1. 02 Feb, 2016 40 commits
    • Sven Eckelmann's avatar
      batman-adv: Avoid recursive call_rcu for batadv_bla_claim · 3816a728
      Sven Eckelmann authored
      commit 63b39927 upstream.
      
      The batadv_claim_free_ref function uses call_rcu to delay the free of the
      batadv_bla_claim object until no (already started) rcu_read_lock is enabled
      anymore. This makes sure that no context is still trying to access the
      object which should be removed. But batadv_bla_claim also contains a
      reference to backbone_gw which must be removed.
      
      The reference drop of backbone_gw was done in the call_rcu function
      batadv_claim_free_rcu but should actually be done in the
      batadv_claim_release function to avoid nested call_rcus. This is important
      because rcu_barrier (e.g. batadv_softif_free or batadv_exit) will not
      detect the inner call_rcu as relevant for its execution. Otherwise this
      barrier will most likely be inserted in the queue before the callback of
      the first call_rcu was executed. The caller of rcu_barrier will therefore
      continue to run before the inner call_rcu callback finished.
      
      Fixes: 23721387 ("batman-adv: add basic bridge loop avoidance code")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3816a728
    • Nikolay Aleksandrov's avatar
      bridge: fix lockdep addr_list_lock false positive splat · 9647516f
      Nikolay Aleksandrov authored
      commit c6894dec upstream.
      
      After promisc mode management was introduced a bridge device could do
      dev_set_promiscuity from its ndo_change_rx_flags() callback which in
      turn can be called after the bridge's addr_list_lock has been taken
      (e.g. by dev_uc_add). This causes a false positive lockdep splat because
      the port interfaces' addr_list_lock is taken when br_manage_promisc()
      runs after the bridge's addr list lock was already taken.
      To remove the false positive introduce a custom bridge addr_list_lock
      class and set it on bridge init.
      A simple way to reproduce this is with the following:
      $ brctl addbr br0
      $ ip l add l br0 br0.100 type vlan id 100
      $ ip l set br0 up
      $ ip l set br0.100 up
      $ echo 1 > /sys/class/net/br0/bridge/vlan_filtering
      $ brctl addif br0 eth0
      Splat:
      [   43.684325] =============================================
      [   43.684485] [ INFO: possible recursive locking detected ]
      [   43.684636] 4.4.0-rc8+ #54 Not tainted
      [   43.684755] ---------------------------------------------
      [   43.684906] brctl/1187 is trying to acquire lock:
      [   43.685047]  (_xmit_ETHER){+.....}, at: [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.685460]  but task is already holding lock:
      [   43.685618]  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.686015]  other info that might help us debug this:
      [   43.686316]  Possible unsafe locking scenario:
      
      [   43.686743]        CPU0
      [   43.686967]        ----
      [   43.687197]   lock(_xmit_ETHER);
      [   43.687544]   lock(_xmit_ETHER);
      [   43.687886] *** DEADLOCK ***
      
      [   43.688438]  May be due to missing lock nesting notation
      
      [   43.688882] 2 locks held by brctl/1187:
      [   43.689134]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81510317>] rtnl_lock+0x17/0x20
      [   43.689852]  #1:  (_xmit_ETHER){+.....}, at: [<ffffffff815072a7>] dev_uc_add+0x27/0x80
      [   43.690575] stack backtrace:
      [   43.690970] CPU: 0 PID: 1187 Comm: brctl Not tainted 4.4.0-rc8+ #54
      [   43.691270] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
      [   43.691770]  ffffffff826a25c0 ffff8800369fb8e0 ffffffff81360ceb ffffffff826a25c0
      [   43.692425]  ffff8800369fb9b8 ffffffff810d0466 ffff8800369fb968 ffffffff81537139
      [   43.693071]  ffff88003a08c880 0000000000000000 00000000ffffffff 0000000002080020
      [   43.693709] Call Trace:
      [   43.693931]  [<ffffffff81360ceb>] dump_stack+0x4b/0x70
      [   43.694199]  [<ffffffff810d0466>] __lock_acquire+0x1e46/0x1e90
      [   43.694483]  [<ffffffff81537139>] ? netlink_broadcast_filtered+0x139/0x3e0
      [   43.694789]  [<ffffffff8153b5da>] ? nlmsg_notify+0x5a/0xc0
      [   43.695064]  [<ffffffff810d10f5>] lock_acquire+0xe5/0x1f0
      [   43.695340]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.695623]  [<ffffffff815edea5>] _raw_spin_lock_bh+0x45/0x80
      [   43.695901]  [<ffffffff8150169e>] ? dev_set_rx_mode+0x1e/0x40
      [   43.696180]  [<ffffffff8150169e>] dev_set_rx_mode+0x1e/0x40
      [   43.696460]  [<ffffffff8150189c>] dev_set_promiscuity+0x3c/0x50
      [   43.696750]  [<ffffffffa0586845>] br_port_set_promisc+0x25/0x50 [bridge]
      [   43.697052]  [<ffffffffa05869aa>] br_manage_promisc+0x8a/0xe0 [bridge]
      [   43.697348]  [<ffffffffa05826ee>] br_dev_change_rx_flags+0x1e/0x20 [bridge]
      [   43.697655]  [<ffffffff81501532>] __dev_set_promiscuity+0x132/0x1f0
      [   43.697943]  [<ffffffff81501672>] __dev_set_rx_mode+0x82/0x90
      [   43.698223]  [<ffffffff815072de>] dev_uc_add+0x5e/0x80
      [   43.698498]  [<ffffffffa05b3c62>] vlan_device_event+0x542/0x650 [8021q]
      [   43.698798]  [<ffffffff8109886d>] notifier_call_chain+0x5d/0x80
      [   43.699083]  [<ffffffff810988b6>] raw_notifier_call_chain+0x16/0x20
      [   43.699374]  [<ffffffff814f456e>] call_netdevice_notifiers_info+0x6e/0x80
      [   43.699678]  [<ffffffff814f4596>] call_netdevice_notifiers+0x16/0x20
      [   43.699973]  [<ffffffffa05872be>] br_add_if+0x47e/0x4c0 [bridge]
      [   43.700259]  [<ffffffffa058801e>] add_del_if+0x6e/0x80 [bridge]
      [   43.700548]  [<ffffffffa0588b5f>] br_dev_ioctl+0xaf/0xc0 [bridge]
      [   43.700836]  [<ffffffff8151a7ac>] dev_ifsioc+0x30c/0x3c0
      [   43.701106]  [<ffffffff8151aac9>] dev_ioctl+0xf9/0x6f0
      [   43.701379]  [<ffffffff81254345>] ? mntput_no_expire+0x5/0x450
      [   43.701665]  [<ffffffff812543ee>] ? mntput_no_expire+0xae/0x450
      [   43.701947]  [<ffffffff814d7b02>] sock_do_ioctl+0x42/0x50
      [   43.702219]  [<ffffffff814d8175>] sock_ioctl+0x1e5/0x290
      [   43.702500]  [<ffffffff81242d0b>] do_vfs_ioctl+0x2cb/0x5c0
      [   43.702771]  [<ffffffff81243079>] SyS_ioctl+0x79/0x90
      [   43.703033]  [<ffffffff815eebb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
      
      CC: Vlad Yasevich <vyasevic@redhat.com>
      CC: Stephen Hemminger <stephen@networkplumber.org>
      CC: Bridge list <bridge@lists.linux-foundation.org>
      CC: Andy Gospodarek <gospo@cumulusnetworks.com>
      CC: Roopa Prabhu <roopa@cumulusnetworks.com>
      Fixes: 2796d0c6 ("bridge: Automatically manage port promiscuous mode.")
      Reported-by: default avatarAndy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9647516f
    • Dan Carpenter's avatar
      Btrfs: clean up an error code in btrfs_init_space_info() · 26976416
      Dan Carpenter authored
      commit 0dc924c5 upstream.
      
      If we return 1 here, then the caller treats it as an error and returns
      -EINVAL.  It causes a static checker warning to treat positive returns
      as an error.
      
      Fixes: 1aba86d6 ('Btrfs: fix easily get into ENOSPC in mixed case')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      26976416
    • Russell King's avatar
      mmc: sd: limit SD card power limit according to cards capabilities · 6f40d496
      Russell King authored
      commit d9812780 upstream.
      
      The SD card specification allows cards to error out a SWITCH command
      where the requested function in a group is not supported.  The spec
      provides for a set of capabilities which indicate which functions are
      supported.
      
      In the case of the power limit, requesting an unsupported power level
      via the SWITCH command fails, resulting in the power level remaining at
      the power-on default of 0.72W, even though the host and card may support
      higher powers levels.
      
      This has been seen with SanDisk 8GB cards, which support the default
      0.72W and 1.44W (200mA and 400mA) in combination with an iMX6 host,
      supporting up to 2.88W (800mA).  This currently causes us to try to set
      a power limit function value of '3' (2.88W) which the card errors out
      on, and thereby causes the power level to remain at 0.72W rather than
      the desired 1.44W.
      
      Arrange to limit the selected current limit by the capabilities reported
      by the card to avoid the SWITCH command failing.  Select the highest
      current limit that the host and card combination support.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Fixes: a39ca6ae ("mmc: core: Simplify and fix for SD switch processing")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6f40d496
    • Eric Dumazet's avatar
      ipv6: tcp: add rcu locking in tcp_v6_send_synack() · 2e000990
      Eric Dumazet authored
      commit 3e4006f0 upstream.
      
      When first SYNACK is sent, we already hold rcu_read_lock(), but this
      is not true if a SYNACK is retransmitted, as a timer (soft) interrupt
      does not hold rcu_read_lock()
      
      Fixes: 45f6fad8 ("ipv6: add complete rcu protection around np->opt")
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2e000990
    • Mickaël Salaün's avatar
      um: Fix build error and kconfig for i386 · 1b687f7e
      Mickaël Salaün authored
      commit 42d91f61 upstream.
      
      Fix build error by generating elfcore.o only when ELF_CORE (depending on
      COREDUMP) is selected:
      
      arch/x86/um/built-in.o: In function `elf_core_write_extra_phdrs':
      (.text+0x3e62): undefined reference to `dump_emit'
      arch/x86/um/built-in.o: In function `elf_core_write_extra_data':
      (.text+0x3eef): undefined reference to `dump_emit'
      
      Fixes: 5d2acfc7 ("kconfig: make allnoconfig disable options behind EMBEDDED and EXPERT")
      Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Josh Triplett <josh@joshtriplett.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarJosh Triplett <josh@joshtriplett.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1b687f7e
    • Bart Van Assche's avatar
      target: Fix a memory leak in target_dev_lba_map_store() · c8897d10
      Bart Van Assche authored
      commit f0a8afec upstream.
      
      strsep() modifies its first argument. Make the pointer passed to kfree()
      match the return value of kmalloc().
      
      Fixes: 229d4f11 (commit "target_core_alua: Referrals configfs integration")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c8897d10
    • Brian Norris's avatar
      firmware: actually return NULL on failed request_firmware_nowait() · f5117c4c
      Brian Norris authored
      commit 715780ae upstream.
      
      The kerneldoc for request_firmware_nowait() says that it may call the
      provided cont() callback with @fw == NULL, if the firmware request
      fails. However, this is not the case when called with an empty string
      (""). This case is short-circuited by the 'name[0] == '\0'' check
      introduced in commit 471b095d ("firmware_class: make sure fw requests
      contain a name"), so _request_firmware() never gets to set the fw to
      NULL.
      
      Noticed while using the new 'trigger_async_request' testing hook:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10553.726178] test_firmware: loading ''
          [10553.729859] test_firmware: loaded: 995209091
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [10733.676184] test_firmware: loading ''
          [10733.679855] Unable to handle kernel NULL pointer dereference at virtual address 00000004
          [10733.687951] pgd = ec188000
          [10733.690655] [00000004] *pgd=00000000
          [10733.694240] Internal error: Oops: 5 [#1] SMP ARM
          [10733.698847] Modules linked in: btmrvl_sdio btmrvl bluetooth sbs_battery nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables asix usbnet mwifiex_sdio mwifiex cfg80211 jitterentropy_rng drbg joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
          [10733.725670] CPU: 0 PID: 6600 Comm: bash Not tainted 4.4.0-rc4-00351-g63d0877 #178
          [10733.733137] Hardware name: Rockchip (Device Tree)
          [10733.737831] task: ed24f6c0 ti: ee322000 task.ti: ee322000
          [10733.743222] PC is at do_raw_spin_lock+0x18/0x1a0
          [10733.747831] LR is at _raw_spin_lock+0x18/0x1c
          [10733.752180] pc : [<c00653a0>]    lr : [<c054c204>]    psr: a00d0013
          [10733.752180] sp : ee323df8  ip : ee323e20  fp : ee323e1c
          [10733.763634] r10: 00000051  r9 : b6f18000  r8 : ee323f80
          [10733.768847] r7 : c089cebc  r6 : 00000001  r5 : 00000000  r4 : ec0e6000
          [10733.775360] r3 : dead4ead  r2 : c06bd140  r1 : eef913b4  r0 : 00000000
          [10733.781874] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
          [10733.788995] Control: 10c5387d  Table: 2c18806a  DAC: 00000051
          [10733.794728] Process bash (pid: 6600, stack limit = 0xee322218)
          [10733.800549] Stack: (0xee323df8 to 0xee324000)
          [10733.804896] 3de0:                                                       ec0e6000 00000000
          [10733.813059] 3e00: 00000001 c089cebc ee323f80 b6f18000 ee323e2c ee323e20 c054c204 c0065394
          [10733.821221] 3e20: ee323e44 ee323e30 c02fec60 c054c1f8 ec0e7ec0 ec3fcfc0 ee323e5c ee323e48
          [10733.829384] 3e40: c02fed08 c02fec48 c07dbf74 eeb05a00 ee323e8c ee323e60 c0253828 c02fecac
          [10733.837547] 3e60: 00000001 c0116950 ee323eac ee323e78 00000001 ec3fce00 ed2d9700 ed2d970c
          [10733.845710] 3e80: ee323e9c ee323e90 c02e873c c02537d4 ee323eac ee323ea0 c017bd40 c02e8720
          [10733.853873] 3ea0: ee323ee4 ee323eb0 c017b250 c017bd00 00000000 00000000 f3e47a54 ec128b00
          [10733.862035] 3ec0: c017b10c ee323f80 00000001 c000f504 ee322000 00000000 ee323f4c ee323ee8
          [10733.870197] 3ee0: c011b71c c017b118 ee323fb0 c011bc90 becfa8d9 00000001 ec128b00 00000001
          [10733.878359] 3f00: b6f18000 ee323f80 ee323f4c ee323f18 c011bc90 c0063950 ee323f3c ee323f28
          [10733.886522] 3f20: c0063950 c0549138 00000001 ec128b00 00000001 ec128b00 b6f18000 ee323f80
          [10733.894684] 3f40: ee323f7c ee323f50 c011bed8 c011b6ec c0135fb8 c0135f24 ec128b00 ec128b00
          [10733.902847] 3f60: 00000001 b6f18000 c000f504 ee322000 ee323fa4 ee323f80 c011c664 c011be24
          [10733.911009] 3f80: 00000000 00000000 00000001 b6f18000 b6e79be0 00000004 00000000 ee323fa8
          [10733.919172] 3fa0: c000f340 c011c618 00000001 b6f18000 00000001 b6f18000 00000001 00000000
          [10733.927334] 3fc0: 00000001 b6f18000 b6e79be0 00000004 00000001 00000001 8068a3f1 b6e79c84
          [10733.935496] 3fe0: 00000000 becfa7dc b6de194d b6e20246 400d0030 00000001 7a4536e8 49bda390
          [10733.943664] [<c00653a0>] (do_raw_spin_lock) from [<c054c204>] (_raw_spin_lock+0x18/0x1c)
          [10733.951743] [<c054c204>] (_raw_spin_lock) from [<c02fec60>] (fw_free_buf+0x24/0x64)
          [10733.959388] [<c02fec60>] (fw_free_buf) from [<c02fed08>] (release_firmware+0x68/0x74)
          [10733.967207] [<c02fed08>] (release_firmware) from [<c0253828>] (trigger_async_request_store+0x60/0x124)
          [10733.976501] [<c0253828>] (trigger_async_request_store) from [<c02e873c>] (dev_attr_store+0x28/0x34)
          [10733.985533] [<c02e873c>] (dev_attr_store) from [<c017bd40>] (sysfs_kf_write+0x4c/0x58)
          [10733.993437] [<c017bd40>] (sysfs_kf_write) from [<c017b250>] (kernfs_fop_write+0x144/0x1a8)
          [10734.001689] [<c017b250>] (kernfs_fop_write) from [<c011b71c>] (__vfs_write+0x3c/0xe4)
      
      After this patch:
      
          # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request
          [   32.126322] test_firmware: loading ''
          [   32.129995] test_firmware: failed to async load firmware
          -bash: printf: write error: No such device
      
      Fixes: 471b095d ("firmware_class: make sure fw requests contain a name")
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Acked-by: default avatarMing Lei <ming.lei@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f5117c4c
    • Sasha Levin's avatar
      power: test_power: correctly handle empty writes · 9b633ad4
      Sasha Levin authored
      commit 6b9140f3 upstream.
      
      Writing 0 length data into test_power makes it access an invalid array
      location and kill the system.
      
      Fixes: f17ef9b2 ("power: Make test_power driver more dynamic.")
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9b633ad4
    • Stephane Eranian's avatar
      perf/x86: Fix filter_events() bug with event mappings · 6342a172
      Stephane Eranian authored
      commit 61b87cae upstream.
      
      This patch fixes a bug in the filter_events() function.
      
      The patch fixes the bug whereby if some mappings did not
      exist, e.g., STALLED_CYCLES_FRONTEND, then any event after it
      in the attrs array would disappear from the published list of
      events in /sys/devices/cpu/events. This could be verified
      easily on any system post SNB (which do not publish
      STALLED_CYCLES_FRONTEND):
      
      	$ ./perf stat -e cycles,ref-cycles true
      	Performance counter stats for 'true':
                    1,217,348      cycles
      	<not supported>      ref-cycles
      
      The problem is that in filter_events() there is an assumption
      that the argument (attrs) is organized in increasing continuous
      event indexes related to the event_map(). But if we remove the
      non-supported events by shifing the position in the array, then
      the lookup x86_pmu.event_map() needs to compensate for it, otherwise
      we are looking up the wrong index. This patch corrects this problem
      by compensating for the deleted events and with that ref-cycles
      reappears (here shown on Haswell):
      
      	$ perf stat -e ref-cycles,cycles true
      	Performance counter stats for 'true':
               4,525,910      ref-cycles
               1,064,920      cycles
             0.002943888 seconds time elapsed
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: jolsa@kernel.org
      Cc: kan.liang@intel.com
      Fixes: 8300daa2 ("perf/x86: Filter out undefined events from sysfs events attribute")
      Link: http://lkml.kernel.org/r/1449516805-6637-1-git-send-email-eranian@google.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6342a172
    • Vegard Nossum's avatar
      kconfig: return 'false' instead of 'no' in bool function · 684b9df4
      Vegard Nossum authored
      commit aab24a89 upstream.
      
      menu_is_visible() is a bool function and should use boolean return
      values. "no" is a tristate value which happens to also have a value
      of 0, but we should nevertheless use the right symbol for it.
      
      This is a very minor cleanup with no semantic change.
      
      Fixes: 86e187ff ("kconfig: add an option to determine a menu's visibility")
      Cc: Arnaud Lacombe <lacombar@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      684b9df4
    • Ani Sinha's avatar
      sysrq: Fix warning in sysrq generated crash. · 3b6dec3f
      Ani Sinha authored
      commit 984cf355 upstream.
      
      Commit 984d74a7 ("sysrq: rcu-ify __handle_sysrq") replaced
      spin_lock_irqsave() calls with rcu_read_lock() calls in sysrq. Since
      rcu_read_lock() does not disable preemption, faulthandler_disabled() in
      __do_page_fault() in x86/fault.c returns false. When the code later calls
      might_sleep() in the pagefault handler, we get the following warning:
      
      BUG: sleeping function called from invalid context at ../arch/x86/mm/fault.c:1187
      in_atomic(): 0, irqs_disabled(): 0, pid: 4706, name: bash
      Preemption disabled at:[<ffffffff81484339>] printk+0x48/0x4a
      
      To fix this, we release the RCU read lock before we crash.
      
      Tested this patch on linux 3.18 by booting off one of our boards.
      
      Fixes: 984d74a7 ("sysrq: rcu-ify __handle_sysrq")
      Signed-off-by: default avatarAni Sinha <ani@arista.com>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3b6dec3f
    • Jan Beulich's avatar
      x86/LDT: Print the real LDT base address · 279aba8e
      Jan Beulich authored
      commit 0d430e3f upstream.
      
      This was meant to print base address and entry count; make it do so
      again.
      
      Fixes: 37868fe1 "x86/ldt: Make modify_ldt synchronous"
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      279aba8e
    • Stefan Wahren's avatar
      pinctrl: bcm2835: Fix memory leak in error path · 0bbacb6a
      Stefan Wahren authored
      commit 53653c6b upstream.
      
      In case of an invalid pin value bcm2835_pctl_dt_node_to_map()
      would leak the pull configs of already assigned pins.
      So avoid this by calling the free map function in error case.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: e1b2dc70 ("pinctrl: add bcm2835 driver")
      Reviewed-by: default avatarEric Anholt <eric@anholt.net>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [ luis: backported to 3.16:
        - file rename: drivers/pinctrl/bcm/pinctrl-bcm2835.c ->
          drivers/pinctrl/pinctrl-bcm2835.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0bbacb6a
    • Andy Shevchenko's avatar
      ALSA: fm801: propagate TUNER_ONLY bit when autodetected · 59887677
      Andy Shevchenko authored
      commit dbec6719 upstream.
      
      The commit d7ba858a (ALSA: fm801: implement TEA575x tuner autodetection)
      brings autodetection to the driver. However the autodetection algorithm misses
      the TUNER_ONLY bit if it is supplied by the user.
      
      Thus, user gets weird messages and no card registered.
      
       snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
      ...
       snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 interface is busy (1)
       snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer.
       snd_fm801: probe of 0000:0d:01.0 failed with error -5
      
      Do a copy of TUNER_ONLY bit to be applied after autodetection is done.
      
      Fixes: d7ba858a (ALSA: fm801: implement TEA575x tuner autodetection)
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Ondrej Zary <linux@rainbow-software.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      59887677
    • Boris BREZILLON's avatar
      mtd: nand: remove unused and buggy get_platform_nandchip() helper function · f1b1b603
      Boris BREZILLON authored
      commit 8142b47e upstream.
      
      Nobody uses the get_platform_nandchip() helper function which is supposed
      to return a pointer to a platform_nand_chip struct from an mtd_info
      pointer.
      Moreover, this function is buggy since the introduction of the plat_nand
      layer (chip->priv is now storing a pointer to an intermediate
      plat_nand_data structure allocated in plat_nand_probe(), and we have no
      way to retrieve a pointer to the provided platform_nand_chip struct from
      this plat_nand_data pointer).
      
      While we are at it, remove the useless (and buggy, since it's pointing to
      something stored on the stack) data->chip.priv assignment.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Fixes: 711fdf62 ("[MTD] [NAND] platform NAND driver: add driver")
      Cc: Vitaly Wool <vitalywool@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f1b1b603
    • Boris BREZILLON's avatar
      mtd: nand: denali: add missing nand_release() call in denali_remove() · 82a58175
      Boris BREZILLON authored
      commit 320092a0 upstream.
      
      Unregister the NAND device from the NAND subsystem when removing a denali
      NAND controller, otherwise the MTD attached to the NAND device is still
      exposed by the MTD layer, and accesses to this device will likely crash
      the system.
      
      Fixes: 2a0a288e ("mtd: denali: split the generic driver and PCI layer")
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Acked-by: default avatarDinh Nguyen <dinguyen@opensource.altera.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      82a58175
    • Boris BREZILLON's avatar
      mtd: nand: fix ONFI parameter page layout · ff67fea7
      Boris BREZILLON authored
      commit de64aa9e upstream.
      
      src_ssync_features field is only 1 byte large, and the 4th reserved area
      is actually 8 bytes large.
      
      Fixes: d1e1f4e4 ("mtd: nand: add support for reading ONFI parameters from NAND device")
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ff67fea7
    • Dan Carpenter's avatar
      ath9k_htc: check for underflow in ath9k_htc_rx_msg() · 639cf97f
      Dan Carpenter authored
      commit 3a318426 upstream.
      
      We check for overflow here, but we don't check for underflow so it
      causes a static checker warning.
      
      Fixes: fb9987d0 ('ath9k_htc: Support for AR9271 chipset.')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      639cf97f
    • Arnd Bergmann's avatar
      clk: st: avoid uninitialized variable use · 84b02b20
      Arnd Bergmann authored
      commit 2dd52d7f upstream.
      
      quadfs_pll_fs660c32_round_rate prints a few structure members
      that are never initialized, and also doesn't print the only one
      it cares about. We get a gcc warning about the ones that
      are printed:
      
      clk/st/clkgen-fsyn.c:560:93: warning: 'params.sdiv' may be used uninitialized in this function
      clk/st/clkgen-fsyn.c:560:93: warning: 'params.mdiv' may be used uninitialized in this function
      clk/st/clkgen-fsyn.c:560:93: warning: 'params.pe' may be used uninitialized in this function
      clk/st/clkgen-fsyn.c:560:93: warning: 'params.nsdiv' may be used uninitialized in this function
      
      This changes the code to no longer print uninitialized data, and
      for good measure it also prints the ndiv member that is being
      set.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 5f7aa907 ("clk: st: Support for QUADFS inside ClockGenB/C/D/E/F")
      Acked-by: default avatarGabriel Fernandez <gabriel.fernandez@linaro.org>
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      84b02b20
    • Loc Ho's avatar
      clk: xgene: Fix divider with non-zero shift value · ba65b79d
      Loc Ho authored
      commit 1382ea63 upstream.
      
      The X-Gene clock driver missed the divider shift operation when
      set the divider value.
      Signed-off-by: default avatarLoc Ho <lho@apm.com>
      Fixes: 308964ca ("clk: Add APM X-Gene SoC clock driver")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ba65b79d
    • Arnd Bergmann's avatar
      SCSI: initio: remove duplicate module device table · 8f9f3466
      Arnd Bergmann authored
      commit d282e2b3 upstream.
      
      The initio driver has for many years had two copies of the
      same module device table. One of them is also used for registering
      the other driver, the other one is entirely useless after the
      large scale cleanup that Alan Cox did back in 2007.
      
      The compiler warns about this whenever the driver is built-in:
      
      drivers/scsi/initio.c:131:29: warning: 'i91u_pci_devices' defined but not used [-Wunused-variable]
      
      This removes the extraneous table and the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 72d39fea ("[SCSI] initio: Convert into a real Linux driver and update to modern style")
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8f9f3466
    • Russell King's avatar
      [media] rc: allow rc modules to be loaded if rc-main is not a module · ca63c6e4
      Russell King authored
      commit 2ff56fad upstream.
      
      rc-main mistakenly uses #ifdef MODULE to determine whether it should
      load the rc keymap modules.  This symbol is only defined if rc-main
      is being built as a module itself, and bears no relation to whether
      the rc keymaps are modules.
      
      Fix this to use CONFIG_MODULES instead.
      
      Fixes: 631493ec ("[media] rc-core: merge rc-map.c into rc-main.c")
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ca63c6e4
    • Lukas Wunner's avatar
      drm/i915: On fb alloc failure, unref gem object where it gets refed · dd004fc2
      Lukas Wunner authored
      commit dcb1394e upstream.
      
      Currently when allocating a framebuffer fails, the gem object gets
      unrefed at the bottom of the call stack in __intel_framebuffer_create,
      not where it gets refed, which is in intel_framebuffer_create_for_mode
      (via i915_gem_alloc_object) and in intel_user_framebuffer_create
      (via drm_gem_object_lookup).
      
      This invites mistakes: __intel_framebuffer_create is also called from
      intelfb_alloc, and as discovered by Tvrtko Ursulin, a double unref
      was introduced there with a8bb6818 ("drm/i915: Fix error path leak
      in fbdev fb allocation").
      
      As suggested by Ville Syrjälä, fix the double unref and improve code
      clarity by moving the unref away from __intel_framebuffer_create to
      where the gem object gets refed.
      
      Based on Tvrtko Ursulin's original v2.
      
      v3: On fb alloc failure, unref gem object where it gets refed,
          fix double unref in separate commit (Ville Syrjälä)
      
      v4: Lock struct_mutex on unref (Chris Wilson)
      
      v5: Rebase on drm-intel-nightly 2015y-09m-01d-09h-06m-08s UTC,
          rephrase commit message (Jani Nicula)
      Tested-by: default avatarPierre Moreau <pierre.morrow@free.fr>
          [MBP  5,3 2009  nvidia MCP79 + G96        pre-retina]
      Tested-by: default avatarPaul Hordiienko <pvt.gord@gmail.com>
          [MBP  6,2 2010  intel ILK + nvidia GT216  pre-retina]
      Tested-by: default avatarWilliam Brown <william@blackhats.net.au>
          [MBP  8,2 2011  intel SNB + amd turks     pre-retina]
      Tested-by: default avatarLukas Wunner <lukas@wunner.de>
          [MBP  9,1 2012  intel IVB + nvidia GK107  pre-retina]
      Tested-by: default avatarBruno Bierbaumer <bruno@bierbaumer.net>
          [MBP 11,3 2013  intel HSW + nvidia GK107  retina]
      
      Fixes: a8bb6818 ("drm/i915: Fix error path leak in fbdev fb
          allocation")
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/2161c5062ef5d6458f8ae14d924a26d4d1dba317.1446892879.git.lukas@wunner.deSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dd004fc2
    • Alexey Khoroshilov's avatar
      drm/i915: avoid deadlock on failure paths in __intel_framebuffer_create() · 1646605d
      Alexey Khoroshilov authored
      commit 6ccb81f2 upstream.
      
      Since a8bb6818 __intel_framebuffer_create() is called
      with struct_mutex held, so it should use drm_gem_object_unreference()
      instead of drm_gem_object_unreference_unlocked().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      
      This regression has been introduced in
      
      commit a8bb6818
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Mon Feb 10 18:00:39 2014 +0100
      
          drm/i915: Fix error path leak in fbdev fb allocation
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1646605d
    • Josh Boyer's avatar
      ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list · f703dc9d
      Josh Boyer authored
      commit 6b31de3e upstream.
      
      Like the Yoga 900 models the Lenovo Yoga 700 does not have a
      hw rfkill switch, and trying to read the hw rfkill switch through the
      ideapad module causes it to always reported blocking breaking wifi.
      
      This commit adds the Lenovo Yoga 700 to the no_hw_rfkill dmi list, fixing
      the wifi breakage.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1295272
      Tested-by: <dinyar.rabady+spam@gmail.com>
      Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f703dc9d
    • Rich Felker's avatar
    • Tariq Saeed's avatar
      ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock · 5a18c7a6
      Tariq Saeed authored
      commit b1b1e15e upstream.
      
      NFS on a 2 node ocfs2 cluster each node exporting dir.  The lock causing
      the hang is the global bit map inode lock.  Node 1 is master, has the
      lock granted in PR mode; Node 2 is in the converting list (PR -> EX).
      There are no holders of the lock on the master node so it should
      downconvert to NL and grant EX to node 2 but that does not happen.
      BLOCKED + QUEUED in lock res are set and it is on osb blocked list.
      Threads are waiting in __ocfs2_cluster_lock on BLOCKED.  One thread
      wants EX, rest want PR.  So it is as though the downconvert thread needs
      to be kicked to complete the conv.
      
      The hang is caused by an EX req coming into __ocfs2_cluster_lock on the
      heels of a PR req after it sets BUSY (drops l_lock, releasing EX
      thread), forcing the incoming EX to wait on BUSY without doing anything.
      PR has called ocfs2_dlm_lock, which sets the node 1 lock from NL -> PR,
      queues ast.
      
      At this time, upconvert (PR ->EX) arrives from node 2, finds conflict
      with node 1 lock in PR, so the lock res is put on dlm thread's dirty
      listt.
      
      After ret from ocf2_dlm_lock, PR thread now waits behind EX on BUSY till
      awoken by ast.
      
      Now it is dlm_thread that serially runs dlm_shuffle_lists, ast, bast, in
      that order.  dlm_shuffle_lists ques a bast on behalf of node 2 (which
      will be run by dlm_thread right after the ast).  ast does its part, sets
      UPCONVERT_FINISHING, clears BUSY and wakes its waiters.  Next,
      dlm_thread runs bast.  It sets BLOCKED and kicks dc thread.  dc thread
      runs ocfs2_unblock_lock, but since UPCONVERT_FINISHING set, skips doing
      anything and reques.
      
      Inside of __ocfs2_cluster_lock, since EX has been waiting on BUSY ahead
      of PR, it wakes up first, finds BLOCKED set and skips doing anything but
      clearing UPCONVERT_FINISHING (which was actually "meant" for the PR
      thread), and this time waits on BLOCKED.  Next, the PR thread comes out
      of wait but since UPCONVERT_FINISHING is not set, it skips updating the
      l_ro_holders and goes straight to wait on BLOCKED.  So there, we have a
      hang! Threads in __ocfs2_cluster_lock wait on BLOCKED, lock res in osb
      blocked list.  Only when dc thread is awoken, it will run
      ocfs2_unblock_lock and things will unhang.
      
      One way to fix this is to wake the dc thread on the flag after clearing
      UPCONVERT_FINISHING
      
      Orabug: 20933419
      Signed-off-by: default avatarTariq Saeed <tariq.x.saeed@oracle.com>
      Signed-off-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Reviewed-by: default avatarWengang Wang <wen.gang.wang@oracle.com>
      Reviewed-by: default avatarMark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Cc: Eric Ren <zren@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5a18c7a6
    • Takashi Iwai's avatar
      ALSA: timer: Handle disconnection more safely · dd3b91f6
      Takashi Iwai authored
      commit 230323da upstream.
      
      Currently ALSA timer device doesn't take the disconnection into
      account very well; it merely unlinks the timer device at disconnection
      callback but does nothing else.  Because of this, when an application
      accessing the timer device is disconnected, it may release the
      resource before actually closed.  In most cases, it results in a
      warning message indicating a leftover timer instance like:
         ALSA: timer xxxx is busy?
      But basically this is an open race.
      
      This patch tries to address it.  The strategy is like other ALSA
      devices: namely,
      - Manage card's refcount at each open/close
      - Wake up the pending tasks at disconnection
      - Check the shutdown flag appropriately at each possible call
      
      Note that this patch has one ugly hack to handle the wakeup of pending
      tasks.  It'd be cleaner to introduce a new disconnect op to
      snd_timer_instance ops.  But since it would lead to internal ABI
      breakage and it eventually increase my own work when backporting to
      stable kernels, I took a different path to implement locally in
      timer.c.  A cleanup patch will follow at next for 4.5 kernel.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dd3b91f6
    • Nicholas Bellinger's avatar
      iscsi-target: Fix potential dead-lock during node acl delete · 035d3e18
      Nicholas Bellinger authored
      commit 26a99c19 upstream.
      
      This patch is a iscsi-target specific bug-fix for a dead-lock
      that can occur during explicit struct se_node_acl->acl_group
      se_session deletion via configfs rmdir(2), when iscsi-target
      time2retain timer is still active.
      
      It changes iscsi-target to obtain se_portal_group->session_lock
      internally using spin_in_locked() to check for the specific
      se_node_acl configfs shutdown rmdir(2) case.
      
      Note this patch is intended for stable, and the subsequent
      v4.5-rc patch converts target_core_tpg.c to use proper
      se_sess->sess_kref reference counting for both se_node_acl
      deletion + se_node_acl->queue_depth se_session restart.
      Reported-by: default avatar: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      035d3e18
    • Josh Boyer's avatar
      ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list · d6a67e5f
      Josh Boyer authored
      commit edde316a upstream.
      
      One of the newest ideapad models also lacks a physical hw rfkill switch,
      and trying to read the hw rfkill switch through the ideapad module
      causes it to always reported blocking breaking wifi.
      
      Fix it by adding this model to the DMI list.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d6a67e5f
    • Vinit Agnihotri's avatar
      IB/qib: Support creating qps with GFP_NOIO flag · d1fde520
      Vinit Agnihotri authored
      commit fbbeb863 upstream.
      
      The current code is problematic when the QP creation and ipoib is used to
      support NFS and NFS desires to do IO for paging purposes. In that case, the
      GFP_KERNEL allocation in qib_qp.c causes a deadlock in tight memory
      situations.
      
      This fix adds support to create queue pair with GFP_NOIO flag for connected
      mode only to cleanly fail the create queue pair in those situations.
      Reviewed-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarVinit Agnihotri <vinit.abhay.agnihotri@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d1fde520
    • Mike Marciniszyn's avatar
      IB/qib: fix mcast detach when qp not attached · 4b5cb3f8
      Mike Marciniszyn authored
      commit 09dc9cd6 upstream.
      
      The code produces the following trace:
      
      [1750924.419007] general protection fault: 0000 [#3] SMP
      [1750924.420364] Modules linked in: nfnetlink autofs4 rpcsec_gss_krb5 nfsv4
      dcdbas rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl dm_multipath nfs lockd
      scsi_dh sunrpc fscache radeon ttm drm_kms_helper drm serio_raw parport_pc
      ppdev i2c_algo_bit lpc_ich ipmi_si ib_mthca ib_qib dca lp parport ib_ipoib
      mac_hid ib_cm i3000_edac ib_sa ib_uverbs edac_core ib_umad ib_mad ib_core
      ib_addr tg3 ptp dm_mirror dm_region_hash dm_log psmouse pps_core
      [1750924.420364] CPU: 1 PID: 8401 Comm: python Tainted: G D
      3.13.0-39-generic #66-Ubuntu
      [1750924.420364] Hardware name: Dell Computer Corporation PowerEdge
      860/0XM089, BIOS A04 07/24/2007
      [1750924.420364] task: ffff8800366a9800 ti: ffff88007af1c000 task.ti:
      ffff88007af1c000
      [1750924.420364] RIP: 0010:[<ffffffffa0131d51>] [<ffffffffa0131d51>]
      qib_mcast_qp_free+0x11/0x50 [ib_qib]
      [1750924.420364] RSP: 0018:ffff88007af1dd70  EFLAGS: 00010246
      [1750924.420364] RAX: 0000000000000001 RBX: ffff88007b822688 RCX:
      000000000000000f
      [1750924.420364] RDX: ffff88007b822688 RSI: ffff8800366c15a0 RDI:
      6764697200000000
      [1750924.420364] RBP: ffff88007af1dd78 R08: 0000000000000001 R09:
      0000000000000000
      [1750924.420364] R10: 0000000000000011 R11: 0000000000000246 R12:
      ffff88007baa1d98
      [1750924.420364] R13: ffff88003ecab000 R14: ffff88007b822660 R15:
      0000000000000000
      [1750924.420364] FS:  00007ffff7fd8740(0000) GS:ffff88007fc80000(0000)
      knlGS:0000000000000000
      [1750924.420364] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [1750924.420364] CR2: 00007ffff597c750 CR3: 000000006860b000 CR4:
      00000000000007e0
      [1750924.420364] Stack:
      [1750924.420364]  ffff88007b822688 ffff88007af1ddf0 ffffffffa0132429
      000000007af1de20
      [1750924.420364]  ffff88007baa1dc8 ffff88007baa0000 ffff88007af1de70
      ffffffffa00cb313
      [1750924.420364]  00007fffffffde88 0000000000000000 0000000000000008
      ffff88003ecab000
      [1750924.420364] Call Trace:
      [1750924.420364]  [<ffffffffa0132429>] qib_multicast_detach+0x1e9/0x350
      [ib_qib]
      [1750924.568035]  [<ffffffffa00cb313>] ? ib_uverbs_modify_qp+0x323/0x3d0
      [ib_uverbs]
      [1750924.568035]  [<ffffffffa0092d61>] ib_detach_mcast+0x31/0x50 [ib_core]
      [1750924.568035]  [<ffffffffa00cc213>] ib_uverbs_detach_mcast+0x93/0x170
      [ib_uverbs]
      [1750924.568035]  [<ffffffffa00c61f6>] ib_uverbs_write+0xc6/0x2c0 [ib_uverbs]
      [1750924.568035]  [<ffffffff81312e68>] ? apparmor_file_permission+0x18/0x20
      [1750924.568035]  [<ffffffff812d4cd3>] ? security_file_permission+0x23/0xa0
      [1750924.568035]  [<ffffffff811bd214>] vfs_write+0xb4/0x1f0
      [1750924.568035]  [<ffffffff811bdc49>] SyS_write+0x49/0xa0
      [1750924.568035]  [<ffffffff8172f7ed>] system_call_fastpath+0x1a/0x1f
      [1750924.568035] Code: 66 2e 0f 1f 84 00 00 00 00 00 31 c0 5d c3 66 2e 0f 1f
      84 00 00 00 00 00 66 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 8b 7f 10
      <f0> ff 8f 40 01 00 00 74 0e 48 89 df e8 8e f8 06 e1 5b 5d c3 0f
      [1750924.568035] RIP  [<ffffffffa0131d51>] qib_mcast_qp_free+0x11/0x50
      [ib_qib]
      [1750924.568035]  RSP <ffff88007af1dd70>
      [1750924.650439] ---[ end trace 73d5d4b3f8ad4851 ]
      
      The fix is to note the qib_mcast_qp that was found.   If none is found, then
      return EINVAL indicating the error.
      Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Reported-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4b5cb3f8
    • Jean Delvare's avatar
      crypto: crc32c - Fix crc32c soft dependency · 998c8c3c
      Jean Delvare authored
      commit fd7f6727 upstream.
      
      I don't think it makes sense for a module to have a soft dependency
      on itself. This seems quite cyclic by nature and I can't see what
      purpose it could serve.
      
      OTOH libcrc32c calls crypto_alloc_shash("crc32c", 0, 0) so it pretty
      much assumes that some incarnation of the "crc32c" hash algorithm has
      been loaded. Therefore it makes sense to have the soft dependency
      there (as crc-t10dif does.)
      
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      998c8c3c
    • Herbert Xu's avatar
      crypto: algif_skcipher - Load TX SG list after waiting · f608afd0
      Herbert Xu authored
      commit 4f0414e5 upstream.
      
      We need to load the TX SG list in sendmsg(2) after waiting for
      incoming data, not before.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f608afd0
    • Takashi Iwai's avatar
      ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 · 27b7f141
      Takashi Iwai authored
      commit c0bcdbdf upstream.
      
      When a TLV ioctl with numid zero is handled, the driver may spew a
      kernel warning with a stack trace at each call.  The check was
      intended obviously only for a kernel driver, but not for a user
      interaction.  Let's fix it.
      
      This was spotted by syzkaller fuzzer.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      27b7f141
    • Nicolas Boichat's avatar
      ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode · b88eef28
      Nicolas Boichat authored
      commit 9586495d upstream.
      
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_seq_port_info32 to a
      struct snd_seq_port_info, but the latter is 4 bytes longer than the
      32-bit version, so we need to separate kmalloc and copy calls.
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b88eef28
    • Nicolas Boichat's avatar
      ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode · 1fe68765
      Nicolas Boichat authored
      commit 43c54b8c upstream.
      
      This reverts one hunk of
      commit ef44a1ec ("ALSA: sound/core: use memdup_user()"), which
      replaced a number of kmalloc followed by memcpy with memdup calls.
      
      In this case, we are copying from a struct snd_pcm_hw_params32 to
      a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
      the 32-bit version, so we need to separate kmalloc and copy calls.
      
      This actually leads to an out-of-bounds memory access later on
      in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).
      
      Fixes: ef44a1ec ('ALSA: sound/core: use memdup_user()')
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1fe68765
    • Takashi Iwai's avatar
      ALSA: hrtimer: Fix stall by hrtimer_cancel() · 4238f492
      Takashi Iwai authored
      commit 2ba1fe7a upstream.
      
      hrtimer_cancel() waits for the completion from the callback, thus it
      must not be called inside the callback itself.  This was already a
      problem in the past with ALSA hrtimer driver, and the early commit
      [fcfdebe7: ALSA: hrtimer - Fix lock-up] tried to address it.
      
      However, the previous fix is still insufficient: it may still cause a
      lockup when the ALSA timer instance reprograms itself in its callback.
      Then it invokes the start function even in snd_timer_interrupt() that
      is called in hrtimer callback itself, results in a CPU stall.  This is
      no hypothetical problem but actually triggered by syzkaller fuzzer.
      
      This patch tries to fix the issue again.  Now we call
      hrtimer_try_to_cancel() at both start and stop functions so that it
      won't fall into a deadlock, yet giving some chance to cancel the queue
      if the functions have been called outside the callback.  The proper
      hrtimer_cancel() is called in anyway at closing, so this should be
      enough.
      Reported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4238f492
    • Herbert Xu's avatar
      crypto: af_alg - Forbid bind(2) when nokey child sockets are present · 88dd6606
      Herbert Xu authored
      commit a6a48c56 upstream.
      
      This patch forbids the calling of bind(2) when there are child
      sockets created by accept(2) in existence, even if they are created
      on the nokey path.
      
      This is needed as those child sockets have references to the tfm
      object which bind(2) will destroy.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      88dd6606