1. 27 Jan, 2015 1 commit
  2. 16 Jan, 2015 39 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.10.65 · 5054319d
      Greg Kroah-Hartman authored
      5054319d
    • Linus Torvalds's avatar
      mm: Don't count the stack guard page towards RLIMIT_STACK · 7d702b4b
      Linus Torvalds authored
      commit 690eac53 upstream.
      
      Commit fee7e49d ("mm: propagate error from stack expansion even for
      guard page") made sure that we return the error properly for stack
      growth conditions.  It also theorized that counting the guard page
      towards the stack limit might break something, but also said "Let's see
      if anybody notices".
      
      Somebody did notice.  Apparently android-x86 sets the stack limit very
      close to the limit indeed, and including the guard page in the rlimit
      check causes the android 'zygote' process problems.
      
      So this adds the (fairly trivial) code to make the stack rlimit check be
      against the actual real stack size, rather than the size of the vma that
      includes the guard page.
      Reported-and-tested-by: default avatarChih-Wei Huang <cwhuang@android-x86.org>
      Cc: Jay Foad <jay.foad@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d702b4b
    • Linus Torvalds's avatar
      mm: propagate error from stack expansion even for guard page · 88b5d12c
      Linus Torvalds authored
      commit fee7e49d upstream.
      
      Jay Foad reports that the address sanitizer test (asan) sometimes gets
      confused by a stack pointer that ends up being outside the stack vma
      that is reported by /proc/maps.
      
      This happens due to an interaction between RLIMIT_STACK and the guard
      page: when we do the guard page check, we ignore the potential error
      from the stack expansion, which effectively results in a missing guard
      page, since the expected stack expansion won't have been done.
      
      And since /proc/maps explicitly ignores the guard page (commit
      d7824370: "mm: fix up some user-visible effects of the stack guard
      page"), the stack pointer ends up being outside the reported stack area.
      
      This is the minimal patch: it just propagates the error.  It also
      effectively makes the guard page part of the stack limit, which in turn
      measn that the actual real stack is one page less than the stack limit.
      
      Let's see if anybody notices.  We could teach acct_stack_growth() to
      allow an extra page for a grow-up/grow-down stack in the rlimit test,
      but I don't want to add more complexity if it isn't needed.
      Reported-and-tested-by: default avatarJay Foad <jay.foad@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88b5d12c
    • Vlastimil Babka's avatar
      mm, vmscan: prevent kswapd livelock due to pfmemalloc-throttled process being killed · 6bb148fb
      Vlastimil Babka authored
      commit 9e5e3661 upstream.
      
      Charles Shirron and Paul Cassella from Cray Inc have reported kswapd
      stuck in a busy loop with nothing left to balance, but
      kswapd_try_to_sleep() failing to sleep.  Their analysis found the cause
      to be a combination of several factors:
      
      1. A process is waiting in throttle_direct_reclaim() on pgdat->pfmemalloc_wait
      
      2. The process has been killed (by OOM in this case), but has not yet been
         scheduled to remove itself from the waitqueue and die.
      
      3. kswapd checks for throttled processes in prepare_kswapd_sleep():
      
              if (waitqueue_active(&pgdat->pfmemalloc_wait)) {
                      wake_up(&pgdat->pfmemalloc_wait);
      		return false; // kswapd will not go to sleep
      	}
      
         However, for a process that was already killed, wake_up() does not remove
         the process from the waitqueue, since try_to_wake_up() checks its state
         first and returns false when the process is no longer waiting.
      
      4. kswapd is running on the same CPU as the only CPU that the process is
         allowed to run on (through cpus_allowed, or possibly single-cpu system).
      
      5. CONFIG_PREEMPT_NONE=y kernel is used. If there's nothing to balance, kswapd
         encounters no voluntary preemption points and repeatedly fails
         prepare_kswapd_sleep(), blocking the process from running and removing
         itself from the waitqueue, which would let kswapd sleep.
      
      So, the source of the problem is that we prevent kswapd from going to
      sleep until there are processes waiting on the pfmemalloc_wait queue,
      and a process waiting on a queue is guaranteed to be removed from the
      queue only when it gets scheduled.  This was done to make sure that no
      process is left sleeping on pfmemalloc_wait when kswapd itself goes to
      sleep.
      
      However, it isn't necessary to postpone kswapd sleep until the
      pfmemalloc_wait queue actually empties.  To prevent processes from being
      left sleeping, it's actually enough to guarantee that all processes
      waiting on pfmemalloc_wait queue have been woken up by the time we put
      kswapd to sleep.
      
      This patch therefore fixes this issue by substituting 'wake_up' with
      'wake_up_all' and removing 'return false' in the code snippet from
      prepare_kswapd_sleep() above.  Note that if any process puts itself in
      the queue after this waitqueue_active() check, or after the wake up
      itself, it means that the process will also wake up kswapd - and since
      we are under prepare_to_wait(), the wake up won't be missed.  Also we
      update the comment prepare_kswapd_sleep() to hopefully more clearly
      describe the races it is preventing.
      
