1. 12 Apr, 2016 11 commits
    • Daniel Vetter's avatar
      drm/gma500: Use correct unref in the gem bo create function · 527435d6
      Daniel Vetter authored
      [ Upstream commit d3e376f5 ]
      
      This is called without dev->struct_mutex held, we need to use the
      _unlocked variant.
      
      Never caught in the wild since you'd need an evil userspace which
      races a gem_close ioctl call with the in-progress open.
      
      Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
      Acked-by: default avatarPatrik Jakobsson <patrik.r.jakobsson@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1448271183-20523-17-git-send-email-daniel.vetter@ffwll.chSigned-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      527435d6
    • Jan Kara's avatar
      ext4: fix bh->b_state corruption · a7635d6a
      Jan Kara authored
      [ Upstream commit ed8ad838 ]
      
      ext4 can update bh->b_state non-atomically in _ext4_get_block() and
      ext4_da_get_block_prep(). Usually this is fine since bh is just a
      temporary storage for mapping information on stack but in some cases it
      can be fully living bh attached to a page. In such case non-atomic
      update of bh->b_state can race with an atomic update which then gets
      lost. Usually when we are mapping bh and thus updating bh->b_state
      non-atomically, nobody else touches the bh and so things work out fine
      but there is one case to especially worry about: ext4_finish_bio() uses
      BH_Uptodate_Lock on the first bh in the page to synchronize handling of
      PageWriteback state. So when blocksize < pagesize, we can be atomically
      modifying bh->b_state of a buffer that actually isn't under IO and thus
      can race e.g. with delalloc trying to map that buffer. The result is
      that we can mistakenly set / clear BH_Uptodate_Lock bit resulting in the
      corruption of PageWriteback state or missed unlock of BH_Uptodate_Lock.
      
      Fix the problem by always updating bh->b_state bits atomically.
      
      CC: stable@vger.kernel.org
      Reported-by: default avatarNikolay Borisov <kernel@kyup.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a7635d6a
    • Dave Chinner's avatar
      dax: don't abuse get_block mapping for endio callbacks · 0e3029cf
      Dave Chinner authored
      [ Upstream commit e842f290 ]
      
      dax_fault() currently relies on the get_block callback to attach an
      io completion callback to the mapping buffer head so that it can
      run unwritten extent conversion after zeroing allocated blocks.
      
      Instead of this hack, pass the conversion callback directly into
      dax_fault() similar to the get_block callback. When the filesystem
      allocates unwritten extents, it will set the buffer_unwritten()
      flag, and hence the dax_fault code can call the completion function
      in the contexts where it is necessary without overloading the
      mapping buffer head.
      
      Note: The changes to ext4 to use this interface are suspect at best.
      In fact, the way ext4 did this end_io assignment in the first place
      looks suspect because it only set a completion callback when there
      wasn't already some other write() call taking place on the same
      inode. The ext4 end_io code looks rather intricate and fragile with
      all it's reference counting and passing to different contexts for
      modification via inode private pointers that aren't protected by
      locks...
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Acked-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0e3029cf
    • Rusty Russell's avatar
      module: wrapper for symbol name. · 89d27e32
      Rusty Russell authored
      [ Upstream commit 2e7bac53 ]
      
      This trivial wrapper adds clarity and makes the following patch
      smaller.
      
      Cc: stable@kernel.org
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      89d27e32
    • Rich Felker's avatar
      MAINTAINERS: return arch/sh to maintained state, with new maintainers · b7fcd843
      Rich Felker authored
      [ Upstream commit 114bf37e ]
      
      Add Yoshinori Sato and Rich Felker as maintainers for arch/sh
      (SUPERH).
      Signed-off-by: default avatarRich Felker <dalias@libc.org>
      Signed-off-by: default avatarYoshinori Sato <ysato@users.sourceforge.jp>
      Acked-by: default avatarD. Jeff Dionne <jeff@uClinux.org>
      Acked-by: default avatarRob Landley <rob@landley.net>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Acked-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b7fcd843
    • Tony Lindgren's avatar
      ARM: OMAP2+: Fix l2_inv_api_params for rodata · 24e6deaf
      Tony Lindgren authored
      [ Upstream commit 0a0b1327 ]
      
      We don't want to write to .text, so let's move l2_inv_api_params
      to .data and access it via a pointer.
      
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Nishanth Menon <nm@ti.com>
      Cc: Richard Woodruff <r-woodruff2@ti.com>
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: Tero Kristo <t-kristo@ti.com>
      Acked-by: default avatarNicolas Pitre <nico@linaro.org>
      Cc: stable@vger.kernel.org # v4.0+
      Fixes: 1e6b4811 ("ARM: mm: allow non-text sections to be
      non-executable")
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      24e6deaf
    • Akinobu Mita's avatar
      iio: pressure: mpl115: fix temperature offset sign · 17fe8c8b
      Akinobu Mita authored
      [ Upstream commit 431386e7 ]
      
      According to the datasheet, the resolusion of temperature sensor is
      -5.35 counts/C. Temperature ADC is 472 counts at 25C.
      (https://www.sparkfun.com/datasheets/Sensors/Pressure/MPL115A1.pdf
      NOTE: This is older revision, but this information is removed from the
      latest datasheet from nxp somehow)
      
      Temp [C] = (Tadc - 472) / -5.35 + 25
               = (Tadc - 605.750000) * -0.186915888
      
      So the correct offset is -605.750000.
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Acked-by: default avatarPeter Meerwald-Stadler <pmeerw@pmeerw.net>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      17fe8c8b
    • Yong Li's avatar
      iio: dac: mcp4725: set iio name property in sysfs · 5b20b25a
      Yong Li authored
      [ Upstream commit 97a249e9 ]
      
      Without this change, the name entity for mcp4725 is missing in
      /sys/bus/iio/devices/iio\:device*/name
      
      With this change, name is reported correctly
      Signed-off-by: default avatarYong Li <sdliyong@gmail.com>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5b20b25a
    • Lars-Peter Clausen's avatar
      iio: adis_buffer: Fix out-of-bounds memory access · 3e77cb85
      Lars-Peter Clausen authored
      [ Upstream commit d590faf9 ]
      
      The SPI tx and rx buffers are both supposed to be scan_bytes amount of
      bytes large and a common allocation is used to allocate both buffers. This
      puts the beginning of the tx buffer scan_bytes bytes after the rx buffer.
      The initialization of the tx buffer pointer is done adding scan_bytes to
      the beginning of the rx buffer, but since the rx buffer is of type __be16
      this will actually add two times as much and the tx buffer ends up pointing
      after the allocated buffer.
      
      Fix this by using scan_count, which is scan_bytes / 2, instead of
      scan_bytes when initializing the tx buffer pointer.
      
      Fixes: aacff892 ("staging:iio:adis: Preallocate transfer message")
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3e77cb85
    • Jann Horn's avatar
      ptrace: use fsuid, fsgid, effective creds for fs access checks · ab88ce5f
      Jann Horn authored
      [ Upstream commit caaee623 ]
      
      By checking the effective credentials instead of the real UID / permitted
      capabilities, ensure that the calling process actually intended to use its
      credentials.
      
      To ensure that all ptrace checks use the correct caller credentials (e.g.
      in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
      flag), use two new flags and require one of them to be set.
      
      The problem was that when a privileged task had temporarily dropped its
      privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
      perform following syscalls with the credentials of a user, it still passed
      ptrace access checks that the user would not be able to pass.
      
      While an attacker should not be able to convince the privileged task to
      perform a ptrace() syscall, this is a problem because the ptrace access
      check is reused for things in procfs.
      
      In particular, the following somewhat interesting procfs entries only rely
      on ptrace access checks:
      
       /proc/$pid/stat - uses the check for determining whether pointers
           should be visible, useful for bypassing ASLR
       /proc/$pid/maps - also useful for bypassing ASLR
       /proc/$pid/cwd - useful for gaining access to restricted
           directories that contain files with lax permissions, e.g. in
           this scenario:
           lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
           drwx------ root root /root
           drwxr-xr-x root root /root/foobar
           -rw-r--r-- root root /root/foobar/secret
      
      Therefore, on a system where a root-owned mode 6755 binary changes its
      effective credentials as described and then dumps a user-specified file,
      this could be used by an attacker to reveal the memory layout of root's
      processes or reveal the contents of files he is not allowed to access
      (through /proc/$pid/cwd).
      
      [akpm@linux-foundation.org: fix warning]
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ab88ce5f
    • Benjamin Tissoires's avatar
      HID: multitouch: fix input mode switching on some Elan panels · 93d310f6
      Benjamin Tissoires authored
      [ Upstream commit 73e7d63e ]
      
      as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
      
      This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
      reports on demand for Win8 devices") as the origin of the problem but this
      commit actually masked 2 firmware bugs that are annihilating each other:
      
      The report descriptor declares two features in reports 3 and 5:
      
      0x05, 0x0d,                    // Usage Page (Digitizers)             318
      0x09, 0x0e,                    // Usage (Device Configuration)        320
      0xa1, 0x01,                    // Collection (Application)            322
      0x85, 0x03,                    //  Report ID (3)                      324
      0x09, 0x22,                    //  Usage (Finger)                     326
      0xa1, 0x00,                    //  Collection (Physical)              328
      0x09, 0x52,                    //   Usage (Inputmode)                 330
      0x15, 0x00,                    //   Logical Minimum (0)               332
      0x25, 0x0a,                    //   Logical Maximum (10)              334
      0x75, 0x08,                    //   Report Size (8)                   336
      0x95, 0x02,                    //   Report Count (2)                  338
      0xb1, 0x02,                    //   Feature (Data,Var,Abs)            340
      0xc0,                          //  End Collection                     342
      0x09, 0x22,                    //  Usage (Finger)                     343
      0xa1, 0x00,                    //  Collection (Physical)              345
      0x85, 0x05,                    //   Report ID (5)                     347
      0x09, 0x57,                    //   Usage (Surface Switch)            349
      0x09, 0x58,                    //   Usage (Button Switch)             351
      0x15, 0x00,                    //   Logical Minimum (0)               353
      0x75, 0x01,                    //   Report Size (1)                   355
      0x95, 0x02,                    //   Report Count (2)                  357
      0x25, 0x03,                    //   Logical Maximum (3)               359
      0xb1, 0x02,                    //   Feature (Data,Var,Abs)            361
      0x95, 0x0e,                    //   Report Count (14)                 363
      0xb1, 0x03,                    //   Feature (Cnst,Var,Abs)            365
      0xc0,                          //  End Collection                     367
      
      The report ID 3 presents 2 input mode features, while only the first one
      is handled by the device. Given that we did not checked if one was
      previously assigned, we were dealing with the ignored featured and we
      should never have been able to switch this panel into the multitouch mode.
      
      However, the firmware presents an other bugs which allowed 6d4f5440
      to counteract the faulty report descriptor. When we request the values
      of the feature 5, the firmware answers "03 03 00". The fields are correct
      but the report id is wrong. Before 6d4f5440, we retrieved all the features
      and injected them in the system. So when we called report 5, we injected
      in the system the report 3 with the values "03 00".
      Setting the second input mode to 03 in this report changed it to "03 03"
      and the touchpad switched to the mt mode. We could have set anything
      in the second field because the actual value (the first 03 in this report)
      was given by the query of report ID 5.
      
      To sum up: 2 bugs in the firmware were hiding that we were accessing the
      wrong feature.
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      93d310f6
  2. 06 Apr, 2016 10 commits
    • Raghavendra K T's avatar
      sched: Fix crash in sched_init_numa() · 8cf0abcf
      Raghavendra K T authored
      [ Upstream commit 9c03ee14 ]
      
      The following PowerPC commit:
      
        c118baf8 ("arch/powerpc/mm/numa.c: do not allocate bootmem memory for non existing nodes")
      
      avoids allocating bootmem memory for non existent nodes.
      
      But when DEBUG_PER_CPU_MAPS=y is enabled, my powerNV system failed to boot
      because in sched_init_numa(), cpumask_or() operation was done on
      unallocated nodes.
      
      Fix that by making cpumask_or() operation only on existing nodes.
      
      [ Tested with and w/o DEBUG_PER_CPU_MAPS=y on x86 and PowerPC. ]
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarRaghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
      Cc: <gkurz@linux.vnet.ibm.com>
      Cc: <grant.likely@linaro.org>
      Cc: <nikunj@linux.vnet.ibm.com>
      Cc: <vdavydov@parallels.com>
      Cc: <linuxppc-dev@lists.ozlabs.org>
      Cc: <linux-mm@kvack.org>
      Cc: <peterz@infradead.org>
      Cc: <benh@kernel.crashing.org>
      Cc: <paulus@samba.org>
      Cc: <mpe@ellerman.id.au>
      Cc: <anton@samba.org>
      Link: http://lkml.kernel.org/r/1452884483-11676-1-git-send-email-raghavendra.kt@linux.vnet.ibm.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8cf0abcf
    • Takashi Iwai's avatar
      ALSA: hda - Implement loopback control switch for Realtek and other codecs · 7abe6e35
      Takashi Iwai authored
      [ Upstream commit e7fdd527 ]
      
      Many codecs, typically found on Realtek codecs, have the analog
      loopback path merged to the secondary input of the middle of the
      output paths.  Currently, we don't offer the dynamic switching in such
      configuration but let each loopback path mute by itself.
      
      This should work well in theory, but in reality, we often see that
      such a dead loopback path causes some background noises even if all
      the elements get muted.  Such a problem has been fixed by adding the
      quirk accordingly to disable aamix, and it's the right fix, per se.
      The only problem is that it's not so trivial to achieve it; user needs
      to pass a hint string via patch module option or sysfs.
      
      This patch gives a bit improvement on the situation: it adds "Loopback
      Mixing" control element for such codecs like other codecs (e.g. IDT or
      VIA codecs) with the individual loopback paths.  User can turn on/off
      the loopback path simply via a mixer app.
      
      For keeping the compatibility, the loopback is still enabled on these
      codecs.  But user can try to turn it off if experiencing a suspicious
      background or click noise on the fly, then build a static fixup later
      once after the problem is addressed.
      
      Other than the addition of the loopback enable/disablement control,
      there should be no changes.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7abe6e35
    • Ioan-Adrian Ratiu's avatar
      HID: usbhid: fix recursive deadlock · af24c621
      Ioan-Adrian Ratiu authored
      [ Upstream commit e470127e ]
      
      The critical section protected by usbhid->lock in hid_ctrl() is too
      big and because of this it causes a recursive deadlock. "Too big" means
      the case statement and the call to hid_input_report() do not need to be
      protected by the spinlock (no URB operations are done inside them).
      
      The deadlock happens because in certain rare cases drivers try to grab
      the lock while handling the ctrl irq which grabs the lock before them
      as described above. For example newer wacom tablets like 056a:033c try
      to reschedule proximity reads from wacom_intuos_schedule_prox_event()
      calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
      which tries to grab the usbhid lock already held by hid_ctrl().
      
      There are two ways to get out of this deadlock:
          1. Make the drivers work "around" the ctrl critical region, in the
          wacom case for ex. by delaying the scheduling of the proximity read
          request itself to a workqueue.
          2. Shrink the critical region so the usbhid lock protects only the
          instructions which modify usbhid state, calling hid_input_report()
          with the spinlock unlocked, allowing the device driver to grab the
          lock first, finish and then grab the lock afterwards in hid_ctrl().
      
