commit log, use a separate lock]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46a5a549
    • Daniel Borkmann's avatar
      net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable · 18684dfb
      Daniel Borkmann authored
      [ Upstream commit ec0223ec ]
      
      RFC4895 introduced AUTH chunks for SCTP; during the SCTP
      handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
      being optional though):
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        -------------------- COOKIE-ECHO -------------------->
        <-------------------- COOKIE-ACK ---------------------
      
      A special case is when an endpoint requires COOKIE-ECHO
      chunks to be authenticated:
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        ------------------ AUTH; COOKIE-ECHO ---------------->
        <-------------------- COOKIE-ACK ---------------------
      
      RFC4895, section 6.3. Receiving Authenticated Chunks says:
      
        The receiver MUST use the HMAC algorithm indicated in
        the HMAC Identifier field. If this algorithm was not
        specified by the receiver in the HMAC-ALGO parameter in
        the INIT or INIT-ACK chunk during association setup, the
        AUTH chunk and all the chunks after it MUST be discarded
        and an ERROR chunk SHOULD be sent with the error cause
        defined in Section 4.1. [...] If no endpoint pair shared
        key has been configured for that Shared Key Identifier,
        all authenticated chunks MUST be silently discarded. [...]
      
        When an endpoint requires COOKIE-ECHO chunks to be
        authenticated, some special procedures have to be followed
        because the reception of a COOKIE-ECHO chunk might result
        in the creation of an SCTP association. If a packet arrives
        containing an AUTH chunk as a first chunk, a COOKIE-ECHO
        chunk as the second chunk, and possibly more chunks after
        them, and the receiver does not have an STCB for that
        packet, then authentication is based on the contents of
        the COOKIE-ECHO chunk. In this situation, the receiver MUST
        authenticate the chunks in the packet by using the RANDOM
        parameters, CHUNKS parameters and HMAC_ALGO parameters
        obtained from the COOKIE-ECHO chunk, and possibly a local
        shared secret as inputs to the authentication procedure
        specified in Section 6.3. If authentication fails, then
        the packet is discarded. If the authentication is successful,
        the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
        MUST be processed. If the receiver has an STCB, it MUST
        process the AUTH chunk as described above using the STCB
        from the existing association to authenticate the
        COOKIE-ECHO chunk and all the chunks after it. [...]
      
      Commit bbd0d598 introduced the possibility to receive
      and verification of AUTH chunk, including the edge case for
      authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
      the function sctp_sf_do_5_1D_ce() handles processing,
      unpacks and creates a new association if it passed sanity
      checks and also tests for authentication chunks being
      present. After a new association has been processed, it
      invokes sctp_process_init() on the new association and
      walks through the parameter list it received from the INIT
      chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
      and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
      meta data (peer_random, peer_hmacs, peer_chunks) in case
      sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
      SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
      peer_random != NULL and peer_hmacs != NULL the peer is to be
      assumed asoc->peer.auth_capable=1, in any other case
      asoc->peer.auth_capable=0.
      
      Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
      available, we set up a fake auth chunk and pass that on to
      sctp_sf_authenticate(), which at latest in
      sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
      at position 0..0008 when setting up the crypto key in
      crypto_hash_setkey() by using asoc->asoc_shared_key that is
      NULL as condition key_id == asoc->active_key_id is true if
      the AUTH chunk was injected correctly from remote. This
      happens no matter what net.sctp.auth_enable sysctl says.
      
      The fix is to check for net->sctp.auth_enable and for
      asoc->peer.auth_capable before doing any operations like
      sctp_sf_authenticate() as no key is activated in
      sctp_auth_asoc_init_active_key() for each case.
      
      Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
      passed from the INIT chunk was not used in the AUTH chunk, we
      SHOULD send an error; however in this case it would be better
      to just silently discard such a maliciously prepared handshake
      as we didn't even receive a parameter at all. Also, as our
      endpoint has no shared key configured, section 6.3 says that
      MUST silently discard, which we are doing from now onwards.
      
      Before calling sctp_sf_pdiscard(), we need not only to free
      the association, but also the chunk->auth_chunk skb, as
      commit bbd0d598 created a skb clone in that case.
      
      I have tested this locally by using netfilter's nfqueue and
      re-injecting packets into the local stack after maliciously
      modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
      and the SCTP packet containing the COOKIE_ECHO (injecting
      AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
      
      Fixes: bbd0d598 ("[SCTP]: Implement the receive and verification of AUTH chunk")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <yasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18684dfb
    • Michael Chan's avatar
      tg3: Don't check undefined error bits in RXBD · fc8927f2
      Michael Chan authored
      [ Upstream commit d7b95315 ]
      
      Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes
      a customer reported issue of randomly dropping packets on the 5719.
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fc8927f2