7 years agoIB/mlx4: Initialize hop_limit when creating address handle
Matan Barak [Thu, 14 Jan 2016 15:47:02 +0000 (17:47 +0200)]
IB/mlx4: Initialize hop_limit when creating address handle

commit 4e4081673445485aa6bc90383bdb83e7a96cc48a upstream.

Hop limit value wasn't copied from attributes  when ah was created.
This may influence packets for unconnected services to get dropped in
routers when endpoints are not in the same subnet.

Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE")
Signed-off-by: Matan Barak <>
Signed-off-by: Doug Ledford <>
Signed-off-by: Ben Hutchings <>
7 years agoIB/qib: fix mcast detach when qp not attached
Mike Marciniszyn [Thu, 7 Jan 2016 21:44:10 +0000 (16:44 -0500)]
IB/qib: fix mcast detach when qp not attached

commit 09dc9cd6528f5b52bcbd3292a6312e762c85260f upstream.

The code produces the following trace:

[1750924.419007] general protection fault: 0000 [#3] SMP
[1750924.420364] Modules linked in: nfnetlink autofs4 rpcsec_gss_krb5 nfsv4
dcdbas rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl dm_multipath nfs lockd
scsi_dh sunrpc fscache radeon ttm drm_kms_helper drm serio_raw parport_pc
ppdev i2c_algo_bit lpc_ich ipmi_si ib_mthca ib_qib dca lp parport ib_ipoib
mac_hid ib_cm i3000_edac ib_sa ib_uverbs edac_core ib_umad ib_mad ib_core
ib_addr tg3 ptp dm_mirror dm_region_hash dm_log psmouse pps_core
[1750924.420364] CPU: 1 PID: 8401 Comm: python Tainted: G D
3.13.0-39-generic #66-Ubuntu
[1750924.420364] Hardware name: Dell Computer Corporation PowerEdge
860/0XM089, BIOS A04 07/24/2007
[1750924.420364] task: ffff8800366a9800 ti: ffff88007af1c000 task.ti:
[1750924.420364] RIP: 0010:[<ffffffffa0131d51>] [<ffffffffa0131d51>]
qib_mcast_qp_free+0x11/0x50 [ib_qib]
[1750924.420364] RSP: 0018:ffff88007af1dd70  EFLAGS: 00010246
[1750924.420364] RAX: 0000000000000001 RBX: ffff88007b822688 RCX:
[1750924.420364] RDX: ffff88007b822688 RSI: ffff8800366c15a0 RDI:
[1750924.420364] RBP: ffff88007af1dd78 R08: 0000000000000001 R09:
[1750924.420364] R10: 0000000000000011 R11: 0000000000000246 R12:
[1750924.420364] R13: ffff88003ecab000 R14: ffff88007b822660 R15:
[1750924.420364] FS:  00007ffff7fd8740(0000) GS:ffff88007fc80000(0000)
[1750924.420364] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1750924.420364] CR2: 00007ffff597c750 CR3: 000000006860b000 CR4:
[1750924.420364] Stack:
[1750924.420364]  ffff88007b822688 ffff88007af1ddf0 ffffffffa0132429
[1750924.420364]  ffff88007baa1dc8 ffff88007baa0000 ffff88007af1de70
[1750924.420364]  00007fffffffde88 0000000000000000 0000000000000008
[1750924.420364] Call Trace:
[1750924.420364]  [<ffffffffa0132429>] qib_multicast_detach+0x1e9/0x350
[1750924.568035]  [<ffffffffa00cb313>] ? ib_uverbs_modify_qp+0x323/0x3d0
[1750924.568035]  [<ffffffffa0092d61>] ib_detach_mcast+0x31/0x50 [ib_core]
[1750924.568035]  [<ffffffffa00cc213>] ib_uverbs_detach_mcast+0x93/0x170
[1750924.568035]  [<ffffffffa00c61f6>] ib_uverbs_write+0xc6/0x2c0 [ib_uverbs]
[1750924.568035]  [<ffffffff81312e68>] ? apparmor_file_permission+0x18/0x20
[1750924.568035]  [<ffffffff812d4cd3>] ? security_file_permission+0x23/0xa0
[1750924.568035]  [<ffffffff811bd214>] vfs_write+0xb4/0x1f0
[1750924.568035]  [<ffffffff811bdc49>] SyS_write+0x49/0xa0
[1750924.568035]  [<ffffffff8172f7ed>] system_call_fastpath+0x1a/0x1f
[1750924.568035] Code: 66 2e 0f 1f 84 00 00 00 00 00 31 c0 5d c3 66 2e 0f 1f
84 00 00 00 00 00 66 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 8b 7f 10
<f0> ff 8f 40 01 00 00 74 0e 48 89 df e8 8e f8 06 e1 5b 5d c3 0f
[1750924.568035] RIP  [<ffffffffa0131d51>] qib_mcast_qp_free+0x11/0x50
[1750924.568035]  RSP <ffff88007af1dd70>
[1750924.650439] ---[ end trace 73d5d4b3f8ad4851 ]

The fix is to note the qib_mcast_qp that was found.   If none is found, then
return EINVAL indicating the error.

Reviewed-by: Dennis Dalessandro <>
Reported-by: Jason Gunthorpe <>
Signed-off-by: Mike Marciniszyn <>
Signed-off-by: Doug Ledford <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
Takashi Iwai [Mon, 18 Jan 2016 13:12:40 +0000 (14:12 +0100)]
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0

commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call.  The check was
intended obviously only for a kernel driver, but not for a user
interaction.  Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
Nicolas Boichat [Mon, 18 Jan 2016 13:35:01 +0000 (21:35 +0800)]
ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode

commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream.

This reverts one hunk of
commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_seq_port_info32 to a
struct snd_seq_port_info, but the latter is 4 bytes longer than the
32-bit version, so we need to separate kmalloc and copy calls.

Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
Nicolas Boichat [Mon, 18 Jan 2016 13:35:00 +0000 (21:35 +0800)]
ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.

This reverts one hunk of
commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_pcm_hw_params32 to
a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
the 32-bit version, so we need to separate kmalloc and copy calls.

This actually leads to an out-of-bounds memory access later on
in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).

Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: hrtimer: Fix stall by hrtimer_cancel()
Takashi Iwai [Mon, 18 Jan 2016 12:52:47 +0000 (13:52 +0100)]
ALSA: hrtimer: Fix stall by hrtimer_cancel()

commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream.

hrtimer_cancel() waits for the completion from the callback, thus it
must not be called inside the callback itself.  This was already a
problem in the past with ALSA hrtimer driver, and the early commit
[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.

However, the previous fix is still insufficient: it may still cause a
lockup when the ALSA timer instance reprograms itself in its callback.
Then it invokes the start function even in snd_timer_interrupt() that
is called in hrtimer callback itself, results in a CPU stall.  This is
no hypothetical problem but actually triggered by syzkaller fuzzer.

This patch tries to fix the issue again.  Now we call
hrtimer_try_to_cancel() at both start and stop functions so that it
won't fall into a deadlock, yet giving some chance to cancel the queue
if the functions have been called outside the callback.  The proper
hrtimer_cancel() is called in anyway at closing, so this should be

Reported-and-tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agocrypto: af_alg - Fix socket double-free when accept fails
Herbert Xu [Wed, 30 Dec 2015 12:24:17 +0000 (20:24 +0800)]
crypto: af_alg - Fix socket double-free when accept fails

commit a383292c86663bbc31ac62cc0c04fc77504636a6 upstream.

When we fail an accept(2) call we will end up freeing the socket
twice, once due to the direct sk_free call and once again through

This patch fixes this by removing the sk_free call.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Ben Hutchings <>
7 years agoprintk: help pr_debug and pr_devel to optimize out arguments
Aaron Conole [Sat, 16 Jan 2016 00:59:12 +0000 (16:59 -0800)]
printk: help pr_debug and pr_devel to optimize out arguments

commit fe22cd9b7c980b8b948ec85f034a8668c57ec867 upstream.

Currently, pr_debug and pr_devel will not elide function call arguments
appearing in calls to the no_printk for these macros.  This is because
all side effects must be honored before proceeding to the 0-value
assignment in no_printk.

The behavior is contrary to documentation found in the CodingStyle and
the header file where these functions are declared.

This patch corrects that behavior by shunting out the call to no_printk
completely.  The format string is still checked by gcc for correctness,
but no code seems to be emitted in common cases.

[ remove braces, per Joe]
Fixes: 5264f2f75d86 ("include/linux/printk.h: use and neaten no_printk")
Signed-off-by: Aaron Conole <>
Reported-by: Dmitry Vyukov <>
Cc: Joe Perches <>
Cc: Jason Baron <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agomemcg: only free spare array when readers are done
Martijn Coenen [Sat, 16 Jan 2016 00:57:49 +0000 (16:57 -0800)]
memcg: only free spare array when readers are done

commit 6611d8d76132f86faa501de9451a89bf23fb2371 upstream.

A spare array holding mem cgroup threshold events is kept around to make
sure we can always safely deregister an event and have an array to store
the new set of events in.

In the scenario where we're going from 1 to 0 registered events, the
pointer to the primary array containing 1 event is copied to the spare
slot, and then the spare slot is freed because no events are left.
However, it is freed before calling synchronize_rcu(), which means
readers may still be accessing threshold->primary after it is freed.

Fixed by only freeing after synchronize_rcu().

Signed-off-by: Martijn Coenen <>
Cc: Johannes Weiner <>
Acked-by: Michal Hocko <>
Cc: Vladimir Davydov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: timer: Harden slave timer list handling
Takashi Iwai [Thu, 14 Jan 2016 15:30:58 +0000 (16:30 +0100)]
ALSA: timer: Harden slave timer list handling

commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking.  Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too.  Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected

This patch tries to address these issues.  It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places.  For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links.  This is a noop, and calling it may confuse
readers wrt locking.  Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoocfs2/dlm: ignore cleaning the migration mle that is inuse
xuejiufei [Thu, 14 Jan 2016 23:17:38 +0000 (15:17 -0800)]
ocfs2/dlm: ignore cleaning the migration mle that is inuse

commit bef5502de074b6f6fa647b94b73155d675694420 upstream.

We have found that migration source will trigger a BUG that the refcount
of mle is already zero before put when the target is down during
migration.  The situation is as follows:

  <<<<<< Now the refcount of the mle is 2.
  dlm_send_one_lockres and wait for the target to become the
  new master.
  <<<<<< o2hb detect the target down and clean the migration
  mle. Now the refcount is 1.

dlm_migrate_lockres woken, and put the mle twice when found the target
goes down which trigger the BUG with the following message:

  "ERROR: bad mle: ".

Signed-off-by: Jiufei Xue <>
Reviewed-by: Joseph Qi <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Cc: Junxiao Bi <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agoscripts/bloat-o-meter: fix python3 syntax error
Sergey Senozhatsky [Thu, 14 Jan 2016 23:16:53 +0000 (15:16 -0800)]
scripts/bloat-o-meter: fix python3 syntax error

commit 72214a24a7677d4c7501eecc9517ed681b5f2db2 upstream.

In Python3+ print is a function so the old syntax is not correct

  $ ./scripts/bloat-o-meter vmlinux.o vmlinux.o.old
    File "./scripts/bloat-o-meter", line 61
      print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \
  SyntaxError: invalid syntax

Fix by calling print as a function.

Tested on python 2.7.11, 3.5.1

Signed-off-by: Sergey Senozhatsky <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agodma-debug: switch check from _text to _stext
Laura Abbott [Thu, 14 Jan 2016 23:16:50 +0000 (15:16 -0800)]
dma-debug: switch check from _text to _stext

commit ea535e418c01837d07b6c94e817540f50bfdadb0 upstream.

In include/asm-generic/sections.h:

   * Usage guidelines:
   * _text, _data: architecture specific, don't use them in
   * arch-independent code
   * [_stext, _etext]: contains .text.* sections, may also contain
   * .rodata.*
   *                   and/or .init.* sections

_text is not guaranteed across architectures.  Architectures such as ARM
may reuse parts which are not actually text and erroneously trigger a bug.
Switch to using _stext which is guaranteed to contain text sections.

Came out of<>

Signed-off-by: Laura Abbott <>
Reviewed-by: Kees Cook <>
Cc: Russell King <>
Cc: Arnd Bergmann <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agom32r: fix m32104ut_defconfig build fail
Sudip Mukherjee [Thu, 14 Jan 2016 23:16:47 +0000 (15:16 -0800)]
m32r: fix m32104ut_defconfig build fail

commit 601f1db653217f205ffa5fb33514b4e1711e56d1 upstream.

The build of m32104ut_defconfig for m32r arch was failing for long long
time with the error:

  ERROR: "memory_start" [fs/udf/udf.ko] undefined!
  ERROR: "memory_end" [fs/udf/udf.ko] undefined!
  ERROR: "memory_end" [drivers/scsi/sg.ko] undefined!
  ERROR: "memory_start" [drivers/scsi/sg.ko] undefined!
  ERROR: "memory_end" [drivers/i2c/i2c-dev.ko] undefined!
  ERROR: "memory_start" [drivers/i2c/i2c-dev.ko] undefined!

As done in other architectures export the symbols to fix the error.

Reported-by: Fengguang Wu <>
Signed-off-by: Sudip Mukherjee <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
7 years agocifs_dbg() outputs an uninitialized buffer in cifs_readdir()
Vasily Averin [Thu, 14 Jan 2016 10:41:14 +0000 (13:41 +0300)]
cifs_dbg() outputs an uninitialized buffer in cifs_readdir()

commit 01b9b0b28626db4a47d7f48744d70abca9914ef1 upstream.

In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized,
therefore its printk with "%s" modifier can leak content of kernelspace memory.
If old content of this buffer does not contain '\0' access bejond end of
allocated object can crash the host.

Signed-off-by: Vasily Averin <>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agocifs: fix race between call_async() and reconnect()
Rabin Vincent [Wed, 23 Dec 2015 06:32:41 +0000 (07:32 +0100)]
cifs: fix race between call_async() and reconnect()

commit 820962dc700598ffe8cd21b967e30e7520c34748 upstream.

cifs_call_async() queues the MID to the pending list and calls
smb_send_rqst().  If smb_send_rqst() performs a partial send, it sets
the tcpStatus to CifsNeedReconnect and returns an error code to
cifs_call_async().  In this case, cifs_call_async() removes the MID
from the list and returns to the caller.

However, cifs_call_async() releases the server mutex _before_ removing
the MID.  This means that a cifs_reconnect() can race with this function
and manage to remove the MID from the list and delete the entry before
cifs_call_async() calls cifs_delete_mid().  This leads to various
crashes due to the use after free in cifs_delete_mid().

Task1 Task2

 - rc = -EAGAIN
 - mutex_unlock(srv_mutex)

 - mutex_lock(srv_mutex)
 - mutex_unlock(srv_mutex)
 - list_delete(mid)
 - mid->callback()
  - mutex_lock(srv_mutex)
- delete(mid)
  - mutex_unlock(srv_mutex)

 - cifs_delete_mid(mid) <---- use after free

Fix this by removing the MID in cifs_call_async() before releasing the
srv_mutex.  Also hold the srv_mutex in cifs_reconnect() until the MIDs
are moved out of the pending list.

Signed-off-by: Rabin Vincent <>
Acked-by: Shirish Pargaonkar <>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
[bwh: Backported to 3.2:
 - In cifs_call_async() there are two error paths jumping to 'out_err';
   fix both of them
 - s/cifs_delete_mid/delete_mid/
 - Adjust context]
Signed-off-by: Ben Hutchings <>
7 years agocifs: Ratelimit kernel log messages
Jamie Bainbridge [Sat, 7 Nov 2015 12:13:49 +0000 (22:13 +1000)]
cifs: Ratelimit kernel log messages

commit ec7147a99e33a9e4abad6fc6e1b40d15df045d53 upstream.

Under some conditions, CIFS can repeatedly call the cifs_dbg() logging
wrapper. If done rapidly enough, the console framebuffer can softlockup
or "rcu_sched self-detected stall". Apply the built-in log ratelimiters
to prevent such hangs.

Signed-off-by: Jamie Bainbridge <>
Signed-off-by: Steve French <>
[bwh: Backported to 3.2:
 - cifs_dbg() and cifs_vfs_err() do not exist, but make similar changes
   to cifsfyi(), cifswarn() and cifserror()]
 - Include <linux/ratelimit.h> explicitly]
Signed-off-by: Ben Hutchings <>
7 years agosparc64: fix incorrect sign extension in sys_sparc64_personality
Dmitry V. Levin [Sat, 26 Dec 2015 23:13:27 +0000 (02:13 +0300)]
sparc64: fix incorrect sign extension in sys_sparc64_personality

commit 525fd5a94e1be0776fa652df5c687697db508c91 upstream.

The value returned by sys_personality has type "long int".
It is saved to a variable of type "int", which is not a problem
yet because the type of task_struct->pesonality is "unsigned int".
The problem is the sign extension from "int" to "long int"
that happens on return from sys_sparc64_personality.

For example, a userspace call personality((unsigned) -EINVAL) will
result to any subsequent personality call, including absolutely
harmless read-only personality(0xffffffff) call, failing with
errno set to EINVAL.

Signed-off-by: Dmitry V. Levin <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: timer: Fix race among timer ioctls
Takashi Iwai [Wed, 13 Jan 2016 16:48:01 +0000 (17:48 +0100)]
ALSA: timer: Fix race among timer ioctls

commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.

ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object.  A simplistic fix is to make
each ioctl exclusive.  We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency.  But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: timer: Fix double unlink of active_list
Takashi Iwai [Wed, 13 Jan 2016 20:35:06 +0000 (21:35 +0100)]
ALSA: timer: Fix double unlink of active_list

commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream.

ALSA timer instance object has a couple of linked lists and they are
unlinked unconditionally at snd_timer_stop().  Meanwhile
snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
the element list itself unchanged.  This ends up with unlinking twice,
and it was caught by syzkaller fuzzer.

The fix is to use list_del_init() variant properly there, too.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agox86/mm: Improve switch_mm() barrier comments
Andy Lutomirski [Tue, 12 Jan 2016 20:47:40 +0000 (12:47 -0800)]
x86/mm: Improve switch_mm() barrier comments

commit 4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b upstream.

My previous comments were still a bit confusing and there was a
typo. Fix it up.

Reported-by: Peter Zijlstra <>
Signed-off-by: Andy Lutomirski <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Dave Hansen <>
Cc: Denys Vlasenko <>
Cc: H. Peter Anvin <>
Cc: Linus Torvalds <>
Cc: Rik van Riel <>
Cc: Thomas Gleixner <>
Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization")
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
7 years agoparisc: Fix __ARCH_SI_PREAMBLE_SIZE
Helge Deller [Sun, 10 Jan 2016 08:30:42 +0000 (09:30 +0100)]

commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream.

On a 64bit kernel build the compiler aligns the _sifields union in the
struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
compensates for this alignment and thus fixes the wait testcase of the
strace package.

The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that
_sigchld.si_stime variable is missed to be copied and thus after a
copy_siginfo() will have uninitialized values.

Signed-off-by: Helge Deller <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agoALSA: seq: Fix race at timer setup and close
Takashi Iwai [Tue, 12 Jan 2016 14:36:27 +0000 (15:36 +0100)]
ALSA: seq: Fix race at timer setup and close

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: seq: Fix missing NULL check at remove_events ioctl
Takashi Iwai [Tue, 12 Jan 2016 11:38:02 +0000 (12:38 +0100)]
ALSA: seq: Fix missing NULL check at remove_events ioctl

commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream.

snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference.  The fix is just to add a proper NULL

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agox86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
Mario Kleiner [Fri, 18 Dec 2015 19:24:06 +0000 (20:24 +0100)]
x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]

commit 2f0c0b2d96b1205efb14347009748d786c2d9ba5 upstream.

