commit 0bbf78fb0ac62ef6f0970a49d7e0a1fb79d10dce Author: Jiri Slaby Date: Fri Nov 14 14:02:27 2014 +0100 Linux 3.12.33 commit 2854d767135c3ca131d8658f5b47974d7b067d3b Author: Andy Lutomirski Date: Fri Oct 31 18:08:45 2014 -0700 x86_64, entry: Fix out of bounds read on sysenter commit 653bc77af60911ead1f423e588f54fc2547c4957 upstream. Rusty noticed a Really Bad Bug (tm) in my NT fix. The entry code reads out of bounds, causing the NT fix to be unreliable. But, and this is much, much worse, if your stack is somehow just below the top of the direct map (or a hole), you read out of bounds and crash. Excerpt from the crash: [ 1.129513] RSP: 0018:ffff88001da4bf88 EFLAGS: 00010296 2b:* f7 84 24 90 00 00 00 testl $0x4000,0x90(%rsp) That read is deterministically above the top of the stack. I thought I even single-stepped through this code when I wrote it to check the offset, but I clearly screwed it up. Fixes: 8c7aa698baca ("x86_64, entry: Filter RFLAGS.NT on entry from userspace") Reported-by: Rusty Russell Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 2edb76f37c9f8e3081c5b5619c51f8f291819531 Author: Sinclair Yeh Date: Thu Nov 13 14:22:10 2014 -0800 When screen objects are enabled, the bpp is assumed to be 32, otherwise it is set to 16. v2: * Use u32 instead of u64 for assumed_bpp. * Fixed mechanism to check for screen objects * Limit the back buffer size to VRAM. v3: * Backported for 3.12-stable Signed-off-by: Sinclair Yeh Reviewed-by: Thomas Hellstrom Cc: Signed-off-by: Jiri Slaby commit d4023bb346873d9f367e174b3e8cc860959296b0 Author: Vineet Gupta Date: Fri Mar 7 18:08:11 2014 +0530 ARC: Disable caches in early boot if so configured Requested-by: Noam Camus Signed-off-by: Vineet Gupta Signed-off-by: Jiri Slaby commit af38815938285cb19a5f489cc4e65e4862c149fa Author: Chris Mason Date: Tue Nov 4 06:59:04 2014 -0800 Btrfs: fix kfree on list_head in btrfs_lookup_csums_range error cleanup commit 6e5aafb27419f32575b27ef9d6a31e5d54661aca upstream. If we hit any errors in btrfs_lookup_csums_range, we'll loop through all the csums we allocate and free them. But the code was using list_entry incorrectly, and ended up trying to free the on-stack list_head instead. This bug came from commit 0678b6185 btrfs: Don't BUG_ON kzalloc error in btrfs_lookup_csums_range() Signed-off-by: Chris Mason Reported-by: Erik Berg Signed-off-by: Jiri Slaby commit ba82a2ab8f266a3c9c3f4364339fb4932b4cba36 Author: Grant Likely Date: Mon Nov 3 15:15:35 2014 +0000 of: Fix overflow bug in string property parsing functions commit a87fa1d81a9fb5e9adca9820e16008c40ad09f33 upstream. The string property read helpers will run off the end of the buffer if it is handed a malformed string property. Rework the parsers to make sure that doesn't happen. At the same time add new test cases to make sure the functions behave themselves. The original implementations of of_property_read_string_index() and of_property_count_strings() both open-coded the same block of parsing code, each with it's own subtly different bugs. The fix here merges functions into a single helper and makes the original functions static inline wrappers around the helper. One non-bugfix aspect of this patch is the addition of a new wrapper, of_property_read_string_array(). The new wrapper is needed by the device_properties feature that Rafael is working on and planning to merge for v3.19. The implementation is identical both with and without the new static inline wrapper, so it just got left in to reduce the churn on the header file. Signed-off-by: Grant Likely Cc: Rafael J. Wysocki Cc: Mika Westerberg Cc: Rob Herring Cc: Arnd Bergmann Cc: Darren Hart Signed-off-by: Jiri Slaby commit b2a5a44246eaad27e7002c98ee9df2790e43bb56 Author: Yijing Wang Date: Fri Nov 7 12:05:49 2014 +0800 sysfs: driver core: Fix glue dir race condition by gdp_mutex commit e4a60d139060975eb956717e4f63ae348d4d8cc5 upstream. There is a race condition when removing glue directory. It can be reproduced in following test: path 1: Add first child device device_add() get_device_parent() /*find parent from glue_dirs.list*/ list_for_each_entry(k, &dev->class->p->glue_dirs.list, entry) if (k->parent == parent_kobj) { kobj = kobject_get(k); break; } .... class_dir_create_and_add() path2: Remove last child device under glue dir device_del() cleanup_device_parent() cleanup_glue_dir() kobject_put(glue_dir); If path2 has been called cleanup_glue_dir(), but not call kobject_put(glue_dir), the glue dir is still in parent's kset list. Meanwhile, path1 find the glue dir from the glue_dirs.list. Path2 may release glue dir before path1 call kobject_get(). So kernel will report the warning and bug_on. This is a "classic" problem we have of a kref in a list that can be found while the last instance could be removed at the same time. This patch reuse gdp_mutex to fix this race condition. The following calltrace is captured in kernel 3.4, but the latest kernel still has this bug. ----------------------------------------------------- <4>[ 3965.441471] WARNING: at ...include/linux/kref.h:41 kobject_get+0x33/0x40() <4>[ 3965.441474] Hardware name: Romley <4>[ 3965.441475] Modules linked in: isd_iop(O) isd_xda(O)... ... <4>[ 3965.441605] Call Trace: <4>[ 3965.441611] [] warn_slowpath_common+0x7a/0xb0 <4>[ 3965.441615] [] warn_slowpath_null+0x15/0x20 <4>[ 3965.441618] [] kobject_get+0x33/0x40 <4>[ 3965.441624] [] get_device_parent.isra.11+0x135/0x1f0 <4>[ 3965.441627] [] device_add+0xd4/0x6d0 <4>[ 3965.441631] [] ? dev_set_name+0x3c/0x40 .... <2>[ 3965.441912] kernel BUG at ..../fs/sysfs/group.c:65! <4>[ 3965.441915] invalid opcode: 0000 [#1] SMP ... <4>[ 3965.686743] [] sysfs_create_group+0xe/0x10 <4>[ 3965.686748] [] blk_trace_init_sysfs+0x14/0x20 <4>[ 3965.686753] [] blk_register_queue+0x3b/0x120 <4>[ 3965.686756] [] add_disk+0x1cc/0x490 .... ------------------------------------------------------- Signed-off-by: Yijing Wang Signed-off-by: Weng Meiling Signed-off-by: Jiri Slaby commit f95c7176a5ddd27632da6b1dbabb529e20f5581f Author: Wolfram Sang Date: Mon Nov 3 21:16:16 2014 +0100 i2c: at91: don't account as iowait commit 11cfbfb098b22d3e57f1f2be217cad20e2d48463 upstream. iowait is for blkio [1]. I2C shouldn't use it. [1] https://lkml.org/lkml/2014/11/3/317 Signed-off-by: Wolfram Sang Acked-by: Ludovic Desroches Signed-off-by: Jiri Slaby commit 7f7ae192a6d6472d06a2d5a05daba04ce9facc43 Author: Krzysztof Kozlowski Date: Mon Nov 3 15:07:05 2014 +0100 regulator: max77693: Fix use of uninitialized regulator config commit ca0c37a0b489bb14bf3e1549e7a8d0c9a17f4919 upstream. Driver allocated on stack struct regulator_config but didn't initialize it fully. Few fields (driver_data, ena_gpio) were left untouched. This lead to using random ena_gpio values as GPIOs for max77693 regulators. On occasion these values could match real GPIO numbers leading to interfering with other drivers and to unsuccessful enable/disable of regulator. Signed-off-by: Krzysztof Kozlowski Fixes: 80b022e29bfd ("regulator: max77693: Add max77693 regualtor driver.") Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 8f9363f79d0b7cfb70f2dcec99719f6a53359d97 Author: Dan Streetman Date: Fri Oct 31 15:41:34 2014 -0400 powerpc: use device_online/offline() instead of cpu_up/down() commit 10ccaf178b2b961d8bca252d647ed7ed8aae2a20 upstream. In powerpc pseries platform dlpar operations, use device_online() and device_offline() instead of cpu_up() and cpu_down(). Calling cpu_up/down() directly does not update the cpu device offline field, which is used to online/offline a cpu from sysfs. Calling device_online/offline() instead keeps the sysfs cpu online value correct. The hotplug lock, which is required to be held when calling device_online/offline(), is already held when dlpar_online/offline_cpu() are called, since they are called only from cpu_probe|release_store(). This patch fixes errors on phyp (PowerVM) systems that have cpu(s) added/removed using dlpar operations; without this patch, the /sys/devices/system/cpu/cpuN/online nodes do not correctly show the online state of added/removed cpus. Signed-off-by: Dan Streetman Cc: Nathan Fontenot Fixes: 0902a9044fa5 ("Driver core: Use generic offline/online for CPU offline/online") Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit ff631b1c39bf6ff7307eb43e40bcd8ee03e2450c Author: Hans de Goede Date: Wed Oct 22 16:06:38 2014 +0200 acer-wmi: Add acpi_backlight=video quirk for the Acer KAV80 commit 183fd8fcd7f8afb7ac5ec68f83194872f9fecc84 upstream. The acpi-video backlight interface on the Acer KAV80 is broken, and worse it causes the entire machine to slow down significantly after a suspend/resume. Blacklist it, and use the acer-wmi backlight interface instead. Note that the KAV80 is somewhat unique in that it is the only Acer model where we fall back to acer-wmi after blacklisting, rather then using the native (e.g. intel) backlight driver. This is done because there is no native backlight interface on this model. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1128309 Signed-off-by: Hans de Goede Signed-off-by: Darren Hart Signed-off-by: Jiri Slaby commit 7beac9d17eed590fbb8e1217464882c2a2c58b3f Author: Jan Kara Date: Wed Oct 22 09:17:24 2014 +0200 rbd: Fix error recovery in rbd_obj_read_sync() commit a8d4205623ae965e36c68629db306ca0695a2771 upstream. When we fail to allocate page vector in rbd_obj_read_sync() we just basically ignore the problem and continue which will result in an oops later. Fix the problem by returning proper error. CC: Yehuda Sadeh CC: Sage Weil CC: ceph-devel@vger.kernel.org Coverity-id: 1226882 Signed-off-by: Jan Kara Signed-off-by: Ilya Dryomov Signed-off-by: Jiri Slaby commit bdad2a470169fa5bcf1f2ac8a7a2587bf8aff527 Author: Alex Deucher Date: Sun Oct 26 15:18:42 2014 -0400 drm/radeon: remove invalid pci id commit 8c3e434769b1707fd2d24de5a2eb25fedc634c4a upstream. 0x4c6e is a secondary device id so should not be used by the driver. Noticed-by: Mark Kettenis Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit e217f8d2008f3c4f6695aabb099171e3a7176186 Author: Alex Deucher Date: Mon Oct 13 12:44:49 2014 -0400 drm/radeon/dpm: disable ulv support on SI commit 6fa455935ab956248b165f150ec6ae9106210077 upstream. Causes problems on some boards. bug: https://bugs.freedesktop.org/show_bug.cgi?id=82889 Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit 76475a690855449d3de64bd9f3d1035033f53012 Author: Felipe Balbi Date: Mon Nov 10 09:06:20 2014 -0600 usb: gadget: udc: core: fix kernel oops with soft-connect [ Upstream commit bfa6b18c680450c17512c741ed1d818695747621 ] Currently, there's no guarantee that udc->driver will be valid when using soft_connect sysfs interface. In fact, we can very easily trigger a NULL pointer dereference by trying to disconnect when a gadget driver isn't loaded. Fix this bug: ~# echo disconnect > soft_connect [ 33.685743] Unable to handle kernel NULL pointer dereference at virtual address 00000014 [ 33.694221] pgd = ed0cc000 [ 33.697174] [00000014] *pgd=ae351831, *pte=00000000, *ppte=00000000 [ 33.703766] Internal error: Oops: 17 [#1] SMP ARM [ 33.708697] Modules linked in: xhci_plat_hcd xhci_hcd snd_soc_davinci_mcasp snd_soc_tlv320aic3x snd_soc_edma snd_soc_omap snd_soc_evm snd_soc_core dwc3 snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd lis3lv02d_i2c matrix_keypad lis3lv02d dwc3_omap input_polldev soundcore [ 33.734372] CPU: 0 PID: 1457 Comm: bash Not tainted 3.17.0-09740-ga93416e-dirty #345 [ 33.742457] task: ee71ce00 ti: ee68a000 task.ti: ee68a000 [ 33.748116] PC is at usb_udc_softconn_store+0xa4/0xec [ 33.753416] LR is at mark_held_locks+0x78/0x90 [ 33.758057] pc : [] lr : [] psr: 20000013 [ 33.758057] sp : ee68bec8 ip : c0c00008 fp : ee68bee4 [ 33.770050] r10: ee6b394c r9 : ee68bf80 r8 : ee6062c0 [ 33.775508] r7 : 00000000 r6 : ee6062c0 r5 : 0000000b r4 : ee739408 [ 33.782346] r3 : 00000000 r2 : 00000000 r1 : ee71d390 r0 : ee664170 [ 33.789168] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 33.796636] Control: 10c5387d Table: ad0cc059 DAC: 00000015 [ 33.802638] Process bash (pid: 1457, stack limit = 0xee68a248) [ 33.808740] Stack: (0xee68bec8 to 0xee68c000) [ 33.813299] bec0: 0000000b c0411284 ee6062c0 00000000 ee68bef4 ee68bee8 [ 33.821862] bee0: c04112ac c04df090 ee68bf14 ee68bef8 c01c2868 c0411290 0000000b ee6b3940 [ 33.830419] bf00: 00000000 00000000 ee68bf4c ee68bf18 c01c1a24 c01c2818 00000000 00000000 [ 33.838990] bf20: ee61b940 ee2f47c0 0000000b 000ce408 ee68bf80 c000f304 ee68a000 00000000 [ 33.847544] bf40: ee68bf7c ee68bf50 c0152dd8 c01c1960 ee68bf7c c0170af8 ee68bf7c ee2f47c0 [ 33.856099] bf60: ee2f47c0 000ce408 0000000b c000f304 ee68bfa4 ee68bf80 c0153330 c0152d34 [ 33.864653] bf80: 00000000 00000000 0000000b 000ce408 b6e7fb50 00000004 00000000 ee68bfa8 [ 33.873204] bfa0: c000f080 c01532e8 0000000b 000ce408 00000001 000ce408 0000000b 00000000 [ 33.881763] bfc0: 0000000b 000ce408 b6e7fb50 00000004 0000000b 00000000 000c5758 00000000 [ 33.890319] bfe0: 00000000 bec2c924 b6de422d b6e1d226 40000030 00000001 75716d2f 00657565 [ 33.898890] [] (usb_udc_softconn_store) from [] (dev_attr_store+0x28/0x34) [ 33.907920] [] (dev_attr_store) from [] (sysfs_kf_write+0x5c/0x60) [ 33.916200] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xd0/0x194) [ 33.924773] [] (kernfs_fop_write) from [] (vfs_write+0xb0/0x1bc) [ 33.932874] [] (vfs_write) from [] (SyS_write+0x54/0xb0) [ 33.940247] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x48) [ 33.948160] Code: e1a01007 e12fff33 e5140004 e5143008 (e5933014) [ 33.954625] ---[ end trace f849bead94eab7ea ]--- Fixes: 2ccea03 (usb: gadget: introduce UDC Class) Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 19342b6d5f7a7f0d7c8031e9db0b4f833e946f7a Author: Felipe Balbi Date: Mon Nov 10 08:56:40 2014 -0600 usb: gadget: function: acm: make f_acm pass USB20CV Chapter9 [ Upstream commit 52ec49a5e56a27c5b6f8217708783eff39f24c16 ] During Halt Endpoint Test, our interrupt endpoint will be disabled, which will clear out ep->desc to NULL. Unless we call config_ep_by_speed() again, we will not be able to enable this endpoint which will make us fail that test. Fixes: f9c56cd (usb: gadget: Clear usb_endpoint_descriptor inside the struct usb_ep on disable) Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 4220f3ffc14964c3395c031334d088f6fd545009 Author: Felipe Balbi Date: Mon Nov 10 08:55:44 2014 -0600 usb: dwc3: gadget: fix set_halt() bug with pending transfers [ Upstream commit 7a60855972f0d3c014093046cb6f013a1ee5bb19 ] According to our Gadget Framework API documentation, ->set_halt() *must* return -EAGAIN if we have pending transfers (on either direction) or FIFO isn't empty (on TX endpoints). Fix this bug so that the mass storage gadget can be used without stall=0 parameter. This patch should be backported to all kernels since v3.2. Suggested-by: Alan Stern Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit d87f96cce9a81981ca3346ff333ad6e9be073a97 Author: Ondrej Kozina Date: Mon Aug 25 11:49:54 2014 +0200 crypto: algif - avoid excessive use of socket buffer in skcipher commit e2cffb5f493a8b431dc87124388ea59b79f0bccb upstream. On archs with PAGE_SIZE >= 64 KiB the function skcipher_alloc_sgl() fails with -ENOMEM no matter what user space actually requested. This is caused by the fact sock_kmalloc call inside the function tried to allocate more memory than allowed by the default kernel socket buffer size (kernel param net.core.optmem_max). Signed-off-by: Ondrej Kozina Signed-off-by: Herbert Xu Signed-off-by: Jiri Slaby commit 50c36a9ad170f54c46c22a59a94f75ebcb2e51fd Author: Jan Kara Date: Thu Oct 30 10:35:00 2014 +1100 mm: Remove false WARN_ON from pagecache_isize_extended() commit f55fefd1a5a339b1bd08c120b93312d6eb64a9fb upstream. The WARN_ON checking whether i_mutex is held in pagecache_isize_extended() was wrong because some filesystems (e.g. XFS) use different locks for serialization of truncates / writes. So just remove the check. Signed-off-by: Jan Kara Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Jiri Slaby commit 4d54f12db93cc3ec3aaedd767b676f10ed237c98 Author: Andy Lutomirski Date: Wed Oct 15 10:12:07 2014 -0700 x86, apic: Handle a bad TSC more gracefully commit b47dcbdc5161d3d5756f430191e2840d9b855492 upstream. If the TSC is unusable or disabled, then this patch fixes: - Confusion while trying to clear old APIC interrupts. - Division by zero and incorrect programming of the TSC deadline timer. This fixes boot if the CPU has a TSC deadline timer but a missing or broken TSC. The failure to boot can be observed with qemu using -cpu qemu64,-tsc,+tsc-deadline This also happens to me in nested KVM for unknown reasons. With this patch, I can boot cleanly (although without a TSC). Signed-off-by: Andy Lutomirski Cc: Bandan Das Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.net Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit 5bc8c3bd8e5784110da1e8c8aaff086672107a1d Author: Mathias Krause Date: Sat Oct 4 23:06:39 2014 +0200 posix-timers: Fix stack info leak in timer_create() commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream. If userland creates a timer without specifying a sigevent info, we'll create one ourself, using a stack local variable. Particularly will we use the timer ID as sival_int. But as sigev_value is a union containing a pointer and an int, that assignment will only partially initialize sigev_value on systems where the size of a pointer is bigger than the size of an int. On such systems we'll copy the uninitialized stack bytes from the timer_create() call to userland when the timer actually fires and we're going to deliver the signal. Initialize sigev_value with 0 to plug the stack info leak. Found in the PaX patch, written by the PaX Team. Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...") Signed-off-by: Mathias Krause Cc: Oleg Nesterov Cc: Brad Spengler Cc: PaX Team Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit 94f13cde9717b4fc28fffc8f9aa4c411ccf4ab3c Author: Karl Beldan Date: Mon Oct 13 14:34:41 2014 +0200 mac80211: fix typo in starting baserate for rts_cts_rate_idx commit c7abf25af0f41be4b50d44c5b185d52eea360cb8 upstream. It affects non-(V)HT rates and can lead to selecting an rts_cts rate that is not a basic rate or way superior to the reference rate (ATM rates[0] used for the 1st attempt of the protected frame data). E.g, assuming drivers register growing (bitrate) sorted tables of ieee80211_rate-s, having : - rates[0].idx == d'2 and basic_rates == b'10100 will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise - rates[0].idx == d'2 and basic_rates == b'10001 will select rts_cts idx b'10000 The first is not a basic rate and the second is > rates[0]. Also, wrt severity of the addressed misbehavior, ATM we only have one rts_cts_rate_idx rather than one per rate table entry, so this idx might still point to bitrates > rates[1..MAX_RATES]. Fixes: 5253ffb8c9e1 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates") Signed-off-by: Karl Beldan Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit f40d14580cb56b248d3e744b94c9324778983c19 Author: Imre Deak Date: Fri Oct 24 20:29:10 2014 +0300 PM / Sleep: fix recovery during resuming from hibernation commit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream. If a device's dev_pm_ops::freeze callback fails during the QUIESCE phase, we don't rollback things correctly calling the thaw and complete callbacks. This could leave some devices in a suspended state in case of an error during resuming from hibernation. Signed-off-by: Imre Deak Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 866f9fec24ee1dfa4a40e1d166b6ce3f4c3736de Author: Peter Hurley Date: Thu Oct 16 13:51:30 2014 -0400 tty: Fix high cpu load if tty is unreleaseable commit 37b164578826406a173ca7c20d9ba7430134d23e upstream. Kernel oops can cause the tty to be unreleaseable (for example, if n_tty_read() crashes while on the read_wait queue). This will cause tty_release() to endlessly loop without sleeping. Use a killable sleep timeout which grows by 2n+1 jiffies over the interval [0, 120 secs.) and then jumps to forever (but still killable). NB: killable just allows for the task to be rewoken manually, not to be terminated. Signed-off-by: Peter Hurley Signed-off-by: Jiri Slaby commit 0277558a6cc692295cb568b22970c12db2587f9a Author: Eric Sandeen Date: Mon Aug 4 11:35:44 2014 +1000 xfs: avoid false quotacheck after unclean shutdown commit 5ef828c4152726f56751c78ea844f08d2b2a4fa3 upstream. The commit 83e782e xfs: Remove incore use of XFS_OQUOTA_ENFD and XFS_OQUOTA_CHKD added a new function xfs_sb_quota_from_disk() which swaps on-disk XFS_OQUOTA_* flags for in-core XFS_GQUOTA_* and XFS_PQUOTA_* flags after the superblock is read. However, if log recovery is required, the superblock is read again, and the modified in-core flags are re-read from disk, so we have XFS_OQUOTA_* flags in memory again. This causes the XFS_QM_NEED_QUOTACHECK() test to be true, because the XFS_OQUOTA_CHKD is still set, and not XFS_GQUOTA_CHKD or XFS_PQUOTA_CHKD. Change xfs_sb_from_disk to call xfs_sb_quota_from disk and always convert the disk flags to in-memory flags. Add a lower-level function which can be called with "false" to not convert the flags, so that the sb verifier can verify exactly what was on disk, per Brian Foster's suggestion. Reported-by: Cyril B. Signed-off-by: Eric Sandeen Cc: Arkadiusz Miśkiewicz Signed-off-by: Jiri Slaby commit 27612dd4c65590eb3eefe08905f0e6ed9803265b Author: Jan Kara Date: Wed Oct 22 09:06:49 2014 +0200 quota: Properly return errors from dquot_writeback_dquots() commit 474d2605d119479e5aa050f738632e63589d4bb5 upstream. Due to a switched left and right side of an assignment, dquot_writeback_dquots() never returned error. This could result in errors during quota writeback to not be reported to userspace properly. Fix it. Coverity-id: 1226884 Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby commit 5cc34e7c722026c0460c003aed940713e726c03c Author: Jan Kara Date: Tue Sep 16 22:23:10 2014 +0200 ext3: Don't check quota format when there are no quota files commit 7938db449bbc55bbeb164bec7af406212e7e98f1 upstream. The check whether quota format is set even though there are no quota files with journalled quota is pointless and it actually makes it impossible to turn off journalled quotas (as there's no way to unset journalled quota format). Just remove the check. Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby commit 613a5ea57f0ed08228311a46b84155986949c7d4 Author: J. Bruce Fields Date: Wed Oct 22 14:46:29 2014 -0400 nfsd4: fix crash on unknown operation number commit 51904b08072a8bf2b9ed74d1bd7a5300a614471d upstream. Unknown operation numbers are caught in nfsd4_decode_compound() which sets op->opnum to OP_ILLEGAL and op->status to nfserr_op_illegal. The error causes the main loop in nfsd4_proc_compound() to skip most processing. But nfsd4_proc_compound also peeks ahead at the next operation in one case and doesn't take similar precautions there. Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit de351259edc887ab6cc08b74e27ea748ad532f4f Author: Jason Baron Date: Wed Oct 15 20:47:28 2014 +0000 cpc925_edac: Report UE events properly commit fa19ac4b92bc2b5024af3e868f41f81fa738567a upstream. Fix UE event being reported as HW_EVENT_ERR_CORRECTED. Signed-off-by: Jason Baron Link: http://lkml.kernel.org/r/8beb13803500076fef827eab33d523e355d83759.1413405053.git.jbaron@akamai.com Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit 1b01c44de1695ec86b737d51bb365609e7c350ca Author: Jason Baron Date: Sat Oct 18 16:06:32 2014 +0200 e7xxx_edac: Report CE events properly commit 8030122a9ccf939186f8db96c318dbb99b5463f6 upstream. Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. Signed-off-by: Jason Baron Link: http://lkml.kernel.org/r/e6dd616f2cd51583a7e77af6f639b86313c74144.1413405053.git.jbaron@akamai.com Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit d13055e4024ecb76a8b3cfd29cf1b2272bac7fec Author: Jason Baron Date: Wed Oct 15 20:47:21 2014 +0000 i3200_edac: Report CE events properly commit 8a3f075d6c9b3612b4a5fb2af8db82b38b20caf0 upstream. Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. Signed-off-by: Jason Baron Link: http://lkml.kernel.org/r/d02465b4f30314b390c12c061502eda5e9d29c52.1413405053.git.jbaron@akamai.com Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit fad5bfc99e55787c2b924350eeb1a20a2bb1b516 Author: Jason Baron Date: Wed Oct 15 20:47:24 2014 +0000 i82860_edac: Report CE events properly commit ab0543de6ff0877474f57a5aafbb51a61e88676f upstream. Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. Signed-off-by: Jason Baron Link: http://lkml.kernel.org/r/7aee8e244a32ff86b399a8f966c4aae70296aae0.1413405053.git.jbaron@akamai.com Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit e00e9894a2a3a78d1a5d890f778afd2c50b8e017 Author: Jan Kara Date: Wed Oct 22 20:13:39 2014 -0600 scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND commit 84ce0f0e94ac97217398b3b69c21c7a62ebeed05 upstream. When sg_scsi_ioctl() fails to prepare request to submit in blk_rq_map_kern() we jump to a label where we just end up copying (luckily zeroed-out) kernel buffer to userspace instead of reporting error. Fix the problem by jumping to the right label. CC: Jens Axboe CC: linux-scsi@vger.kernel.org Coverity-id: 1226871 Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby Fixed up the, now unused, out label. Signed-off-by: Jens Axboe commit 001172f932584d9af4c76a2dda54ee71ec15dede Author: Jan Kara Date: Wed Oct 29 14:50:44 2014 -0700 lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}() commit ea5d05b34aca25c066e0699512d0ffbd8ee6ac3e upstream. If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by a multiple of BITS_PER_LONG, they will try to shift a long value by BITS_PER_LONG bits which is undefined. Change the functions to avoid the undefined shift. Coverity id: 1192175 Coverity id: 1192174 Signed-off-by: Jan Kara Cc: Rasmus Villemoes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit e005085a9e12af146a56354d36b540700e694c95 Author: Wang Nan Date: Wed Oct 29 14:50:18 2014 -0700 cgroup/kmemleak: add kmemleak_free() for cgroup deallocations. commit 401507d67d5c2854f5a88b3f93f64fc6f267bca5 upstream. Commit ff7ee93f4715 ("cgroup/kmemleak: Annotate alloc_page() for cgroup allocations") introduces kmemleak_alloc() for alloc_page_cgroup(), but corresponding kmemleak_free() is missing, which makes kmemleak be wrongly disabled after memory offlining. Log is pasted at the end of this commit message. This patch add kmemleak_free() into free_page_cgroup(). During page offlining, this patch removes corresponding entries in kmemleak rbtree. After that, the freed memory can be allocated again by other subsystems without killing kmemleak. bash # for x in 1 2 3 4; do echo offline > /sys/devices/system/memory/memory$x/state ; sleep 1; done ; dmesg | grep leak Offlined Pages 32768 kmemleak: Cannot insert 0xffff880016969000 into the object search tree (overlaps existing) CPU: 0 PID: 412 Comm: sleep Not tainted 3.17.0-rc5+ #86 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x46/0x58 create_object+0x266/0x2c0 kmemleak_alloc+0x26/0x50 kmem_cache_alloc+0xd3/0x160 __sigqueue_alloc+0x49/0xd0 __send_signal+0xcb/0x410 send_signal+0x45/0x90 __group_send_sig_info+0x13/0x20 do_notify_parent+0x1bb/0x260 do_exit+0x767/0xa40 do_group_exit+0x44/0xa0 SyS_exit_group+0x17/0x20 system_call_fastpath+0x16/0x1b kmemleak: Kernel memory leak detector disabled kmemleak: Object 0xffff880016900000 (size 524288): kmemleak: comm "swapper/0", pid 0, jiffies 4294667296 kmemleak: min_count = 0 kmemleak: count = 0 kmemleak: flags = 0x1 kmemleak: checksum = 0 kmemleak: backtrace: log_early+0x63/0x77 kmemleak_alloc+0x4b/0x50 init_section_page_cgroup+0x7f/0xf5 page_cgroup_init+0xc5/0xd0 start_kernel+0x333/0x408 x86_64_start_reservations+0x2a/0x2c x86_64_start_kernel+0xf5/0xfc Fixes: ff7ee93f4715 (cgroup/kmemleak: Annotate alloc_page() for cgroup allocations) Signed-off-by: Wang Nan Acked-by: Johannes Weiner Acked-by: Michal Hocko Cc: Steven Rostedt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit ce55507d1cbc4429323efc3f9fafe2ff4c60de49 Author: Yu Zhao Date: Wed Oct 29 14:50:26 2014 -0700 mm: free compound page with correct order commit 5ddacbe92b806cd5b4f8f154e8e46ac267fff55c upstream. Compound page should be freed by put_page() or free_pages() with correct order. Not doing so will cause tail pages leaked. The compound order can be obtained by compound_order() or use HPAGE_PMD_ORDER in our case. Some people would argue the latter is faster but I prefer the former which is more general. This bug was observed not just on our servers (the worst case we saw is 11G leaked on a 48G machine) but also on our workstations running Ubuntu based distro. $ cat /proc/vmstat | grep thp_zero_page_alloc thp_zero_page_alloc 55 thp_zero_page_alloc_failed 0 This means there is (thp_zero_page_alloc - 1) * (2M - 4K) memory leaked. Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page") Signed-off-by: Yu Zhao Acked-by: Kirill A. Shutemov Cc: Andrea Arcangeli Cc: Mel Gorman Cc: David Rientjes Cc: Bob Liu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit b67eae0838424db8b4bb2f49024922df6792d0bb Author: Johan Hovold Date: Wed Oct 29 09:07:30 2014 +0100 USB: kobil_sct: fix non-atomic allocation in write path commit 191252837626fca0de694c18bb2aa64c118eda89 upstream. Write may be called from interrupt context so make sure to use GFP_ATOMIC for all allocations in write. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit bfdb4179ec3f9339062196ce922431ff27a2d99d Author: Hans de Goede Date: Wed Oct 1 11:29:14 2014 +0200 usb: Do not allow usb_alloc_streams on unconfigured devices commit 90a646c770c50cc206ceba0d7b50453c46c13c36 upstream. This commit fixes the following oops: [10238.622067] scsi host3: uas_eh_bus_reset_handler start [10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd [10245.779365] usb 3-4: device descriptor read/8, error -110 [10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd [10250.897603] usb 3-4: device descriptor read/8, error -110 [10251.058200] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040 [10251.058244] IP: [] xhci_check_streams_endpoint+0x91/0x140 [10251.059473] Call Trace: [10251.059487] [] xhci_calculate_streams_and_bitmask+0xbc/0x130 [10251.059520] [] xhci_alloc_streams+0x10f/0x5a0 [10251.059548] [] ? check_preempt_curr+0x75/0xa0 [10251.059575] [] ? ttwu_do_wakeup+0x2c/0x100 [10251.059601] [] ? ttwu_do_activate.constprop.111+0x66/0x70 [10251.059635] [] usb_alloc_streams+0xab/0xf0 [10251.059662] [] uas_configure_endpoints+0x128/0x150 [uas] [10251.059694] [] uas_post_reset+0x3c/0xb0 [uas] [10251.059722] [] usb_reset_device+0x1b9/0x2a0 [10251.059749] [] uas_eh_bus_reset_handler+0xb2/0x190 [uas] [10251.059781] [] scsi_try_bus_reset+0x53/0x110 [10251.059808] [] scsi_eh_bus_reset+0xf7/0x270 The problem is the following call sequence (simplified): 1) usb_reset_device 2) usb_reset_and_verify_device 2) hub_port_init 3) hub_port_finish_reset 3) xhci_discover_or_reset_device This frees xhci->devs[slot_id]->eps[ep_index].ring for all eps but 0 4) usb_get_device_descriptor This fails 5) hub_port_init fails 6) usb_reset_and_verify_device fails, does not restore device config 7) uas_post_reset 8) xhci_alloc_streams NULL deref on the free-ed ring This commit fixes this by not allowing usb_alloc_streams to continue if the device is not configured. Note that we do allow usb_free_streams to continue after a (logical) disconnect, as it is necessary to explicitly free the streams at the xhci controller level. Signed-off-by: Hans de Goede Acked-by: Alan Stern Signed-off-by: Jiri Slaby commit b7b72e586240ab69fc5bc30c65005bebae0f8793 Author: Johan Hovold Date: Wed Oct 29 09:07:31 2014 +0100 USB: opticon: fix non-atomic allocation in write path commit e681286de221af78fc85db9222b6a203148c005a upstream. Write may be called from interrupt context so make sure to use GFP_ATOMIC for all allocations in write. Fixes: 0d930e51cfe6 ("USB: opticon: Add Opticon OPN2001 write support") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 2aa227341252dc88670a9814793975f1e685e74c Author: Alan Stern Date: Fri Oct 31 14:49:47 2014 -0400 usb-storage: handle a skipped data phase commit 93c9bf4d1838d5851a18ca398b0ad66397f05056 upstream. Sometimes mass-storage devices using the Bulk-only transport will mistakenly skip the data phase of a command. Rather than sending the data expected by the host or sending a zero-length packet, they go directly to the status phase and send the CSW. This causes problems for usb-storage, for obvious reasons. The driver will interpret the CSW as a short data transfer and will wait to receive a CSW. The device won't have anything left to send, so the command eventually times out. The SCSI layer doesn't retry commands after they time out (this is a relatively recent change). Therefore we should do our best to detect a skipped data phase and handle it promptly. This patch adds code to do that. If usb-storage receives a short 13-byte data transfer from the device, and if the first four bytes of the data match the CSW signature, the driver will set the residue to the full transfer length and interpret the data as a CSW. This fixes Bugzilla #86611. Signed-off-by: Alan Stern CC: Matthew Dharm Tested-by: Paul Osmialowski Signed-off-by: Jiri Slaby commit 2dbb38ff27f4c91eaa8e23887b7b36678f19c774 Author: Takashi Iwai Date: Wed Nov 5 15:08:49 2014 +0100 ALSA: usb-audio: Fix device_del() sysfs warnings at disconnect commit 0725dda207e95ff25f1aa01432250323e0ec49d6 upstream. Some USB-audio devices show weird sysfs warnings at disconnecting the devices, e.g. usb 1-3: USB disconnect, device number 3 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 973 at fs/sysfs/group.c:216 device_del+0x39/0x180() sysfs group ffffffff8183df40 not found for kobject 'midiC1D0' Call Trace: [] ? dump_stack+0x49/0x71 [] ? warn_slowpath_common+0x82/0xb0 [] ? warn_slowpath_fmt+0x45/0x50 [] ? device_del+0x39/0x180 [] ? device_unregister+0x9/0x20 [] ? device_destroy+0x34/0x40 [] ? snd_unregister_device+0x7f/0xd0 [snd] [] ? snd_rawmidi_dev_disconnect+0xce/0x100 [snd_rawmidi] [] ? snd_device_disconnect+0x62/0x90 [snd] [] ? snd_device_disconnect_all+0x3c/0x60 [snd] [] ? snd_card_disconnect+0x124/0x1a0 [snd] [] ? usb_audio_disconnect+0x88/0x1c0 [snd_usb_audio] [] ? usb_unbind_interface+0x5e/0x1b0 [usbcore] [] ? __device_release_driver+0x79/0xf0 [] ? device_release_driver+0x25/0x40 [] ? bus_remove_device+0xf1/0x130 [] ? device_del+0x109/0x180 [] ? usb_disable_device+0x95/0x1f0 [usbcore] [] ? usb_disconnect+0x8f/0x190 [usbcore] [] ? hub_thread+0x539/0x13a0 [usbcore] [] ? sched_clock_local+0x15/0x80 [] ? sched_clock_cpu+0xb8/0xd0 [] ? bit_waitqueue+0xb0/0xb0 [] ? usb_port_resume+0x430/0x430 [usbcore] [] ? usb_port_resume+0x430/0x430 [usbcore] [] ? kthread+0xce/0xf0 [] ? kthread_create_on_node+0x1c0/0x1c0 [] ? ret_from_fork+0x7c/0xb0 [] ? kthread_create_on_node+0x1c0/0x1c0 ---[ end trace 40b1928d1136b91e ]--- This comes from the fact that usb-audio driver may receive the disconnect callback multiple times, per each usb interface. When a device has both audio and midi interfaces, it gets called twice, and currently the driver tries to release resources at the last call. At this point, the first parent interface has been already deleted, thus deleting a child of the first parent hits such a warning. For fixing this problem, we need to call snd_card_disconnect() and cancel pending operations at the very first disconnect while the release of the whole objects waits until the last disconnect call. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80931 Reported-and-tested-by: Tomas Gayoso Reported-and-tested-by: Chris J Arges Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 07c1ac2971496b2a05e02490b554ef7b77811867 Author: Adel Gadllah Date: Thu Oct 9 08:05:53 2014 +0200 HID: usbhid: enable always-poll quirk for Elan Touchscreen 016f commit 1af39588f84c7c18f8c6d88342f36513a4ce383c upstream. This device needs the quirk as well. Tested-by: Kevin Fenzi Signed-off-by: Adel Gadllah Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 51925e17cd94fdafc9fdb7a441d9e6c7b59079f1 Author: Adel Gadllah Date: Thu Oct 9 08:05:52 2014 +0200 HID: usbhid: enable always-poll quirk for Elan Touchscreen 009b commit 29d05c2ecf396161ef2938a0635707ef5685ef58 upstream. This device needs the quirk as well. Signed-off-by: Adel Gadllah Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 12127f7f56a5776d9e20bcc5bae0fcc95870af6b Author: Johan Hovold Date: Fri Sep 5 18:08:48 2014 +0200 HID: usbhid: enable always-poll quirk for Elan Touchscreen commit bfe3c873e978d78b542a5852575dd74f4d1a5838 upstream. Enable the always-poll quirk for Elan Touchscreens found on some recent Samsung laptops. Without this quirk the device keeps disconnecting from the bus (and is re-enumerated) unless opened (and kept open, should an input event occur). Note that while the device can be run-time suspended, the autosuspend timeout must be high enough to allow the device to be polled at least once before being suspended. Specifically, using autosuspend_delay_ms=0 will still cause the device to disconnect on input events. Signed-off-by: Johan Hovold Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 972b69a50ed38071d5340999089046a9ec04b0e8 Author: Johan Hovold Date: Fri Sep 5 18:08:47 2014 +0200 HID: usbhid: add always-poll quirk commit 0b750b3baa2d64f1b77aecc10f20deeb28efe60d upstream. Add quirk to make sure that a device is always polled for input events even if it hasn't been opened. This is needed for devices that disconnects from the bus unless the interrupt endpoint has been polled at least once or when not responding to an input event (e.g. after having shut down X). Signed-off-by: Johan Hovold Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 605e35489e7c41c7c186aa0750d979f3abeaa025 Author: Adel Gadllah Date: Thu Oct 9 09:29:30 2014 +0200 USB: quirks: enable device-qualifier quirk for yet another Elan touchscreen commit d749947561af5996ccc076b2ffcc5f48b1be5d74 upstream. Yet another device affected by this. Tested-by: Kevin Fenzi Signed-off-by: Adel Gadllah Signed-off-by: Jiri Slaby commit 21748d8c32e22ed04b5fc2ad48a1029b81216ef9 Author: Adel Gadllah Date: Thu Oct 9 09:29:29 2014 +0200 USB: quirks: enable device-qualifier quirk for another Elan touchscreen commit 876af5d454548be40327ba9efea4bc92a8575019 upstream. Currently this quirk is enabled for the model with the device id 0x0089, it is needed for the 0x009b model, which is found on the Fujitsu Lifebook u904 as well. Signed-off-by: Adel Gadllah Signed-off-by: Jiri Slaby commit 08972217dab2d966e18ee52813f1ddcb219baf36 Author: Johan Hovold Date: Mon Aug 25 17:51:27 2014 +0200 USB: quirks: enable device-qualifier quirk for Elan Touchscreen commit c68929f75dfcb6354918862b91b5778585de1fa5 upstream. Enable device-qualifier quirk for Elan Touchscreen, which often fails to handle requests for the device_descriptor. Note that the device sometimes do respond properly with a Request Error (three times as USB core retries), but usually fails to respond at all. When this happens any further descriptor requests also fails, for example: [ 1528.688934] usb 2-7: new full-speed USB device number 4 using xhci_hcd [ 1530.945588] usb 2-7: unable to read config index 0 descriptor/start: -71 [ 1530.945592] usb 2-7: can't read configurations, error -71 This has been observed repeating for over a minute before eventual successful enumeration. Reported-by: Drew Von Spreecken Reported-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby Signed-off-by: Jiri Slaby commit 856cb361321b3ba16f90dd07e695b6fd4ccea5e1 Author: Johan Hovold Date: Mon Aug 25 17:51:26 2014 +0200 USB: core: add device-qualifier quirk commit 2a159389bf5d962359349a76827b2f683276a1c7 upstream. Add new quirk for devices that cannot handle requests for the device_qualifier descriptor. A USB-2.0 compliant device must respond to requests for the device_qualifier descriptor (even if it's with a request error), but at least one device is known to misbehave after such a request. Suggested-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit cd4386a94a23465eb28dfdce149e3cce72839588 Author: Thomas Gleixner Date: Thu Oct 2 17:32:16 2014 +0200 usb: musb: cppi41: restart hrtimer only if not yet done commit d2e6d62c9cbbc2da4211f672dbeea08960e29a80 upstream. commit c58d80f52 ("usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq") fixed hrtimer scheduling bug. There is one left which does not trigger that often. The following scenario is still possible: lock(&x->lock); hrtimer_start(&x->t); unlock(&x->lock); expires: t->function(); lock(&x->lock); lock(&x->lock); if (!hrtimer_queued(&x->t)) hrtimer_start(&x->t); unlock(&x->lock); if (!list_empty(x->early_tx_list)) ret = HRTIMER_RESTART; -> hrtimer_forward_now(...) } else ret = HRTIMER_NORESTART; unlock(&x->lock); and the timer callback returns HRTIMER_RESTART for an armed timer. This is wrong and we run into the BUG_ON() in __run_hrtimer(). This can happens on SMP or PREEMPT-RT. The patch fixes the problem by only starting the timer if the timer is not yet queued. Reported-by: Torben Hohn Signed-off-by: Thomas Gleixner [bigeasy: collected information and created a patch + description based on it] Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 45b5df583c2c1d0e68f09e18b6c88cf476c6354e Author: Dmitry Eremin-Solenikov Date: Thu Nov 6 14:08:29 2014 +0300 spi: pxa2xx: toggle clocks on suspend if not disabled by runtime PM commit 2b9375b91bef65b837bed61a05fb387159b38ddf upstream. If PM_RUNTIME is enabled, it is easy to trigger the following backtrace on pxa2xx hosts: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at /home/lumag/linux/arch/arm/mach-pxa/clock.c:35 clk_disable+0xa0/0xa8() Modules linked in: CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00007-g1b3d2ee-dirty #104 [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (warn_slowpath_common+0x6c/0x8c) [] (warn_slowpath_common) from [] (warn_slowpath_null+0x1c/0x24) [] (warn_slowpath_null) from [] (clk_disable+0xa0/0xa8) [] (clk_disable) from [] (pxa2xx_spi_suspend+0x2c/0x34) [] (pxa2xx_spi_suspend) from [] (platform_pm_suspend+0x2c/0x54) [] (platform_pm_suspend) from [] (dpm_run_callback.isra.14+0x2c/0x74) [] (dpm_run_callback.isra.14) from [] (__device_suspend+0x120/0x2f8) [] (__device_suspend) from [] (dpm_suspend+0x50/0x208) [] (dpm_suspend) from [] (suspend_devices_and_enter+0x8c/0x3a0) [] (suspend_devices_and_enter) from [] (pm_suspend+0x214/0x2a8) [] (pm_suspend) from [] (test_suspend+0x14c/0x1dc) [] (test_suspend) from [] (do_one_initcall+0x8c/0x1fc) [] (do_one_initcall) from [] (kernel_init_freeable+0xf4/0x1b4) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xec) [] (kernel_init) from [] (ret_from_fork+0x14/0x24) ---[ end trace 46524156d8faa4f6 ]--- This happens because suspend function tries to disable a clock that is already disabled by runtime_suspend callback. Add if (!pm_runtime_suspended()) checks to suspend/resume path. Fixes: 7d94a505858 (spi/pxa2xx: add support for runtime PM) Signed-off-by: Dmitry Eremin-Solenikov Reported-by: Andrea Adami Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 35a3997ba76f408d13266a1e4cf01bbd264f9332 Author: Alexander Stein Date: Tue Nov 4 09:20:18 2014 +0100 spi: fsl-dspi: Fix CTAR selection commit 5cc7b04740effa5cc0af53f434134b5859d58b73 upstream. There are only 4 CTAR registers (CTAR0 - CTAR3) so we can only use the lower 2 bits of the chip select to select a CTAR register. SPI_PUSHR_CTAS used the lower 3 bits which would result in wrong bit values if the chip selects 4/5 are used. For those chip selects SPI_CTAR even calculated offsets of non-existing registers. Signed-off-by: Alexander Stein Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit d0ef4acce233803e2113b9e6b2c6f8400e48a9fe Author: Ray Jui Date: Thu Oct 9 11:44:54 2014 -0700 spi: pl022: Fix incorrect dma_unmap_sg commit 3ffa6158f002e096d28ede71be4e0ee8ab20baa2 upstream. When mapped RX DMA entries are unmapped in an error condition when DMA is firstly configured in the driver, the number of TX DMA entries was passed in, which is incorrect Signed-off-by: Ray Jui Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 37529c7250788fde7107b6ad11ec779aa53b8711 Author: Jack Pham Date: Tue Oct 21 16:31:10 2014 -0700 usb: dwc3: gadget: Properly initialize LINK TRB commit 1200a82a59b6aa65758ccc92c3447b98c53cd7a2 upstream. On ISOC endpoints the last trb_pool entry used as a LINK TRB is not getting zeroed out correctly due to memset being called incorrectly and in the wrong place. If pool allocated from DMA was not zero-initialized to begin with this will result in the size and ctrl values being random garbage. Call memset correctly after assignment of the trb_link pointer. Fixes: f6bafc6a1c ("usb: dwc3: convert TRBs into bitshifts") Signed-off-by: Jack Pham Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 28af2ea590152b183494a6b05d5c04fb3374d10a Author: Cyril Brulebois Date: Tue Oct 28 16:42:41 2014 +0100 wireless: rt2x00: add new rt2800usb device commit 664d6a792785cc677c2091038ce10322c8d04ae1 upstream. 0x1b75 0xa200 AirLive WN-200USB wireless 11b/g/n dongle References: https://bugs.debian.org/766802 Reported-by: Martin Mokrejs Signed-off-by: Cyril Brulebois Acked-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 538563b0cc1371790a946bd227dc4e7069f18f83 Author: Xose Vazquez Perez Date: Fri Jul 11 21:46:57 2014 +0200 wireless: rt2x00: add new rt2800usb devices commit 6a06e554daef86c4e8d290284927b081fedb249e upstream. 