      Fixes: 5515061d ("mm: throttle direct reclaimers if PF_MEMALLOC reserves are low and swap is backed by network storage")
      Signed-off-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Signed-off-by: default avatarVladimir Davydov <vdavydov@parallels.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.cz>
      Acked-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bb148fb
    • Jiri Olsa's avatar
      perf session: Do not fail on processing out of order event · 2788d619
      Jiri Olsa authored
      commit f61ff6c0 upstream.
      
      Linus reported perf report command being interrupted due to processing
      of 'out of order' event, with following error:
      
        Timestamp below last timeslice flush
        0x5733a8 [0x28]: failed to process type: 3
      
      I could reproduce the issue and in my case it was caused by one CPU
      (mmap) being behind during record and userspace mmap reader seeing the
      data after other CPUs data were already stored.
      
      This is expected under some circumstances because we need to limit the
      number of events that we queue for reordering when we receive a
      PERF_RECORD_FINISHED_ROUND or when we force flush due to memory
      pressure.
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Acked-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Corey Ashford <cjashfor@linux.vnet.ibm.com>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt.fleming@intel.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Stephane Eranian <eranian@google.com>
      Link: http://lkml.kernel.org/r/1417016371-30249-1-git-send-email-jolsa@kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      [zhangzhiqiang: backport to 3.10:
       - adjust context
       - commit f61ff6c0 struct events_stats was defined in tools/perf/util/event.h
         while 3.10 stable defined in tools/perf/util/hist.h.
       - 3.10 stable there is no pr_oe_time() which used for debug.
       - After the above adjustments, becomes same to the original patch:
         https://github.com/torvalds/linux/commit/f61ff6c06dc8f32c7036013ad802c899ec590607
      ]
      Signed-off-by: default avatarZhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2788d619
    • Jiri Olsa's avatar
      perf: Fix events installation during moving group · d525563b
      Jiri Olsa authored
      commit 9fc81d87 upstream.
      
      We allow PMU driver to change the cpu on which the event
      should be installed to. This happened in patch:
      
        e2d37cd2 ("perf: Allow the PMU driver to choose the CPU on which to install events")
      
      This patch also forces all the group members to follow
      the currently opened events cpu if the group happened
      to be moved.
      
      This and the change of event->cpu in perf_install_in_context()
      function introduced in:
      
        0cda4c02 ("perf: Introduce perf_pmu_migrate_context()")
      
      forces group members to change their event->cpu,
      if the currently-opened-event's PMU changed the cpu
      and there is a group move.
      
      Above behaviour causes problem for breakpoint events,
      which uses event->cpu to touch cpu specific data for
      breakpoints accounting. By changing event->cpu, some
      breakpoints slots were wrongly accounted for given
      cpu.
      
      Vinces's perf fuzzer hit this issue and caused following
      WARN on my setup:
      
         WARNING: CPU: 0 PID: 20214 at arch/x86/kernel/hw_breakpoint.c:119 arch_install_hw_breakpoint+0x142/0x150()
         Can't find any breakpoint slot
         [...]
      
      This patch changes the group moving code to keep the event's
      original cpu.
      Reported-by: default avatarVince Weaver <vince@deater.net>
      Signed-off-by: default avatarJiri Olsa <jolsa@redhat.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vince Weaver <vince@deater.net>
      Cc: Yan, Zheng <zheng.z.yan@intel.com>
      Link: http://lkml.kernel.org/r/1418243031-20367-3-git-send-email-jolsa@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d525563b
    • Jiri Olsa's avatar
      perf/x86/intel/uncore: Make sure only uncore events are collected · ac96652d
      Jiri Olsa authored
      commit af91568e upstream.
      
      The uncore_collect_events functions assumes that event group
      might contain only uncore events which is wrong, because it
      might contain any type of events.
      
      This bug leads to uncore framework touching 'not' uncore events,
      which could end up all sorts of bugs.
      
      One was triggered by Vince's perf fuzzer, when the uncore code
      touched breakpoint event private event space as if it was uncore
      event and caused BUG:
      
         BUG: unable to handle kernel paging request at ffffffff82822068
         IP: [<ffffffff81020338>] uncore_assign_events+0x188/0x250
         ...
      
      The code in uncore_assign_events() function was looking for
      event->hw.idx data while the event was initialized as a
      breakpoint with different members in event->hw union.
      
      This patch forces uncore_collect_events() to collect only uncore
      events.
      Reported-by: default avatarVince Weaver <vince@deater.net>
      Signed-off-by: default avatarJiri Olsa <jolsa@redhat.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Yan, Zheng <zheng.z.yan@intel.com>
      Link: http://lkml.kernel.org/r/1418243031-20367-2-git-send-email-jolsa@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac96652d
    • Chris Mason's avatar
      Btrfs: don't delay inode ref updates during log replay · 16e9d54b
      Chris Mason authored
      commit 6f896054 upstream.
      
      Commit 1d52c78a (Btrfs: try not to ENOSPC on log replay) added a
      check to skip delayed inode updates during log replay because it
      confuses the enospc code.  But the delayed processing will end up
      ignoring delayed refs from log replay because the inode itself wasn't
      put through the delayed code.
      
      This can end up triggering a warning at commit time:
      
      WARNING: CPU: 2 PID: 778 at fs/btrfs/delayed-inode.c:1410 btrfs_assert_delayed_root_empty+0x32/0x34()
      
      Which is repeated for each commit because we never process the delayed
      inode ref update.
      
      The fix used here is to change btrfs_delayed_delete_inode_ref to return
      an error if we're currently in log replay.  The caller will do the ref
      deletion immediately and everything will work properly.
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16e9d54b
    • Thomas Petazzoni's avatar
      ARM: mvebu: disable I/O coherency on non-SMP situations on Armada 370/375/38x/XP · f35fff85
      Thomas Petazzoni authored
      commit e5535545 upstream.
      
      Enabling the hardware I/O coherency on Armada 370, Armada 375, Armada
      38x and Armada XP requires a certain number of conditions:
      
       - On Armada 370, the cache policy must be set to write-allocate.
      
       - On Armada 375, 38x and XP, the cache policy must be set to
         write-allocate, the pages must be mapped with the shareable
         attribute, and the SMP bit must be set
      
      Currently, on Armada XP, when CONFIG_SMP is enabled, those conditions
      are met. However, when Armada XP is used in a !CONFIG_SMP kernel, none
      of these conditions are met. With Armada 370, the situation is worse:
      since the processor is single core, regardless of whether CONFIG_SMP
      or !CONFIG_SMP is used, the cache policy will be set to write-back by
      the kernel and not write-allocate.
      
      Since solving this problem turns out to be quite complicated, and we
      don't want to let users with a mainline kernel known to have
      infrequent but existing data corruptions, this commit proposes to
      simply disable hardware I/O coherency in situations where it is known
      not to work.
      
      And basically, the is_smp() function of the kernel tells us whether it
      is OK to enable hardware I/O coherency or not, so this commit slightly
      refactors the coherency_type() function to return
      COHERENCY_FABRIC_TYPE_NONE when is_smp() is false, or the appropriate
      type of the coherency fabric in the other case.
      
      Thanks to this, the I/O coherency fabric will no longer be used at all
      in !CONFIG_SMP configurations. It will continue to be used in
      CONFIG_SMP configurations on Armada XP, Armada 375 and Armada 38x
      (which are multiple cores processors), but will no longer be used on
      Armada 370 (which is a single core processor).
      
      In the process, it simplifies the implementation of the
      coherency_type() function, and adds a missing call to of_node_put().
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Fixes: e60304f8 ("arm: mvebu: Add hardware I/O Coherency support")
      Cc: <stable@vger.kernel.org> # v3.8+
      Acked-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Link: https://lkml.kernel.org/r/1415871540-20302-3-git-send-email-thomas.petazzoni@free-electrons.comSigned-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f35fff85
    • Johannes Berg's avatar
      scripts/kernel-doc: don't eat struct members with __aligned · 697f52b4
      Johannes Berg authored
      commit 7b990789 upstream.
      
      The change from \d+ to .+ inside __aligned() means that the following
      structure:
      
        struct test {
              u8 a __aligned(2);
              u8 b __aligned(2);
        };
      
      essentially gets modified to
      
        struct test {
              u8 a;
        };
      
      for purposes of kernel-doc, thus dropping a struct member, which in
      turns causes warnings and invalid kernel-doc generation.
      
      Fix this by replacing the catch-all (".") with anything that's not a
      semicolon ("[^;]").
      
      Fixes: 9dc30918 ("scripts/kernel-doc: handle struct member __aligned without numbers")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Cc: Nishanth Menon <nm@ti.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: Michal Marek <mmarek@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      697f52b4
    • Ryusuke Konishi's avatar
      nilfs2: fix the nilfs_iget() vs. nilfs_new_inode() races · 344e833f
      Ryusuke Konishi authored
      commit 705304a8 upstream.
      
      Same story as in commit 41080b5a ("nfsd race fixes: ext2") (similar
      ext2 fix) except that nilfs2 needs to use insert_inode_locked4() instead
      of insert_inode_locked() and a bug of a check for dead inodes needs to
      be fixed.
      
      If nilfs_iget() is called from nfsd after nilfs_new_inode() calls
      insert_inode_locked4(), nilfs_iget() will wait for unlock_new_inode() at
      the end of nilfs_mkdir()/nilfs_create()/etc to unlock the inode.
      
      If nilfs_iget() is called before nilfs_new_inode() calls
      insert_inode_locked4(), it will create an in-core inode and read its
      data from the on-disk inode.  But, nilfs_iget() will find i_nlink equals
      zero and fail at nilfs_read_inode_common(), which will lead it to call
      iget_failed() and cleanly fail.
      
      However, this sanity check doesn't work as expected for reused on-disk
      inodes because they leave a non-zero value in i_mode field and it
      hinders the test of i_nlink.  This patch also fixes the issue by
      removing the test on i_mode that nilfs2 doesn't need.
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      344e833f
    • Benjamin Coddington's avatar
      nfsd4: fix xdr4 inclusion of escaped char · 0171a587
      Benjamin Coddington authored
      commit 5a64e569 upstream.
      
      Fix a bug where nfsd4_encode_components_esc() includes the esc_end char as
      an additional string encoding.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Fixes: e7a0444a "nfsd: add IPv6 addr escaping to fs_location hosts"
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0171a587
    • Rasmus Villemoes's avatar
      fs: nfsd: Fix signedness bug in compare_blob · 11e40402
      Rasmus Villemoes authored
      commit ef17af2a upstream.
      
      Bugs similar to the one in acbbe6fb (kcmp: fix standard comparison
      bug) are in rich supply.
      
      In this variant, the problem is that struct xdr_netobj::len has type
      unsigned int, so the expression o1->len - o2->len _also_ has type
      unsigned int; it has completely well-defined semantics, and the result
      is some non-negative integer, which is always representable in a long
      long. But this means that if the conditional triggers, we are
      guaranteed to return a positive value from compare_blob.
      
      In this case it could be fixed by
      
      -       res = o1->len - o2->len;
      +       res = (long long)o1->len - (long long)o2->len;
      
      but I'd rather eliminate the usually broken 'return a - b;' idiom.
      Reviewed-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      11e40402
    • Robert Baldyga's avatar
      serial: samsung: wait for transfer completion before clock disable · 6a388a83
      Robert Baldyga authored
      commit 1ff383a4 upstream.
      
      This patch adds waiting until transmit buffer and shifter will be empty
      before clock disabling.
      
      Without this fix it's possible to have clock disabled while data was
      not transmited yet, which causes unproper state of TX line and problems
      in following data transfers.
      Signed-off-by: default avatarRobert Baldyga <r.baldyga@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a388a83
    • Tejun Heo's avatar
      writeback: fix a subtle race condition in I_DIRTY clearing · 21fe2674
      Tejun Heo authored
      commit 9c6ac78e upstream.
      
      After invoking ->dirty_inode(), __mark_inode_dirty() does smp_mb() and
      tests inode->i_state locklessly to see whether it already has all the
      necessary I_DIRTY bits set.  The comment above the barrier doesn't
      contain any useful information - memory barriers can't ensure "changes
      are seen by all cpus" by itself.
      
      And it sure enough was broken.  Please consider the following
      scenario.
      
       CPU 0					CPU 1
       -------------------------------------------------------------------------------
      
      					enters __writeback_single_inode()
      					grabs inode->i_lock
      					tests PAGECACHE_TAG_DIRTY which is clear
       enters __set_page_dirty()
       grabs mapping->tree_lock
       sets PAGECACHE_TAG_DIRTY
       releases mapping->tree_lock
       leaves __set_page_dirty()
      
       enters __mark_inode_dirty()
       smp_mb()
       sees I_DIRTY_PAGES set
       leaves __mark_inode_dirty()
      					clears I_DIRTY_PAGES
      					releases inode->i_lock
      
      Now @inode has dirty pages w/ I_DIRTY_PAGES clear.  This doesn't seem
      to lead to an immediately critical problem because requeue_inode()
      later checks PAGECACHE_TAG_DIRTY instead of I_DIRTY_PAGES when
      deciding whether the inode needs to be requeued for IO and there are
      enough unintentional memory barriers inbetween, so while the inode
      ends up with inconsistent I_DIRTY_PAGES flag, it doesn't fall off the
      IO list.
      
      The lack of explicit barrier may also theoretically affect the other
      I_DIRTY bits which deal with metadata dirtiness.  There is no
      guarantee that a strong enough barrier exists between
      I_DIRTY_[DATA]SYNC clearing and write_inode() writing out the dirtied
      inode.  Filesystem inode writeout path likely has enough stuff which
      can behave as full barrier but it's theoretically possible that the
      writeout may not see all the updates from ->dirty_inode().
      
      Fix it by adding an explicit smp_mb() after I_DIRTY clearing.  Note
      that I_DIRTY_PAGES needs a special treatment as it always needs to be
      cleared to be interlocked with the lockless test on
      __mark_inode_dirty() side.  It's cleared unconditionally and
      reinstated after smp_mb() if the mapping still has dirty pages.
      
      Also add comments explaining how and why the barriers are paired.
      
      Lightly tested.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21fe2674
    • Oliver Neukum's avatar
      cdc-acm: memory leak in error case · b16c4055
      Oliver Neukum authored
      commit d908f847 upstream.
      
      If probe() fails not only the attributes need to be removed
      but also the memory freed.
      Reported-by: default avatarAhmed Tamrawi <ahmedtamrawi@gmail.com>
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b16c4055
    • Jens Axboe's avatar
      genhd: check for int overflow in disk_expand_part_tbl() · dd4fb6fc
      Jens Axboe authored
      commit 5fabcb4c upstream.
      
      We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition()
      with a user passed in partno value. If we pass in 0x7fffffff, the
      new target in disk_expand_part_tbl() overflows the 'int' and we
      access beyond the end of ptbl->part[] and even write to it when we
      do the rcu_assign_pointer() to assign the new partition.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd4fb6fc
    • Greg Kroah-Hartman's avatar
      USB: cdc-acm: check for valid interfaces · edefe206
      Greg Kroah-Hartman authored
      commit 403dff4e upstream.
      
      We need to check that we have both a valid data and control inteface for both
      types of headers (union and not union.)
      
      References: https://bugzilla.kernel.org/show_bug.cgi?id=83551Reported-by: default avatarSimon Schubert <2+kernel@0x2c.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      edefe206
    • Takashi Iwai's avatar
      ALSA: hda - Fix wrong gpio_dir & gpio_mask hint setups for IDT/STAC codecs · c5bcceb0
      Takashi Iwai authored
      commit c507de88 upstream.
      
      stac_store_hints() does utterly wrong for masking the values for
      gpio_dir and gpio_data, likely due to copy&paste errors.  Fortunately,
      this feature is used very rarely, so the impact must be really small.
      Reported-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5bcceb0
    • Dan Carpenter's avatar
      ALSA: hda - using uninitialized data · a26f3d7a
      Dan Carpenter authored
      commit 69eba10e upstream.
      
      In olden times the snd_hda_param_read() function always set "*start_id"
      but in 2007 we introduced a new return and it causes uninitialized data
      bugs in a couple of the callers: print_codec_info() and
      hdmi_parse_codec().
      
      Fixes: e8a7f136 ('[ALSA] hda-intel - Improve HD-audio codec probing robustness')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a26f3d7a
    • Jiri Jaburek's avatar
      ALSA: usb-audio: extend KEF X300A FU 10 tweak to Arcam rPAC · 5c27da8b
      Jiri Jaburek authored
      commit d70a1b98 upstream.
      
      The Arcam rPAC seems to have the same problem - whenever anything
      (alsamixer, udevd, 3.9+ kernel from 60af3d03, ..) attempts to
      access mixer / control interface of the card, the firmware "locks up"
      the entire device, resulting in
        SNDRV_PCM_IOCTL_HW_PARAMS failed (-5): Input/output error
      from alsa-lib.
      
      Other operating systems can somehow read the mixer (there seems to be
      playback volume/mute), but any manipulation is ignored by the device
      (which has hardware volume controls).
      Signed-off-by: default avatarJiri Jaburek <jjaburek@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c27da8b
    • Alex Williamson's avatar
      driver core: Fix unbalanced device reference in drivers_probe · bdf2a0db
      Alex Williamson authored
      commit bb34cb6b upstream.
      
      bus_find_device_by_name() acquires a device reference which is never
      released.  This results in an object leak, which on older kernels
      results in failure to release all resources of PCI devices.  libvirt
      uses drivers_probe to re-attach devices to the host after assignment
      and is therefore a common trigger for this leak.
      
      Example:
      
      # cd /sys/bus/pci/
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_cleanup, parent           (null)
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): calling ktype release
       kobject: '0000:01:10.0': free name
      
      [kobject freed as expected]
      
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0000:01:10.0 > drivers_probe
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
      
      [no free]
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bdf2a0db
    • Andy Lutomirski's avatar
      x86, vdso: Use asm volatile in __getcpu · 04d98e96
      Andy Lutomirski authored
      commit 1ddf0b1b upstream.
      
      In Linux 3.18 and below, GCC hoists the lsl instructions in the
      pvclock code all the way to the beginning of __vdso_clock_gettime,
      slowing the non-paravirt case significantly.  For unknown reasons,
      presumably related to the removal of a branch, the performance issue
      is gone as of
      
      e76b027e x86,vdso: Use LSL unconditionally for vgetcpu
      
      but I don't trust GCC enough to expect the problem to stay fixed.
      
      There should be no correctness issue, because the __getcpu calls in
      __vdso_vlock_gettime were never necessary in the first place.
      
      Note to stable maintainers: In 3.18 and below, depending on
      configuration, gcc 4.9.2 generates code like this:
      
           9c3:       44 0f 03 e8             lsl    %ax,%r13d
           9c7:       45 89 eb                mov    %r13d,%r11d
           9ca:       0f 03 d8                lsl    %ax,%ebx
      
      This patch won't apply as is to any released kernel, but I'll send a
      trivial backported version if needed.
      
      [
       Backported by Andy Lutomirski.  Should apply to all affected
       versions.  This fixes a functionality bug as well as a performance
       bug: buggy kernels can infinite loop in __vdso_clock_gettime on
       affected compilers.  See, for exammple:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=1178975
      ]
      
      Fixes: 51c19b4f x86: vdso: pvclock gettime support
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Acked-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04d98e96
    • Andy Lutomirski's avatar
      x86_64, vdso: Fix the vdso address randomization algorithm · 466ad659
      Andy Lutomirski authored
      commit 394f56fe upstream.
      
      The theory behind vdso randomization is that it's mapped at a random
      offset above the top of the stack.  To avoid wasting a page of
      memory for an extra page table, the vdso isn't supposed to extend
      past the lowest PMD into which it can fit.  Other than that, the
      address should be a uniformly distributed address that meets all of
      the alignment requirements.
      
      The current algorithm is buggy: the vdso has about a 50% probability
      of being at the very end of a PMD.  The current algorithm also has a
      decent chance of failing outright due to incorrect handling of the
      case where the top of the stack is near the top of its PMD.
      
      This fixes the implementation.  The paxtest estimate of vdso
      "randomisation" improves from 11 bits to 18 bits.  (Disclaimer: I
      don't know what the paxtest code is actually calculating.)
      
      It's worth noting that this algorithm is inherently biased: the vdso
      is more likely to end up near the end of its PMD than near the
      beginning.  Ideally we would either nix the PMD sharing requirement
      or jointly randomize the vdso and the stack to reduce the bias.
      
      In the mean time, this is a considerable improvement with basically
      no risk of compatibility issues, since the allowed outputs of the
      algorithm are unchanged.
      
      As an easy test, doing this:
      
      for i in `seq 10000`
        do grep -P vdso /proc/self/maps |cut -d- -f1
      done |sort |uniq -d
      
      used to produce lots of output (1445 lines on my most recent run).
      A tiny subset looks like this:
      
      7fffdfffe000
      7fffe01fe000
      7fffe05fe000
      7fffe07fe000
      7fffe09fe000
      7fffe0bfe000
      7fffe0dfe000
      
      Note the suspicious fe000 endings.  With the fix, I get a much more
      palatable 76 repeated addresses.
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      466ad659
    • Giedrius Statkevičius's avatar
      HID: Add a new id 0x501a for Genius MousePen i608X · a0dd9ca4
      Giedrius Statkevičius authored
      commit 2bacedad upstream.
      
      New Genius MousePen i608X devices have a new id 0x501a instead of the
      old 0x5011 so add a new #define with "_2" appended and change required
      places.
      
      The remaining two checkpatch warnings about line length
      being over 80 characters are present in the original files too and this
      patch was made in the same style (no line break).
      
      Just adding a new id and changing the required places should make the
      new device work without any issues according to the bug report in the
      following url.
      
      This patch was made according to and fixes:
      https://bugzilla.kernel.org/show_bug.cgi?id=67111Signed-off-by: default avatarGiedrius Statkevičius <giedrius.statkevicius@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0dd9ca4
    • Karl Relton's avatar
      HID: add battery quirk for USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO keyboard · bee704e2
      Karl Relton authored
      commit da940db4 upstream.
      
      Apple bluetooth wireless keyboard (sold in UK) has always reported zero
      for battery strength no matter what condition the batteries are actually
      in. With this patch applied (applying same quirk as other Apple
      keyboards), the battery strength is now correctly reported.
      Signed-off-by: default avatarKarl Relton <karllinuxtest.relton@ntlworld.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bee704e2
    • Dan Carpenter's avatar
      HID: roccat: potential out of bounds in pyra_sysfs_write_settings() · 94bb429e
      Dan Carpenter authored
      commit 606185b2 upstream.
      
      This is a static checker fix.  We write some binary settings to the
      sysfs file.  One of the settings is the "->startup_profile".  There
      isn't any checking to make sure it fits into the
      pyra->profile_settings[] array in the profile_activated() function.
      
      I added a check to pyra_sysfs_write_settings() in both places because
      I wasn't positive that the other callers were correct.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94bb429e
    • Gwendal Grignou's avatar
      HID: i2c-hid: prevent buffer overflow in early IRQ · 32b57c08
      Gwendal Grignou authored
      commit d1c7e29e upstream.
      
      Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
      64 bytes. While processing the IRQ, we were asking to receive up to
      wMaxInputLength bytes, which can be bigger than 64 bytes.
      
      Later, when ->start is run, a proper bufsize will be calculated.
      
      Given wMaxInputLength is said to be unreliable in other part of the
      code, set to receive only what we can even if it results in truncated
      reports.
      Signed-off-by: default avatarGwendal Grignou <gwendal@chromium.org>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32b57c08
    • Jean-Baptiste Maneyrol's avatar
      HID: i2c-hid: fix race condition reading reports · caa853b3
      Jean-Baptiste Maneyrol authored
      commit 6296f4a8 upstream.
      
      Current driver uses a common buffer for reading reports either
      synchronously in i2c_hid_get_raw_report() and asynchronously in
      the interrupt handler.
      There is race condition if an interrupt arrives immediately after
      the report is received in i2c_hid_get_raw_report(); the common
      buffer is modified by the interrupt handler with the new report
      and then i2c_hid_get_raw_report() proceed using wrong data.
      
      Fix it by using a separate buffers for synchronous reports.
      Signed-off-by: default avatarJean-Baptiste Maneyrol <jmaneyrol@invensense.com>
      [Antonio Borneo: cleanup, rebase to v3.17, submit mainline]
      Signed-off-by: default avatarAntonio Borneo <borneo.antonio@gmail.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      caa853b3
    • Jiang Liu's avatar
      iommu/vt-d: Fix an off-by-one bug in __domain_mapping() · b658f2ad
      Jiang Liu authored
      commit cc4f14aa upstream.
      
      There's an off-by-one bug in function __domain_mapping(), which may
      trigger the BUG_ON(nr_pages < lvl_pages) when
      	(nr_pages + 1) & superpage_mask == 0
      
      The issue was introduced by commit 9051aa02 "intel-iommu: Combine
      domain_pfn_mapping() and domain_sg_mapping()", which sets sg_res to
      "nr_pages + 1" to avoid some of the 'sg_res==0' code paths.
      
      It's safe to remove extra "+1" because sg_res is only used to calculate
      page size now.
      Reported-And-Tested-by: default avatarSudeep Dutt <sudeep.dutt@intel.com>
      Signed-off-by: default avatarJiang Liu <jiang.liu@linux.intel.com>
      Acked-By: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b658f2ad
    • Richard Weinberger's avatar
      UBI: Fix double free after do_sync_erase() · ccebbb7e
      Richard Weinberger authored
      commit aa5ad3b6 upstream.
      
      If the erase worker is unable to erase a PEB it will
      free the ubi_wl_entry itself.
      The failing ubi_wl_entry must not free()'d again after
      do_sync_erase() returns.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccebbb7e
    • Richard Weinberger's avatar
      UBI: Fix invalid vfree() · 398dd8fd
      Richard Weinberger authored
      commit f38aed97 upstream.
      
      The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
      In ubi_start_update() vol->updating is set long before vmalloc()'ing
      vol->upd_buf. If we encounter a write failure in ubi_start_update()
      before vmalloc() the UBI device release function will try to vfree()
      vol->upd_buf because vol->updating is set.
      Fix this by allocating vol->upd_buf directly after setting vol->updating.
      
      Fixes:
      [   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
      [   31.559340] ------------[ cut here ]------------
      [   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
      [   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
      [   31.559345] Modules linked in:
      [   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
      [   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
      [   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
      [   31.567793] Call Trace:
      [   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
      [   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
      [   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
      [   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
      [   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
      [   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
      [   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      398dd8fd
    • Tony Lindgren's avatar
      pstore-ram: Allow optional mapping with pgprot_noncached · c0d9d658
      Tony Lindgren authored
      commit 027bc8b0 upstream.
      
      On some ARMs the memory can be mapped pgprot_noncached() and still
      be working for atomic operations. As pointed out by Colin Cross
      <ccross@android.com>, in some cases you do want to use
      pgprot_noncached() if the SoC supports it to see a debug printk
      just before a write hanging the system.
      
      On ARMs, the atomic operations on strongly ordered memory are
      implementation defined. So let's provide an optional kernel parameter
      for configuring pgprot_noncached(), and use pgprot_writecombine() by
      default.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robherring2@gmail.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: Anton Vorontsov <anton@enomsg.org>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Russell King <linux@arm.linux.org.uk>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0d9d658
    • Rob Herring's avatar
      pstore-ram: Fix hangs by using write-combine mappings · af74a863
      Rob Herring authored
      commit 7ae9cb81 upstream.
      
      Currently trying to use pstore on at least ARMs can hang as we're
      mapping the peristent RAM with pgprot_noncached().
      
      On ARMs, pgprot_noncached() will actually make the memory strongly
      ordered, and as the atomic operations pstore uses are implementation
      defined for strongly ordered memory, they may not work. So basically
      atomic operations have undefined behavior on ARM for device or strongly
      ordered memory types.
      
      Let's fix the issue by using write-combine variants for mappings. This
      corresponds to normal, non-cacheable memory on ARM. For many other
      architectures, this change does not change the mapping type as by
      default we have:
      
      #define pgprot_writecombine pgprot_noncached
      
      The reason why pgprot_noncached() was originaly used for pstore
      is because Colin Cross <ccross@android.com> had observed lost
      debug prints right before a device hanging write operation on some
      systems. For the platforms supporting pgprot_noncached(), we can
      add a an optional configuration option to support that. But let's
      get pstore working first before adding new features.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Anton Vorontsov <cbouatmailru@gmail.com>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: linux-kernel@vger.kernel.org
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarRob Herring <rob.herring@calxeda.com>
      [tony@atomide.com: updated description]
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af74a863
    • Myron Stowe's avatar
      PCI: Restore detection of read-only BARs · 9670f1a4
      Myron Stowe authored
      commit 36e81648 upstream.
      
      Commit 6ac665c6 ("PCI: rewrite PCI BAR reading code") masked off
      low-order bits from 'l', but not from 'sz'.  Both are passed to pci_size(),
      which compares 'base == maxbase' to check for read-only BARs.  The masking
      of 'l' means that comparison will never be 'true', so the check for
      read-only BARs no longer works.
      
      Resolve this by also masking off the low-order bits of 'sz' before passing
      it into pci_size() as 'maxbase'.  With this change, pci_size() will once
      again catch the problems that have been encountered to date:
      
        - AGP aperture BAR of AMD-7xx host bridges: if the AGP window is
          disabled, this BAR is read-only and read as 0x00000008 [1]
      
        - BARs 0-4 of ALi IDE controllers can be non-zero and read-only [1]
      
        - Intel Sandy Bridge - Thermal Management Controller [8086:0103];
          BAR 0 returning 0xfed98004 [2]
      
        - Intel Xeon E5 v3/Core i7 Power Control Unit [8086:2fc0];
          Bar 0 returning 0x00001a [3]
      
      Link: [1] https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/drivers/pci/probe.c?id=1307ef6621991f1c4bc3cec1b5a4ebd6fd3d66b9 ("PCI: probing read-only BARs" (pre-git))
      Link: [2] https://bugzilla.kernel.org/show_bug.cgi?id=43331
      Link: [3] https://bugzilla.kernel.org/show_bug.cgi?id=85991Reported-by: default avatarWilliam Unruh <unruh@physics.ubc.ca>
      Reported-by: default avatarMartin Lucina <martin@lucina.net>
      Signed-off-by: default avatarMyron Stowe <myron.stowe@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Matthew Wilcox <willy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9670f1a4
    • Andrew Jackson's avatar
      ASoC: dwc: Ensure FIFOs are flushed to prevent channel swap · 97a3f651
      Andrew Jackson authored
      commit 3475c3d0 upstream.
      
      Flush the FIFOs when the stream is prepared for use.  This avoids
      an inadvertent swapping of the left/right channels if the FIFOs are
      not empty at startup.
      Signed-off-by: default avatarAndrew Jackson <Andrew.Jackson@arm.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97a3f651
    • Jarkko Nikula's avatar
      ASoC: max98090: Fix ill-defined sidetone route · ef3a852c
      Jarkko Nikula authored
      commit 48826ee5 upstream.
      
      Commit 5fe5b767 ("ASoC: dapm: Do not pretend to support controls for non
      mixer/mux widgets") revealed ill-defined control in a route between
      "STENL Mux" and DACs in max98090.c:
      
      max98090 i2c-193C9890:00: Control not supported for path STENL Mux -> [NULL] -> DACL
      max98090 i2c-193C9890:00: ASoC: no dapm match for STENL Mux --> NULL --> DACL
      max98090 i2c-193C9890:00: ASoC: Failed to add route STENL Mux -> NULL -> DACL
      max98090 i2c-193C9890:00: Control not supported for path STENL Mux -> [NULL] -> DACR
      max98090 i2c-193C9890:00: ASoC: no dapm match for STENL Mux --> NULL --> DACR
      max98090 i2c-193C9890:00: ASoC: Failed to add route STENL Mux -> NULL -> DACR
      
      Since there is no control between "STENL Mux" and DACs the control name must
      be NULL not "NULL".
      Signed-off-by: default avatarJarkko Nikula <jarkko.nikula@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef3a852c
    • Lars-Peter Clausen's avatar
      ASoC: sigmadsp: Refuse to load firmware files with a non-supported version · c60c3ab7
      Lars-Peter Clausen authored
      commit 50c0f21b upstream.
      
      Make sure to check the version field of the firmware header to make sure to
      not accidentally try to parse a firmware file with a different layout.
      Trying to do so can result in loading invalid firmware code to the device.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c60c3ab7
    • Felix Fietkau's avatar
      ath5k: fix hardware queue index assignment · 68956d1e
      Felix Fietkau authored
      commit 9e4982f6 upstream.
      
      Like with ath9k, ath5k queues also need to be ordered by priority.
      queue_info->tqi_subtype already contains the correct index, so use it
      instead of relying on the order of ath5k_hw_setup_tx_queue calls.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68956d1e