Without the reboot=pci method, the iMac 10,1 simply
hangs after printing "Restarting system" at the point
when it should reboot. This fixes it.

Signed-off-by: Mario Kleiner <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Dave Jones <>
Cc: Denys Vlasenko <>
Cc: H. Peter Anvin <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agox86/boot: Double BOOT_HEAP_SIZE to 64KB
H.J. Lu [Mon, 4 Jan 2016 18:17:09 +0000 (10:17 -0800)]
x86/boot: Double BOOT_HEAP_SIZE to 64KB

commit 8c31902cffc4d716450be549c66a67a8a3dd479c upstream.

When decompressing kernel image during x86 bootup, malloc memory
for ELF program headers may run out of heap space, which leads
to system halt.  This patch doubles BOOT_HEAP_SIZE to 64KB.

Tested with 32-bit kernel which failed to boot without this patch.

Signed-off-by: H.J. Lu <>
Acked-by: H. Peter Anvin <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Denys Vlasenko <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
7 years agox86/mm: Add barriers and document switch_mm()-vs-flush synchronization
Andy Lutomirski [Wed, 6 Jan 2016 20:21:01 +0000 (12:21 -0800)]
x86/mm: Add barriers and document switch_mm()-vs-flush synchronization

commit 71b3c126e61177eb693423f2e18a1914205b165e upstream.

When switch_mm() activates a new PGD, it also sets a bit that
tells other CPUs that the PGD is in use so that TLB flush IPIs
will be sent.  In order for that to work correctly, the bit
needs to be visible prior to loading the PGD and therefore
starting to fill the local TLB.

Document all the barriers that make this work correctly and add
a couple that were missing.

Signed-off-by: Andy Lutomirski <>
Cc: Andrew Morton <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Dave Hansen <>
Cc: Denys Vlasenko <>
Cc: H. Peter Anvin <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Rik van Riel <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2:
 - There's no flush_tlb_mm_range(), only flush_tlb_mm() which does not use
 - Adjust context]
Signed-off-by: Ben Hutchings <>
7 years agoipv6: tcp: add rcu locking in tcp_v6_send_synack()
Eric Dumazet [Fri, 8 Jan 2016 17:35:51 +0000 (09:35 -0800)]
ipv6: tcp: add rcu locking in tcp_v6_send_synack()

commit 3e4006f0b86a5ae5eb0e8215f9a9e1db24506977 upstream.

When first SYNACK is sent, we already hold rcu_read_lock(), but this
is not true if a SYNACK is retransmitted, as a timer (soft) interrupt
does not hold rcu_read_lock()

Fixes: 45f6fad84cc30 ("ipv6: add complete rcu protection around np->opt")
Reported-by: Dave Jones <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agouml: flush stdout before forking
Vegard Nossum [Fri, 18 Dec 2015 20:28:53 +0000 (21:28 +0100)]
uml: flush stdout before forking

commit 0754fb298f2f2719f0393491d010d46cfb25d043 upstream.

I was seeing some really weird behaviour where piping UML's output
somewhere would cause output to get duplicated:

  $ ./vmlinux | head -n 40
  Checking that ptrace can change system call numbers...Core dump limits :
          soft - 0
          hard - NONE
  Checking syscall emulation patch for ptrace...Core dump limits :
          soft - 0
          hard - NONE
  Checking advanced syscall emulation patch for ptrace...Core dump limits :
          soft - 0
          hard - NONE
  Core dump limits :
          soft - 0
          hard - NONE

This is because these tests do a fork() which duplicates the non-empty
stdout buffer, then glibc flushes the duplicated buffer as each child

A simple workaround is to flush before forking.

Signed-off-by: Vegard Nossum <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
7 years agouml: fix hostfs mknod()
Vegard Nossum [Wed, 16 Dec 2015 20:59:56 +0000 (21:59 +0100)]
uml: fix hostfs mknod()

commit 9f2dfda2f2f1c6181c3732c16b85c59ab2d195e0 upstream.

An inverted return value check in hostfs_mknod() caused the function
to return success after handling it as an error (and cleaning up).

It resulted in the following segfault when trying to bind() a named
unix socket:

  Pid: 198, comm: a.out Not tainted 4.4.0-rc4
  RIP: 0033:[<0000000061077df6>]
  RSP: 00000000daae5d60  EFLAGS: 00010202
  RAX: 0000000000000000 RBX: 000000006092a460 RCX: 00000000dfc54208
  RDX: 0000000061073ef1 RSI: 0000000000000070 RDI: 00000000e027d600
  RBP: 00000000daae5de0 R08: 00000000da980ac0 R09: 0000000000000000
  R10: 0000000000000003 R11: 00007fb1ae08f72a R12: 0000000000000000
  R13: 000000006092a460 R14: 00000000daaa97c0 R15: 00000000daaa9a88
  Kernel panic - not syncing: Kernel mode fault at addr 0x40, ip 0x61077df6
  CPU: 0 PID: 198 Comm: a.out Not tainted 4.4.0-rc4 #1
   e027d620 dfc54208 0000006f da981398
   61bee000 0000c1ed daae5de0 0000006e
   e027d620 dfcd4208 00000005 6092a460
  Call Trace:
   [<60dedc67>] SyS_bind+0xf7/0x110
   [<600587be>] handle_syscall+0x7e/0x80
   [<60066ad7>] userspace+0x3e7/0x4e0
   [<6006321f>] ? save_registers+0x1f/0x40
   [<6006c88e>] ? arch_prctl+0x1be/0x1f0
   [<60054985>] fork_handler+0x85/0x90

Let's also get rid of the "cosmic ray protection" while we're at it.

Fixes: e9193059b1b3 "hostfs: fix races in dentry_name() and inode_name()"
Signed-off-by: Vegard Nossum <>
Cc: Jeff Dike <>
Cc: Al Viro <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
7 years agodm snapshot: fix hung bios when copy error occurs
Mikulas Patocka [Sat, 9 Jan 2016 00:07:55 +0000 (19:07 -0500)]
dm snapshot: fix hung bios when copy error occurs

commit 385277bfb57faac44e92497104ba542cdd82d5fe upstream.

When there is an error copying a chunk dm-snapshot can incorrectly hold
associated bios indefinitely, resulting in hung IO.

The function copy_callback sets pe->error if there was error copying the
chunk, and then calls complete_exception.  complete_exception calls
pending_complete on error, otherwise it calls commit_exception with
commit_callback (and commit_callback calls complete_exception).

The persistent exception store (dm-snap-persistent.c) assumes that calls
to prepare_exception and commit_exception are paired.
persistent_prepare_exception increases ps->pending_count and
persistent_commit_exception decreases it.

If there is a copy error, persistent_prepare_exception is called but
persistent_commit_exception is not.  This results in the variable
ps->pending_count never returning to zero and that causes some pending
exceptions (and their associated bios) to be held forever.

Fix this by unconditionally calling commit_exception regardless of
whether the copy was successful.  A new "valid" parameter is added to
commit_exception -- when the copy fails this parameter is set to zero so
that the chunk that failed to copy (and all following chunks) is not
recorded in the snapshot store.  Also, remove commit_callback now that
it is merely a wrapper around pending_complete.

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Mike Snitzer <>
Signed-off-by: Ben Hutchings <>
7 years agolocks: fix unlock when fcntl_setlk races with a close
Jeff Layton [Thu, 7 Jan 2016 21:38:10 +0000 (16:38 -0500)]
locks: fix unlock when fcntl_setlk races with a close

commit 7f3697e24dc3820b10f445a4a7d914fc356012d1 upstream.

Dmitry reported that he was able to reproduce the WARN_ON_ONCE that
fires in locks_free_lock_context when the flc_posix list isn't empty.

The problem turns out to be that we're basically rebuilding the
file_lock from scratch in fcntl_setlk when we discover that the setlk
has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END,
then we may end up with fl_start and fl_end values that differ from
when the lock was initially set, if the file position or length of the
file has changed in the interim.

Fix this by just reusing the same lock request structure, and simply
override fl_type value with F_UNLCK as appropriate. That ensures that
we really are unlocking the lock that was initially set.

While we're there, make sure that we do pop a WARN_ON_ONCE if the
removal ever fails. Also return -EBADF in this event, since that's
what we would have returned if the close had happened earlier.

Cc: Alexander Viro <>
Fixes: c293621bbf67 (stale POSIX lock handling)
Reported-by: Dmitry Vyukov <>
Signed-off-by: Jeff Layton <>
Acked-by: "J. Bruce Fields" <>
[bwh: Backported to 3.2: s/i_flctx->flc_posix/inode->i_flock/ in comments]
Signed-off-by: Ben Hutchings <>
7 years agopower: test_power: correctly handle empty writes
Sasha Levin [Tue, 22 Dec 2015 17:43:36 +0000 (12:43 -0500)]
power: test_power: correctly handle empty writes

commit 6b9140f39c2aaf76791197fbab0839c0e4af56e8 upstream.

Writing 0 length data into test_power makes it access an invalid array
location and kill the system.

Fixes: f17ef9b2d ("power: Make test_power driver more dynamic.")
Signed-off-by: Sasha Levin <>
Signed-off-by: Sebastian Reichel <>
Signed-off-by: Ben Hutchings <>
7 years agoudf: Check output buffer length when converting name to CS0
Andrew Gabbasov [Thu, 24 Dec 2015 16:25:33 +0000 (10:25 -0600)]
udf: Check output buffer length when converting name to CS0

commit bb00c898ad1ce40c4bb422a8207ae562e9aea7ae upstream.

If a name contains at least some characters with Unicode values
exceeding single byte, the CS0 output should have 2 bytes per character.
And if other input characters have single byte Unicode values, then
the single input byte is converted to 2 output bytes, and the length
of output becomes larger than the length of input. And if the input
name is long enough, the output length may exceed the allocated buffer

All this means that conversion from UTF8 or NLS to CS0 requires
checking of output length in order to stop when it exceeds the given
output buffer size.