0x0b05 0x17e8 RT5372 USB 2.0 bgn 2x2 ASUS USB-N14 0x0411 0x0253 RT5572 USB 2.0 abgn 2x2 BUFFALO WLP-U2-300D 0x0df6 0x0078 RT???? Sitecom N300 Cc: Ivo van Doorn Cc: Helmut Schaa Cc: John W. Linville Cc: users@rt2x00.serialmonkey.com Cc: linux-wireless@vger.kernel.org Signed-off-by: Xose Vazquez Perez Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 8237ba542301c82a86768dbb814d34226ade79b4 Author: Canek Peláez Valdés Date: Sun Aug 24 19:06:11 2014 -0500 rt2x00: support Ralink 5362. commit ac0372abf8524a7572a9cdaac6495eb2eba20457 upstream. Signed-off-by: Canek Peláez Valdés Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit ced7ff3a7674c5127555ba3328edc636cda3c017 Author: Dan Williams Date: Tue Oct 14 11:10:41 2014 -0500 USB: option: add Haier CE81B CDMA modem commit 012eee1522318b5ccd64d277d50ac32f7e9974fe upstream. Port layout: 0: QCDM/DIAG 1: NMEA 2: AT 3: AT/PPP Signed-off-by: Dan Williams Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit fab757e50a861ec50762df138e91da494e595696 Author: Daniele Palmas Date: Tue Oct 14 10:47:37 2014 +0200 usb: option: add support for Telit LE910 commit 2d0eb862dd477c3c4f32b201254ca0b40e6f465c upstream. Add VID/PID for Telit LE910 modem. Interfaces description is almost the same than LE920, except that the qmi interface is number 2 (instead than 5). Signed-off-by: Daniele Palmas Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit fca03f3238cc9221fd584f95db2172eb87af78f6 Author: Johan Hovold Date: Wed Nov 5 18:41:59 2014 +0100 USB: cdc-acm: only raise DTR on transitions from B0 commit 4473d054ceb572557954f9536731d39b20937b0c upstream. Make sure to only raise DTR on transitions from B0 in set_termios. Also allow set_termios to be called from open with a termios_old of NULL. Note that DTR will not be raised prematurely in this case. Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 4a776e6ac881c8bcbe48ba4e5b26c78384bd7ee6 Author: Johan Hovold Date: Mon Oct 27 18:34:33 2014 +0100 USB: cdc-acm: add device id for GW Instek AFG-2225 commit cf84a691a61606a2e7269907d3727e2d9fa148ee upstream. Add device-id entry for GW Instek AFG-2225, which has a byte swapped bInterfaceSubClass (0x20). Reported-by: Karl Palsson Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 0de57c08042f960997e77635d7cf4ea7acd86c31 Author: Perry Hung Date: Wed Oct 22 23:31:34 2014 -0400 usb: serial: ftdi_sio: add "bricked" FTDI device PID commit 7f2719f0003da1ad13124ef00f48d7514c79e30d upstream. An official recent Windows driver from FTDI detects counterfeit devices and reprograms the internal EEPROM containing the USB PID to 0, effectively bricking the device. Add support for this VID/PID pair to correctly bind the driver on these devices. See: http://hackaday.com/2014/10/22/watch-that-windows-update-ftdi-drivers-are-killing-fake-chips/ Signed-off-by: Perry Hung Acked-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit ff8aff4db6d20ca4da80bec75e3b9987646b553f Author: Frans Klaver Date: Fri Oct 10 11:52:08 2014 +0200 usb: serial: ftdi_sio: add Awinda Station and Dongle products commit edd74ffab1f6909eee400c7de8ce621870aacac9 upstream. Add new IDs for the Xsens Awinda Station and Awinda Dongle. While at it, order the definitions by PID and add a logical separation between devices using Xsens' VID and those using FTDI's VID. Signed-off-by: Frans Klaver Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 088cfbaf0f7d8aa06257bf6b34603af744af66a9 Author: Nathaniel Ting Date: Fri Oct 3 12:01:20 2014 -0400 USB: serial: cp210x: add Silicon Labs 358x VID and PID commit 35cc83eab097e5720a9cc0ec12bdc3a726f58381 upstream. Enable Silicon Labs Ember VID chips to enumerate with the cp210x usb serial driver. EM358x devices operating with the Ember Z-Net 5.1.2 stack may now connect to host PCs over a USB serial link. Signed-off-by: Nathaniel Ting Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 7261d5fa0fdea0d53ed58c7ce2efad1b2485218e Author: Peter Hurley Date: Thu Oct 16 13:46:38 2014 -0400 serial: Fix divide-by-zero fault in uart_get_divisor() commit 547039ec502076e60034eeb79611df3433a99b7d upstream. uart_get_baud_rate() will return baud == 0 if the max rate is set to the "magic" 38400 rate and the SPD_* flags are also specified. On the first iteration, if the current baud rate is higher than the max, the baud rate is clamped at the max (which in the degenerate case is 38400). On the second iteration, the now-"magic" 38400 baud rate selects the possibly higher alternate baud rate indicated by the SPD_* flag. Since only two loop iterations are performed, the loop is exited, a kernel WARNING is generated and a baud rate of 0 is returned. Reproducible with: setserial /dev/ttyS0 spd_hi base_baud 38400 Only perform the "magic" 38400 -> SPD_* baud transform on the first loop iteration, which prevents the degenerate case from recognizing the clamped baud rate as the "magic" 38400 value. Reported-by: Robert Święcki Signed-off-by: Peter Hurley Signed-off-by: Jiri Slaby commit 9f9387ff8a126a65cd98b169b3acc1aa7f74b602 Author: Lars-Peter Clausen Date: Tue Nov 4 18:03:16 2014 +0100 staging:iio:ade7758: Remove "raw" from channel name commit b598aacc29331e7e638cd509108600e916c6331b upstream. "raw" is a property of a channel, but should not be part of the name of channel. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 4cf866e11cf4f921a0ac20f696031cdf24b2281b Author: Lars-Peter Clausen Date: Tue Nov 4 18:03:15 2014 +0100 staging:iio:ade7758: Fix check if channels are enabled in prenable commit 79fa64eb2ee8ccb4bcad7f54caa2699730b10b22 upstream. We should check if a channel is enabled, not if no channels are enabled. Fixes: 550268ca1111 ("staging:iio: scrap scan_count and ensure all drivers use active_scan_mask") Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit ca313dd32608ae7e76fe97e69e49c827c9b61ec7 Author: Lars-Peter Clausen Date: Tue Nov 4 18:03:14 2014 +0100 staging:iio:ade7758: Fix NULL pointer deref when enabling buffer commit e10554738cab4224e097c2f9d975ea781a4fcde4 upstream. In older versions of the IIO framework it was possible to pass a completely different set of channels to iio_buffer_register() as the one that is assigned to the IIO device. Commit 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") introduced a restriction that requires that the set of channels that is passed to iio_buffer_register() is a subset of the channels assigned to the IIO device as the IIO core will use the list of channels that is assigned to the device to lookup a channel by scan index in iio_compute_scan_bytes(). If it can not find the channel the function will crash. This patch fixes the issue by making sure that the same set of channels is assigned to the IIO device and passed to iio_buffer_register(). Note that we need to remove the IIO_CHAN_INFO_RAW and IIO_CHAN_INFO_SCALE info attributes from the channels since we don't actually want those to be registered. Fixes the following crash: Unable to handle kernel NULL pointer dereference at virtual address 00000016 pgd = d2094000 [00000016] *pgd=16e39831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 1695 Comm: bash Not tainted 3.17.0-06329-g29461ee #9686 task: d7768040 ti: d5bd4000 task.ti: d5bd4000 PC is at iio_compute_scan_bytes+0x38/0xc0 LR is at iio_compute_scan_bytes+0x34/0xc0 pc : [] lr : [] psr: 60070013 sp : d5bd5ec0 ip : 00000000 fp : 00000000 r10: d769f934 r9 : 00000000 r8 : 00000001 r7 : 00000000 r6 : c8fc6240 r5 : d769f800 r4 : 00000000 r3 : d769f800 r2 : 00000000 r1 : ffffffff r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 18c5387d Table: 1209404a DAC: 00000015 Process bash (pid: 1695, stack limit = 0xd5bd4240) Stack: (0xd5bd5ec0 to 0xd5bd6000) 5ec0: d769f800 d7435640 c8fc6240 d769f984 00000000 c03175a4 d7435690 d7435640 5ee0: d769f990 00000002 00000000 d769f800 d5bd4000 00000000 000b43a8 c03177f4 5f00: d769f810 0162b8c8 00000002 c8fc7e00 d77f1d08 d77f1da8 c8fc7e00 c01faf1c 5f20: 00000002 c010694c c010690c d5bd5f88 00000002 c8fc6840 c8fc684c c0105e08 5f40: 00000000 00000000 d20d1580 00000002 000af408 d5bd5f88 c000de84 c00b76d4 5f60: d20d1580 000af408 00000002 d20d1580 d20d1580 00000002 000af408 c000de84 5f80: 00000000 c00b7a44 00000000 00000000 00000002 b6ebea78 00000002 000af408 5fa0: 00000004 c000dd00 b6ebea78 00000002 00000001 000af408 00000002 00000000 5fc0: b6ebea78 00000002 000af408 00000004 bee96a4c 000a6094 00000000 000b43a8 5fe0: 00000000 bee969cc b6e2eb77 b6e6525c 40070010 00000001 00000000 00000000 [] (iio_compute_scan_bytes) from [] (__iio_update_buffers+0x248/0x438) [] (__iio_update_buffers) from [] (iio_buffer_store_enable+0x60/0x7c) [] (iio_buffer_store_enable) from [] (dev_attr_store+0x18/0x24) [] (dev_attr_store) from [] (sysfs_kf_write+0x40/0x4c) [] (sysfs_kf_write) from [] (kernfs_fop_write+0x110/0x154) [] (kernfs_fop_write) from [] (vfs_write+0xbc/0x170) [] (vfs_write) from [] (SyS_write+0x40/0x78) [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 0a63bb30eee369a03a72c3676b85d457505d5cdd Author: Lars-Peter Clausen Date: Thu Sep 25 15:27:00 2014 +0100 staging:iio:ad5933: Drop "raw" from channel names commit 6822ee34ad57b29a3b44df2c2829910f03c34fa4 upstream. "raw" is the name of a channel property, but should not be part of the channel name itself. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 5cb3a5568cb11529cdf92cc8f6649f4aac59de2f Author: Lars-Peter Clausen Date: Thu Sep 25 15:27:00 2014 +0100 staging:iio:ad5933: Fix NULL pointer deref when enabling buffer commit 824269c5868d2a7a26417e5ef3841a27d42c6139 upstream. In older versions of the IIO framework it was possible to pass a completely different set of channels to iio_buffer_register() as the one that is assigned to the IIO device. Commit 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") introduced a restriction that requires that the set of channels that is passed to iio_buffer_register() is a subset of the channels assigned to the IIO device as the IIO core will use the list of channels that is assigned to the device to lookup a channel by scan index in iio_compute_scan_bytes(). If it can not find the channel the function will crash. This patch fixes the issue by making sure that the same set of channels is assigned to the IIO device and passed to iio_buffer_register(). Fixes the follow NULL pointer derefernce kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 00000016 pgd = d53d0000 [00000016] *pgd=1534e831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 1626 Comm: bash Not tainted 3.15.0-19969-g2a180eb-dirty #9545 task: d6c124c0 ti: d539a000 task.ti: d539a000 PC is at iio_compute_scan_bytes+0x34/0xa8 LR is at iio_compute_scan_bytes+0x34/0xa8 pc : [] lr : [] psr: 60070013 sp : d539beb8 ip : 00000001 fp : 00000000 r10: 00000002 r9 : 00000000 r8 : 00000001 r7 : 00000000 r6 : d6dc8800 r5 : d7571000 r4 : 00000002 r3 : d7571000 r2 : 00000044 r1 : 00000001 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 18c5387d Table: 153d004a DAC: 00000015 Process bash (pid: 1626, stack limit = 0xd539a240) Stack: (0xd539beb8 to 0xd539c000) bea0: c02fc0e4 d7571000 bec0: d76c1640 d6dc8800 d757117c 00000000 d757112c c0305b04 d76c1690 d76c1640 bee0: d7571188 00000002 00000000 d7571000 d539a000 00000000 000dd1c8 c0305d54 bf00: d7571010 0160b868 00000002 c69d3900 d7573278 d7573308 c69d3900 c01ece90 bf20: 00000002 c0103fac c0103f6c d539bf88 00000002 c69d3b00 c69d3b0c c0103468 bf40: 00000000 00000000 d7694a00 00000002 000af408 d539bf88 c000dd84 c00b2f94 bf60: d7694a00 000af408 00000002 d7694a00 d7694a00 00000002 000af408 c000dd84 bf80: 00000000 c00b32d0 00000000 00000000 00000002 b6f1aa78 00000002 000af408 bfa0: 00000004 c000dc00 b6f1aa78 00000002 00000001 000af408 00000002 00000000 bfc0: b6f1aa78 00000002 000af408 00000004 be806a4c 000a6094 00000000 000dd1c8 bfe0: 00000000 be8069cc b6e8ab77 b6ec125c 40070010 00000001 22940489 154a5007 [] (iio_compute_scan_bytes) from [] (__iio_update_buffers+0x248/0x438) [] (__iio_update_buffers) from [] (iio_buffer_store_enable+0x60/0x7c) [] (iio_buffer_store_enable) from [] (dev_attr_store+0x18/0x24) [] (dev_attr_store) from [] (sysfs_kf_write+0x40/0x4c) [] (sysfs_kf_write) from [] (kernfs_fop_write+0x110/0x154) [] (kernfs_fop_write) from [] (vfs_write+0xd0/0x160) [] (vfs_write) from [] (SyS_write+0x40/0x78) [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) Code: ea00000e e1a01008 e1a00005 ebfff6fc (e5d0a016) Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 3d375f0ef0a06455f4a9ddac56718f0df1e83a56 Author: Robin van der Gracht Date: Mon Sep 29 15:00:07 2014 +0200 iio: st_sensors: Fix buffer copy commit 4250c90b30b8bf2a1a21122ba0484f8f351f152d upstream. Use byte_for_channel as iterator to properly initialize the buffer. Signed-off-by: Robin van der Gracht Acked-by: Denis Ciocca Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit b76e04699452927c1881b5d364940a3381a692c8 Author: Michal Hocko Date: Mon Oct 20 18:12:32 2014 +0200 OOM, PM: OOM killed task shouldn't escape PM suspend commit 5695be142e203167e3cb515ef86a88424f3524eb upstream. PM freezer relies on having all tasks frozen by the time devices are getting frozen so that no task will touch them while they are getting frozen. But OOM killer is allowed to kill an already frozen task in order to handle OOM situtation. In order to protect from late wake ups OOM killer is disabled after all tasks are frozen. This, however, still keeps a window open when a killed task didn't manage to die by the time freeze_processes finishes. Reduce the race window by checking all tasks after OOM killer has been disabled. This is still not race free completely unfortunately because oom_killer_disable cannot stop an already ongoing OOM killer so a task might still wake up from the fridge and get killed without freeze_processes noticing. Full synchronization of OOM and freezer is, however, too heavy weight for this highly unlikely case. Introduce and check oom_kills counter which gets incremented early when the allocator enters __alloc_pages_may_oom path and only check all the tasks if the counter changes during the freezing attempt. The counter is updated so early to reduce the race window since allocator checked oom_killer_disabled which is set by PM-freezing code. A false positive will push the PM-freezer into a slow path but that is not a big deal. Changes since v1 - push the re-check loop out of freeze_processes into check_frozen_processes and invert the condition to make the code more readable as per Rafael Fixes: f660daac474c6f (oom: thaw threads if oom killed thread is frozen before deferring) Signed-off-by: Michal Hocko Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit a8b7bdeab0c35d96b7acdf94f90c0594d2a50245 Author: Cong Wang Date: Tue Oct 21 09:27:12 2014 +0200 freezer: Do not freeze tasks killed by OOM killer commit 51fae6da640edf9d266c94f36bc806c63c301991 upstream. Since f660daac474c6f (oom: thaw threads if oom killed thread is frozen before deferring) OOM killer relies on being able to thaw a frozen task to handle OOM situation but a3201227f803 (freezer: make freezing() test freeze conditions in effect instead of TIF_FREEZE) has reorganized the code and stopped clearing freeze flag in __thaw_task. This means that the target task only wakes up and goes into the fridge again because the freezing condition hasn't changed for it. This reintroduces the bug fixed by f660daac474c6f. Fix the issue by checking for TIF_MEMDIE thread flag in freezing_slow_path and exclude the task from freezing completely. If a task was already frozen it would get woken by __thaw_task from OOM killer and get out of freezer after rechecking freezing(). Changes since v1 - put TIF_MEMDIE check into freezing_slowpath rather than in __refrigerator as per Oleg - return __thaw_task into oom_scan_process_thread because oom_kill_process will not wake task in the fridge because it is sleeping uninterruptible [mhocko@suse.cz: rewrote the changelog] Fixes: a3201227f803 (freezer: make freezing() test freeze conditions in effect instead of TIF_FREEZE) Signed-off-by: Cong Wang Signed-off-by: Michal Hocko Acked-by: Oleg Nesterov Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 64118eaa371dc4b2546480ed611c34654e218706 Author: Libin Yang Date: Mon Aug 4 09:22:45 2014 +0800 ALSA: hda - add codec ID for Braswell display audio codec commit d1585c89cecdb513f68045e47ab76976524b5961 upstream. This patch adds codec ID (0x80862883) and module alias for Braswell display codec. Signed-off-by: Libin Yang Signed-off-by: Takashi Iwai Signed-off-by: Chang Rebecca Swee Fun Signed-off-by: Jiri Slaby commit 7e5b972427cff285a5315b52bd07071aaf0789d5 Author: Libin Yang Date: Mon Aug 4 09:22:44 2014 +0800 ALSA: hda - add PCI IDs for Intel Braswell commit f31b2ffcad2b8c57cee5ffc634928bcbc8c6a558 upstream. Add HD Audio Device PCI ID for the Intel Braswell platform. It is an HDA Intel PCH controller. AZX_DCAPS_ALIGN_BUFSIZE is not necessary for this controller. Signed-off-by: Libin Yang Signed-off-by: Takashi Iwai Signed-off-by: Chang Rebecca Swee Fun Signed-off-by: Jiri Slaby commit 0e5b6e1b993f400e1bd184545dedbb23017d6f74 Author: Derek Browne Date: Tue Jun 24 06:56:36 2014 -0700 mmc: sdhci-pci: SDIO host controller support for Intel Quark X1000 commit 43e968cec79b6334cf7cb3e11184cce720541712 upstream. This patch is to enable SDIO host controller for Intel Quark X1000. Signed-off-by: Derek Browne Signed-off-by: Alvin (Weike) Chen Signed-off-by: Ulf Hansson Signed-off-by: Chang Rebecca Swee Fun Signed-off-by: Jiri Slaby commit 03ed94fdc8607b448c48f40429f03938a51ab318 Author: Bryan O'Donoghue Date: Tue Oct 7 01:19:49 2014 +0100 x86: Add cpu_detect_cache_sizes to init_intel() add Quark legacy_cache() commit aece118e487a744eafcdd0c77fe32b55ee2092a1 upstream. Intel processors which don't report cache information via cpuid(2) or cpuid(4) need quirk code in the legacy_cache_size callback to report this data. For Intel that callback is is intel_size_cache(). This patch enables calling of cpu_detect_cache_sizes() inside of init_intel() and hence the calling of the legacy_cache callback in intel_size_cache(). Adding this call will ensure that PIII Tualatin currently in intel_size_cache() and Quark SoC X1000 being added to intel_size_cache() in this patch will report their respective cache sizes. This model of calling cpu_detect_cache_sizes() is consistent with AMD/Via/Cirix/Transmeta and Centaur. Also added is a string to idenitfy the Quark as Quark SoC X1000 giving better and more descriptive output via /proc/cpuinfo Adding cpu_detect_cache_sizes to init_intel() will enable calling of intel_size_cache() on Intel processors which currently no code can reach. Therefore this patch will also re-enable reporting of PIII Tualatin cache size information as well as add Quark SoC X1000 support. Comment text and cache flow logic suggested by Thomas Gleixner Signed-off-by: Bryan O'Donoghue Cc: davej@redhat.com Cc: hmh@hmh.eng.br Link: http://lkml.kernel.org/r/1412641189-12415-3-git-send-email-pure.logic@nexus-software.ie Signed-off-by: Thomas Gleixner Signed-off-by: Chang Rebecca Swee Fun Signed-off-by: Jiri Slaby commit 0d29536419e8608288753527f09c2e27ce03b7a3 Author: Pali Rohár Date: Thu Oct 16 01:16:51 2014 +0200 cpufreq: intel_pstate: Fix setting max_perf_pct in performance policy commit 36b4bed5cd8f6e17019fa7d380e0836872c7b367 upstream. Code which changes policy to powersave changes also max_policy_pct based on max_freq. Code which change max_perf_pct has upper limit base on value max_policy_pct. When policy is changing from powersave back to performance then max_policy_pct is not changed. Which means that changing max_perf_pct is not possible to high values if max_freq was too low in powersave policy. Test case: $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq 800000 $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 3300000 $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor performance $ cat /sys/devices/system/cpu/intel_pstate/max_perf_pct 100 $ echo powersave > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor $ echo 800000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq $ echo 20 > /sys/devices/system/cpu/intel_pstate/max_perf_pct $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor powersave $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 800000 $ cat /sys/devices/system/cpu/intel_pstate/max_perf_pct 20 $ echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor $ echo 3300000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq $ echo 100 > /sys/devices/system/cpu/intel_pstate/max_perf_pct $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor performance $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 3300000 $ cat /sys/devices/system/cpu/intel_pstate/max_perf_pct 24 And now intel_pstate driver allows to set maximal value for max_perf_pct based on max_policy_pct which is 24 for previous powersave max_freq 800000. This patch will set default value for max_policy_pct when setting policy to performance so it will allow to set also max value for max_perf_pct. Signed-off-by: Pali Rohár Acked-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit ead5af44a3789ff002b7f903491e91df268aaeff Author: Dirk Brandewie Date: Mon Oct 13 08:37:40 2014 -0700 cpufreq: expose scaling_cur_freq sysfs file for set_policy() drivers commit c034b02e213d271b98c45c4a7b54af8f69aaac1e upstream. Currently the core does not expose scaling_cur_freq for set_policy() drivers this breaks some userspace monitoring tools. Change the core to expose this file for all drivers and if the set_policy() driver supports the get() callback use it to retrieve the current frequency. Link: https://bugzilla.kernel.org/show_bug.cgi?id=73741 Signed-off-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit bf4939e265bc444151d92fb838b43ca705c4ffbe Author: Jan Kara Date: Thu Oct 30 10:53:16 2014 -0400 ext4: fix oops when loading block bitmap failed commit 599a9b77ab289d85c2d5c8607624efbe1f552b0f upstream. When we fail to load block bitmap in __ext4_new_inode() we will dereference NULL pointer in ext4_journal_get_write_access(). So check for error from ext4_read_block_bitmap(). Coverity-id: 989065 Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 82da3f09d4c518ffb596db2d1794d9e147da0a04 Author: Darrick J. Wong Date: Thu Oct 30 10:53:16 2014 -0400 ext4: enable journal checksum when metadata checksum feature enabled commit 98c1a7593fa355fda7f5a5940c8bf5326ca964ba upstream. If metadata checksumming is turned on for the FS, we need to tell the journal to use checksumming too. Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 6eac6ac49db2487a748258be990a34cff73dc792 Author: Jan Kara Date: Thu Oct 30 10:52:57 2014 -0400 ext4: fix overflow when updating superblock backups after resize commit 9378c6768e4fca48971e7b6a9075bc006eda981d upstream. When there are no meta block groups update_backups() will compute the backup block in 32-bit arithmetics thus possibly overflowing the block number and corrupting the filesystem. OTOH filesystems without meta block groups larger than 16 TB should be rare. Fix the problem by doing the counting in 64-bit arithmetics. Coverity-id: 741252 Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Reviewed-by: Lukas Czerner Signed-off-by: Jiri Slaby commit 9154dd792c9820b25d51e67e6e8e7ae277b64250 Author: Darrick J. Wong Date: Tue Oct 14 02:35:49 2014 -0400 ext4: check s_chksum_driver when looking for bg csum presence commit 813d32f91333e4c33d5a19b67167c4bae42dae75 upstream. Convert the ext4_has_group_desc_csum predicate to look for a checksum driver instead of the metadata_csum flag and change the bg checksum calculation function to look for GDT_CSUM before taking the crc16 path. Without this patch, if we mount with ^uninit_bg,^metadata_csum and later metadata_csum gets turned on by accident, the block group checksum functions will incorrectly assume that checksumming is enabled (metadata_csum) but that crc16 should be used (!s_chksum_driver). This is totally wrong, so fix the predicate and the checksum formula selection. (Granted, if the metadata_csum feature bit gets enabled on a live FS then something underhanded is going on, but we could at least avoid writing garbage into the on-disk fields.) Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Reviewed-by: Dmitry Monakhov Signed-off-by: Jiri Slaby commit c8137a7d271bc709697ecac2dfc88d6a226f2124 Author: Dmitry Monakhov Date: Mon Oct 13 03:36:16 2014 -0400 ext4: Replace open coded mdata csum feature to helper function commit 9aa5d32ba269bec0e7eaba2697a986a7b0bc8528 upstream. Besides the fact that this replacement improves code readability it also protects from errors caused direct EXT4_S(sb)->s_es manipulation which may result attempt to use uninitialized csum machinery. #Testcase_BEGIN IMG=/dev/ram0 MNT=/mnt mkfs.ext4 $IMG mount $IMG $MNT #Enable feature directly on disk, on mounted fs tune2fs -O metadata_csum $IMG # Provoke metadata update, likey result in OOPS touch $MNT/test umount $MNT #Testcase_END # Replacement script @@ expression E; @@ - EXT4_HAS_RO_COMPAT_FEATURE(E, EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) + ext4_has_metadata_csum(E) https://bugzilla.kernel.org/show_bug.cgi?id=82201 Signed-off-by: Dmitry Monakhov Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit cc35695f5987ae0f15439882dc66729deb82810d Author: Eric Sandeen Date: Sat Oct 11 19:51:17 2014 -0400 ext4: fix reservation overflow in ext4_da_write_begin commit 0ff8947fc5f700172b37cbca811a38eb9cb81e08 upstream. Delalloc write journal reservations only reserve 1 credit, to update the inode if necessary. However, it may happen once in a filesystem's lifetime that a file will cross the 2G threshold, and require the LARGE_FILE feature to be set in the superblock as well, if it was not set already. This overruns the transaction reservation, and can be demonstrated simply on any ext4 filesystem without the LARGE_FILE feature already set: dd if=/dev/zero of=testfile bs=1 seek=2147483646 count=1 \ conv=notrunc of=testfile sync dd if=/dev/zero of=testfile bs=1 seek=2147483647 count=1 \ conv=notrunc of=testfile leads to: EXT4-fs: ext4_do_update_inode:4296: aborting transaction: error 28 in __ext4_handle_dirty_super EXT4-fs error (device loop0) in ext4_do_update_inode:4301: error 28 EXT4-fs error (device loop0) in ext4_reserve_inode_write:4757: Readonly filesystem EXT4-fs error (device loop0) in ext4_dirty_inode:4876: error 28 EXT4-fs error (device loop0) in ext4_da_write_end:2685: error 28 Adjust the number of credits based on whether the flag is already set, and whether the current write may extend past the LARGE_FILE limit. Signed-off-by: Eric Sandeen Signed-off-by: Theodore Ts'o Reviewed-by: Andreas Dilger Signed-off-by: Jiri Slaby commit bead15b503cf4007a0383f6e8a7409569c41a546 Author: Theodore Ts'o Date: Sun Oct 5 22:56:00 2014 -0400 ext4: add ext4_iget_normal() which is to be used for dir tree lookups commit f4bb2981024fc91b23b4d09a8817c415396dbabb upstream. If there is a corrupted file system which has directory entries that point at reserved, metadata inodes, prohibit them from being used by treating them the same way we treat Boot Loader inodes --- that is, mark them to be bad inodes. This prohibits them from being opened, deleted, or modified via chmod, chown, utimes, etc. In particular, this prevents a corrupted file system which has a directory entry which points at the journal inode from being deleted and its blocks released, after which point Much Hilarity Ensues. Reported-by: Sami Liedes Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 147261f789cb5b1f0d62459f849c18dea7ada958 Author: Dmitry Monakhov Date: Fri Oct 3 12:47:23 2014 -0400 ext4: grab missed write_count for EXT4_IOC_SWAP_BOOT commit 3e67cfad22230ebed85c56cbe413876f33fea82b upstream. Otherwise this provokes complain like follows: WARNING: CPU: 12 PID: 5795 at fs/ext4/ext4_jbd2.c:48 ext4_journal_check_start+0x4e/0xa0() Modules linked in: brd iTCO_wdt lpc_ich mfd_core igb ptp dm_mirror dm_region_hash dm_log dm_mod CPU: 12 PID: 5795 Comm: python Not tainted 3.17.0-rc2-00175-gae5344f #158 Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.99.99.x028.061320111235 06/13/2011 0000000000000030 ffff8808116cfd28 ffffffff815c7dfc 0000000000000030 0000000000000000 ffff8808116cfd68 ffffffff8106ce8c ffff8808116cfdc8 ffff880813b16000 ffff880806ad6ae8 ffffffff81202008 0000000000000000 Call Trace: [] dump_stack+0x51/0x6d [] warn_slowpath_common+0x8c/0xc0 [] ? ext4_ioctl+0x9e8/0xeb0 [] warn_slowpath_null+0x1a/0x20 [] ext4_journal_check_start+0x4e/0xa0 [] __ext4_journal_start_sb+0x90/0x110 [] ext4_ioctl+0x9e8/0xeb0 [] ? ptrace_stop+0x24d/0x2f0 [] ? alloc_pid+0x480/0x480 [] ? ptrace_do_notify+0x92/0xb0 [] do_vfs_ioctl+0x4e5/0x550 [] ? _raw_spin_unlock_irq+0x2b/0x40 [] SyS_ioctl+0x53/0x80 [] tracesys+0xd0/0xd5 Reviewed-by: Jan Kara Signed-off-by: Dmitry Monakhov Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 97f94c2e2fe51803a074d4e50de0049a243391eb Author: Jan Kara Date: Wed Oct 1 21:49:46 2014 -0400 ext4: fix mmap data corruption when blocksize < pagesize commit d6320cbfc92910a3e5f10c42d98c231c98db4f60 upstream. Use truncate_isize_extended() when hole is being created in a file so that ->page_mkwrite() will get called for the partial tail page if it is mmaped (see the first patch in the series for details). Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 0dce193f3456fe009fc3c588f4ac39f33446df61 Author: Jan Kara Date: Thu Sep 18 01:12:15 2014 -0400 ext4: don't check quota format when there are no quota files commit 279bf6d390933d5353ab298fcc306c391a961469 upstream. The check whether quota format is set even though there are no quota files with journalled quota is pointless and it actually makes it impossible to turn off journalled quotas (as there's no way to unset journalled quota format). Just remove the check. Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 2d550cd1fcb6816e8f41c46f19802d57daa9762f Author: Darrick J. Wong Date: Tue Sep 16 14:34:59 2014 -0400 ext4: check EA value offset when loading commit a0626e75954078cfacddb00a4545dde821170bc5 upstream. When loading extended attributes, check each entry's value offset to make sure it doesn't collide with the entries. Without this check it is easy to crash the kernel by mounting a malicious FS containing a file with an EA wherein e_value_offs = 0 and e_value_size > 0 and then deleting the EA, which corrupts the name list. (See the f_ea_value_crash test's FS image in e2fsprogs for an example.) Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 3a7fa65d2e144ff488dc2145fea70ef42ae1bdfb Author: Darrick J. Wong Date: Tue Sep 16 14:43:09 2014 -0400 jbd2: free bh when descriptor block checksum fails commit 064d83892e9ba547f7d4eae22cbca066d95210ce upstream. Free the buffer head if the journal descriptor block fails checksum verification. This is the jbd2 port of the e2fsprogs patch "e2fsck: free bh on csum verify error in do_one_pass". Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Reviewed-by: Eric Sandeen Signed-off-by: Jiri Slaby commit ff4b0a924a8d99fb56e77760ebe7ea1e0129163b Author: Marc-André Lureau Date: Thu Oct 16 11:39:44 2014 +0200 qxl: don't create too large primary surface commit c572aaf46f71f63ae5914d4e194a955e0ba1b519 upstream. Limit primary to qemu vgamem size, to avoid reaching qemu guest bug "requested primary larger than framebuffer" on resizing screen too large to fit. Remove unneeded and misleading variables. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1127552 Signed-off-by: Marc-André Lureau Signed-off-by: Dave Airlie Signed-off-by: Jiri Slaby commit f223ebe3b68f4317cee5f2f0e081884c85da1fa2 Author: David Daney Date: Mon Oct 20 15:34:23 2014 -0700 MIPS: tlbex: Properly fix HUGE TLB Refill exception handler commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream. In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets would work properly with huge pages. The change was incorrect in that it broke the OCTEON case. The problem is shown here: xxx0: df7a0000 ld k0,0(k1) . . . xxxc0: df610000 ld at,0(k1) xxxc4: 335a0ff0 andi k0,k0,0xff0 xxxc8: e825ffcd bbit1 at,0x5,0x0 xxxcc: 003ad82d daddu k1,at,k0 . . . In the non-octeon case there is a destructive test for the huge PTE bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609 patch added). In the octeon case, we modify k1 in the branch delay slot, but we never need k0 again, so the new load is not needed, but since k1 is modified, if we do the load, we load from a garbage location and then get a nested TLB Refill, which is seen in userspace as either SIGBUS or SIGSEGV (depending on the garbage). The real fix is to only do this reloading if it is needed, and never where it is harmful. Signed-off-by: David Daney Cc: Huacai Chen Cc: Fuxin Zhang Cc: Zhangjin Wu Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8151/ Signed-off-by: Ralf Baechle Signed-off-by: Jiri Slaby commit 84e435ce293dde3b27fb40a64b02d476bd2a6d1c Author: Markos Chandras Date: Mon Oct 20 09:39:31 2014 +0100 MIPS: ftrace: Fix a microMIPS build problem commit aedd153f5bb5b1f1d6d9142014f521ae2ec294cc upstream. Code before the .fixup section needs to have the .insn directive. This has no side effects on MIPS32/64 but it affects the way microMIPS loads the address for the return label. Fixes the following build problem: mips-linux-gnu-ld: arch/mips/built-in.o: .fixup+0x4a0: Unsupported jump between ISA modes; consider recompiling with interlinking enabled. mips-linux-gnu-ld: final link failed: Bad value Makefile:819: recipe for target 'vmlinux' failed The fix is similar to 1658f914ff91c3bf ("MIPS: microMIPS: Disable LL/SC and fix linker bug.") Signed-off-by: Markos Chandras Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8117/ Signed-off-by: Ralf Baechle Signed-off-by: Jiri Slaby commit 8bb710aed647d505da7434ff9c3162344e2ad309 Author: Nicholas Bellinger Date: Sat Oct 4 04:23:15 2014 +0000 target: Fix APTPL metadata handling for dynamic MappedLUNs commit e24805637d2d270d7975502e9024d473de86afdb upstream. This patch fixes a bug in handling of SPC-3 PR Activate Persistence across Target Power Loss (APTPL) logic where re-creation of state for MappedLUNs from dynamically generated NodeACLs did not occur during I_T Nexus establishment. It adds the missing core_scsi3_check_aptpl_registration() call during core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in order to replay any pre-loaded APTPL metadata state associated with the newly connected SCSI Initiator Port. Cc: Mike Christie Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 63e62ea88d0511922dd69fbee72257ad65c22099 Author: Quinn Tran Date: Thu Sep 25 06:22:28 2014 -0400 target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream. During temporary resource starvation at lower transport layer, command is placed on queue full retry path, which expose this problem. The TCM queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same cmd twice to lower layer. The 1st time led to cmd normal free path. The 2nd time cause Null pointer access. This regression bug was originally introduced v3.1-rc code in the following commit: commit e057f53308a5f071556ee80586b99ee755bf07f5 Author: Christoph Hellwig Date: Mon Oct 17 13:56:41 2011 -0400 target: remove the transport_qf_callback se_cmd callback Signed-off-by: Quinn Tran Signed-off-by: Saurav Kashyap Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 769e28594544e6662fdbe69086b8162e04b8cf86 Author: Joern Engel Date: Fri Oct 3 14:35:56 2014 -0700 qla_target: don't delete changed nacls commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream. The code is currently riddled with "drop the hardware_lock to avoid a deadlock" bugs that expose races. One of those races seems to expose a valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some bandaid to it. Signed-off-by: Joern Engel Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 1e3b42efefd201e167bef3429ac7c90a9c3d534b Author: Vineet Gupta Date: Mon Feb 24 11:42:50 2014 +0800 ARC: [SMP] General Fixes commit c3441edd2dea83923421fd6050d2ffdc57696323 upstream. -Pass the expected arg to non-boot park'ing routine (It worked so far because existing SMP backends don't use the arg) -CONFIG_DEBUG_PREEMPT warning Signed-off-by: Jiri Slaby commit 5838e85ea0a3c77a83465dfd87257f96d0ceb6ae Author: Petr Matousek Date: Tue Sep 23 20:22:30 2014 +0200 kvm: vmx: handle invvpid vm exit gracefully commit a642fc305053cc1c6e47e4f4df327895747ab485 upstream. On systems with invvpid instruction support (corresponding bit in IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid causes vm exit, which is currently not handled and results in propagation of unknown exit to userspace. Fix this by installing an invvpid vm exit handler. This is CVE-2014-3646. Signed-off-by: Petr Matousek Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit a20e81cb2b2b8aebdca9d11b6fa2133f1b97251d Author: Nadav Amit Date: Thu Sep 18 22:39:38 2014 +0300 KVM: x86: Emulator fixes for eip canonical checks on near branches commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream. Before changing rip (during jmp, call, ret, etc.) the target should be asserted to be canonical one, as real CPUs do. During sysret, both target rsp and rip should be canonical. If any of these values is noncanonical, a #GP exception should occur. The exception to this rule are syscall and sysenter instructions in which the assigned rip is checked during the assignment to the relevant MSRs. This patch fixes the emulator to behave as real CPUs do for near branches. Far branches are handled by the next patch. This fixes CVE-2014-3647. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 4b4290c052b7180700de7257793a31f4c0ae75df Author: Nadav Amit Date: Thu Sep 18 22:39:37 2014 +0300 KVM: x86: Fix wrong masking on relative jump/call commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream. Relative jumps and calls do the masking according to the operand size, and not according to the address size as the KVM emulator does today. This patch fixes KVM behavior. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 3f119d66b95c31910a5363b15308ff3d18bba29d Author: Michael S. Tsirkin Date: Thu Sep 18 16:21:16 2014 +0300 kvm: x86: don't kill guest on unknown exit reason commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream. KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was triggered by a priveledged application. Let's not kill the guest: WARN and inject #UD instead. Signed-off-by: Michael S. Tsirkin Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 7e60cb9b5f7ad5a47404db9e7a974ab82a054544 Author: Nadav Amit Date: Tue Sep 16 03:24:05 2014 +0300 KVM: x86: Check non-canonical addresses upon WRMSR commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream. Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is written to certain MSRs. The behavior is "almost" identical for AMD and Intel (ignoring MSRs that are not implemented in either architecture since they would anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if non-canonical address is written on Intel but not on AMD (which ignores the top 32-bits). Accordingly, this patch injects a #GP on the MSRs which behave identically on Intel and AMD. To eliminate the differences between the architecutres, the value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to canonical value before writing instead of injecting a #GP. Some references from Intel and AMD manuals: According to Intel SDM description of WRMSR instruction #GP is expected on WRMSR "If the source register contains a non-canonical address and ECX specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE, IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP." According to AMD manual instruction manual: LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical form, a general-protection exception (#GP) occurs." IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the base field must be in canonical form or a #GP fault will occur." IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must be in canonical form." This patch fixes CVE-2014-3610. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 5671c6a9229edd1b1587b4ea1014d540a7e74797 Author: Andy Honig Date: Wed Aug 27 14:42:54 2014 -0700 KVM: x86: Improve thread safety in pit commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream. There's a race condition in the PIT emulation code in KVM. In __kvm_migrate_pit_timer the pit_timer object is accessed without synchronization. If the race condition occurs at the wrong time this can crash the host kernel. This fixes CVE-2014-3611. Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 9f9a1ce3932ca0b1bd52932d70929eab6e574d97 Author: Andy Honig Date: Wed Aug 27 11:16:44 2014 -0700 KVM: x86: Prevent host from panicking on shared MSR writes. commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream. The previous patch blocked invalid writes directly when the MSR is written. As a precaution, prevent future similar mistakes by gracefulling handle GPs caused by writes to shared MSRs. Signed-off-by: Andrew Honig [Remove parts obsoleted by Nadav's patch. - Paolo] Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 248541357433e3035d954435dafcdb9e70afee4e Author: Quentin Casasnovas Date: Fri Oct 17 22:55:59 2014 +0200 kvm: fix excessive pages un-pinning in kvm_iommu_map error path. commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream. The third parameter of kvm_unpin_pages() when called from kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin and not the page size. This error was facilitated with an inconsistent API: kvm_pin_pages() takes a size, but kvn_unpin_pages() takes a number of pages, so fix the problem by matching the two. This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of un-pinning for pages intended to be un-pinned (i.e. memory leak) but unfortunately potentially aggravated the number of pages we un-pin that should have stayed pinned. As far as I understand though, the same practical mitigations apply. This issue was found during review of Red Hat 6.6 patches to prepare Ksplice rebootless updates. Thanks to Vegard for his time on a late Friday evening to help me in understanding this code. Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)") Signed-off-by: Quentin Casasnovas Signed-off-by: Vegard Nossum Signed-off-by: Jamie Iles Reviewed-by: Sasha Levin Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 9f7dc51801a9bab5ebf3de6cfccbe78c779a6863 Author: Axel Lin Date: Fri Aug 8 10:32:56 2014 -0300 media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream. Fix a copy-paste bug when converting to the control framework. Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework") Signed-off-by: Axel Lin Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 4ccf56c9abfbdf00180257f0b5107a622740496b Author: Ulrich Eckhardt Date: Fri Oct 10 14:19:12 2014 -0300 media: ds3000: fix LNB supply voltage on Tevii S480 on initialization commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream. The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not automatically power down. This blocks other receivers connected to a satellite channel router (EN50494), since the receivers can not send the required DiSEqC sequences when the Tevii card is connected to a the same SCR. This patch switches off the LNB supply voltage on initialization of the frontend. [mchehab@osg.samsung.com: add a comment about why we're explicitly turning off voltage at device init] Signed-off-by: Ulrich Eckhardt Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit e59ec6fb45becf48c400c84124df2ff55c38b930 Author: Frank Schaefer Date: Sat Aug 9 06:37:20 2014 -0300 media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop commit 627530c32a43283474e9dd3e954519410ffa033a upstream. When a new video frame is started, the driver takes the next video buffer from the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf for further processing. On streaming stop we currently only give back the pending buffers from the list but not the ones which are currently processed. This causes the following warning from the vb2 core since kernel 3.15: ... ------------[ cut here ]------------ WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]() [...] Call Trace: [] dump_stack+0x48/0x69 [] warn_slowpath_common+0x79/0x90 [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] [] warn_slowpath_null+0x1d/0x20 [] __vb2_queue_cancel+0xed/0x150 [videobuf2_core] [] vb2_internal_streamoff+0x35/0x90 [videobuf2_core] [] vb2_streamoff+0x35/0x60 [videobuf2_core] [] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core] [] v4l_streamoff+0x15/0x20 [videodev] [] __video_do_ioctl+0x23d/0x2d0 [videodev] [] ? video_ioctl2+0x20/0x20 [videodev] [] video_usercopy+0x203/0x5a0 [videodev] [] ? video_ioctl2+0x20/0x20 [videodev] [] ? fsnotify+0x1e7/0x2b0 [] video_ioctl2+0x12/0x20 [videodev] [] ? video_ioctl2+0x20/0x20 [videodev] [] v4l2_ioctl+0xee/0x130 [videodev] [] ? v4l2_open+0xf0/0xf0 [videodev] [] do_vfs_ioctl+0x2e2/0x4d0 [] ? vfs_write+0x13c/0x1c0 [] ? vfs_writev+0x2f/0x50 [] SyS_ioctl+0x58/0x80 [] sysenter_do_call+0x12/0x12 ---[ end trace 5545f934409f13f4 ]--- ... Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled this long standing issue and who has investigated it further. Signed-off-by: Frank Schäfer Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 2b78ff2f0d9f5be64af3ab88d2bff9033010a422 Author: Paul Fertser Date: Sun Jun 8 12:16:48 2014 -0300 media: usb: uvc: add a quirk for Dell XPS M1330 webcam commit 62ea864f84fed6e04dd033d500d4c9183a83d590 upstream. As reported on [1], this device needs this quirk to be able to reliably initialise the webcam. [1] http://ubuntuforums.org/showthread.php?t=2145996 Cc: stable@vger.kernel.org Signed-off-by: Paul Fertser Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit c04a0fa72b628335a12aefa707f46a1a85010225 Author: Maciej Matraszek Date: Mon Sep 15 05:14:48 2014 -0300 media: v4l2-common: fix overflow in v4l_bound_align_image() commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream. Fix clamp_align() used in v4l_bound_align_image() to prevent overflow when passed large value like UINT32_MAX. In the current implementation: clamp_align(UINT32_MAX, 8, 8192, 3) returns 8, because in line: x = (x + (1 << (align - 1))) & mask; x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192. v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter explicitly states that: "The modified format should be as close as possible to the original request." -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html Thus one would expect, that passing UINT32_MAX as format width and height will result in setting maximum possible resolution for the device. Particularly, when the driver doesn't support VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase. Fixes changeset: b0d3159be9a3 Signed-off-by: Maciej Matraszek Acked-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 5a14c978fed450baabf93cec388743b1de8b4b41 Author: Ben Skeggs Date: Mon Sep 8 10:33:32 2014 +1000 drm/nouveau/bios: memset dcb struct to zero before parsing commit 595d373f1e9c9ce0fc946457fdb488e8a58972cd upstream. Fixes type/mask calculation being based on uninitialised data for VGA outputs. Signed-off-by: Ben Skeggs Signed-off-by: Jiri Slaby commit 3055e72f042a7e5566f02ca2be609426ba6f6efa Author: Benjamin Herrenschmidt Date: Tue Oct 7 19:04:58 2014 +1100 drm/ast: Fix HW cursor image commit 1e99cfa8de0f0879091e33cd65fd60418d006ad9 upstream. The translation from the X driver to the KMS one typo'ed a couple of array indices, causing the HW cursor to look weird (blocky with leaking edge colors). This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Dave Airlie Signed-off-by: Jiri Slaby commit 09cefff4b3b8dfbded9ab2ff7d7f1f1290dd1920 Author: Hans de Goede Date: Fri Oct 24 14:55:24 2014 -0700 Input: i8042 - quirks for Fujitsu Lifebook A544 and Lifebook AH544 commit 993b3a3f80a7842a48cd46c2b41e1b3ef6302468 upstream. These models need i8042.notimeout, otherwise the touchpad will not work. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=69731 BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1111138 Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit f16aa7220146b9ec68ead80057cf3f59ee6bf3ca Author: Hans de Goede Date: Sat Oct 11 11:27:37 2014 -0700 Input: i8042 - add noloop quirk for Asus X750LN commit 9ff84a17302aeb8913ff244ecc0d8f9d219fecb5 upstream. Without this the aux port does not get detected, and consequently the touchpad will not work. https://bugzilla.redhat.com/show_bug.cgi?id=1110011 Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 813324190f068e9e710ef2078deed32bc9df0f56 Author: Mikulas Patocka Date: Tue Sep 16 12:40:26 2014 -0400 framebuffer: fix border color commit f74a289b9480648a654e5afd8458c2263c03a1e1 upstream. The framebuffer code uses the current background color to fill the border when switching consoles, however, this results in inconsistent behavior. For example: - start Midnigh Commander - the border is black - switch to another console and switch back - the border is cyan - type something into the command line in mc - the border is cyan - switch to another console and switch back - the border is black - press F9 to go to menu - the border is black - switch to another console and switch back - the border is dark blue When switching to a console with Midnight Commander, the border is random color that was left selected by the slang subsystem. This patch fixes this inconsistency by always using black as the background color when switching consoles. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit 860ce42432c4a884c78dec67f03f7b2c22644457 Author: Prarit Bhargava Date: Tue Oct 14 02:51:39 2014 +1030 modules, lock around setting of MODULE_STATE_UNFORMED commit d3051b489aa81ca9ba62af366149ef42b8dae97c upstream. A panic was seen in the following sitation. There are two threads running on the system. The first thread is a system monitoring thread that is reading /proc/modules. The second thread is loading and unloading a module (in this example I'm using my simple dummy-module.ko). Note, in the "real world" this occurred with the qlogic driver module. When doing this, the following panic occurred: ------------[ cut here ]------------ kernel BUG at kernel/module.c:3739! invalid opcode: 0000 [#1] SMP Modules linked in: binfmt_misc sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw igb gf128mul glue_helper iTCO_wdt iTCO_vendor_support ablk_helper ptp sb_edac cryptd pps_core edac_core shpchp i2c_i801 pcspkr wmi lpc_ich ioatdma mfd_core dca ipmi_si nfsd ipmi_msghandler auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm isci drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: dummy_module] CPU: 37 PID: 186343 Comm: cat Tainted: GF O-------------- 3.10.0+ #7 Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013 task: ffff8807fd2d8000 ti: ffff88080fa7c000 task.ti: ffff88080fa7c000 RIP: 0010:[] [] module_flags+0xb5/0xc0 RSP: 0018:ffff88080fa7fe18 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffffffffa03b5200 RCX: 0000000000000000 RDX: 0000000000001000 RSI: ffff88080fa7fe38 RDI: ffffffffa03b5000 RBP: ffff88080fa7fe28 R08: 0000000000000010 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000000000f R12: ffffffffa03b5000 R13: ffffffffa03b5008 R14: ffffffffa03b5200 R15: ffffffffa03b5000 FS: 00007f6ae57ef740(0000) GS:ffff88101e7a0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000404f70 CR3: 0000000ffed48000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffffffffa03b5200 ffff8810101e4800 ffff88080fa7fe70 ffffffff810d666c ffff88081e807300 000000002e0f2fbf 0000000000000000 ffff88100f257b00 ffffffffa03b5008 ffff88080fa7ff48 ffff8810101e4800 ffff88080fa7fee0 Call Trace: [] m_show+0x19c/0x1e0 [] seq_read+0x16e/0x3b0 [] proc_reg_read+0x3d/0x80 [] vfs_read+0x9c/0x170 [] SyS_read+0x58/0xb0 [] system_call_fastpath+0x16/0x1b Code: 48 63 c2 83 c2 01 c6 04 03 29 48 63 d2 eb d9 0f 1f 80 00 00 00 00 48 63 d2 c6 04 13 2d 41 8b 0c 24 8d 50 02 83 f9 01 75 b2 eb cb <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 RIP [] module_flags+0xb5/0xc0 RSP Consider the two processes running on the system. CPU 0 (/proc/modules reader) CPU 1 (loading/unloading module) CPU 0 opens /proc/modules, and starts displaying data for each module by traversing the modules list via fs/seq_file.c:seq_open() and fs/seq_file.c:seq_read(). For each module in the modules list, seq_read does op->start() <-- this is a pointer to m_start() op->show() <- this is a pointer to m_show() op->stop() <-- this is a pointer to m_stop() The m_start(), m_show(), and m_stop() module functions are defined in kernel/module.c. The m_start() and m_stop() functions acquire and release the module_mutex respectively. ie) When reading /proc/modules, the module_mutex is acquired and released for each module. m_show() is called with the module_mutex held. It accesses the module struct data and attempts to write out module data. It is in this code path that the above BUG_ON() warning is encountered, specifically m_show() calls static char *module_flags(struct module *mod, char *buf) { int bx = 0; BUG_ON(mod->state == MODULE_STATE_UNFORMED); ... The other thread, CPU 1, in unloading the module calls the syscall delete_module() defined in kernel/module.c. The module_mutex is acquired for a short time, and then released. free_module() is called without the module_mutex. free_module() then sets mod->state = MODULE_STATE_UNFORMED, also without the module_mutex. Some additional code is called and then the module_mutex is reacquired to remove the module from the modules list: /* Now we can delete it from the lists */ mutex_lock(&module_mutex); stop_machine(__unlink_module, mod, NULL); mutex_unlock(&module_mutex); This is the sequence of events that leads to the panic. CPU 1 is removing dummy_module via delete_module(). It acquires the module_mutex, and then releases it. CPU 1 has NOT set dummy_module->state to MODULE_STATE_UNFORMED yet. CPU 0, which is reading the /proc/modules, acquires the module_mutex and acquires a pointer to the dummy_module which is still in the modules list. CPU 0 calls m_show for dummy_module. The check in m_show() for MODULE_STATE_UNFORMED passed for dummy_module even though it is being torn down. Meanwhile CPU 1, which has been continuing to remove dummy_module without holding the module_mutex, now calls free_module() and sets dummy_module->state to MODULE_STATE_UNFORMED. CPU 0 now calls module_flags() with dummy_module and ... static char *module_flags(struct module *mod, char *buf) { int bx = 0; BUG_ON(mod->state == MODULE_STATE_UNFORMED); and BOOM. Acquire and release the module_mutex lock around the setting of MODULE_STATE_UNFORMED in the teardown path, which should resolve the problem. Testing: In the unpatched kernel I can panic the system within 1 minute by doing while (true) do insmod dummy_module.ko; rmmod dummy_module.ko; done and while (true) do cat /proc/modules; done in separate terminals. In the patched kernel I was able to run just over one hour without seeing any issues. I also verified the output of panic via sysrq-c and the output of /proc/modules looks correct for all three states for the dummy_module. dummy_module 12661 0 - Unloading 0xffffffffa03a5000 (OE-) dummy_module 12661 0 - Live 0xffffffffa03bb000 (OE) dummy_module 14015 1 - Loading 0xffffffffa03a5000 (OE+) Signed-off-by: Prarit Bhargava Reviewed-by: Oleg Nesterov Signed-off-by: Rusty Russell Signed-off-by: Jiri Slaby commit 93232824e2c3aa8173a1060fbf9acea7f477d53c Author: Alexey Khoroshilov Date: Wed Oct 1 22:58:35 2014 +0200 dm log userspace: fix memory leak in dm_ulog_tfr_init failure path commit 56ec16cb1e1ce46354de8511eef962a417c32c92 upstream. If cn_add_callback() fails in dm_ulog_tfr_init(), it does not deallocate prealloced memory but calls cn_del_callback(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Reviewed-by: Jonathan Brassow Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 40e8412c09dbb9a60aaba93a91c4d56e88caa9c8 Author: Mike Snitzer Date: Wed Oct 8 18:26:13 2014 -0400 block: fix alignment_offset math that assumes io_min is a power-of-2 commit b8839b8c55f3fdd60dc36abcda7e0266aff7985c upstream. The math in both blk_stack_limits() and queue_limit_alignment_offset() assume that a block device's io_min (aka minimum_io_size) is always a power-of-2. Fix the math such that it works for non-power-of-2 io_min. This issue (of alignment_offset != 0) became apparent when testing dm-thinp with a thinp blocksize that matches a RAID6 stripesize of 1280K. Commit fdfb4c8c1 ("dm thin: set minimum_io_size to pool's data block size") unlocked the potential for alignment_offset != 0 due to the dm-thin-pool's io_min possibly being a non-power-of-2. Signed-off-by: Mike Snitzer Acked-by: Martin K. Petersen Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit 5fa353fffaae9794ac109d748e2c6a9808abbba0 Author: Lai Jiangshan Date: Thu Sep 18 16:49:41 2014 +0200 drbd: compute the end before rb_insert_augmented() commit 82cfb90bc99d7b7e0ec62d0505b9d4f06805d5db upstream. Commit 98683650 "Merge branch 'drbd-8.4_ed6' into for-3.8-drivers-drbd-8.4_ed6" switches to the new augment API, but the new API requires that the tree is augmented before rb_insert_augmented() is called, which is missing. So we add the augment-code to drbd_insert_interval() when it travels the tree up to down before rb_insert_augmented(). See the example in include/linux/interval_tree_generic.h or Documentation/rbtree.txt. drbd_insert_interval() may cancel the insertion when traveling, in this case, the just added augment-code does nothing before cancel since the @this node is already in the subtrees in this case. CC: Michel Lespinasse Signed-off-by: Lai Jiangshan Signed-off-by: Andreas Gruenbacher Signed-off-by: Philipp Reisner Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit de91001eafdb327475a4034b97b1871170d1f0ce Author: Mikulas Patocka Date: Wed Oct 1 13:29:48 2014 -0400 dm bufio: when done scanning return from __scan immediately commit 0e825862f3c04cee40e25f55680333728a4ffa9b upstream. When __scan frees the required number of buffer entries that the shrinker requested (nr_to_scan becomes zero) it must return. Before this fix the __scan code exited only the inner loop and continued in the outer loop -- which could result in reduced performance due to extra buffers being freed (e.g. unnecessarily evicted thinp metadata needing to be synchronously re-read into bufio's cache). Also, move dm_bufio_cond_resched to __scan's inner loop, so that iterating the bufio client's lru lists doesn't result in scheduling latency. Reported-by: Joe Thornber Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 15188b0745439aa1f686e6eb55cacabbe2ea0244 Author: Joe Thornber Date: Tue Sep 30 09:32:46 2014 +0100 dm bufio: update last_accessed when relinking a buffer commit eb76faf53b1ff7a77ce3f78cc98ad392ac70c2a0 upstream. The 'last_accessed' member of the dm_buffer structure was only set when the the buffer was created. This led to each buffer being discarded after dm_bufio_max_age time even if it was used recently. In practice this resulted in all thinp metadata being evicted soon after being read -- this is particularly problematic for metadata intensive workloads like multithreaded small random IO. 'last_accessed' is now updated each time the buffer is moved to the head of the LRU list, so the buffer is now properly discarded if it was not used in dm_bufio_max_age time. Signed-off-by: Joe Thornber Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 579cd3110d9192bcb86b472c50253b90eb0571a9 Author: Olaf Hering Date: Fri Apr 11 08:56:23 2014 +0200 drm/cirrus: bind also to qemu-xen-traditional commit c0c3e735fa7bae29c6623511127fd021b2d6d849 upstream. qemu as used by xend/xm toolstack uses a different subvendor id. Bind the drm driver also to this emulated card. Signed-off-by: Olaf Hering Signed-off-by: Dave Airlie Signed-off-by: Jiri Slaby commit e8dbfec28946937e04c901fec26f1f0676d46ce6 Author: Roger Pau Monné Date: Mon Sep 15 11:55:27 2014 +0200 xen-blkback: fix leak on grant map error path commit 61cecca865280bef4f8a9748d0a9afa5df351ac2 upstream. Fix leaking a page when a grant mapping has failed. Signed-off-by: Roger Pau Monné Reported-and-Tested-by: Tao Chen Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Jiri Slaby commit a5f37e6cb8c60f4a066ca9d2d4bcb6af002af4eb Author: Michael S. Tsirkin Date: Tue Oct 14 10:40:29 2014 +1030 virtio_pci: fix virtio spec compliance on restore commit 6fbc198cf623944ab60a1db6d306a4d55cdd820d upstream. On restore, virtio pci does the following: + set features + init vqs etc - device can be used at this point! + set ACKNOWLEDGE,DRIVER and DRIVER_OK status bits This is in violation of the virtio spec, which requires the following order: - ACKNOWLEDGE - DRIVER - init vqs - DRIVER_OK This behaviour will break with hypervisors that assume spec compliant behaviour. It seems like a good idea to have this patch applied to stable branches to reduce the support butden for the hypervisors. Cc: Amit Shah Signed-off-by: Michael S. Tsirkin Signed-off-by: Rusty Russell Signed-off-by: Jiri Slaby commit ff6fe80314fb2b131503835ce59b5ba9210d5864 Author: Stephen Smalley Date: Mon Oct 6 16:32:52 2014 -0400 selinux: fix inode security list corruption commit 923190d32de4428afbea5e5773be86bea60a9925 upstream. sb_finish_set_opts() can race with inode_free_security() when initializing inode security structures for inodes created prior to initial policy load or by the filesystem during ->mount(). This appears to have always been a possible race, but commit 3dc91d4 ("SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()") made it more evident by immediately reusing the unioned list/rcu element of the inode security structure for call_rcu() upon an inode_free_security(). But the underlying issue was already present before that commit as a possible use-after-free of isec. Shivnandan Kumar reported the list corruption and proposed a patch to split the list and rcu elements out of the union as separate fields of the inode_security_struct so that setting the rcu element would not affect the list element. However, this would merely hide the issue and not truly fix the code. This patch instead moves up the deletion of the list entry prior to dropping the sbsec->isec_lock initially. Then, if the inode is dropped subsequently, there will be no further references to the isec. Reported-by: Shivnandan Kumar Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore Signed-off-by: Jiri Slaby commit 77bbc2f5844a52a6b3d56a3df504e8e1387bdea1 Author: Valdis Kletnieks Date: Sun Oct 12 23:09:08 2014 -0400 pstore: Fix duplicate {console,ftrace}-efi entries commit d4bf205da618bbd0b038e404d646f14e76915718 upstream. The pstore filesystem still creates duplicate filename/inode pairs for some pstore types. Add the id to the filename to prevent that. Before patch: [/sys/fs/pstore] ls -li total 0 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi 1250 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi After: [/sys/fs/pstore] ls -li total 0 1232 -r--r--r--. 1 root root 148 Sep 29 17:09 console-efi-141202499100000 1231 -r--r--r--. 1 root root 67 Sep 29 17:09 console-efi-141202499200000 1230 -r--r--r--. 1 root root 148 Sep 29 17:44 console-efi-141202705400000 1229 -r--r--r--. 1 root root 67 Sep 29 17:44 console-efi-141202705500000 1228 -r--r--r--. 1 root root 67 Sep 29 20:42 console-efi-141203772600000 1227 -r--r--r--. 1 root root 148 Sep 29 23:42 console-efi-141204854900000 1226 -r--r--r--. 1 root root 67 Sep 29 23:42 console-efi-141204855000000 1225 -r--r--r--. 1 root root 148 Sep 29 23:59 console-efi-141204954200000 1224 -r--r--r--. 1 root root 67 Sep 29 23:59 console-efi-141204954400000 Signed-off-by: Valdis Kletnieks Acked-by: Kees Cook Signed-off-by: Tony Luck Signed-off-by: Jiri Slaby commit 3d96e8ff2dbd213598460bda628892ce091f8dcc Author: Chris Ball Date: Thu Sep 4 17:11:53 2014 +0100 mfd: rtsx_pcr: Fix MSI enable error handling commit 5152970538a5e16c03bbcb9f1c780489a795ed40 upstream. pci_enable_msi() can return failure with both positive and negative integers -- it returns 0 for success -- but is only tested here for "if (ret < 0)". This causes us to try to use MSI on the RTS5249 SD reader in the Dell XPS 11 when enabling MSI failed, causing: [ 1.737110] rtsx_pci: probe of 0000:05:00.0 failed with error -110 Reported-by: D. Jared Dominguez Tested-by: D. Jared Dominguez Signed-off-by: Chris Ball Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 365446fe1c7bf1b481cedfb9e50cfc8a86fdde89 Author: Eric W. Biederman Date: Wed Oct 8 10:42:27 2014 -0700 mnt: Prevent pivot_root from creating a loop in the mount tree commit 0d0826019e529f21c84687521d03f60cd241ca7d upstream. Andy Lutomirski recently demonstrated that when chroot is used to set the root path below the path for the new ``root'' passed to pivot_root the pivot_root system call succeeds and leaks mounts. In examining the code I see that starting with a new root that is below the current root in the mount tree will result in a loop in the mount tree after the mounts are detached and then reattached to one another. Resulting in all kinds of ugliness including a leak of that mounts involved in the leak of the mount loop. Prevent this problem by ensuring that the new mount is reachable from the current root of the mount tree. [Added stable cc. Fixes CVE-2014-7970. --Andy] Reported-by: Andy Lutomirski Reviewed-by: Andy Lutomirski Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org Signed-off-by: "Eric W. Biederman" Signed-off-by: Andy Lutomirski Signed-off-by: Jiri Slaby commit c7077ed405a94651d01822ab8390ab1b84bf341a Author: Richard Genoud Date: Tue Sep 9 14:25:01 2014 +0200 UBI: add missing kmem_cache_free() in process_pool_aeb error path commit 1bf1890e86869032099b539bc83b098be12fc5a7 upstream. I ran into this error after a ubiupdatevol, because I forgot to backport e9110361a9a4 UBI: fix the volumes tree sorting criteria. UBI error: process_pool_aeb: orphaned volume in fastmap pool UBI error: ubi_scan_fastmap: Attach by fastmap failed, doing a full scan! kmem_cache_destroy ubi_ainf_peb_slab: Slab cache still has objects CPU: 0 PID: 1 Comm: swapper Not tainted 3.14.18-00053-gf05cac8dbf85 #1 [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (destroy_ai+0x230/0x244) [] (destroy_ai) from [] (ubi_attach+0x98/0x1ec) [] (ubi_attach) from [] (ubi_attach_mtd_dev+0x2b8/0x868) [] (ubi_attach_mtd_dev) from [] (ubi_init+0x1dc/0x2ac) [] (ubi_init) from [] (do_one_initcall+0x94/0x140) [] (do_one_initcall) from [] (kernel_init_freeable+0xe8/0x1b0) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xe4) [] (kernel_init) from [] (ret_from_fork+0x14/0x24) UBI: scanning is finished Freeing the cache in the error path fixes the Slab error. Tested on at91sam9g35 (3.14.18+fastmap backports) Signed-off-by: Richard Genoud Signed-off-by: Jiri Slaby commit 3b29acb38f39aea8cf7675eadd5214300149bb9e Author: Daniel Borkmann Date: Tue Aug 26 23:16:35 2014 -0400 random: add and use memzero_explicit() for clearing data commit d4c5efdb97773f59a2b711754ca0953f24516739 upstream. zatimend has reported that in his environment (3.16/gcc4.8.3/corei7) memset() calls which clear out sensitive data in extract_{buf,entropy, entropy_user}() in random driver are being optimized away by gcc. Add a helper memzero_explicit() (similarly as explicit_bzero() variants) that can be used in such cases where a variable with sensitive data is being cleared out in the end. Other use cases might also be in crypto code. [ I have put this into lib/string.c though, as it's always built-in and doesn't need any dependencies then. ] Fixes kernel bugzilla: 82041 Reported-by: zatimend@hotmail.co.uk Signed-off-by: Daniel Borkmann Acked-by: Hannes Frederic Sowa Cc: Alexey Dobriyan Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 63550e4be59837925cc1bee167bee83a90ce974c Author: Thorsten Knabe Date: Sat Aug 23 15:47:38 2014 +0200 um: ubd: Fix for processes stuck in D state forever commit 2a2361228c5e6d8c1733f00653481de918598e50 upstream. Starting with Linux 3.12 processes get stuck in D state forever in UserModeLinux under sync heavy workloads. This bug was introduced by commit 805f11a0d5 (um: ubd: Add REQ_FLUSH suppport). Fix bug by adding a check if FLUSH request was successfully submitted to the I/O thread and keeping the FLUSH request on the request queue on submission failures. Fixes: 805f11a0d5 (um: ubd: Add REQ_FLUSH suppport) Signed-off-by: Thorsten Knabe Signed-off-by: Richard Weinberger Signed-off-by: Jiri Slaby commit ec84c5e8a19be56aa297f195885e0303a956230f Author: Al Viro Date: Wed Oct 8 23:44:00 2014 -0400 fix misuses of f_count() in ppp and netlink commit 24dff96a37a2ca319e75a74d3929b2de22447ca6 upstream. we used to check for "nobody else could start doing anything with that opened file" by checking that refcount was 2 or less - one for descriptor table and one we'd acquired in fget() on the way to wherever we are. That was race-prone (somebody else might have had a reference to descriptor table and do fget() just as we'd been checking) and it had become flat-out incorrect back when we switched to fget_light() on those codepaths - unlike fget(), it doesn't grab an extra reference unless the descriptor table is shared. The same change allowed a race-free check, though - we are safe exactly when refcount is less than 2. It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH, netlink hadn't grown that check until 3.9 and ppp used to live in drivers/net, not drivers/net/ppp until 3.1. The bug existed well before that, though, and the same fix used to apply in old location of file. Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit ca57f7e423849774b8fbc4547c8a7f43b876216b Author: Al Viro Date: Fri Aug 1 20:13:40 2014 +0100 kill wbuf_queued/wbuf_dwork_lock commit 99358a1ca53e8e6ce09423500191396f0e6584d2 upstream. schedule_delayed_work() happening when the work is already pending is a cheap no-op. Don't bother with ->wbuf_queued logics - it's both broken (cancelling ->wbuf_dwork leaves it set, as spotted by Jeff Harris) and pointless. It's cheaper to let schedule_delayed_work() handle that case. Reported-by: Jeff Harris Tested-by: Jeff Harris Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit 1c4b9d08a82414e5351a2aa54e047eff7286e93e Author: Al Viro Date: Mon Sep 29 14:46:30 2014 -0400 missing data dependency barrier in prepend_name() commit 6d13f69444bd3d4888e43f7756449748f5a98bad upstream. AFAICS, prepend_name() is broken on SMP alpha. Disclaimer: I don't have SMP alpha boxen to reproduce it on. However, it really looks like the race is real. CPU1: d_path() on /mnt/ramfs/<255-character>/foo CPU2: mv /mnt/ramfs/<255-character> /mnt/ramfs/<63-character> CPU2 does d_alloc(), which allocates an external name, stores the name there including terminating NUL, does smp_wmb() and stores its address in dentry->d_name.name. It proceeds to d_add(dentry, NULL) and d_move() old dentry over to that. ->d_name.name value ends up in that dentry. In the meanwhile, CPU1 gets to prepend_name() for that dentry. It fetches ->d_name.name and ->d_name.len; the former ends up pointing to new name (64-byte kmalloc'ed array), the latter - 255 (length of the old name). Nothing to force the ordering there, and normally that would be OK, since we'd run into the terminating NUL and stop. Except that it's alpha, and we'd need a data dependency barrier to guarantee that we see that store of NUL __d_alloc() has done. In a similar situation dentry_cmp() would survive; it does explicit smp_read_barrier_depends() after fetching ->d_name.name. prepend_name() doesn't and it risks walking past the end of kmalloc'ed object and possibly oops due to taking a page fault in kernel mode. Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit 12f36730da98ee45a2e16bff0122b3357291f7d6 Author: Takashi Iwai Date: Tue Oct 28 12:42:19 2014 +0100 ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode commit 317168d0c766defd14b3d0e9c2c4a9a258b803ee upstream. In compat mode, we copy each field of snd_pcm_status struct but don't touch the reserved fields, and this leaves uninitialized values there. Meanwhile the native ioctl does zero-clear the whole structure, so we should follow the same rule in compat mode, too. Reported-by: Pierre-Louis Bossart Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 54ae5738de038c08cc19eee64f58a5faf46d091a Author: Dmitry Kasatkin Date: Tue Oct 28 14:28:49 2014 +0200 evm: check xattr value length and type in evm_inode_setxattr() commit 3b1deef6b1289a99505858a3b212c5b50adf0c2f upstream. evm_inode_setxattr() can be called with no value. The function does not check the length so that following command can be used to produce the kernel oops: setfattr -n security.evm FOO. This patch fixes it. Changes in v3: * there is no reason to return different error codes for EVM_XATTR_HMAC and non EVM_XATTR_HMAC. Remove unnecessary test then. Changes in v2: * testing for validity of xattr type [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1106.398192] IP: [] evm_inode_setxattr+0x2a/0x48 [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0 [ 1106.399953] Oops: 0000 [#1] SMP [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936 [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000 [ 1106.400020] RIP: 0010:[] [] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246 [ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000 [ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8 [ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df [ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00 [ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0 [ 1106.400020] Stack: [ 1106.400020] ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98 [ 1106.400020] ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000 [ 1106.400020] 0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8 [ 1106.400020] Call Trace: [ 1106.400020] [] security_inode_setxattr+0x5d/0x6a [ 1106.400020] [] vfs_setxattr+0x6b/0x9f [ 1106.400020] [] setxattr+0x122/0x16c [ 1106.400020] [] ? mnt_want_write+0x21/0x45 [ 1106.400020] [] ? __sb_start_write+0x10f/0x143 [ 1106.400020] [] ? mnt_want_write+0x21/0x45 [ 1106.400020] [] ? __mnt_want_write+0x48/0x4f [ 1106.400020] [] SyS_setxattr+0x6e/0xb0 [ 1106.400020] [] system_call_fastpath+0x16/0x1b [ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83 [ 1106.400020] RIP [] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP [ 1106.400020] CR2: 0000000000000000 [ 1106.428061] ---[ end trace ae08331628ba3050 ]--- Reported-by: Jan Kara Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Signed-off-by: Jiri Slaby commit 0833c9e835508b7dc0305846e8b2ebf793a18d97 Author: Dexuan Cui Date: Wed Oct 29 03:53:37 2014 -0700 x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE commit d1cd1210834649ce1ca6bafe5ac25d2f40331343 upstream. pte_pfn() returns a PFN of long (32 bits in 32-PAE), so "long << PAGE_SHIFT" will overflow for PFNs above 4GB. Due to this issue, some Linux 32-PAE distros, running as guests on Hyper-V, with 5GB memory assigned, can't load the netvsc driver successfully and hence the synthetic network device can't work (we can use the kernel parameter mem=3000M to work around the issue). Cast pte_pfn() to phys_addr_t before shifting. Fixes: "commit d76565344512: x86, mm: Create slow_virt_to_phys()" Signed-off-by: Dexuan Cui Cc: K. Y. Srinivasan Cc: Haiyang Zhang Cc: gregkh@linuxfoundation.org Cc: linux-mm@kvack.org Cc: olaf@aepfle.de Cc: apw@canonical.com Cc: jasowang@redhat.com Cc: dave.hansen@intel.com Cc: riel@redhat.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/1414580017-27444-1-git-send-email-decui@microsoft.com Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit cb3a0a46bd06006dd2094660435e6a1c4ee4bbfc Author: Andy Lutomirski Date: Wed Oct 1 11:49:04 2014 -0700 x86_64, entry: Filter RFLAGS.NT on entry from userspace commit 8c7aa698baca5e8f1ba9edb68081f1e7a1abf455 upstream. The NT flag doesn't do anything in long mode other than causing IRET to #GP. Oddly, CPL3 code can still set NT using popf. Entry via hardware or software interrupt clears NT automatically, so the only relevant entries are fast syscalls. If user code causes kernel code to run with NT set, then there's at least some (small) chance that it could cause trouble. For example, user code could cause a call to EFI code with NT set, and who knows what would happen? Apparently some games on Wine sometimes do this (!), and, if an IRET return happens, they will segfault. That segfault cannot be handled, because signal delivery fails, too. This patch programs the CPU to clear NT on entry via SYSCALL (both 32-bit and 64-bit, by my reading of the AMD APM), and it clears NT in software on entry via SYSENTER. To save a few cycles, this borrows a trick from Jan Beulich in Xen: it checks whether NT is set before trying to clear it. As a result, it seems to have very little effect on SYSENTER performance on my machine. There's another minor bug fix in here: it looks like the CFI annotations were wrong if CONFIG_AUDITSYSCALL=n. Testers beware: on Xen, SYSENTER with NT set turns into a GPF. I haven't touched anything on 32-bit kernels. The syscall mask change comes from a variant of this patch by Anish Bhatt. Note to stable maintainers: there is no known security issue here. A misguided program can set NT and cause the kernel to try and fail to deliver SIGSEGV, crashing the program. This patch fixes Far Cry on Wine: https://bugs.winehq.org/show_bug.cgi?id=33275 Reported-by: Anish Bhatt Signed-off-by: Andy Lutomirski Link: http://lkml.kernel.org/r/395749a5d39a29bd3e4b35899cf3a3c1340e5595.1412189265.git.luto@amacapital.net Signed-off-by: H. Peter Anvin Signed-off-by: Jiri Slaby commit 2a57185838f4b505cd8ce0ea8ac3e1da6f2a3ff4 Author: Oleg Nesterov Date: Tue Sep 2 19:57:13 2014 +0200 x86, fpu: shift drop_init_fpu() from save_xstate_sig() to handle_signal() commit 66463db4fc5605d51c7bb81d009d5bf30a783a2c upstream. save_xstate_sig()->drop_init_fpu() doesn't look right. setup_rt_frame() can fail after that, in this case the next setup_rt_frame() triggered by SIGSEGV won't save fpu simply because the old state was lost. This obviously mean that fpu won't be restored after sys_rt_sigreturn() from SIGSEGV handler. Shift drop_init_fpu() into !failed branch in handle_signal(). Test-case (needs -O2): #include #include #include #include #include #include #include volatile double D; void test(double d) { int pid = getpid(); for (D = d; D == d; ) { /* sys_tkill(pid, SIGHUP); asm to avoid save/reload * fp regs around "C" call */ asm ("" : : "a"(200), "D"(pid), "S"(1)); asm ("syscall" : : : "ax"); } printf("ERR!!\n"); } void sigh(int sig) { } char altstack[4096 * 10] __attribute__((aligned(4096))); void *tfunc(void *arg) { for (;;) { mprotect(altstack, sizeof(altstack), PROT_READ); mprotect(altstack, sizeof(altstack), PROT_READ|PROT_WRITE); } } int main(void) { stack_t st = { .ss_sp = altstack, .ss_size = sizeof(altstack), .ss_flags = SS_ONSTACK, }; struct sigaction sa = { .sa_handler = sigh, }; pthread_t pt; sigaction(SIGSEGV, &sa, NULL); sigaltstack(&st, NULL); sa.sa_flags = SA_ONSTACK; sigaction(SIGHUP, &sa, NULL); pthread_create(&pt, NULL, tfunc, NULL); test(123.456); return 0; } Reported-by: Bean Anderson Signed-off-by: Oleg Nesterov Link: http://lkml.kernel.org/r/20140902175713.GA21646@redhat.com Signed-off-by: H. Peter Anvin Signed-off-by: Jiri Slaby commit 03f43efc6a00eb29015222f8e9caeafdd9986a63 Author: Oleg Nesterov Date: Tue Sep 2 19:57:17 2014 +0200 x86, fpu: __restore_xstate_sig()->math_state_restore() needs preempt_disable() commit df24fb859a4e200d9324e2974229fbb7adf00aef upstream. Add preempt_disable() + preempt_enable() around math_state_restore() in __restore_xstate_sig(). Otherwise __switch_to() after __thread_fpu_begin() can overwrite fpu->state we are going to restore. Signed-off-by: Oleg Nesterov Link: http://lkml.kernel.org/r/20140902175717.GA21649@redhat.com Reviewed-by: Suresh Siddha Signed-off-by: H. Peter Anvin Signed-off-by: Jiri Slaby commit 19ad5dfd81d7bebf89a9a5c49ab0bc2bc6187ae7 Author: Ben Hutchings Date: Sun Sep 7 21:05:05 2014 +0100 x86: Reject x32 executables if x32 ABI not supported commit 0e6d3112a4e95d55cf6dca88f298d5f4b8f29bd1 upstream. It is currently possible to execve() an x32 executable on an x86_64 kernel that has only ia32 compat enabled. However all its syscalls will fail, even _exit(). This usually causes it to segfault. Change the ELF compat architecture check so that x32 executables are rejected if we don't support the x32 ABI. Signed-off-by: Ben Hutchings Link: http://lkml.kernel.org/r/1410120305.6822.9.camel@decadent.org.uk Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit 3976690344783e5da7438e52fc2cd16529ddc1b5 Author: Jan Kara Date: Wed Oct 1 21:49:18 2014 -0400 vfs: fix data corruption when blocksize < pagesize for mmaped data commit 90a8020278c1598fafd071736a0846b38510309c upstream. ->page_mkwrite() is used by filesystems to allocate blocks under a page which is becoming writeably mmapped in some process' address space. This allows a filesystem to return a page fault if there is not enough space available, user exceeds quota or similar problem happens, rather than silently discarding data later when writepage is called. However VFS fails to call ->page_mkwrite() in all the cases where filesystems need it when blocksize < pagesize. For example when blocksize = 1024, pagesize = 4096 the following is problematic: ftruncate(fd, 0); pwrite(fd, buf, 1024, 0); map = mmap(NULL, 1024, PROT_WRITE, MAP_SHARED, fd, 0); map[0] = 'a'; ----> page_mkwrite() for index 0 is called ftruncate(fd, 10000); /* or even pwrite(fd, buf, 1, 10000) */ mremap(map, 1024, 10000, 0); map[4095] = 'a'; ----> no page_mkwrite() called At the moment ->page_mkwrite() is called, filesystem can allocate only one block for the page because i_size == 1024. Otherwise it would create blocks beyond i_size which is generally undesirable. But later at ->writepage() time, we also need to store data at offset 4095 but we don't have block allocated for it. This patch introduces a helper function filesystems can use to have ->page_mkwrite() called at all the necessary moments. Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 4f111bbc16e4d6c657c8f53f50d7a9cfa7f37e4f Author: Artem Bityutskiy Date: Wed Jul 16 15:22:29 2014 +0300 UBIFS: fix free log space calculation commit ba29e721eb2df6df8f33c1f248388bb037a47914 upstream. Hu (hujianyang ) discovered an issue in the 'empty_log_bytes()' function, which calculates how many bytes are left in the log: " If 'c->lhead_lnum + 1 == c->ltail_lnum' and 'c->lhead_offs == c->leb_size', 'h' would equalent to 't' and 'empty_log_bytes()' would return 'c->log_bytes' instead of 0. " At this point it is not clear what would be the consequences of this, and whether this may lead to any problems, but this patch addresses the issue just in case. Tested-by: hujianyang Reported-by: hujianyang Signed-off-by: Artem Bityutskiy Signed-off-by: Jiri Slaby commit c52a27957eb0e9f84c7d43767d0b41c6415ee2c8 Author: Artem Bityutskiy Date: Sun Jun 29 17:00:45 2014 +0300 UBIFS: fix a race condition commit 052c28073ff26f771d44ef33952a41d18dadd255 upstream. Hu (hujianyang@huawei.com) discovered a race condition which may lead to a situation when UBIFS is unable to mount the file-system after an unclean reboot. The problem is theoretical, though. In UBIFS, we have the log, which basically a set of LEBs in a certain area. The log has the tail and the head. Every time user writes data to the file-system, the UBIFS journal grows, and the log grows as well, because we append new reference nodes to the head of the log. So the head moves forward all the time, while the log tail stays at the same position. At any time, the UBIFS master node points to the tail of the log. When we mount the file-system, we scan the log, and we always start from its tail, because this is where the master node points to. The only occasion when the tail of the log changes is the commit operation. The commit operation has 2 phases - "commit start" and "commit end". The former is relatively short, and does not involve much I/O. During this phase we mostly just build various in-memory lists of the things which have to be written to the flash media during "commit end" phase. During the commit start phase, what we do is we "clean" the log. Indeed, the commit operation will index all the data in the journal, so the entire journal "disappears", and therefore the data in the log become unneeded. So we just move the head of the log to the next LEB, and write the CS node there. This LEB will be the tail of the new log when the commit operation finishes. When the "commit start" phase finishes, users may write more data to the file-system, in parallel with the ongoing "commit end" operation. At this point the log tail was not changed yet, it is the same as it had been before we started the commit. The log head keeps moving forward, though. The commit operation now needs to write the new master node, and the new master node should point to the new log tail. After this the LEBs between the old log tail and the new log tail can be unmapped and re-used again. And here is the possible problem. We do 2 operations: (a) We first update the log tail position in memory (see 'ubifs_log_end_commit()'). (b) And then we write the master node (see the big lock of code in 'do_commit()'). But nothing prevents the log head from moving forward between (a) and (b), and the log head may "wrap" now to the old log tail. And when the "wrap" happens, the contends of the log tail gets erased. Now a power cut happens and we are in trouble. We end up with the old master node pointing to the old tail, which was erased. And replay fails because it expects the master node to point to the correct log tail at all times. This patch merges the abovementioned (a) and (b) operations by moving the master node change code to the 'ubifs_log_end_commit()' function, so that it runs with the log mutex locked, which will prevent the log from being changed benween operations (a) and (b). Reported-by: hujianyang Tested-by: hujianyang Signed-off-by: Artem Bityutskiy Signed-off-by: Jiri Slaby commit c2e130398734c847683536576354976ab18e3d91 Author: Artem Bityutskiy Date: Sun Jun 29 16:55:02 2014 +0300 UBIFS: remove mst_mutex commit 07e19dff63e3d5d6500d831e36554ac9b1b0560e upstream. The 'mst_mutex' is not needed since because 'ubifs_write_master()' is only called on the mount path and commit path. The mount path is sequential and there is no parallelism, and the commit path is also serialized - there is only one commit going on at a time. Signed-off-by: Artem Bityutskiy Signed-off-by: Jiri Slaby commit e54fc4edabd848ca4d6e3ba7c4f4ffe73c2fec0b Author: Eric Rannaud Date: Thu Oct 30 01:51:01 2014 -0700 fs: allow open(dir, O_TMPFILE|..., 0) with mode 0 commit 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec upstream. The man page for open(2) indicates that when O_CREAT is specified, the 'mode' argument applies only to future accesses to the file: Note that this mode applies only to future accesses of the newly created file; the open() call that creates a read-only file may well return a read/write file descriptor. The man page for open(2) implies that 'mode' is treated identically by O_CREAT and O_TMPFILE. O_TMPFILE, however, behaves differently: int fd = open("/tmp", O_TMPFILE | O_RDWR, 0); assert(fd == -1); assert(errno == EACCES); int fd = open("/tmp", O_TMPFILE | O_RDWR, 0600); assert(fd > 0); For O_CREAT, do_last() sets acc_mode to MAY_OPEN only: if (*opened & FILE_CREATED) { /* Don't check for write permission, don't truncate */ open_flag &= ~O_TRUNC; will_truncate = false; acc_mode = MAY_OPEN; path_to_nameidata(path, nd); goto finish_open_created; } But for O_TMPFILE, do_tmpfile() passes the full op->acc_mode to may_open(). This patch lines up the behavior of O_TMPFILE with O_CREAT. After the inode is created, may_open() is called with acc_mode = MAY_OPEN, in do_tmpfile(). A different, but related glibc bug revealed the discrepancy: https://sourceware.org/bugzilla/show_bug.cgi?id=17523 The glibc lazily loads the 'mode' argument of open() and openat() using va_arg() only if O_CREAT is present in 'flags' (to support both the 2 argument and the 3 argument forms of open; same idea for openat()). However, the glibc ignores the 'mode' argument if O_TMPFILE is in 'flags'. On x86_64, for open(), it magically works anyway, as 'mode' is in RDX when entering open(), and is still in RDX on SYSCALL, which is where the kernel looks for the 3rd argument of a syscall. But openat() is not quite so lucky: 'mode' is in RCX when entering the glibc wrapper for openat(), while the kernel looks for the 4th argument of a syscall in R10. Indeed, the syscall calling convention differs from the regular calling convention in this respect on x86_64. So the kernel sees mode = 0 when trying to use glibc openat() with O_TMPFILE, and fails with EACCES. Signed-off-by: Eric Rannaud Acked-by: Andy Lutomirski Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit b44a6e3363bd7f61502207c53537ce98c2818070 Author: Tetsuo Handa Date: Sat May 17 20:56:38 2014 +0900 fs: Fix theoretical division by 0 in super_cache_scan(). commit 475d0db742e3755c6b267f48577ff7cbb7dfda0d upstream. total_objects could be 0 and is used as a denom. While total_objects is a "long", total_objects == 0 unlikely happens for 3.12 and later kernels because 32-bit architectures would not be able to hold (1 << 32) objects. However, total_objects == 0 may happen for kernels between 3.1 and 3.11 because total_objects in prune_super() was an "int" and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects. Signed-off-by: Tetsuo Handa Reviewed-by: Christoph Hellwig Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit b99b3db3dd136f694fced42552c4b927b5364f2f Author: Mikulas Patocka Date: Sun Jul 27 13:00:41 2014 -0400 fs: make cont_expand_zero interruptible commit c2ca0fcd202863b14bd041a7fece2e789926c225 upstream. This patch makes it possible to kill a process looping in cont_expand_zero. A process may spend a lot of time in this function, so it is desirable to be able to kill it. It happened to me that I wanted to copy a piece data from the disk to a file. By mistake, I used the "seek" parameter to dd instead of "skip". Due to the "seek" parameter, dd attempted to extend the file and became stuck doing so - the only possibility was to reset the machine or wait many hours until the filesystem runs out of space and cont_expand_zero fails. We need this patch to be able to terminate the process. Signed-off-by: Mikulas Patocka Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit 87394e735e609660eceb70e505f6d8b7c7a1eaba Author: Roger Tseng Date: Fri Aug 15 14:06:00 2014 +0800 mmc: rtsx_pci_sdmmc: fix incorrect last byte in R2 response commit d1419d50c1bf711e9fd27b516a739c86b23f7cf9 upstream. Current code erroneously fill the last byte of R2 response with an undefined value. In addition, the controller actually 'offloads' the last byte (CRC7, end bit) while receiving R2 response and thus it's impossible to get the actual value. This could cause mmc stack to obtain inconsistent CID from the same card after resume and misidentify it as a different card. Fix by assigning dummy CRC and end bit: {7'b0, 1} = 0x1 to the last byte of R2. Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver") Signed-off-by: Roger Tseng Signed-off-by: Ulf Hansson Signed-off-by: Jiri Slaby commit 9e5e18105b8ac7f8e5167f396c0eeb2aaef6e003 Author: Daniel Mack Date: Tue Oct 7 13:41:24 2014 +0200 ASoC: soc-dapm: fix use after free commit e5092c96c9c28f4d12811edcd02ca8eec16e748e upstream. Coverity spotted the following possible use-after-free condition in dapm_create_or_share_mixmux_kcontrol(): If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name) validates to true, 'name' will be set to an allocated string, and be freed a few lines later via the 'long_name' alias. 'name', however, is used by dev_err() in case snd_ctl_add() fails. Fix this by adding a jump label that frees 'long_name' at the end of the function. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit d525cbdb3d29308d900b0417ca38e70fe6c4c25a Author: Ondrej Zary Date: Sat Sep 27 00:04:46 2014 +0200 libata-sff: Fix controllers with no ctl port commit 6d8ca28fa688a9354bc9fbc935bdaeb3651b6677 upstream. Currently, ata_sff_softreset is skipped for controllers with no ctl port. But that also skips ata_sff_dev_classify required for device detection. This means that libata is currently broken on controllers with no ctl port. No device connected: [ 1.872480] pata_isapnp 01:01.02: activated [ 1.889823] scsi2 : pata_isapnp [ 1.890109] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 [ 6.888110] ata3.01: qc timeout (cmd 0xec) [ 6.888179] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 16.888085] ata3.01: qc timeout (cmd 0xec) [ 16.888147] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 46.888086] ata3.01: qc timeout (cmd 0xec) [ 46.888148] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 51.888100] ata3.00: qc timeout (cmd 0xec) [ 51.888160] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) [ 61.888079] ata3.00: qc timeout (cmd 0xec) [ 61.888141] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) [ 91.888089] ata3.00: qc timeout (cmd 0xec) [ 91.888152] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5) ATAPI device connected: [ 1.882061] pata_isapnp 01:01.02: activated [ 1.893430] scsi2 : pata_isapnp [ 1.893719] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 [ 6.892107] ata3.01: qc timeout (cmd 0xec) [ 6.892171] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 16.892079] ata3.01: qc timeout (cmd 0xec) [ 16.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 46.892079] ata3.01: qc timeout (cmd 0xec) [ 46.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5) [ 46.908586] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr [ 46.924570] ata3.00: configured for PIO0 (device error ignored) [ 46.926295] scsi 2:0:0:0: CD-ROM ACER CD-767E/O 1.5X PQ: 0 ANSI: 5 [ 46.984519] sr0: scsi3-mmc drive: 6x/6x xa/form2 tray [ 46.984592] cdrom: Uniform CD-ROM driver Revision: 3.20 So don't skip ata_sff_softreset, just skip the reset part of ata_bus_softreset if the ctl port is not available. This makes IDE port on ES968 behave correctly: No device connected: [ 4.670888] pata_isapnp 01:01.02: activated [ 4.673207] scsi host2: pata_isapnp [ 4.673675] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 [ 7.081840] Adding 2541652k swap on /dev/sda2. Priority:-1 extents:1 across:2541652k ATAPI device connected: [ 4.704362] pata_isapnp 01:01.02: activated [ 4.706620] scsi host2: pata_isapnp [ 4.706877] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11 [ 4.872782] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr [ 4.888673] ata3.00: configured for PIO0 (device error ignored) [ 4.893984] scsi 2:0:0:0: CD-ROM ACER CD-767E/O 1.5X PQ: 0 ANSI: 5 [ 7.015578] Adding 2541652k swap on /dev/sda2. Priority:-1 extents:1 across:2541652k Signed-off-by: Ondrej Zary Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit 49deccc83930e5e153de766c57f182ccd34f3d34 Author: Scott Carter Date: Wed Sep 24 18:13:09 2014 -0700 pata_serverworks: disable 64-KB DMA transfers on Broadcom OSB4 IDE Controller commit 37017ac6849e772e67dd187ba2fbd056c4afa533 upstream. The Broadcom OSB4 IDE Controller (vendor and device IDs: 1166:0211) does not support 64-KB DMA transfers. Whenever a 64-KB DMA transfer is attempted, the transfer fails and messages similar to the following are written to the console log: [ 2431.851125] sr 0:0:0:0: [sr0] Unhandled sense code [ 2431.851139] sr 0:0:0:0: [sr0] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE [ 2431.851152] sr 0:0:0:0: [sr0] Sense Key : Hardware Error [current] [ 2431.851166] sr 0:0:0:0: [sr0] Add. Sense: Logical unit communication time-out [ 2431.851182] sr 0:0:0:0: [sr0] CDB: Read(10): 28 00 00 00 76 f4 00 00 40 00 [ 2431.851210] end_request: I/O error, dev sr0, sector 121808 When the libata and pata_serverworks modules are recompiled with ATA_DEBUG and ATA_VERBOSE_DEBUG defined in libata.h, the 64-KB transfer size in the scatter-gather list can be seen in the console log: [ 2664.897267] sr 9:0:0:0: [sr0] Send: [ 2664.897274] 0xf63d85e0 [ 2664.897283] sr 9:0:0:0: [sr0] CDB: [ 2664.897288] Read(10): 28 00 00 00 7f b4 00 00 40 00 [ 2664.897319] buffer = 0xf6d6fbc0, bufflen = 131072, queuecommand 0xf81b7700 [ 2664.897331] ata_scsi_dump_cdb: CDB (1:0,0,0) 28 00 00 00 7f b4 00 00 40 [ 2664.897338] ata_scsi_translate: ENTER [ 2664.897345] ata_sg_setup: ENTER, ata1 [ 2664.897356] ata_sg_setup: 3 sg elements mapped [ 2664.897364] ata_bmdma_fill_sg: PRD[0] = (0x66FD2000, 0xE000) [ 2664.897371] ata_bmdma_fill_sg: PRD[1] = (0x65000000, 0x10000) ------------------------------------------------------> ======= [ 2664.897378] ata_bmdma_fill_sg: PRD[2] = (0x66A10000, 0x2000) [ 2664.897386] ata1: ata_dev_select: ENTER, device 0, wait 1 [ 2664.897422] ata_sff_tf_load: feat 0x1 nsect 0x0 lba 0x0 0x0 0xFC [ 2664.897428] ata_sff_tf_load: device 0xA0 [ 2664.897448] ata_sff_exec_command: ata1: cmd 0xA0 [ 2664.897457] ata_scsi_translate: EXIT [ 2664.897462] leaving scsi_dispatch_cmnd() [ 2664.897497] Doing sr request, dev = sr0, block = 0 [ 2664.897507] sr0 : reading 64/256 512 byte blocks. [ 2664.897553] ata_sff_hsm_move: ata1: protocol 7 task_state 1 (dev_stat 0x58) [ 2664.897560] atapi_send_cdb: send cdb [ 2666.910058] ata_bmdma_port_intr: ata1: host_stat 0x64 [ 2666.910079] __ata_sff_port_intr: ata1: protocol 7 task_state 3 [ 2666.910093] ata_sff_hsm_move: ata1: protocol 7 task_state 3 (dev_stat 0x51) [ 2666.910101] ata_sff_hsm_move: ata1: protocol 7 task_state 4 (dev_stat 0x51) [ 2666.910129] sr 9:0:0:0: [sr0] Done: [ 2666.910136] 0xf63d85e0 TIMEOUT lspci shows that the driver used for the Broadcom OSB4 IDE Controller is pata_serverworks: 00:0f.1 IDE interface: Broadcom OSB4 IDE Controller (prog-if 8e [Master SecP SecO PriP]) Flags: bus master, medium devsel, latency 64 [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8] [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1] I/O ports at 0170 [size=8] I/O ports at 0374 [size=4] I/O ports at 1440 [size=16] Kernel driver in use: pata_serverworks The pata_serverworks driver supports five distinct device IDs, one being the OSB4 and the other four belonging to the CSB series. The CSB series appears to support 64-KB DMA transfers, as tests on a machine with an SAI2 motherboard containing a Broadcom CSB5 IDE Controller (vendor and device IDs: 1166:0212) showed no problems with 64-KB DMA transfers. This problem was first discovered when attempting to install openSUSE from a DVD on a machine with an STL2 motherboard. Using the pata_serverworks module, older releases of openSUSE will not install at all due to the timeouts. Releases of openSUSE prior to 11.3 can be installed by disabling the pata_serverworks module using the brokenmodules boot parameter, which causes the serverworks module to be used instead. Recent releases of openSUSE (12.2 and later) include better error recovery and will install, though very slowly. On all openSUSE releases, the problem can be recreated on a machine containing a Broadcom OSB4 IDE Controller by mounting an install DVD and running a command similar to the following: find /mnt -type f -print | xargs cat > /dev/null The patch below corrects the problem. Similar to the other ATA drivers that do not support 64-KB DMA transfers, the patch changes the ata_port_operations qc_prep vector to point to a routine that breaks any 64-KB segment into two 32-KB segments and changes the scsi_host_template sg_tablesize element to reduce by half the number of scatter/gather elements allowed. These two changes affect only the OSB4. Signed-off-by: Scott Carter Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit c6c58e6d637da36ce199f23a673711706a76d9b6 Author: Guenter Roeck Date: Sun Sep 21 15:04:53 2014 -0700 Revert "percpu: free percpu allocation info for uniprocessor system" commit bb2e226b3bef596dd56be97df655d857b4603923 upstream. This reverts commit 3189eddbcafc ("percpu: free percpu allocation info for uniprocessor system"). The commit causes a hang with a crisv32 image. This may be an architecture problem, but at least for now the revert is necessary to be able to boot a crisv32 image. Cc: Tejun Heo Cc: Honggang Li Signed-off-by: Guenter Roeck Signed-off-by: Tejun Heo Fixes: 3189eddbcafc ("percpu: free percpu allocation info for uniprocessor system") Signed-off-by: Jiri Slaby commit 92d945892fb00d0e0e22c1bcc77da9413b1a1395 Author: Benjamin Coddington Date: Tue Sep 23 12:26:20 2014 -0400 lockd: Try to reconnect if statd has moved commit 173b3afceebe76fa2205b2c8808682d5b541fe3c upstream. If rpc.statd is restarted, upcalls to monitor hosts can fail with ECONNREFUSED. In that case force a lookup of statd's new port and retry the upcall. Signed-off-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Jiri Slaby commit abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Author: Rabin Vincent Date: Wed Oct 29 23:06:58 2014 +0100 tracing/syscalls: Ignore numbers outside NR_syscalls' range commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream. ARM has some private syscalls (for example, set_tls(2)) which lie outside the range of NR_syscalls. If any of these are called while syscall tracing is being performed, out-of-bounds array access will occur in the ftrace and perf sys_{enter,exit} handlers. # trace-cmd record -e raw_syscalls:* true && trace-cmd report ... true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0) true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264 true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1) true-653 [000] 384.675988: sys_exit: NR 983045 = 0 ... # trace-cmd record -e syscalls:* true [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace [ 17.289590] pgd = 9e71c000 [ 17.289696] [aaaaaace] *pgd=00000000 [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 17.290169] Modules linked in: [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21 [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000 [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8 [ 17.290866] LR is at syscall_trace_enter+0x124/0x184 Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers. Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" added the check for less than zero, but it should have also checked for greater than NR_syscalls. Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" Signed-off-by: Rabin Vincent Signed-off-by: Steven Rostedt Signed-off-by: Jiri Slaby commit a7a2830c5cf50217e38ffbc6797e36bc15bb4f1c Author: Quentin Casasnovas Date: Wed Nov 12 11:19:23 2014 +0100 regmap: fix kernel hang on regmap_bulk_write with zero val_count. If val_count is zero we return -EINVAL with map->lock_arg locked, which will deadlock the kernel next time we try to acquire this lock. In 3.12, this was introduced by a0b8d8d906d267987d507138003048c5fdf774 ("regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.") which improperly back-ported d6b41cb06044a7d895db82bdd54f6e4219970510. This issue was found during review of Ubuntu Trusty 3.13.0-40.68 kernel to prepare Ksplice rebootless updates. Fixes: f5942dd ("regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.") Signed-off-by: Quentin Casasnovas Signed-off-by: Jiri Slaby commit cb06484a39282097dded8a42243d001ab25a18a4 Author: Cesar Eduardo Barros Date: Mon Nov 25 22:00:41 2013 -0200 crypto: more robust crypto_memneq commit fe8c8a126806fea4465c43d62a1f9d273a572bf5 upstream. [Only use the compiler.h portion of this patch, to get the OPTIMIZER_HIDE_VAR() macro, which we need for other -stable patches - gregkh] Disabling compiler optimizations can be fragile, since a new optimization could be added to -O0 or -Os that breaks the assumptions the code is making. Instead of disabling compiler optimizations, use a dummy inline assembly (based on RELOC_HIDE) to block the problematic kinds of optimization, while still allowing other optimizations to be applied to the code. The dummy inline assembly is added after every OR, and has the accumulator variable as its input and output. The compiler is forced to assume that the dummy inline assembly could both depend on the accumulator variable and change the accumulator variable, so it is forced to compute the value correctly before the inline assembly, and cannot assume anything about its value after the inline assembly. This change should be enough to make crypto_memneq work correctly (with data-independent timing) even if it is inlined at its call sites. That can be done later in a followup patch. Compile-tested on x86_64. Signed-off-by: Cesar Eduardo Barros Acked-by: Daniel Borkmann Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit dd58b9eff8500d0c4b6a9a47079731d08a322e47 Author: Roman Dubtsov Date: Tue Jan 21 14:49:18 2014 +0700 rt2x00: rt2800usb: mark D-Link DWA-137 as supported commit 7f6d740753ff0d29a330b06eb3efa0dfc791bbba upstream. Signed-off-by: Roman Dubtsov Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit f8c0eb576c0dc53ecf22087359a7f0d79abeb277 Author: Xose Vazquez Perez Date: Sat Sep 28 13:07:10 2013 +0200 wireless: rt2x00: rt2800usb: add new devices commit 274dede8c52036a1849ea970fab8d185fb0dce2b upstream. 0411,0241 RT5572 BUFFALO WI-U2-300D Wireless LAN Adapter 0789,0170 RT3572 Logitec LAN-W300AN/U2 0846,9013 RT3573 NETGEAR Adaptador USB Inalambrico Movistar 0df6,006e RT3573 Sitecom WiFi USB adapter N900 2001,3c1f RT3573 D-Link DWA-162 Wireless N900 Dual Band Adapter 2001,3c20 RT5372 D-Link DWA-140 Wireless N USB Adapter(rev.D) 2001,3c21 RT5572 D-Link DWA-160 Xtreme N Dual Band USB Adapter(rev.C) 2001,3c22 RT5372 D-Link DWA-132 Wireless N USB Adapter(rev.B) 2001,3c23 RT5372 D-Link GO-USB-N300 Wireless N Easy USB Adapter 2019,ab29 ? Planex GW-USMirco300 20f4,724a RT5572 TRENDnet N600 Wireless Dual Band USB Adapter Cc: Ivo van Doorn Cc: Gertjan van Wingerde Cc: Helmut Schaa Cc: John W. Linville Cc: users@rt2x00.serialmonkey.com Cc: linux-wireless@vger.kernel.org Signed-off-by: Xose Vazquez Perez Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 5044d67c2ef5a035cf3eb9e7a6613f0cc80188ed Author: Eric Ernst Date: Mon Oct 21 09:54:41 2013 -0700 mmc: sdhci-pci: Add SDIO/MMC device ID support for Intel Clovertrail commit d052068a0ba43273eb9cfe32460e9445ef75fdc5 upstream. This patch adds intel_mid clovertrail SDIO and eMMC device IDs to the sdhci-pci driver. Signed-off-by: Eric Ernst Signed-off-by: David Cohen Signed-off-by: Chris Ball Signed-off-by: Jiri Slaby commit b6ae6483e85c0cb9c26d8b0b0236a3f4ad21f34d Author: David Cohen Date: Tue Oct 1 13:18:15 2013 -0700 mmc: sdhci-pci: add Intel Merrifield support commit 8776a165d152d57a3a58895d55204614abe93d7f upstream. Implement initial SDHCI Intel Merrifield support. This patch is based on previous one from Yunpeng Gao . Signed-off-by: David Cohen Signed-off-by: Chris Ball Signed-off-by: Jiri Slaby commit 482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20 Author: Dan Carpenter Date: Fri Sep 5 09:09:28 2014 -0300 [media] ttusb-dec: buffer overflow in ioctl commit f2e323ec96077642d397bb1c355def536d489d16 upstream. We need to add a limit check here so we don't overflow the buffer. Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 336cc76cb08dd42fa6afc3e1d92b9bd547cc6aa9 Author: Richard Leitner Date: Wed Oct 8 15:21:32 2014 -0700 Input: serio - avoid negative serio device numbers commit 0224ec9e9f111b1c39ec00a10de4858061b4afea upstream. Fix the format string for serio device name generation to avoid negative device numbers when the id exceeds the maximum signed integer value. Signed-off-by: Richard Leitner Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 1b3ad9572eaa643f86f2304b79c9e772fd0f734b Author: Tommi Rantala Date: Thu Oct 16 14:01:43 2014 -0700 Input: xpad - add USB ID for Thrustmaster Ferrari 458 Racing Wheel commit 4b54625822eb7a4eae9c5b8c890b6c4dc001b895 upstream. Add the USB ID for the Xbox 360 Thrustmaster Ferrari 458 Racing Wheel. Signed-off-by: Tommi Rantala Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 4988892bbd6f47cda2df4b927a70cb9d2e59ac6a Author: Benjamin Valentin Date: Mon Sep 8 14:18:40 2014 -0700 Input: xpad - sync device IDs with xboxdrv commit f554f619b7041e388d46395b1e30b151925a7797 upstream. The userspace xboxdrv driver knows some more device ids than the kernel. This patch adds the missing xbox gamepads from [1] to xpad.c [1] https://github.com/Grumbel/xboxdrv/blob/master/src/xpad_device.cpp Signed-off-by: Benjamin Valentin Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit c4736877ce6ddfbefd32cac42da6524e9e0370cc Author: Frank Razenberg Date: Mon Sep 8 11:32:20 2014 -0700 Input: xpad - add VID/PID for Razer Sabertooth commit a7b447380c5c974c740437af82793e450f47304d upstream. The xpad driver recognizes Razer Sabertooth controllers as generic xbox controller, while it is really a 360 controller. This patch adds pid/vid mappings for the controller so that it is correctly recognized. Signed-off-by: Frank Razenberg Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 6ba3c3431eb82ecf8d8f2d3941fa8f65a6e32546 Author: Petr Sebor Date: Thu Jan 2 15:35:07 2014 -0800 Input: xpad - add new USB IDs for Logitech F310 and F710 commit 8e2f2325b73f3e5e46ecffd291556f33b8e3f8c9 upstream. This enables the rumble force feedback on the F710 unit since it is no longer treated as XTYPE_UNKNOWN type. Signed-off-by: Petr Sebor Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit b90cbd9256eb7a77c13871f73e76503ae9256a31 Author: Thomaz de Oliveira dos Reis Date: Thu Jan 2 15:38:45 2014 -0800 Input: xpad - change D-PAD mapping on Razer devices commit dbb48007a016f48f7fc19d8af753bae8b9c15816 upstream. When using Razer Onza controller the dpad doesn't work in many games because D-PAD was mapped to buttons (useful for dance pads) and not to HAT0X/Y axis. ers who really want to have it mapped to buttons can restore previous behavior by using 'dpad_to_buttons' module option. Signed-off-by: Thomaz de Oliveira dos Reis Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 0d39ee5105c5394991dc055f218b5d702cca5b90 Author: Vincent Zwanenburg Date: Fri Aug 8 12:33:56 2014 +0100 Add a new PID/VID 0227/0930 for AR3012. commit 89d2975fa06e66ea0d3665d91f799fb1ce4b8bad upstream. usb devices info: T: Bus=01 Lev=02 Prnt=05 Port=00 Cnt=01 Dev#= 20 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0930 ProdID=0227 Rev= 0.02 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Vincent Zwanenburg Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit e4ee97b70030f68d8b8d099436080cffadca0014 Author: Anantha Krishnan Date: Tue Jul 8 19:25:08 2014 +0530 Bluetooth: Add support for Acer [13D3:3432] commit fa2f1394fe9c1a217213f02df77812701de6362f upstream. Add support for the QCA6174 chip. T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 30 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3432 Rev=00.02 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Anantha Krishnan Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit ed6bb62bed00a9cd2c7de17b1e767c01fb826146 Author: Andy Shevchenko Date: Tue Feb 18 18:26:20 2014 +0200 Bluetooth: append new supported device to the list [0b05:17d0] commit a735f9e22432899cee188d167966782c29246390 upstream. The device found on Asus Z87 Expert motherboard requires firmware to work correctly. T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0b05 ProdID=17d0 Rev=00.02 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Andy Shevchenko Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit e0dd6d2f9983101dd340f3a4b4342934526daffb Author: Andy Shevchenko Date: Tue Feb 18 18:26:19 2014 +0200 Bluetooth: sort the list of IDs in the source code commit 0b8800623d3f12dd40a039aa191d52bfa4eef5b4 upstream. This will help to manage table of supported IDs. There is no functional change. Signed-off-by: Andy Shevchenko Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit b076ceb94da40c8ed79cdb5bd61ba14d5e0093bf Author: Oliver Neukum Date: Thu Jan 16 16:02:58 2014 +0100 Bluetooth: Add firmware update for Atheros 0cf3:311f commit 1e56f1eb2bbeab0ddc3a1e536d2a0065cfe4c131 upstream. The device is not functional without firmware. The device without firmware: T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311f Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb The device with firmware: T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=3007 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Oliver Neukum Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit 912173ce87470ab8b59706520f215f31bd5c43b5 Author: Oliver Neukum Date: Thu Jan 16 15:37:11 2014 +0100 Bluetooth: Enable Atheros 0cf3:311e for firmware upload commit b131237ca3995edad9efc162d0bc959c3b1dddc2 upstream. The device will bind to btusb without firmware, but with the original buggy firmware device discovery does not work. No devices are detected. Device descriptor without firmware: T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311e Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms with firmware: T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311e Rev= 0.02 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Oliver Neukum Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit 0d6a4578644f00624cb663c6e7cc7d14abad1206 Author: Marco Piazza Date: Thu Nov 28 00:15:25 2013 +0100 Bluetooth: Add support for Toshiba Bluetooth device [0930:0220] commit bd0976dd3379e790b031cef7f477c58b82a65fc2 upstream. This patch adds support for new Toshiba Bluetooth device. T: Bus=05 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0930 ProdID=0220 Rev=00.02 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Marco Piazza Signed-off-by: Gustavo Padovan Signed-off-by: Jiri Slaby commit 6aedbaf0e4df582698f7b73297306c05743af876 Author: Sujith Manoharan Date: Mon Nov 4 21:38:23 2013 +0530 Bluetooth: ath3k: Add support for a new AR3012 device commit 35580d223b6b04d9a570e4fe377c46a102413fe8 upstream. T: Bus=02 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 9 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e05f Rev= 0.02 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Reported-by: Joshua Richenhagen Signed-off-by: Sujith Manoharan Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit 1adfda065f0d9d74a6e2bcd0fa5e94347dc6f6ab Author: Sujith Manoharan Date: Wed Nov 6 10:56:00 2013 +0530 Bluetooth: ath3k: Add support for another AR3012 card commit bd0fca1b2be8c96dfc391a2bc2ee4ce6970ae6af upstream. T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=04ca ProdID=300b Rev= 0.01 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Reported-by: Face Signed-off-by: Sujith Manoharan Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit bf0736629bf30132d5429c118e4b6e5a856ddd0a Author: Anatol Pomozov Date: Wed Jul 30 15:57:03 2014 -0700 Bluetooth: Fix crash in the Marvell driver initialization codepath commit 8500d791c458ccbbb3e2d3fa9a0320ffd5729069 upstream. btmrvl_add_card() function calls kthread_run that might return error (e.g. if current thread is killed). If one tries to use the error value as a pointer then invalid memory access oops happens. Check kthread_run() return value, if it is an error then release resources correctly. TEST=boot computer with BT modules enabled. I see the error message that BT device initialization failed. Now kernel does not crash. Hint: to enable BT run 'rmmod btmrvl_sdio; modprobe btmrvl_sdio' Signed-off-by: Anatol Pomozov Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit 7a121aac1bebe3ba625142e0227c973d5d589b11 Author: Marcel Holtmann Date: Mon Jul 21 14:02:33 2014 +0200 Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard commit c2aef6e8cbebd60f79555baeb9266e220f135a44 upstream. The Asus Z97-DELUXE motherboard contains a Broadcom based Bluetooth controller on the USB bus. However vendor and product ID are listed as ASUSTek Computer. T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0b05 ProdID=17cf Rev= 1.12 S: Manufacturer=Broadcom Corp S: Product=BCM20702A0 S: SerialNumber=54271E910064 C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Reported-by: Jerome Leclanche Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit 6ac01731d51012e9faa8875c0b4437bc0ccd51c7 Author: Marcel Holtmann Date: Sun Jul 20 17:29:59 2014 +0200 Bluetooth: Fix endian and alignment issue with ath3k version handling commit 72dd2b2a44d82118714e0821fa16c65f9e40eb00 upstream. The ath3k driver is treating the version information badly when it comes to loading the right firmware version and comparing that it actually matches with the hardware. Initially this showed up as this: CHECK drivers/bluetooth/ath3k.c drivers/bluetooth/ath3k.c:373:17: warning: cast to restricted __le32 drivers/bluetooth/ath3k.c:435:17: warning: cast to restricted __le32 However when fixing this by actually using __packed and __le32 for the ath3_version structure, more issues came up: CHECK drivers/bluetooth/ath3k.c drivers/bluetooth/ath3k.c:381:32: warning: incorrect type in assignment (different base types) drivers/bluetooth/ath3k.c:381:32: expected restricted __le32 [usertype] rom_version drivers/bluetooth/ath3k.c:381:32: got int [signed] drivers/bluetooth/ath3k.c:382:34: warning: incorrect type in assignment (different base types) drivers/bluetooth/ath3k.c:382:34: expected restricted __le32 [usertype] build_version drivers/bluetooth/ath3k.c:382:34: got int [signed] drivers/bluetooth/ath3k.c:386:28: warning: restricted __le32 degrades to integer drivers/bluetooth/ath3k.c:386:56: warning: restricted __le32 degrades to integer This patch fixes every instance of the firmware version handling and makes sure it is endian safe and uses proper unaligned access. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit fa982cfbc81a2a0e3ada5ebfe9c8b48e3aed57ec Author: Peng Chen Date: Thu Sep 6 19:30:43 2012 +0800 Bluetooth: Fix endianess issue in the ath3k driver commit b9e2535acad8f52a17e2aa843d45a6b756b59592 upstream. The version is always in little endian format. This patch makes the driver work on both little and big endian CPUs. Signed-off-by: Peng Chen Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit 330550885226357a59f017474091cbc45e529b10 Author: Marcel Holtmann Date: Sun Jul 6 14:53:55 2014 +0200 Bluetooth: Ignore isochronous endpoints for Intel USB bootloader commit d92f2df0565ea04101d6ac04bdc10feeb1d93c94 upstream. The isochronous endpoints are not valid when the Intel Bluetooth controller boots up in bootloader mode. So just mark these endpoints as broken and then they will not be configured. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit 35aaf24b19442db101a7fe7dbc9030a12203e3fa Author: Marcel Holtmann Date: Sun Jul 6 14:53:54 2014 +0200 Bluetooth: Handle Intel USB bootloader with buggy interrupt commit 3a5ef20c979c0f33b6fb2582d04957397a6bf51f upstream. The interrupt interface for the Intel USB bootloader devices is only enabled after receiving SetInterface(0, AltSetting=0). When this USB command is not send, then no HCI events will be received. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit c7e56b1a35a924e8011700e748cd8fcb7eedc0e1 Author: Marcel Holtmann Date: Sun Jul 6 13:29:58 2014 +0200 Bluetooth: Add support for Intel bootloader devices commit 40df783d1ef1989ac454e3dfcda017270b8950e6 upstream. Intel Bluetooth devices that boot up in bootloader mode can not be used as generic HCI devices, but their HCI transport is still valuable and so bring that up as raw-only devices. T: Bus=02 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 14 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=ff(vend.) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=8087 ProdID=0a5a Rev= 0.00 S: Manufacturer=Intel(R) Corporation S: Product=Intel(R) Wilkins Peak 2x2 S: SerialNumber=001122334455 WP_A0 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit ac8b4e8d5fcf2207c6fd4fe89d695e36e901ef17 Author: Jurgen Kramer Date: Sat Feb 15 12:01:09 2014 +0100 Bluetooth: btusb: Add IMC Networks (Broadcom based) commit 9113bfd82dc8ece9cbb898df8794f58a78a36e97 upstream. Add support for IMC Networks (Broadcom based) to btusb driver. Below the output of /sys/kernel/debug/usb/devices for this device: T: Bus=01 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3404 Rev= 1.12 S: Manufacturer=Broadcom Corp S: Product=BCM20702A0 S: SerialNumber=240A649F8246 C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Signed-off-by: Jurgen Kramer Signed-off-by: Marcel Holtmann Signed-off-by: Jiri Slaby commit d9892fefa40e5f6a7e2ec30e3ec288fe9f3f19e7 Author: Jiri Kosina Date: Mon Jun 2 10:58:00 2014 +0200 HID: usbhid: enable NO_INIT_REPORTS quirk for Semico USB Keykoard commit 9ea63c439c5dffcb7c46c741929fe74b31b9676b upstream. The device which identifies itself as a "USB Keykoard" (no typo) with VID:PID 1a2c:0023 does not seem to be handling the reports initialization very well. This results in a "usb_submit_urb(ctrl) failed: -1" message from the kernel when connected, and a delay before its initialization. This patch adds the quirk for this device, which causes the delay to disappear. [jkosina@suse.cz: remove superfluous comment and fix ordering] Signed-off-by: Daniel Kamil Kozar Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 1a7ae6c00f200c810b5c77b7dc1add63143650fd Author: John Sung Date: Fri Jun 27 16:22:08 2014 +0800 HID: usbhid: quirk for PM1610 and PM1640 Touchscreen. commit 66e5482752386786c4346f4f4b214b0998639702 upstream. These device needs to be added to the quirks list with HID_QUIRK_NOGET, otherwise they will reset upon receiving the get input report requests. Signed-off-by: John Sung Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit d5585865781bd6cf0b9ba1466df2ed6a6e2fce65 Author: Wen-chien Jesse Sung Date: Mon Jul 7 17:44:02 2014 -0700 HID: use multi input quirk for 22b9:2968 commit d90b1cf0c4cbe6fdcf4c4e0b0c9c97fe32b9f8a1 upstream. This device generates ABS_Z and ABS_RX events instead of ABS_X and ABS_Y. Signed-off-by: Wen-chien Jesse Sung Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 4c1e006db378eca8181f7e0dd90918c7b40e0f5b Author: Reyad Attiyat Date: Fri Jul 25 00:13:01 2014 -0500 HID: usbhid: Use flag HID_DISCONNECTED when a usb device is removed commit 46df9dedabc1541f9c45f94ecd2c3c7ab0c3bf23 upstream. Set disconnected flag in struct usbhid when a usb device is removed. Check for disconnected flag before sending urb requests. This prevents a kernel panic when a hid driver calls hid_hw_request() after removing a usb device. BUG: unable to handle kernel NULL pointer dereference at 0000000000000058 IP: [] hid_submit_ctrl+0x7f/0x290 PGD 0 Oops: 0002 [#1] PREEMPT SMP CPU: 2 PID: 39 Comm: khubd Tainted: G IO 3.16.0-rc5+ #112 Hardware name: Microsoft Corporation Surface Pro 2/Surface Pro 2, BIOS 2.03.0250 09/06/2013 task: ffff880118aba6e0 ti: ffff8800daf80000 task.ti: ffff8800daf80000 RIP: 0010:[] [] hid_submit_ctrl+0x7f/0x290 RSP: 0018:ffff8800daf83750 EFLAGS: 00010086 RAX: 0000000080000300 RBX: ffff88003f60c000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff880117f78000 RBP: ffff8800daf83788 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff880117f78000 R13: ffff88003f11a290 R14: 000000000000000c R15: ffff880091cb3ab8 FS: 0000000000000000(0000) GS:ffff88011b000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 0000000001c11000 CR4: 00000000001407e0 Stack: ffff880117f3dcd0 ffff880117f78000 ffff88003f60c000 ffff880117f78000 ffff880117f78000 ffff88003f11a290 0000000000000000 ffff8800daf837b0 ffffffff81617707 ffff880117f78000 ffff88003f60c000 0000000000000013 Call Trace: [] usbhid_restart_ctrl_queue+0x87/0x140 [] usbhid_submit_report+0x2c8/0x370 [] usbhid_request+0x1a/0x30 [] sensor_hub_set_feature+0x8b/0xd0 [hid_sensor_hub] [] hid_sensor_power_state+0x84/0x110 [hid_sensor_trigger] [] hid_sensor_data_rdy_trigger_set_state+0x19/0x20 [hid_sensor_trigger] [] iio_triggered_buffer_predisable+0xa7/0xb0 [industrialio] [] iio_disable_all_buffers+0x3a/0xc0 [industrialio] [] iio_device_unregister+0x53/0x80 [industrialio] [] hid_accel_3d_remove+0x2a/0x50 [hid_sensor_accel_3d] [] platform_drv_remove+0x1d/0x40 [] __device_release_driver+0x7f/0xf0 [] device_release_driver+0x25/0x40 [] bus_remove_device+0x11c/0x1a0 [] device_del+0x136/0x1e0 [] ? mfd_cell_disable+0x80/0x80 [] platform_device_del+0x21/0xc0 [] platform_device_unregister+0x12/0x30 [] mfd_remove_devices_fn+0x43/0x50 [] device_for_each_child+0x43/0x70 [] mfd_remove_devices+0x25/0x30 [] sensor_hub_remove+0x87/0x140 [hid_sensor_hub] [] hid_device_remove+0x6b/0xd0 [] __device_release_driver+0x7f/0xf0 [] device_release_driver+0x25/0x40 [] bus_remove_device+0x11c/0x1a0 [] device_del+0x136/0x1e0 [] hid_destroy_device+0x27/0x60 [] usbhid_disconnect+0x22/0x50 [] usb_unbind_interface+0x77/0x2b0 [] __device_release_driver+0x7f/0xf0 [] device_release_driver+0x25/0x40 [] bus_remove_device+0x11c/0x1a0 [] device_del+0x136/0x1e0 [] usb_disable_device+0x91/0x2a0 [] usb_disconnect+0x96/0x2e0 [] hub_thread+0xb5a/0x1840 Signed-off-by: Reyad Attiyat Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit ba1816b40a87a3f3c4ca9cd54a593a10d87bd391 Author: Sergio Gelato Date: Thu Nov 6 14:05:30 2014 +0100 nfsd: fix NFS regression Fix regression introduced in pre-3.14 kernels by cherry-picking aa07c713ecfc0522916f3cd57ac628ea6127c0ec (NFSD: Call ->set_acl with a NULL ACL structure if no entries). This is in v3.12.22 as commit 723ac81c8671b3a095d9eb303974c7bc9964b506. The affected code was removed in 3.14 by commit 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 (nfsd: use get_acl and ->set_acl). The ->set_acl methods are already able to cope with a NULL argument. So this is not needed for >= 3.14. Signed-off-by: Sergio Gelato Signed-off-by: Jiri Slaby commit 0e8361ae716b89ea54a97050fbf9d74f6dc4292d Author: Ben Hutchings Date: Fri Oct 31 03:10:31 2014 +0000 drivers/net: macvtap and tun depend on INET [ Upstream commit de11b0e8c569b96c2cf6a811e3805b7aeef498a3 ] These drivers now call ipv6_proxy_select_ident(), which is defined only if CONFIG_INET is enabled. However, they have really depended on CONFIG_INET for as long as they have allowed sending GSO packets from userland. Reported-by: kbuild test robot Signed-off-by: Ben Hutchings Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr") Fixes: b9fb9ee07e67 ("macvtap: add GSO/csum offload support") Fixes: 5188cd44c55d ("drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets") Signed-off-by: David S. Miller commit 30ab1cf8b31dc6a680ac6443a34d02d9edb9a589 Author: Ben Hutchings Date: Thu Oct 30 18:27:17 2014 +0000 drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets [ Upstream commit 5188cd44c55db3e92cd9e77a40b5baa7ed4340f7 ] UFO is now disabled on all drivers that work with virtio net headers, but userland may try to send UFO/IPv6 packets anyway. Instead of sending with ID=0, we should select identifiers on their behalf (as we used to). Signed-off-by: Ben Hutchings Fixes: 916e4cf46d02 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data") Signed-off-by: David S. Miller commit d84c3df2a5f2e6847a15c5d7fbdfba86346e67ab Author: Vasily Averin Date: Wed Oct 15 16:24:02 2014 +0400 ipv4: dst_entry leak in ip_send_unicast_reply() [ Upstream commit 4062090e3e5caaf55bed4523a69f26c3265cc1d2 ] ip_setup_cork() called inside ip_append_data() steals dst entry from rt to cork and in case errors in __ip_append_data() nobody frees stolen dst entry Fixes: 2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()") Signed-off-by: Vasily Averin Acked-by: Eric Dumazet Signed-off-by: David S. Miller commit a388cd772c2e0cd19f61a3b0dc8d2ecd6b380216 Author: Eric Dumazet Date: Thu Oct 23 12:58:58 2014 -0700 tcp: md5: do not use alloc_percpu() [ Upstream commit 349ce993ac706869d553a1816426d3a4bfda02b1 ] percpu tcp_md5sig_pool contains memory blobs that ultimately go through sg_set_buf(). -> sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf)); This requires that whole area is in a physically contiguous portion of memory. And that @buf is not backed by vmalloc(). Given that alloc_percpu() can use vmalloc() areas, this does not fit the requirements. Replace alloc_percpu() by a static DEFINE_PER_CPU() as tcp_md5sig_pool is small anyway, there is no gain to dynamically allocate it. Signed-off-by: Eric Dumazet Fixes: 765cf9976e93 ("tcp: md5: remove one indirection level in tcp_md5sig_pool") Reported-by: Crestez Dan Leonard Signed-off-by: David S. Miller commit 93b6d31fdc9b3b4ee3f6544c18ad48aefeb54ce0 Author: Ian Morgan Date: Sun Oct 19 08:05:13 2014 -0400 ax88179_178a: fix bonding failure [ Upstream commit 95ff88688781db2f64042e69bd499e518bbb36e5 ] The following patch fixes a bug which causes the ax88179_178a driver to be incapable of being added to a bond. When I brought up the issue with the bonding maintainers, they indicated that the real problem was with the NIC driver which must return zero for success (of setting the MAC address). I see that several other NIC drivers follow that pattern by either simply always returing zero, or by passing through a negative (error) result while rewriting any positive return code to zero. With that same philisophy applied to the ax88179_178a driver, it allows it to work correctly with the bonding driver. I believe this is suitable for queuing in -stable, as it's a small, simple, and obvious fix that corrects a defect with no other known workaround. This patch is against vanilla 3.17(.0). Signed-off-by: Ian Morgan drivers/net/usb/ax88179_178a.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) Signed-off-by: David S. Miller commit 690050bfb427bd2191188d032ad6bac5f277bafd Author: Li RongQing Date: Fri Oct 17 16:53:23 2014 +0800 ipv4: fix a potential use after free in ip_tunnel_core.c [ Upstream commit 1245dfc8cadb258386fcd27df38215a0eccb1f17 ] pskb_may_pull() maybe change skb->data and make eth pointer oboslete, so set eth after pskb_may_pull() Fixes:3d7b46cd("ip_tunnel: push generic protocol handling to ip_tunnel module") Cc: Pravin B Shelar Signed-off-by: Li RongQing Acked-by: Pravin B Shelar Signed-off-by: David S. Miller commit 4cb545d54ca5815e9a2d56daef266a39096e6157 Author: Li RongQing Date: Fri Oct 17 14:06:16 2014 +0800 vxlan: fix a free after use [ Upstream commit 7a9f526fc3ee49b6034af2f243676ee0a27dcaa8 ] pskb_may_pull maybe change skb->data and make eth pointer oboslete, so eth needs to reload Fixes: 91269e390d062 ("vxlan: using pskb_may_pull as early as possible") Cc: Eric Dumazet Signed-off-by: Li RongQing Signed-off-by: David S. Miller commit e073fb104ffd9170e37b0c528199aa493ae55978 Author: Li RongQing Date: Thu Oct 16 09:17:18 2014 +0800 vxlan: using pskb_may_pull as early as possible [ Upstream commit 91269e390d062b526432f2ef1352b8df82e0e0bc ] pskb_may_pull should be used to check if skb->data has enough space, skb->len can not ensure that. Cc: Cong Wang Signed-off-by: Li RongQing Signed-off-by: David S. Miller commit ef0444ff81e4aa1580725d7f485a38760e799b22 Author: Li RongQing Date: Thu Oct 16 08:49:41 2014 +0800 vxlan: fix a use after free in vxlan_encap_bypass [ Upstream commit ce6502a8f9572179f044a4d62667c4645256d6e4 ] when netif_rx() is done, the netif_rx handled skb maybe be freed, and should not be used. Signed-off-by: Li RongQing Signed-off-by: David S. Miller commit bc9b1233fe48f27c2325de5ccc584c4b2a0ce12c Author: Jiri Pirko Date: Mon Oct 13 16:34:10 2014 +0200 ipv4: fix nexthop attlen check in fib_nh_match [ Upstream commit f76936d07c4eeb36d8dbb64ebd30ab46ff85d9f7 ] fib_nh_match does not match nexthops correctly. Example: ip route add 172.16.10/24 nexthop via 192.168.122.12 dev eth0 \ nexthop via 192.168.122.13 dev eth0 ip route del 172.16.10/24 nexthop via 192.168.122.14 dev eth0 \ nexthop via 192.168.122.15 dev eth0 Del command is successful and route is removed. After this patch applied, the route is correctly matched and result is: RTNETLINK answers: No such process Please consider this for stable trees as well. Fixes: 4e902c57417c4 ("[IPv4]: FIB configuration using struct fib_config") Signed-off-by: Jiri Pirko Acked-by: Eric Dumazet Signed-off-by: David S. Miller commit 7fccdb578ab6a71fc23690f772d37e7f0050a6bf Author: Mengdong Lin Date: Thu Jul 3 17:02:23 2014 +0800 ALSA: hda - restore BCLK M/N value as per CDCLK for HSW/BDW display HDA controller commit e4d9e513dedb5ac4e166c1053314fa935ddecc8c upstream. For HSW/BDW display HD-A controller, hda_set_bclk() is defined to set BCLK by programming the M/N values as per the core display clock (CDCLK) queried from i915 display driver. And the audio driver will also set BCLK in azx_first_init() since the display driver can turn off the shared power in boot phase if only eDP is connected and M/N values will be lost and must be reprogrammed. Signed-off-by: Mengdong Lin Cc: Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit e48c442a046d006ff87cd67a686a27a5f64dedbb Author: Jani Nikula Date: Fri Jul 4 10:00:37 2014 +0800 drm/i915: provide interface for audio driver to query cdclk commit c149dcb5c60bfea8871f16dfcc0690255eeb825f upstream. For Haswell and Broadwell, if the display power well has been disabled, the display audio controller divider values EM4 M VALUE and EM5 N VALUE will have been lost. The CDCLK frequency is required for reprogramming them to generate 24MHz HD-A link BCLK. So provide a private interface for the audio driver to query CDCLK. This is a stopgap solution until a more generic interface between audio and display drivers has been implemented. Signed-off-by: Jani Nikula Reviewed-by: Damien Lespiau Signed-off-by: Mengdong Lin Cc: Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit fcb1eed7baee724ca62f157df7684e99edd4145a Author: Takashi Iwai Date: Fri Jun 13 15:14:34 2014 +0200 drm/i915, HD-audio: Don't continue probing when nomodeset is given commit 74b0c2d75fb4cc89173944e6d8f9eb47aca0c343 upstream. When a machine is booted with nomodeset option, i915 driver skips the whole initialization. Meanwhile, HD-audio tries to bind wth i915 just by request_symbol() without knowing that the initialization was skipped, and eventually it hits WARN_ON() in i915_request_power_well() and i915_release_power_well() wrongly but still continues probing, even though it doesn't work at all. In this patch, both functions are changed to return an error in case of uninitialized state instead of WARN_ON(), so that HD-audio driver can give up HDMI controller initialization at the right time. Acked-by: Daniel Vetter Cc: [3.15] Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 92f4ce188b5d85a7c26809b830994caf5625b3e8 Author: Lv Zheng Date: Wed Oct 29 11:33:49 2014 +0800 ACPI / EC: Fix regression due to conflicting firmware behavior between Samsung and Acer. commit 79149001105f18bd2285ada109f9229ea24a7571 upstream. It is reported that Samsung laptops that need to poll events are broken by the following commit: Commit 3afcf2ece453e1a8c2c6de19cdf06da3772a1b08 Subject: ACPI / EC: Add support to disallow QR_EC to be issued when SCI_EVT isn't set The behaviors of the 2 vendor firmwares are conflict: 1. Acer: OSPM shouldn't issue QR_EC unless SCI_EVT is set, firmware automatically sets SCI_EVT as long as there is event queued up. 2. Samsung: OSPM should issue QR_EC whatever SCI_EVT is set, firmware returns 0 when there is no event queued up. This patch is a quick fix to distinguish the behaviors to make Acer behavior only effective for Acer EC firmware so that the breakages on Samsung EC firmware can be avoided. Fixes: 3afcf2ece453 (ACPI / EC: Add support to disallow QR_EC to be issued ...) Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161 Reported-and-tested-by: Ortwin Glück Signed-off-by: Lv Zheng Cc: 3.17+ # 3.17+ [ rjw : Subject ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 6c0b6ba79db1b33efe2e5233fbefcd26d1a5a022 Author: Lv Zheng Date: Thu Aug 21 14:41:13 2014 +0800 ACPI / EC: Add support to disallow QR_EC to be issued when SCI_EVT isn't set commit 3afcf2ece453e1a8c2c6de19cdf06da3772a1b08 upstream. There is a platform refusing to respond QR_EC when SCI_EVT isn't set (Acer Aspire V5-573G). Currently, we rely on the behaviour that the EC firmware can respond something (for example, 0x00 to indicate "no outstanding events") to QR_EC even when SCI_EVT is not set, but the reporter has complained about AC/battery pluging/unpluging and video brightness change delay on that platform. This is because the work item that has issued QR_EC has to wait until timeout in this case, and the _Qxx method evaluation work item queued after QR_EC one is delayed. It sounds reasonable to fix this issue by: 1. Implementing SCI_EVT sanity check before issuing QR_EC in the EC driver's main state machine. 2. Moving QR_EC issuing out of the work queue used by _Qxx evaluation to a seperate IRQ handling thread. This patch fixes this issue using solution 1. By disallowing QR_EC to be issued when SCI_EVT isn't set, we are able to handle such platform in the EC driver's main state machine. This patch enhances the state machine in this way to survive with such malfunctioning EC firmware. Note that this patch can also fix CLEAR_ON_RESUME quirk which also relies on the assumption that the platforms are able to respond even when SCI_EVT isn't set. Fixes: c0d653412fc8 ACPI / EC: Fix race condition in ec_transaction_completed() Link: https://bugzilla.kernel.org/show_bug.cgi?id=82611 Reported-and-tested-by: Alexander Mezin Signed-off-by: Lv Zheng Cc: 3.16+ # 3.16+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 28f04bcc068a44c5641c727883947960fb8dcbd5 Author: Johannes Weiner Date: Thu Oct 2 16:21:10 2014 -0700 mm: page_alloc: fix zone allocation fairness on UP commit abe5f972912d086c080be4bde67750630b6fb38b upstream. The zone allocation batches can easily underflow due to higher-order allocations or spills to remote nodes. On SMP that's fine, because underflows are expected from concurrency and dealt with by returning 0. But on UP, zone_page_state will just return a wrapped unsigned long, which will get past the <= 0 check and then consider the zone eligible until its watermarks are hit. Commit 3a025760fc15 ("mm: page_alloc: spill to remote nodes before waking kswapd") already made the counter-resetting use atomic_long_read() to accomodate underflows from remote spills, but it didn't go all the way with it. Make it clear that these batches are expected to go negative regardless of concurrency, and use atomic_long_read() everywhere. Fixes: 81c0a2bb515f ("mm: page_alloc: fair zone allocator policy") Reported-by: Vlastimil Babka Reported-by: Leon Romanovsky Signed-off-by: Johannes Weiner Acked-by: Mel Gorman Cc: [3.12+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby