1. 23 Mar, 2016 3 commits
      ext4: fix races between buffered IO and collapse / insert range · 181aaebd
      Jan Kara authored
      Current code implementing FALLOC_FL_COLLAPSE_RANGE and
      FALLOC_FL_INSERT_RANGE is prone to races with buffered writes and page
      faults. If buffered write or write via mmap manages to squeeze between
      filemap_write_and_wait_range() and truncate_pagecache() in the fallocate
      implementations, the written data is simply discarded by
      truncate_pagecache() although it should have been shifted.
      
      Fix the problem by moving filemap_write_and_wait_range() call inside
      i_mutex and i_mmap_sem. That way we are protected against races with
      both buffered writes and page faults.
      Signed-off-by: Jan Kara <jack@suse.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Mingming Cao <mingming.cao@oracle.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      181aaebd
      ext4: move unlocked dio protection from ext4_alloc_file_blocks() · 9621787d
      Jan Kara authored
      Currently ext4_alloc_file_blocks() was handling protection against
      unlocked DIO. However we now need to sometimes call it under i_mmap_sem
      and sometimes not and DIO protection ranks above it (although strictly
      speaking this cannot currently create any deadlocks). Also
      ext4_zero_range() was actually getting & releasing unlocked DIO
      protection twice in some cases. Luckily it didn't introduce any real bug
      but it was a land mine waiting to be stepped on.  So move DIO protection
      out from ext4_alloc_file_blocks() into the two callsites.
      Signed-off-by: Jan Kara <jack@suse.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Mingming Cao <mingming.cao@oracle.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      9621787d
      ext4: fix races between page faults and hole punching · 248766f0
      Jan Kara authored
      Currently, page faults and hole punching are completely unsynchronized.
      This can result in a page fault faulting in a page into a range that we
      are punching after truncate_pagecache_range() has been called and thus
      we can end up with a page mapped to disk blocks that will be shortly
      freed. Filesystem corruption will shortly follow. Note that the same
      race is avoided for truncate by checking page fault offset against
      i_size but there isn't a similar mechanism available for punching holes.
      
      Fix the problem by creating new rw semaphore i_mmap_sem in inode and
      grab it for writing over truncate, hole punching, and other functions
      removing blocks from extent tree and for read over page faults. We
      cannot easily use i_data_sem for this since that ranks below transaction
      start and we need something ranking above it so that it can be held over
      the whole truncate / hole punching operation. Also remove various
      workarounds we had in the code to reduce race window when page fault
      could have created pages with stale mapping information.
      Signed-off-by: Jan Kara <jack@suse.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Mingming Cao <mingming.cao@oracle.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      248766f0
  2. 22 Mar, 2016 26 commits
  3. 18 Mar, 2016 11 commits
      ASoC: wm8994: Fix enum ctl accesses in a wrong type · f4d57e47
      Takashi Iwai authored
      [ Upstream commit 8019c0b3 ]
      
      The DRC Mode like "AIF1DRC1 Mode" and EQ Mode like "AIF1.1 EQ Mode" in
      wm8994 codec driver are enum ctls, while the current driver accesses
      wrongly via value.integer.value[].  They have to be via
      value.enumerated.item[] instead.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      f4d57e47
      ASoC: wm8958: Fix enum ctl accesses in a wrong type · 58de29e6
      Takashi Iwai authored
      [ Upstream commit d0784829 ]
      
      "MBC Mode", "VSS Mode", "VSS HPF Mode" and "Enhanced EQ Mode" ctls in
      wm8958 codec driver are enum, while the current driver accesses
      wrongly via value.integer.value[].  They have to be via
      value.enumerated.item[] instead.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      58de29e6
      ASoC: dapm: Fix ctl value accesses in a wrong type · 33824bb3
      Takashi Iwai authored
      [ Upstream commit 741338f9 ]
      
      snd_soc_dapm_dai_link_get() and _put() access the associated ctl
      values as value.integer.value[].  However, this is an enum ctl, and it
      has to be accessed via value.enumerated.item[].  The former is long
      while the latter is unsigned int, so they don't align.
      
      Fixes: c6615082 ('ASoC: dapm: add code to configure dai link parameters')
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      33824bb3
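The three ASoC commits above (wm8994, wm8958, dapm) all fix the same defect: an enum control handled through the `value.integer.value[]` view of the control value union instead of `value.enumerated.item[]`. The two views alias the same bytes but have different element widths (`long` versus `unsigned int`), so on an LP64 kernel the driver silently reads mismatched data. The following is an added example, not code from the kernel or from these patches; `struct ctl_elem_value` is a cut-down stand-in for the real `snd_ctl_elem_value` union, and `codec_state`, `enum_put_wrong`, `enum_put_right` and `user_fill_enum` are hypothetical names that model the driver "put" callback and the alsa-lib side.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the value union inside struct snd_ctl_elem_value
 * (the real kernel union has more members; only the two that matter are kept).
 * Both views alias the same 1024 bytes.
 */
struct ctl_elem_value {
    union {
        struct { long value[128]; } integer;            /* SNDRV_CTL_ELEM_TYPE_INTEGER */
        struct { unsigned int item[128]; } enumerated;  /* SNDRV_CTL_ELEM_TYPE_ENUMERATED */
    } value;
};

/* Hypothetical driver state: one enum ctl with a per-channel mode. */
struct codec_state { unsigned int mode[2]; };

/* Buggy "put" in the style the commits describe: enum ctl read via integer.value[]. */
static void enum_put_wrong(struct codec_state *st, const struct ctl_elem_value *uc)
{
    st->mode[0] = (unsigned int)uc->value.integer.value[0];
    st->mode[1] = (unsigned int)uc->value.integer.value[1];
}

/* Fixed "put": enum ctl read via enumerated.item[]. */
static void enum_put_right(struct codec_state *st, const struct ctl_elem_value *uc)
{
    st->mode[0] = uc->value.enumerated.item[0];
    st->mode[1] = uc->value.enumerated.item[1];
}

/* What userspace (alsa-lib) does for a two-channel enum ctl: fill item[ch]. */
static void user_fill_enum(struct ctl_elem_value *uc, unsigned int ch0, unsigned int ch1)
{
    memset(uc, 0, sizeof *uc);
    uc->value.enumerated.item[0] = ch0;
    uc->value.enumerated.item[1] = ch1;
}

/* Returns 1 if the buggy path stores different modes than the fixed path for this input. */
int wrong_path_misreads(unsigned int ch0, unsigned int ch1)
{
    struct ctl_elem_value uc;
    struct codec_state st_wrong = {{0, 0}}, st_right = {{0, 0}};

    user_fill_enum(&uc, ch0, ch1);
    enum_put_wrong(&st_wrong, &uc);
    enum_put_right(&st_right, &uc);
    return st_wrong.mode[0] != st_right.mode[0] || st_wrong.mode[1] != st_right.mode[1];
}

/* The fixed path round-trips each channel exactly, whatever sizeof(long) is. */
unsigned int right_path_mode(unsigned int ch0, unsigned int ch1, int ch)
{
    struct ctl_elem_value uc;
    struct codec_state st = {{0, 0}};

    user_fill_enum(&uc, ch0, ch1);
    enum_put_right(&st, &uc);
    return st.mode[ch];
}

int main(void)
{
    printf("sizeof(long)=%zu: items {1,1} -> buggy path %s the second channel\n",
           sizeof(long), wrong_path_misreads(1, 1) ? "loses" : "keeps");
    return 0;
}
```

With 8-byte `long`, `integer.value[0]` overlaps `item[0]` and `item[1]`, and `integer.value[1]` overlaps `item[2]` and `item[3]` (still zero), so the second channel's setting is dropped. Note the caveat that makes this class of bug easy to miss in testing: on a little-endian LP64 kernel, an input with `item[1] == 0` (a single-channel or "both channels at mode 0" case) produces identical results on both paths, so the mismatch only shows up once the second channel is set to a non-zero mode, or on a 32-bit build the two views coincide entirely.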
      can: gs_usb: fixed disconnect bug by removing erroneous use of kfree() · 01ff3a0a
      Maximilian Schneider authored
      [ Upstream commit e9a2d81b ]
      
      gs_destroy_candev() erroneously calls kfree() on a struct gs_can *, which is
      allocated through alloc_candev() and should instead be freed using
      free_candev() alone.
      
      The inappropriate use of kfree() causes the kernel to hang when
      gs_destroy_candev() is called.
      
      Only the struct gs_usb * which is allocated through kzalloc() should be freed
      using kfree() when the device is disconnected.
      Signed-off-by: Maximilian Schneider <max@schneidersoft.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      01ff3a0a
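The gs_usb fix above turns on an ownership rule that is easy to get wrong: `struct gs_can` is the private area that `alloc_candev()` carves out of the same allocation as the `net_device`, so it was never a `kfree()`-able pointer of its own, and `free_candev()` on the netdev already releases it. The following is an added example, not code from the kernel or from the gs_usb driver, that models that layout in userspace with `calloc()`/`free()`; `model_*` names, `MODEL_NETDEV_ALIGN` and the hypothetical `model_gs_can` are all assumptions standing in for `alloc_candev()`, `netdev_priv()`, `free_candev()` and `struct gs_can`.

```c
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of alloc_candev()/netdev_priv()/free_candev(): the
 * driver's private struct lives in the same allocation as the net_device,
 * at an aligned offset after the header (the real kernel uses NETDEV_ALIGN
 * and a much larger struct net_device; names here are hypothetical).
 */
#define MODEL_NETDEV_ALIGN 32u
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))

struct model_net_device {
    char name[16];
    size_t priv_size;
};

static size_t priv_offset(void)
{
    return ALIGN_UP(sizeof(struct model_net_device), MODEL_NETDEV_ALIGN);
}

/* alloc_candev() equivalent: one allocation holding header + priv. */
struct model_net_device *model_alloc_candev(size_t priv_size)
{
    struct model_net_device *dev = calloc(1, priv_offset() + priv_size);
    if (!dev)
        return NULL;
    dev->priv_size = priv_size;
    return dev;
}

/* netdev_priv() equivalent: the private area is an interior pointer, not a malloc() result. */
void *model_netdev_priv(struct model_net_device *dev)
{
    return (char *)dev + priv_offset();
}

/* Inverse of model_netdev_priv(): recover the allocation base from a priv pointer. */
struct model_net_device *model_priv_to_netdev(void *priv)
{
    return (struct model_net_device *)((char *)priv - priv_offset());
}

/* free_candev() equivalent: releases the whole allocation, priv included. */
void model_free_candev(struct model_net_device *dev)
{
    free(dev);
}

/* Driver private data, laid out like gs_can: points back at its own net_device. */
struct model_gs_can {
    struct model_net_device *netdev;
    unsigned int channel;
};

struct model_gs_can *model_gs_make_candev(unsigned int channel)
{
    struct model_net_device *netdev = model_alloc_candev(sizeof(struct model_gs_can));
    struct model_gs_can *dev;

    if (!netdev)
        return NULL;
    dev = model_netdev_priv(netdev);
    dev->netdev = netdev;
    dev->channel = channel;
    return dev;
}

/*
 * The buggy sequence the commit removes would be, in this model:
 *     model_free_candev(dev->netdev);  // releases the allocation; dev now dangles
 *     free(dev);                        // dev was never returned by malloc(): invalid free
 * It is deliberately not executed here. This check states why the second call is wrong.
 */
int priv_pointer_is_allocation_base(const struct model_gs_can *dev)
{
    return (const void *)dev == (const void *)dev->netdev;
}

/* Fixed destroy: a single free of the containing net_device, nothing else. */
void model_gs_destroy_candev(struct model_gs_can *dev)
{
    model_free_candev(dev->netdev);
}
```

The check to carry over to real driver review is the same one the model makes explicit: a pointer obtained from `netdev_priv()` (or any other `container`-style interior pointer) must never be passed to `kfree()`; only memory that came from `kzalloc()`/`kmalloc()` directly, like the `struct gs_usb` the commit mentions, is freed that way.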
      mac80211: minstrel_ht: set default tx aggregation timeout to 0 · 870be7d2
      Felix Fietkau authored
      [ Upstream commit 7a36b930 ]
      
      The value 5000 was put here with the addition of the timeout field to
      ieee80211_start_tx_ba_session. It was originally added in mac80211 to
      save resources for drivers like iwlwifi, which only supports a limited
      number of concurrent aggregation sessions.
      
      Since iwlwifi does not use minstrel_ht and other drivers don't need
      this, 0 is a better default - especially since there have been
      recent reports of aggregation setup related issues reproduced with
      ath9k. This should improve stability without causing any adverse
      effects.
      
      Cc: stable@vger.kernel.org
      Acked-by: Avery Pennarun <apenwarr@gmail.com>
      Signed-off-by: Felix Fietkau <nbd@openwrt.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      870be7d2
      ASoC: samsung: Use IRQ safe spin lock calls · ea46df70
      Charles Keepax authored
      [ Upstream commit 316fa9e0 ]
      
      Lockdep warns of a potential lock inversion, i2s->lock is held numerous
      times whilst we are under the substream lock (snd_pcm_stream_lock). If
      we use the IRQ unsafe spin lock calls, you can also end up locking
      snd_pcm_stream_lock whilst under i2s->lock (if an IRQ happens whilst we
      are holding i2s->lock). This could result in deadlock.
      
      [   18.147001]        CPU0                    CPU1
      [   18.151509]        ----                    ----
      [   18.156022]   lock(&(&pri_dai->spinlock)->rlock);
      [   18.160701]                                local_irq_disable();
      [   18.166622]                                lock(&(&substream->self_group.lock)->rlock);
      [   18.174595]                                lock(&(&pri_dai->spinlock)->rlock);
      [   18.181806]   <Interrupt>
      [   18.184408]     lock(&(&substream->self_group.lock)->rlock);
      [   18.190045]
      [   18.190045]  *** DEADLOCK ***
      
      This patch changes to using the irq safe spinlock calls, to avoid this
      issue.
      
      Fixes: ce8bcdbb ("ASoC: samsung: i2s: Protect more registers with a spinlock")
      Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Tested-by: Anand Moon <linux.amoon@gmail.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      ea46df70
      iwlwifi: mvm: inc pending frames counter also when txing non-sta · 7e62b968
      Liad Kaufman authored
      [ Upstream commit fb896c44 ]
      
      Until this patch, when TXing non-sta the pending_frames counter
      wasn't increased, but it WAS decreased in
      iwl_mvm_rx_tx_cmd_single(), which makes it negative in certain
      conditions. This in turn caused much trouble when we need to
      remove the station since we won't be waiting forever until
      pending_frames gets to 0. In certain cases, we were exhausting
      the station table even in BSS mode, because we had a lot of
      stale stations.
      
      Increase the counter also in iwl_mvm_tx_skb_non_sta() after a
      successful TX to avoid this outcome.
      
      CC: <stable@vger.kernel.org> [3.18+]
      Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
      Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      7e62b968
      mac80211: minstrel: Change expected throughput unit back to Kbps · 60ca0012
      Sven Eckelmann authored
      [ Upstream commit 212c5a5e ]
      
      The change from cur_tp to the function
      minstrel_get_tp_avg/minstrel_ht_get_tp_avg changed the unit used for the
      current throughput. For example in minstrel_ht the correct
      conversion between them would be:
      
          mrs->cur_tp / 10 == minstrel_ht_get_tp_avg(..).
      
      This factor 10 must also be included in the calculation of
      minstrel_get_expected_throughput and minstrel_ht_get_expected_throughput to
      return values with the unit [Kbps] instead of [10Kbps]. Otherwise routing
      algorithms like B.A.T.M.A.N. V will make incorrect decisions based on these
      values. Its kernel based implementation expects expected_throughput always
      to have the unit [Kbps] and not sometimes [10Kbps] and sometimes [Kbps].
      
      iw and olsrdv2's nl80211 based statistics module have the same requirement;
      they retrieve the same data via NL80211_STA_INFO_TX_BITRATE.
      
      Cc: stable@vger.kernel.org
      Fixes: 6a27b2c4 ("mac80211: restructure per-rate throughput calculation into function")
      Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      60ca0012
      mac80211: fix use of uninitialised values in RX aggregation · d5bb89fa
      Chris Bainbridge authored
      [ Upstream commit f39ea269 ]
      
      Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
      initialize the "removed" field (all others are initialized
      manually). That fixes:
      
      UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
      load of value 2 is not a valid value for type '_Bool'
      CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
      Workqueue: phy0 rt2x00usb_work_rxdone
       0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
       ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
       ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
      Call Trace:
       [<ffffffff8181d866>] dump_stack+0x45/0x5f
       [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
       [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
       [<ffffffff82227b4d>] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
       [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
       [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
       [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
      
      While at it, convert to use sizeof(*tid_agg_rx) instead.
      
      Fixes: 788211d8 ("mac80211: fix RX A-MPDU session reorder timer deletion")
      Cc: stable@vger.kernel.org
      Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
      [reword commit message, use sizeof(*tid_agg_rx)]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      d5bb89fa
      cfg80211/wext: fix message ordering · 6d5202f3
      Johannes Berg authored
      [ Upstream commit cb150b9d ]
      
      Since cfg80211 frequently takes actions from its netdev notifier
      call, wireless extensions messages could still be ordered badly,
      because the wext netdev notifier, as wext is built into the
      kernel, runs before the cfg80211 netdev notifier. For example,
      the following can happen:
      
      5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
          link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
      5: wlan1: <BROADCAST,MULTICAST,UP>
          link/ether
      
      when setting the interface down causes the wext message.
      
      To also fix this, export the wireless_nlevent_flush() function
      and also call it from the cfg80211 notifier.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      6d5202f3
      wext: fix message delay/ordering · 746ba2ee
      Johannes Berg authored
      [ Upstream commit 8bf86273 ]
      
      Beniamino reported that he was getting an RTM_NEWLINK message for a
      given interface, after the RTM_DELLINK for it. It turns out that the
      message is a wireless extensions message, which was sent because the
      interface had been connected, and the disconnection while it was being
      deleted caused a wext message.
      
      For its netlink messages, wext uses RTM_NEWLINK, but the message is
      without all the regular rtnetlink attributes, so "ip monitor link"
      prints just rudimentary information:
      
      5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
          link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
      Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
          link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
      5: wlan1: <BROADCAST,MULTICAST,UP>
          link/ether
      (from my hwsim reproduction)
      
      This can cause userspace to get confused since it doesn't expect an
      RTM_NEWLINK message after RTM_DELLINK.
      
      The reason for this is that wext schedules a worker to send out the
      messages, and the scheduling delay can cause the messages to get out
      to userspace in different order.
      
      To fix this, have wext register a netdevice notifier and flush out
      any pending messages when netdevice state changes. This fixes any
      ordering whenever the original message wasn't sent by a notifier
      itself.
      
      Cc: stable@vger.kernel.org
      Reported-by: Beniamino Galvani <bgalvani@redhat.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      746ba2ee