[JK: Make code return -ENAMETOOLONG instead of silently truncating the

Signed-off-by: Andrew Gabbasov <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
7 years agoudf: Prevent buffer overrun with multi-byte characters
Andrew Gabbasov [Thu, 24 Dec 2015 16:25:32 +0000 (10:25 -0600)]
udf: Prevent buffer overrun with multi-byte characters

commit ad402b265ecf6fa22d04043b41444cdfcdf4f52d upstream.

udf_CS0toUTF8 function stops the conversion when the output buffer
length reaches UDF_NAME_LEN-2, which is correct maximum name length,
but, when checking, it leaves the space for a single byte only,
while multi-bytes output characters can take more space, causing
buffer overflow.

Similar error exists in udf_CS0toNLS function, that restricts
the output length to UDF_NAME_LEN, while actual maximum allowed
length is UDF_NAME_LEN-2.

In these cases the output can override not only the current buffer
length field, causing corruption of the name buffer itself, but also
following allocation structures, causing kernel crash.

Adjust the output length checks in both functions to prevent buffer
overruns in case of multi-bytes UTF8 or NLS characters.

Signed-off-by: Andrew Gabbasov <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
7 years agox86/xen: don't reset vcpu_info on a cancelled suspend
Ouyang Zhaowei (Charles) [Wed, 6 May 2015 01:47:04 +0000 (09:47 +0800)]
x86/xen: don't reset vcpu_info on a cancelled suspend

commit 6a1f513776b78c994045287073e55bae44ed9f8c upstream.

On a cancelled suspend the vcpu_info location does not change (it's
still in the per-cpu area registered by xen_vcpu_setup()).  So do not
call xen_hvm_init_shared_info() which would make the kernel think its
back in the shared info.  With the wrong vcpu_info, events cannot be
received and the domain will hang after a cancelled suspend.

Signed-off-by: Charles Ouyang <>
Reviewed-by: Boris Ostrovsky <>
Signed-off-by: David Vrabel <>
Signed-off-by: Ben Hutchings <>
7 years agoInput: i8042 - add Fujitsu Lifebook U745 to the nomux list
Aurélien Francillon [Sun, 3 Jan 2016 04:39:54 +0000 (20:39 -0800)]
Input: i8042 - add Fujitsu Lifebook U745 to the nomux list

commit dd0d0d4de582a6a61c032332c91f4f4cb2bab569 upstream.

Without i8042.nomux=1 the Elantech touch pad is not working at all on
a Fujitsu Lifebook U745. This patch does not seem necessary for all
U745 (maybe because of different BIOS versions?). However, it was
verified that the patch does not break those (see opensuse bug 883192:

Signed-off-by: Aurélien Francillon <>
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Ben Hutchings <>
7 years agoNFS: Fix attribute cache revalidation
Trond Myklebust [Tue, 29 Dec 2015 23:55:19 +0000 (18:55 -0500)]
NFS: Fix attribute cache revalidation

commit ade14a7df796d4e86bd9d181193c883a57b13db0 upstream.

If a NFSv4 client uses the cache_consistency_bitmask in order to
request only information about the change attribute, timestamps and
size, then it has not revalidated all attributes, and hence the
attribute timeout timestamp should not be updated.

Reported-by: Donald Buczek <>
Signed-off-by: Trond Myklebust <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agortlwifi: rtl8192cu: Add missing parameter setup
Larry Finger [Mon, 14 Dec 2015 22:34:38 +0000 (16:34 -0600)]
rtlwifi: rtl8192cu: Add missing parameter setup

commit b68d0ae7e58624c33f2eddab471fee55db27dbf9 upstream.

This driver fails to copy the module parameter for software encryption
to the locations used by the main code.

Signed-off-by: Larry Finger <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
7 years agortlwifi: rtl8192ce: Fix handling of module parameters
Larry Finger [Mon, 14 Dec 2015 22:34:37 +0000 (16:34 -0600)]
rtlwifi: rtl8192ce: Fix handling of module parameters

commit b24f19f16b9e43f54218c07609b783ea8625406a upstream.

The module parameter for software encryption was never transferred to
the location used by the driver.

Signed-off-by: Larry Finger <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agortlwifi: rtl8192se: Fix module parameter initialization
Larry Finger [Mon, 14 Dec 2015 22:34:36 +0000 (16:34 -0600)]
rtlwifi: rtl8192se: Fix module parameter initialization

commit 7503efbd82c15c4070adffff1344e5169d3634b4 upstream.

Two of the module parameter descriptions show incorrect default values.
In addition the value for software encryption is not transferred to
the locations used by the driver.

Signed-off-by: Larry Finger <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agortlwifi: rtl8192de: Fix incorrect module parameter descriptions
Larry Finger [Mon, 14 Dec 2015 22:34:35 +0000 (16:34 -0600)]
rtlwifi: rtl8192de: Fix incorrect module parameter descriptions

commit d4d60b4caaa5926e1b243070770968f05656107a upstream.

Two of the module parameters are listed with incorrect default values.

Signed-off-by: Larry Finger <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agox86/LDT: Print the real LDT base address
Jan Beulich [Tue, 22 Dec 2015 15:42:44 +0000 (08:42 -0700)]
x86/LDT: Print the real LDT base address

commit 0d430e3fb3f7cdc13c0d22078b820f682821b45a upstream.

This was meant to print base address and entry count; make it do so

Fixes: 37868fe113ff "x86/ldt: Make modify_ldt synchronous"
Signed-off-by: Jan Beulich <>
Acked-by: Andy Lutomirski <>
Signed-off-by: Thomas Gleixner <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agoposix-clock: Fix return code on the poll method's error path
Richard Cochran [Tue, 22 Dec 2015 21:19:58 +0000 (22:19 +0100)]
posix-clock: Fix return code on the poll method's error path

commit 1b9f23727abb92c5e58f139e7d180befcaa06fe0 upstream.

The posix_clock_poll function is supposed to return a bit mask of
POLLxxx values.  However, in case the hardware has disappeared (due to
hot plugging for example) this code returns -ENODEV in a futile
attempt to throw an error at the file descriptor level.  The kernel's
file_operations interface does not accept such error codes from the
poll method.  Instead, this function aught to return POLLERR.

The value -ENODEV does, in fact, contain the POLLERR bit (and almost
all the other POLLxxx bits as well), but only by chance.  This patch
fixes code to return a proper bit mask.

Credit goes to Markus Elfring for pointing out the suspicious
signed/unsigned mismatch.

Reported-by: Markus Elfring <>
igned-off-by: Richard Cochran <>
Cc: John Stultz <>
Cc: Julia Lawall <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Ben Hutchings <>
7 years agoUSB: cp210x: add ID for ELV Marble Sound Board 1
Oliver Freyermuth [Mon, 28 Dec 2015 17:37:38 +0000 (18:37 +0100)]
USB: cp210x: add ID for ELV Marble Sound Board 1

commit f7d7f59ab124748156ea551edf789994f05da342 upstream.

Add the USB device ID for ELV Marble Sound Board 1.

Signed-off-by: Oliver Freyermuth <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Ben Hutchings <>
7 years agoudf: limit the maximum number of indirect extents in a row
Vegard Nossum [Fri, 11 Dec 2015 14:54:16 +0000 (15:54 +0100)]
udf: limit the maximum number of indirect extents in a row

commit b0918d9f476a8434b055e362b83fa4fd1d462c3f upstream.

udf_next_aext() just follows extent pointers while extents are marked as
indirect. This can loop forever for corrupted filesystem. Limit number
the of indirect extents we are willing to follow in a row.

[JK: Updated changelog, limit, style]

Signed-off-by: Vegard Nossum <>
Cc: Jan Kara <>
Cc: Quentin Casasnovas <>
Cc: Andrew Morton <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
7 years agodrm/radeon: clean up fujitsu quirks
Alex Deucher [Thu, 17 Dec 2015 17:52:17 +0000 (12:52 -0500)]
drm/radeon: clean up fujitsu quirks

commit 0eb1c3d4084eeb6fb3a703f88d6ce1521f8fcdd1 upstream.

Combine the two quirks.


Signed-off-by: Alex Deucher <>
Signed-off-by: Ben Hutchings <>
7 years agoALSA: fm801: propagate TUNER_ONLY bit when autodetected
Andy Shevchenko [Mon, 21 Dec 2015 17:09:52 +0000 (19:09 +0200)]
ALSA: fm801: propagate TUNER_ONLY bit when autodetected

commit dbec6719ac036f68568d8488805d41346c021eff upstream.

The commit d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection)
brings autodetection to the driver. However the autodetection algorithm misses
the TUNER_ONLY bit if it is supplied by the user.

Thus, user gets weird messages and no card registered.

 snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR
 snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
 snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
 snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET
 snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
 snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
 snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer.
 snd_fm801: probe of 0000:0d:01.0 failed with error -5

Do a copy of TUNER_ONLY bit to be applied after autodetection is done.

Fixes: d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection)
Signed-off-by: Andy Shevchenko <>
Cc: Ondrej Zary <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
7 years agofutex: Drop refcount if requeue_pi() acquired the rtmutex
Thomas Gleixner [Sat, 19 Dec 2015 20:07:38 +0000 (20:07 +0000)]
futex: Drop refcount if requeue_pi() acquired the rtmutex

commit fb75a4282d0d9a3c7c44d940582c2d226cf3acfb upstream.

If the proxy lock in the requeue loop acquires the rtmutex for a
waiter then it acquired also refcount on the pi_state related to the
futex, but the waiter side does not drop the reference count.

Add the missing free_pi_state() call.

Signed-off-by: Thomas Gleixner <>
Cc: Peter Zijlstra <>
Cc: Darren Hart <>
Cc: Davidlohr Bueso <>
Cc: Andy Lowe <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Ben Hutchings <>
7 years agoasix: silence log message from oversize packet
stephen hemminger [Fri, 18 Dec 2015 01:51:16 +0000 (17:51 -0800)]
asix: silence log message from oversize packet

commit b70183db83552cf63cac51406aaf76a2cf5fca73 upstream.

Since it is possible for an external system to send oversize packets
at anytime, it is best for driver not to print a message and spam
the log (potential external DoS).


Signed-off-by: Stephen Hemminger <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
7 years agopowerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
Boqun Feng [Mon, 2 Nov 2015 01:30:32 +0000 (09:30 +0800)]
powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered

commit 81d7a3294de7e9828310bbf986a67246b13fa01e upstream.

According to memory-barriers.txt, xchg*, cmpxchg* and their atomic_
versions all need to be fully ordered, however they are now just
RELEASE+ACQUIRE, which are not fully ordered.

__{cmp,}xchg_{u32,u64} respectively to guarantee fully ordered semantics
of atomic{,64}_{cmp,}xchg() and {cmp,}xchg(), as a complement of commit
b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics")

This patch depends on patch "powerpc: Make value-returning atomics fully
ordered" for PPC_ATOMIC_ENTRY_BARRIER definition.

Signed-off-by: Boqun Feng <>
Reviewed-by: Paul E. McKenney <>
Acked-by: Peter Zijlstra (Intel) <>
Signed-off-by: Michael Ellerman <>
[bwh: backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agopowerpc: Make value-returning atomics fully ordered
Boqun Feng [Mon, 2 Nov 2015 01:30:31 +0000 (09:30 +0800)]
powerpc: Make value-returning atomics fully ordered

commit 49e9cf3f0c04bf76ffa59242254110309554861d upstream.

According to memory-barriers.txt:

> Any atomic operation that modifies some state in memory and returns
> information about the state (old or new) implies an SMP-conditional
> general memory barrier (smp_mb()) on each side of the actual
> operation ...

Which mean these operations should be fully ordered. However on PPC,
PPC_ATOMIC_ENTRY_BARRIER is the barrier before the actual operation,
which is currently "lwsync" if SMP=y. The leading "lwsync" can not
guarantee fully ordered atomics, according to Paul Mckenney:

To fix this, we define PPC_ATOMIC_ENTRY_BARRIER as "sync" to guarantee
the fully-ordered semantics.

This also makes futex atomics fully ordered, which can avoid possible
memory ordering problems if userspace code relies on futex system call
for fully ordered semantics.

Fixes: b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics")
Signed-off-by: Boqun Feng <>
Reviewed-by: Paul E. McKenney <>
Acked-by: Peter Zijlstra (Intel) <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Ben Hutchings <>
7 years agoEDAC: Robustify workqueues destruction
Borislav Petkov [Fri, 27 Nov 2015 09:38:38 +0000 (10:38 +0100)]
EDAC: Robustify workqueues destruction

commit fcd5c4dd8201595d4c598c9cca5e54760277d687 upstream.

EDAC workqueue destruction is really fragile. We cancel delayed work
but if it is still running and requeues itself, we still go ahead and
destroy the workqueue and the queued work explodes when workqueue core
attempts to run it.

Make the destruction more robust by switching op_state to offline so
that requeuing stops. Cancel any pending work *synchronously* too.

  EDAC i7core: Driver loaded.
  general protection fault: 0000 [#1] SMP
  CPU 12
  Modules linked in:
  Supported: Yes
  Pid: 0, comm: kworker/0:1 Tainted: G          IE   3.0.101-0-default #1 HP ProLiant DL380 G7
  RIP: 0010:[<ffffffff8107dcd7>]  [<ffffffff8107dcd7>] __queue_work+0x17/0x3f0
  < ... regs ...>
  Process kworker/0:1 (pid: 0, threadinfo ffff88019def6000, task ffff88019def4600)
  Call Trace:
  Code: ...
  RIP  __queue_work
   RSP <...>

Signed-off-by: Borislav Petkov <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agowlcore/wl12xx: spi: fix oops on firmware load
Uri Mashiach [Thu, 10 Dec 2015 13:12:56 +0000 (15:12 +0200)]
wlcore/wl12xx: spi: fix oops on firmware load

commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream.

The maximum chunks used by the function is
The original commands array had space for
When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
command is stored outside the bounds of the commands array.

Oops 5 (page fault) is generated during current wl1271 firmware load

root@debian-armhf:~# ifconfig wlan0 up
[  294.312399] Unable to handle kernel paging request at virtual address
[  294.320173] pgd = de528000
[  294.323028] [00203fc4] *pgd=00000000
[  294.326916] Internal error: Oops: 5 [#1] SMP ARM
[  294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
[  294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
4.2.0-00002-g3e9ad27-dirty #78
[  294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
[  294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
[  294.372236] PC is at __spi_validate+0xa8/0x2ac
[  294.376902] LR is at __spi_sync+0x78/0x210
[  294.381200] pc : [<c049c760>]    lr : [<c049ebe0>]    psr: 60000013
[  294.381200] sp : de551998  ip : de5519d8  fp : 00200000
[  294.393242] r10: de551c8c  r9 : de5519d8  r8 : de3a9000
[  294.398730] r7 : de3a9258  r6 : de3a9400  r5 : de551a48  r4 :
[  294.405577] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 :
[  294.412420] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM
Segment user
[  294.419918] Control: 10c5387d  Table: 9e528019  DAC: 00000015
[  294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
[  294.432437] Stack: (0xde551998 to 0xde552000)


[  294.883613] [<c049c760>] (__spi_validate) from [<c049ebe0>]
[  294.891670] [<c049ebe0>] (__spi_sync) from [<bf036598>]
(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
[  294.901661] [<bf036598>] (wl12xx_spi_raw_write [wlcore_spi]) from
[<bf21c694>] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
[  294.914038] [<bf21c694>] (wlcore_boot_upload_firmware [wlcore]) from
[<bf24532c>] (wl12xx_boot+0xc10/0xfac [wl12xx])
[  294.925161] [<bf24532c>] (wl12xx_boot [wl12xx]) from [<bf20d5cc>]
(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
[  294.936364] [<bf20d5cc>] (wl1271_op_add_interface [wlcore]) from
[<bf15c4ac>] (ieee80211_do_open+0x44c/0xf7c [mac80211])
[  294.947963] [<bf15c4ac>] (ieee80211_do_open [mac80211]) from
[<c0537978>] (__dev_open+0xa8/0x110)
[  294.957307] [<c0537978>] (__dev_open) from [<c0537bf8>]
[  294.965713] [<c0537bf8>] (__dev_change_flags) from [<c0537cd0>]
[  294.974576] [<c0537cd0>] (dev_change_flags) from [<c05a55a0>]
[  294.983191] [<c05a55a0>] (devinet_ioctl) from [<c0517040>]
[  294.991244] [<c0517040>] (sock_ioctl) from [<c017d378>]
[  294.999208] [<c017d378>] (do_vfs_ioctl) from [<c017d674>]
[  295.006880] [<c017d674>] (SyS_ioctl) from [<c000f4c0>]
[  295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
[  295.021544] ---[ end trace 66ed188198f4e24e ]---

Signed-off-by: Uri Mashiach <>
Acked-by: Igor Grinberg <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
7 years agowlcore: SPI - fix spi transfer_list [Wed, 7 Nov 2012 13:42:19 +0000 (15:42 +0200)]
wlcore: SPI - fix spi transfer_list

commit 4eeac22c159f053ea34527e4fea359ab10b4b5a5 upstream.

In corner case for wl12xx_spi_raw_write() when
we don't setup correctly spi transfer_list.
Next we will have garbage and strange errors
reported by SPI framework (eg. wrong speed_hz,
failed to transfer one message from queue)
when iterate transfer_list.

Signed-off-by: Janusz Dziedzic <>
Signed-off-by: Luciano Coelho <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
7 years agortlwifi: fix memory leak for USB device
Peter Wu [Mon, 7 Dec 2015 00:07:31 +0000 (01:07 +0100)]
rtlwifi: fix memory leak for USB device

commit 17bc55864f81dd730d05f09b1641312a7990d636 upstream.

Free skb for received frames with a wrong checksum. This can happen
pretty rapidly, exhausting all memory.

This fixes a memleak (detected with kmemleak). Originally found while
using monitor mode, but it also appears during managed mode (once the
link is up).

Signed-off-by: Peter Wu <>
ACKed-by: Larry Finger <>
Signed-off-by: Kalle Valo <>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <>
7 years agoxhci: refuse loading if nousb is used
Oliver Neukum [Thu, 3 Dec 2015 14:03:34 +0000 (15:03 +0100)]
xhci: refuse loading if nousb is used

commit 1eaf35e4dd592c59041bc1ed3248c46326da1f5f upstream.

The module should fail to load.

Signed-off-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: xhci_hcd_init() registers the PCI driver, so
 check before doing that rather than at the end of the function]
Signed-off-by: Ben Hutchings <>
7 years agodrm/radeon: call hpd_irq_event on resume
Alex Deucher [Tue, 24 Nov 2015 19:32:44 +0000 (14:32 -0500)]
drm/radeon: call hpd_irq_event on resume

commit dbb17a21c131eca94eb31136eee9a7fe5aff00d9 upstream.

Need to call this on resume if displays changes during
suspend in order to properly be notified of changes.

Signed-off-by: Alex Deucher <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agomtd: nand: fix ONFI parameter page layout
Boris BREZILLON [Mon, 23 Nov 2015 10:23:07 +0000 (11:23 +0100)]
mtd: nand: fix ONFI parameter page layout

commit de64aa9ec129ba627634088f662a4d09e356ddb6 upstream.

src_ssync_features field is only 1 byte large, and the 4th reserved area
is actually 8 bytes large.

Fixes: d1e1f4e42b5 ("mtd: nand: add support for reading ONFI parameters from NAND device")
Signed-off-by: Boris Brezillon <>
Signed-off-by: Brian Norris <>
Signed-off-by: Ben Hutchings <>
7 years agoath9k_htc: check for underflow in ath9k_htc_rx_msg()
Dan Carpenter [Fri, 6 Nov 2015 10:01:20 +0000 (13:01 +0300)]
ath9k_htc: check for underflow in ath9k_htc_rx_msg()

commit 3a318426e09a9c9266fe6440842e11238f640a20 upstream.

We check for overflow here, but we don't check for underflow so it
causes a static checker warning.

Fixes: fb9987d0f748 ('ath9k_htc: Support for AR9271 chipset.')
Signed-off-by: Dan Carpenter <>
Signed-off-by: Kalle Valo <>
Signed-off-by: Ben Hutchings <>
7 years agoKVM: x86: correctly print #AC in traces
Paolo Bonzini [Thu, 12 Nov 2015 15:42:18 +0000 (16:42 +0100)]
KVM: x86: correctly print #AC in traces

commit aba2f06c070f604e388cf77b1dcc7f4cf4577eb0 upstream.

Poor #AC was so unimportant until a few days ago that we were
not even tracing its name correctly.  But now it's all over
the place.

Signed-off-by: Paolo Bonzini <>
Signed-off-by: Ben Hutchings <>
7 years agoKVM: x86: expose MSR_TSC_AUX to userspace
Paolo Bonzini [Thu, 12 Nov 2015 13:49:17 +0000 (14:49 +0100)]
KVM: x86: expose MSR_TSC_AUX to userspace

commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream.

If we do not do this, it is not properly saved and restored across
migration.  Windows notices due to its self-protection mechanisms,
and is very upset about it (blue screen of death).

Cc: Radim Krcmar <>
Signed-off-by: Paolo Bonzini <>
[bwh: Backported to 3.2:
 - We didn't yet have the switch() in kvm_init_msr_list as MPX is not
   supported at all
 - Adjust context]
Signed-off-by: Ben Hutchings <>
7 years agoSCSI: initio: remove duplicate module device table
Arnd Bergmann [Thu, 19 Nov 2015 14:33:41 +0000 (15:33 +0100)]
SCSI: initio: remove duplicate module device table

commit d282e2b383e3f41a7758e8cbf3076091ef9d9447 upstream.

The initio driver has for many years had two copies of the
same module device table. One of them is also used for registering
the other driver, the other one is entirely useless after the
large scale cleanup that Alan Cox did back in 2007.

The compiler warns about this whenever the driver is built-in:

drivers/scsi/initio.c:131:29: warning: 'i91u_pci_devices' defined but not used [-Wunused-variable]

This removes the extraneous table and the warning.

Signed-off-by: Arnd Bergmann <>
Fixes: 72d39fea901 ("[SCSI] initio: Convert into a real Linux driver and update to modern style")
Reviewed-by: Christoph Hellwig <>
Signed-off-by: Martin K. Petersen <>
Signed-off-by: Ben Hutchings <>
7 years agorc: allow rc modules to be loaded if rc-main is not a module
Russell King [Thu, 15 Oct 2015 16:15:24 +0000 (13:15 -0300)]
rc: allow rc modules to be loaded if rc-main is not a module

commit 2ff56fadd94cdaeeaeccbc0a9b703a0101ada128 upstream.

rc-main mistakenly uses #ifdef MODULE to determine whether it should
load the rc keymap modules.  This symbol is only defined if rc-main
is being built as a module itself, and bears no relation to whether
the rc keymaps are modules.

Fix this to use CONFIG_MODULES instead.

Fixes: 631493ecacd8 ("[media] rc-core: merge rc-map.c into rc-main.c")

Signed-off-by: Russell King <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Ben Hutchings <>
7 years agomedia: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
Malcolm Priestley [Mon, 31 Aug 2015 09:13:45 +0000 (06:13 -0300)]
media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode

commit c9d57de6103e343f2d4e04ea8d9e417e10a24da7 upstream.

When in FE_TUNE_MODE_ONESHOT the frontend must report
the actual capabilities so user can take appropriate

With frontends that can't do auto inversion this is done
by dvb-core automatically so CAN_INVERSION_AUTO is valid.

However, when in FE_TUNE_MODE_ONESHOT this is not true.

So only set FE_CAN_INVERSION_AUTO in modes other than

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
7 years agogspca: ov534/topro: prevent a division by 0
Antonio Ospite [Fri, 2 Oct 2015 20:33:13 +0000 (17:33 -0300)]
gspca: ov534/topro: prevent a division by 0

commit dcc7fdbec53a960588f2c40232db2c6466c09917 upstream.

v4l2-compliance sends a zeroed struct v4l2_streamparm in
v4l2-test-formats.cpp::testParmType(), and this results in a division by
0 in some gspca subdrivers:

  divide error: 0000 [#1] SMP
  Modules linked in: gspca_ov534 gspca_main ...
  CPU: 0 PID: 17201 Comm: v4l2-compliance Not tainted 4.3.0-rc2-ao2 #1
  Hardware name: System manufacturer System Product Name/M2N-E SLI, BIOS
    ASUS M2N-E SLI ACPI BIOS Revision 1301 09/16/2010
  task: ffff8800818306c0 ti: ffff880095c4c000 task.ti: ffff880095c4c000
  RIP: 0010:[<ffffffffa079bd62>]  [<ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
  RSP: 0018:ffff880095c4fce8  EFLAGS: 00010296
  RAX: 0000000000000000 RBX: ffff8800c9522000 RCX: ffffffffa077a140
  RDX: 0000000000000000 RSI: ffff880095e0c100 RDI: ffff8800c9522000
  RBP: ffff880095e0c100 R08: ffffffffa077a100 R09: 00000000000000cc
  R10: ffff880067ec7740 R11: 0000000000000016 R12: ffffffffa07bb400
  R13: 0000000000000000 R14: ffff880081b6a800 R15: 0000000000000000
  FS:  00007fda0de78740(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000014630f8 CR3: 00000000cf349000 CR4: 00000000000006f0
   ffffffffa07a6431 ffff8800c9522000 ffffffffa077656e 00000000c0cc5616
   ffff8800c9522000 ffffffffa07a5e20 ffff880095e0c100 0000000000000000
   ffff880067ec7740 ffffffffa077a140 ffff880067ec7740 0000000000000016
  Call Trace:
   [<ffffffffa07a6431>] ? v4l_s_parm+0x21/0x50 [videodev]
   [<ffffffffa077656e>] ? vidioc_s_parm+0x4e/0x60 [gspca_main]
   [<ffffffffa07a5e20>] ? __video_do_ioctl+0x280/0x2f0 [videodev]
   [<ffffffffa07a5ba0>] ? video_ioctl2+0x20/0x20 [videodev]
   [<ffffffffa07a59b9>] ? video_usercopy+0x319/0x4e0 [videodev]
   [<ffffffff81182dc1>] ? page_add_new_anon_rmap+0x71/0xa0
   [<ffffffff811afb92>] ? mem_cgroup_commit_charge+0x52/0x90
   [<ffffffff81179b18>] ? handle_mm_fault+0xc18/0x1680
   [<ffffffffa07a15cc>] ? v4l2_ioctl+0xac/0xd0 [videodev]
   [<ffffffff811c846f>] ? do_vfs_ioctl+0x28f/0x480
   [<ffffffff811c86d4>] ? SyS_ioctl+0x74/0x80
   [<ffffffff8154a8b6>] ? entry_SYSCALL_64_fastpath+0x16/0x75
  Code: c7 93 d9 79 a0 5b 5d e9 f1 f3 9a e0 0f 1f 00 66 2e 0f 1f 84 00
    00 00 00 00 66 66 66 66 90 53 31 d2 48 89 fb 48 83 ec 08 8b 46 10 <f7>
    76 0c 80 bf ac 0c 00 00 00 88 87 4e 0e 00 00 74 09 80 bf 4f
  RIP  [<ffffffffa079bd62>] sd_set_streamparm+0x12/0x60 [gspca_ov534]
   RSP <ffff880095c4fce8>
  ---[ end trace 279710c2c6c72080 ]---

Following what the doc says about a zeroed timeperframe (see

  To reset manually applications can just set this field to zero.

fix the issue by resetting the frame rate to a default value in case of
an unusable timeperframe.

The fix is done in the subdrivers instead of gspca.c because only the
subdrivers have notion of a default frame rate to reset the camera to.

Signed-off-by: Antonio Ospite <>
Reviewed-by: Hans de Goede <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2: adjust filenames]
Signed-off-by: Ben Hutchings <>
7 years agoLinux 3.2.76 v3.2.76
Ben Hutchings [Fri, 22 Jan 2016 21:40:13 +0000 (21:40 +0000)]
Linux 3.2.76

7 years agoHID: dragonrise: fix HID Descriptor for 0x0006 PID
Maciej Zuk [Thu, 3 Sep 2015 19:46:39 +0000 (21:46 +0200)]
HID: dragonrise: fix HID Descriptor for 0x0006 PID

commit 18339f59c3a6698ee17d32970c9e1e450b16e7c3 upstream.

Fixed HID descriptor for DragonRise Joystick.  Replaced default descriptor
which doubles Z axis and causes mixing values of X and Z axes.

Signed-off-by: Maciej Zuk <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Ben Hutchings <>
7 years agocdrom: Random writing support for BD-RE media
Georgios Toptsidis [Fri, 25 Sep 2015 07:50:08 +0000 (10:50 +0300)]
cdrom: Random writing support for BD-RE media

commit f7e7868b4743f1cc5e59e6e0ddd3ccf9cfe53a1b upstream.

Recently, i bought a blu-ray writer and noticed that while cdrecord
worked perfectly, random writing didn't work on rewritable bd-re media.
For example, dd if=/dev/zero of=/dev/sr0 bs=32768 count=2 gave the usual
"read-only file system" message.

After checking if the problem lies with my burner or firmware, i grep-ed
the kernel source for EROFS. One of the results was in the cdrom driver.

I tried to follow the function chain and ended in the cdrom_is_dvd_rw
function where writing is permitted only for DVD-RAM and DVD+RW media.
I added a new case label for 0x43 which is the profile name of BD-RE
and now it works correctly for BD-RE too.

Maybe there is a better way of implementing this, like a new function
checking for blu-ray support and called from cdrom_open_write like
it happens for mrw and dvdram media, but adding the case label worked.

Thank you for your time.

Signed-off-by: Jens Axboe <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: add Intel Lewisburg device IDs
Alexandra Yates [Thu, 5 Nov 2015 19:40:25 +0000 (11:40 -0800)]
i2c: i801: add Intel Lewisburg device IDs

commit cdc5a3110e7c3ae793f367285789a6bc39c962dc upstream.

Adding Intel codename Lewisburg platform device IDs for SMBus.

Signed-off-by: Alexandra Yates <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Document Intel DNV and Broxton
Jarkko Nikula [Mon, 26 Oct 2015 11:26:56 +0000 (13:26 +0200)]
i2c: i801: Document Intel DNV and Broxton

commit 2b630df721ee4c286d286ab5d5d958d34c86f067 upstream.

Add missing entries into i2c-i801 documentation and Kconfig about recently
added Intel DNV and Broxton.

Reported-by: Jean Delvare <>
Signed-off-by: Jarkko Nikula <>
Reviewed-by: Mika Westerberg <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add support for Intel Broxton
Jarkko Nikula [Thu, 22 Oct 2015 14:16:58 +0000 (17:16 +0300)]
i2c: i801: Add support for Intel Broxton

commit dd77f423e516293c37c2370b44fd700900409c48 upstream.

This patch adds the SMBUS PCI ID of Intel Broxton.

Signed-off-by: Jarkko Nikula <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add support for Intel DNV
Mika Westerberg [Tue, 13 Oct 2015 12:41:39 +0000 (15:41 +0300)]
i2c: i801: Add support for Intel DNV

commit 84d7f2ebd70d36e9d83e0973d2f4dac56a671f4f upstream.

Intel DNV SoC has the same legacy SMBus host controller than Intel
Sunrisepoint PCH. It also has same iTCO watchdog on the bus.

Add DNV PCI ID to the list of supported devices.

Signed-off-by: Mika Westerberg <>
Signed-off-by: Wolfram Sang <>
[bwh: Backported to 3.2: no FEATURE_IRQ or FEATURE_TCO here]
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add DeviceIDs for SunrisePoint LP
Devin Ryles [Wed, 5 Nov 2014 21:30:03 +0000 (16:30 -0500)]
i2c: i801: Add DeviceIDs for SunrisePoint LP

commit 3eee1799aed90e990e02a73a89bfcff1982c74dd upstream.

Signed-off-by: Devin Ryles <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add Device IDs for Intel Sunrise Point PCH [Mon, 13 Oct 2014 22:20:24 +0000 (15:20 -0700)]
i2c: i801: Add Device IDs for Intel Sunrise Point PCH

commit 3e27a8445c21f8056517f188303827450590d868 upstream.

This patch adds the I2C/SMBus Device IDs for the Intel Sunrise Point PCH.

Signed-off-by: James Ralston <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add PCI ID for Intel Braswell
Alan Cox [Tue, 19 Aug 2014 14:37:28 +0000 (17:37 +0300)]
i2c: i801: Add PCI ID for Intel Braswell

commit 39e8e30ee544a62c148033d64a979028b958ca05 upstream.

The SMBus host controller is the same as used in Baytrail so add the new
PCI ID to the driver's list of supported IDs.

Signed-off-by: Alan Cox <>
Signed-off-by: Mika Westerberg <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add device ID for Intel Wildcat Point PCH
Jean Delvare [Thu, 17 Jul 2014 13:04:41 +0000 (15:04 +0200)]
i2c: i801: Add device ID for Intel Wildcat Point PCH

commit b299de839157852c563b9f133c8b7e630545a9c3 upstream.

Signed-off-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Fix the alignment of the device table
Jean Delvare [Thu, 17 Jul 2014 13:03:24 +0000 (15:03 +0200)]
i2c: i801: Fix the alignment of the device table

commit ce3161106ab57afbfbe1c33d95bf4a569405983a upstream.

A long name broke the alignment, shift the columns a bit to fix it and
make the table look nice again. While we're here, switch to the
standard comment style to make checkpatch happy, and use tabs instead
of spaces for column alignment.

Signed-off-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
[bwh: Backported to 3.2: "Interrupt processing" isn't mentioned]
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: enable Intel BayTrail SMBUS
Chew, Kean ho [Fri, 28 Feb 2014 16:03:56 +0000 (00:03 +0800)]
i2c: i801: enable Intel BayTrail SMBUS

commit 1b31e9b76ef8c62291e698dfdb973499986a7f68 upstream.

Add Device ID of Intel BayTrail SMBus Controller.

Signed-off-by: Chew, Kean ho <>
Signed-off-by: Chew, Chiau Ee <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH
James Ralston [Mon, 4 Nov 2013 17:29:48 +0000 (09:29 -0800)]
i2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH

commit afc659241258b40b683998ec801d25d276529f43 upstream.

This patch adds the SMBus Device IDs for the Intel Wildcat Point-LP PCH.

Signed-off-by: James Ralston <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs
Seth Heasley [Wed, 19 Jun 2013 23:59:57 +0000 (16:59 -0700)]
i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs

commit f39901c1befa556bc91902516a3e2e460000b4a8 upstream.

This patch adds the i801 SMBus Controller DeviceIDs for the Intel Coleto Creek PCH.

Signed-off-by: Seth Heasley <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: Add Device IDs for Intel Wellsburg PCH
James Ralston [Thu, 14 Feb 2013 09:15:33 +0000 (09:15 +0000)]
i2c: i801: Add Device IDs for Intel Wellsburg PCH

commit a3fc0ff00a46c4b32e7214961a5be9a1dc39b60e upstream.

This patch adds the SMBus Device IDs for the Intel Wellsburg PCH

Signed-off-by: James Ralston <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoi2c: i801: SMBus patch for Intel Avoton DeviceIDs
Seth Heasley [Wed, 30 Jan 2013 15:25:32 +0000 (15:25 +0000)]
i2c: i801: SMBus patch for Intel Avoton DeviceIDs

commit c2db409cbc8751ccc7e6d2cc2e41af0d12ea637f upstream.

This patch adds the PCU SMBus DeviceID for the Intel Avoton SOC.

Signed-off-by: Seth Heasley <>
Reviewed-by: Jean Delvare <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: Order SATA device IDs for codename Lewisburg
Alexandra Yates [Mon, 16 Nov 2015 16:22:16 +0000 (11:22 -0500)]
ahci: Order SATA device IDs for codename Lewisburg

commit 4d92f0099a06ef0e36c7673f7c090f1a448b2d1b upstream.

This change was to preserve the ascending order of device IDs.
There was an exception with the first two Lewisburg device IDs to
keep all device IDs of the same kind grouped by code name.

Signed-off-by: Alexandra Yates <>
signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: Add Device ID for Intel Sunrise Point PCH [Fri, 6 Nov 2015 20:18:56 +0000 (14:18 -0600)]
ahci: Add Device ID for Intel Sunrise Point PCH

commit c5967b79ecabe2baca40658d9073e28b30d7f6cf upstream.

This patch adds missing AHCI RAID SATA Device IDs for the Intel Sunrise
Point PCH.

Signed-off-by: Nanda Kishore Chinna <>
Signed-off-by: Charles Rose <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: add new Intel device IDs
Alexandra Yates [Tue, 3 Nov 2015 22:14:18 +0000 (14:14 -0800)]
ahci: add new Intel device IDs

commit 56e74338a535cbcc2f2da08b1ea1a92920194364 upstream.

Adding Intel codename Lewisburg platform device IDs for SATA.

Signed-off-by: Alexandra Yates <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: Add Marvell 88se91a2 device id
Johannes Thumshirn [Tue, 20 Oct 2015 07:31:22 +0000 (09:31 +0200)]
ahci: Add Marvell 88se91a2 device id

commit a40cf3f38881ce8543ceb9667150b4f2ead4c437 upstream.

Add device id for Marvell 88se91a2

Signed-off-by: Johannes Thumshirn <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: Remove Device ID for Intel Sunrise Point PCH
James Ralston [Tue, 13 Jan 2015 00:13:52 +0000 (16:13 -0800)]
ahci: Remove Device ID for Intel Sunrise Point PCH

commit 46319e13581a6c442b0a0e5a3bd5d9af4496f252 upstream.

This patch removes a duplicate AHCI-mode SATA Device ID for the Intel Sunrise Point PCH.

Signed-off-by: James Ralston <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Ben Hutchings <>
7 years agoahci: Add JMicron 362 device IDs
Ben Hutchings [Mon, 10 Sep 2012 00:09:04 +0000 (01:09 +0100)]
ahci: Add JMicron 362 device IDs

commit 1fefb8fdc6562057a0e4e4542f3d4323981c9686 upstream.

The JMicron JMB362 controller supports AHCI only, but some revisions
use the IDE class code.  These need to be matched by device ID.

These additions have apparently been included by QNAP in their NAS
devices using these controllers.

Signed-off-by: Ben Hutchings <>
Signed-off-by: Jeff Garzik <>
7 years agoahci: Add Device IDs for Intel Wellsburg PCH
James Ralston [Thu, 21 Feb 2013 19:08:51 +0000 (11:08 -0800)]
ahci: Add Device IDs for Intel Wellsburg PCH

commit efda332cb66d78d6fdf6f98e7b067480f43624f2 upstream.

This patch adds the RAID-mode SATA Device IDs for the Intel Wellsburg PCH

Signed-off-by: James Ralston <>
Signed-off-by: Jeff Garzik <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agovmstat: allocate vmstat_wq before it is used
Michal Hocko [Fri, 8 Jan 2016 10:18:29 +0000 (11:18 +0100)]
vmstat: allocate vmstat_wq before it is used

commit 751e5f5c753e8d447bcf89f9e96b9616ac081628 upstream.

kernel test robot has reported the following crash:

  BUG: unable to handle kernel NULL pointer dereference at 00000100
  IP: [<c1074df6>] __queue_work+0x26/0x390
  *pdpt = 0000000000000000 *pde = f000ff53f000ff53 *pde = f000ff53f000ff53
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.4.0-rc4-00139-g373ccbe #1
  Workqueue: events vmstat_shepherd
  task: cb684600 ti: cb7ba000 task.ti: cb7ba000
  EIP: 0060:[<c1074df6>] EFLAGS: 00010046 CPU: 0
  EIP is at __queue_work+0x26/0x390
  EAX: 00000046 EBX: cbb37800 ECX: cbb37800 EDX: 00000000
  ESI: 00000000 EDI: 00000000 EBP: cb7bbe68 ESP: cb7bbe38
   DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
  CR0: 8005003b CR2: 00000100 CR3: 01fd5000 CR4: 000006b0
  Call Trace:

The reason is that start_shepherd_timer schedules the shepherd work item
which uses vmstat_wq (vmstat_shepherd) before setup_vmstat allocates
that workqueue so if the further initialization takes more than HZ we
might end up scheduling on a NULL vmstat_wq.  This is really unlikely
but not impossible.

Fixes: 373ccbe59270 ("mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress")
Reported-by: kernel test robot <>
Signed-off-by: Michal Hocko <>
Tested-by: Tetsuo Handa <>
Cc: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: This precise race condition doesn't exist, but there
 is a similar potential race with CPU hotplug.  So move the alloc_workqueue()
 above register_cpu_notifier().]
Signed-off-by: Ben Hutchings <>
7 years agoudp: properly support MSG_PEEK with truncated buffers
Eric Dumazet [Wed, 30 Dec 2015 13:51:12 +0000 (08:51 -0500)]
udp: properly support MSG_PEEK with truncated buffers

commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Signed-off-by: Eric Dumazet <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agoRevert "net: add length argument to skb_copy_and_csum_datagram_iovec"
Ben Hutchings [Sat, 2 Jan 2016 01:11:55 +0000 (01:11 +0000)]
Revert "net: add length argument to skb_copy_and_csum_datagram_iovec"

This reverts commit 127500d724f8c43f452610c9080444eedb5eaa6c.  That fixed
the problem of buffer over-reads introduced by backporting commit
89c22d8c3b27 ("net: Fix skb csum races when peeking"), but resulted in
incorrect checksumming for short reads.  It will be replaced with a
complete fix.

Signed-off-by: Ben Hutchings <>
7 years agokvm: x86: only channel 0 of the i8254 is linked to the HPET
Paolo Bonzini [Thu, 7 Jan 2016 12:50:38 +0000 (13:50 +0100)]
kvm: x86: only channel 0 of the i8254 is linked to the HPET

commit e5e57e7a03b1cdcb98e4aed135def2a08cbf3257 upstream.

While setting the KVM PIT counters in 'kvm_pit_load_count', if
'hpet_legacy_start' is set, the function disables the timer on
channel[0], instead of the respective index 'channel'. This is
because channels 1-3 are not linked to the HPET.  Fix the caller
to only activate the special HPET processing for channel 0.

Reported-by: P J P <>
Fixes: 0185604c2d82c560dab2f2933a18f797e74ab5a8
Signed-off-by: Paolo Bonzini <>
Signed-off-by: Ben Hutchings <>
7 years agoKVM: x86: Reload pit counters for all channels when restoring state
Andrew Honig [Wed, 18 Nov 2015 22:50:23 +0000 (14:50 -0800)]
KVM: x86: Reload pit counters for all channels when restoring state

commit 0185604c2d82c560dab2f2933a18f797e74ab5a8 upstream.

Currently if userspace restores the pit counters with a count of 0
on channels 1 or 2 and the guest attempts to read the count on those
channels, then KVM will perform a mod of 0 and crash.  This will ensure
that 0 values are converted to 65536 as per the spec.

This is CVE-2015-7513.

Signed-off-by: Andy Honig <>
Signed-off-by: Paolo Bonzini <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agonet: possible use after free in dst_release
Francesco Ruggeri [Wed, 6 Jan 2016 08:18:48 +0000 (00:18 -0800)]
net: possible use after free in dst_release

commit 07a5d38453599052aff0877b16bb9c1585f08609 upstream.

dst_release should not access dst->flags after decrementing
__refcnt to 0. The dst_entry may be in dst_busy_list and
dst_gc_task may dst_destroy it before dst_release gets a chance
to access dst->flags.

Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
Signed-off-by: Francesco Ruggeri <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
7 years agoftrace/scripts: Fix incorrect use of sprintf in recordmcount
Colin Ian King [Wed, 30 Dec 2015 23:06:41 +0000 (23:06 +0000)]
ftrace/scripts: Fix incorrect use of sprintf in recordmcount

commit 713a3e4de707fab49d5aa4bceb77db1058572a7b upstream.

Fix build warning:

scripts/recordmcount.c:589:4: warning: format not a string
literal and no format arguments [-Wformat-security]
    sprintf("%s: failed\n", file);

Fixes: a50bd43935586 ("ftrace/scripts: Have recordmcount copy the object file")
Cc: Li Bin <>
Cc: Russell King <>
Cc: Will Deacon <>
Signed-off-by: Colin Ian King <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Ben Hutchings <>
7 years agogenirq: Prevent chip buslock deadlock
Thomas Gleixner [Sun, 13 Dec 2015 17:12:30 +0000 (18:12 +0100)]
genirq: Prevent chip buslock deadlock

commit abc7e40c81d113ef4bacb556f0a77ca63ac81d85 upstream.

If a interrupt chip utilizes chip->buslock then free_irq() can
deadlock in the following way:

interrupt(X) (Shared or spurious)
free_irq(X) interrupt_thread(X)

synchronize_irq() waits for the interrupt thread to complete,
i.e. forever.

Solution is simple: Drop chip_bus_lock() before calling
synchronize_irq() as we do with the irq_desc lock. There is nothing to
be protected after the point where irq_desc lock has been released.

This adds chip_bus_lock/unlock() to the remove_irq() code path, but
that's actually correct in the case where remove_irq() is called on
such an interrupt. The current users of remove_irq() are not affected
as none of those interrupts is on a chip which requires buslock.

Reported-by: Fredrik Markström <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Ben Hutchings <>
7 years agonet/core: revert "net: fix __netdev_update_features return.." and add comment
Nikolay Aleksandrov [Tue, 17 Nov 2015 14:49:06 +0000 (15:49 +0100)]
net/core: revert "net: fix __netdev_update_features return.." and add comment

commit 17b85d29e82cc3c874a497a8bc5764d6a2b043e2 upstream.

This reverts commit 00ee59271777 ("net: fix __netdev_update_features return
on ndo_set_features failure")
and adds a comment explaining why it's okay to return a value other than
0 upon error. Some drivers might actually change flags and return an
error so it's better to fire a spurious notification rather than miss

CC: Michał Mirosław <>
Signed-off-by: Nikolay Aleksandrov <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
7 years agodrm/radeon: fix hotplug race at startup
Dave Airlie [Thu, 20 Aug 2015 00:13:55 +0000 (10:13 +1000)]
drm/radeon: fix hotplug race at startup

commit 7f98ca454ad373fc1b76be804fa7138ff68c1d27 upstream.

We apparantly get a hotplug irq before we've initialised

[drm] Loading R100 Microcode
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [<c125f56f>] __mutex_lock_slowpath+0x23/0x91
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: radeon(+) drm_kms_helper ttm drm i2c_algo_bit backlight pcspkr psmouse evdev sr_mod input_leds led_class cdrom sg parport_pc parport floppy intel_agp intel_gtt lpc_ich acpi_cpufreq processor button mfd_core agpgart uhci_hcd ehci_hcd rng_core snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm usbcore usb_common i2c_i801 i2c_core snd_timer snd soundcore thermal_sys
CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 4.2.0-rc7-00015-gbf67402 #111
Hardware name: MicroLink                               /D850MV                         , BIOS MV85010A.86A.0067.P24.0304081124 04/08/2003
Workqueue: events radeon_hotplug_work_func [radeon]
task: f6ca5900 ti: f6d3e000 task.ti: f6d3e000
EIP: 0060:[<c125f56f>] EFLAGS: 00010282 CPU: 0
EIP is at __mutex_lock_slowpath+0x23/0x91
EAX: 00000000 EBX: f5e900fc ECX: 00000000 EDX: fffffffe
ESI: f6ca5900 EDI: f5e90100 EBP: f5e90000 ESP: f6d3ff0c
 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
CR0: 8005003b CR2: 00000000 CR3: 36f61000 CR4: 000006d0
 f5e90100 00000000 c103c4c1 f6d2a5a0 f5e900fc f6df394c c125f162 f8b0faca
 f6d2a5a0 c138ca00 f6df394c f7395600 c1034741 00d40000 00000000 f6d2a5a0
 c138ca00 f6d2a5b8 c138ca10 c1034b58 00000001 f6d40000 f6ca5900 f6d0c940
Call Trace:
 [<c103c4c1>] ? dequeue_task_fair+0xa4/0xb7
 [<c125f162>] ? mutex_lock+0x9/0xa
 [<f8b0faca>] ? radeon_hotplug_work_func+0x17/0x57 [radeon]
 [<c1034741>] ? process_one_work+0xfc/0x194
 [<c1034b58>] ? worker_thread+0x18d/0x218
 [<c10349cb>] ? rescuer_thread+0x1d5/0x1d5
 [<c103742a>] ? kthread+0x7b/0x80
 [<c12601c0>] ? ret_from_kernel_thread+0x20/0x30
 [<c10373af>] ? init_completion+0x18/0x18
Code: 42 08 e8 8e a6 dd ff c3 57 56 53 83 ec 0c 8b 35 48 f7 37 c1 8b 10 4a 74 1a 89 c3 8d 78 04 8b 40 08 89 63

Reported-and-Tested-by: Meelis Roos <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Ben Hutchings <>