      This patch implements the 2nd solution.
      Signed-off-by: default avatarIoan-Adrian Ratiu <adi@adirat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      af24c621
    • Takashi Iwai's avatar
      ALSA: hda - Add fixup for Dell Latitidue E6540 · 1c0c6599
      Takashi Iwai authored
      [ Upstream commit cf52103a ]
      
      Another Dell model, another fixup entry: Latitude E6540 needs the same
      fixup as other Latitude E series as workaround for noise problems.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104341
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1c0c6599
    • Takashi Iwai's avatar
      ALSA: hda - Fix noise on Dell Latitude E6440 · a0eb05f6
      Takashi Iwai authored
      [ Upstream commit 86f799b8 ]
      
      Dell Latitude E6440 (1028:05bd) needs the same fixup as applied to
      other Latitude E7xxx models for the click noise due to the recent
      power-saving changes.
      
      Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=954876
      Cc: <stable@vger.kernel.org> # v4.1+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a0eb05f6
    • Takashi Iwai's avatar
      ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect · 46a190e6
      Takashi Iwai authored
      [ Upstream commit 5c06d68b ]
      
      ALSA PCM may still have a leftover instance after disconnection and
      it delays its release.  The problem is that the PCM close code path of
      USB-audio driver has a call of snd_usb_autosuspend().  This involves
      with the call of usb_autopm_put_interface() and it may lead to a
      kernel Oops due to the NULL object like:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000190
       IP: [<ffffffff815ae7ef>] usb_autopm_put_interface+0xf/0x30 PGD 0
       Call Trace:
        [<ffffffff8173bd94>] snd_usb_autosuspend+0x14/0x20
        [<ffffffff817461bc>] snd_usb_pcm_close.isra.14+0x5c/0x90
        [<ffffffff8174621f>] snd_usb_playback_close+0xf/0x20
        [<ffffffff816ef58a>] snd_pcm_release_substream.part.36+0x3a/0x90
        [<ffffffff816ef6b3>] snd_pcm_release+0xa3/0xb0
        [<ffffffff816debb0>] snd_disconnect_release+0xd0/0xe0
        [<ffffffff8114d417>] __fput+0x97/0x1d0
        [<ffffffff8114d589>] ____fput+0x9/0x10
        [<ffffffff8109e452>] task_work_run+0x72/0x90
        [<ffffffff81088510>] do_exit+0x280/0xa80
        [<ffffffff8108996a>] do_group_exit+0x3a/0xa0
        [<ffffffff8109261f>] get_signal+0x1df/0x540
        [<ffffffff81040903>] do_signal+0x23/0x620
        [<ffffffff8114c128>] ? do_readv_writev+0x128/0x200
        [<ffffffff810012e1>] prepare_exit_to_usermode+0x91/0xd0
        [<ffffffff810013ba>] syscall_return_slowpath+0x9a/0x120
        [<ffffffff817587cd>] ? __sys_recvmsg+0x5d/0x70
        [<ffffffff810d2765>] ? ktime_get_ts64+0x45/0xe0
        [<ffffffff8115dea0>] ? SyS_poll+0x60/0xf0
        [<ffffffff818d2327>] int_ret_from_sys_call+0x25/0x8f
      
      We have already a check of disconnection in snd_usb_autoresume(), but
      the check is missing its counterpart.  The fix is just to put the same
      check in snd_usb_autosuspend(), too.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      46a190e6
    • Takashi Iwai's avatar
      ALSA: usb-audio: Avoid nested autoresume calls · 30e821e1
      Takashi Iwai authored
      [ Upstream commit 47ab1545 ]
      
      After the recent fix of runtime PM for USB-audio driver, we got a
      lockdep warning like:
      
        =============================================
        [ INFO: possible recursive locking detected ]
        4.2.0-rc8+ #61 Not tainted
        ---------------------------------------------
        pulseaudio/980 is trying to acquire lock:
         (&chip->shutdown_rwsem){.+.+.+}, at: [<ffffffffa0355dac>] snd_usb_autoresume+0x1d/0x52 [snd_usb_audio]
        but task is already holding lock:
         (&chip->shutdown_rwsem){.+.+.+}, at: [<ffffffffa0355dac>] snd_usb_autoresume+0x1d/0x52 [snd_usb_audio]
      
      This comes from snd_usb_autoresume() invoking down_read() and it's
      used in a nested way.  Although it's basically safe, per se (as these
      are read locks), it's better to reduce such spurious warnings.
      
      The read lock is needed to guarantee the execution of "shutdown"
      (cleanup at disconnection) task after all concurrent tasks are
      finished.  This can be implemented in another better way.
      
      Also, the current check of chip->in_pm isn't good enough for
      protecting the racy execution of multiple auto-resumes.
      
      This patch rewrites the logic of snd_usb_autoresume() & co; namely,
      - The recursive call of autopm is avoided by the new refcount,
        chip->active.  The chip->in_pm flag is removed accordingly.
      - Instead of rwsem, another refcount, chip->usage_count, is introduced
        for tracking the period to delay the shutdown procedure.  At
        the last clear of this refcount, wake_up() to the shutdown waiter is
        called.
      - The shutdown flag is replaced with shutdown atomic count; this is
        for reducing the lock.
      - Two new helpers are introduced to simplify the management of these
        refcounts; snd_usb_lock_shutdown() increases the usage_count, checks
        the shutdown state, and does autoresume.  snd_usb_unlock_shutdown()
        does the opposite.  Most of mixer and other codes just need this,
        and simply returns an error if it receives an error from lock.
      
      Fixes: 9003ebb1 ('ALSA: usb-audio: Fix runtime PM unbalance')
      Reported-and-tested-by: default avatarAlexnader Kuleshov <kuleshovmail@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      30e821e1
    • Julian Scheel's avatar
      ALSA: usb-audio: Fix parameter block size for UAC2 control requests · 8d343090
      Julian Scheel authored
      [ Upstream commit bc18e31c ]
      
      USB Audio Class version 2.0 supports three different parameter block sizes for
      CUR requests, which are 1 byte (5.2.3.1 Layout 1 Parameter Block), 2 bytes
      (5.2.3.2 Layout 2 Parameter Block) and 4 bytes (5.2.3.3 Layout 3 Parameter
      Block). Use the correct size according to the specific control as it was
      already done for UACv1. The allocated block size for control requests is
      increased to support the 4 byte worst case.
      Signed-off-by: default avatarJulian Scheel <julian@jusst.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8d343090
    • Johan Rastén's avatar
      ALSA: usb-audio: Set correct type for some UAC2 mixer controls. · 97828b71
      Johan Rastén authored
      [ Upstream commit 27c41dad ]
      
      Changed ctl type for Input Gain Control and Input Gain Pad Control to
      USB_MIXER_S16 as per section 5.2.5.7.11-12 in the USB Audio Class 2.0
      definition.
      Signed-off-by: default avatarJohan Rastén <johan@oljud.se>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      97828b71
    • David Henningsson's avatar
      ALSA: hda - Fixup inverted internal mic for Lenovo E50-80 · 6abe3345
      David Henningsson authored
      [ Upstream commit 56f27013 ]
      
      Inform userspace that one channel of the internal mic has reversed
      polarity, so it does not attempt to add both channels together and
      end up with silence.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAndrzej Mendel <andrzej.mendel@gmail.com>
      Alsa-info: http://www.alsa-project.org/db/?f=3088f82a0cf977855f92af9db8ad406c04f71efa
      BugLink: https://bugs.launchpad.net/bugs/1529624Signed-off-by: default avatarDavid Henningsson <david.henningsson@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6abe3345
  3. 03 Apr, 2016 1 commit
  4. 24 Mar, 2016 5 commits
    • Alexander Shishkin's avatar
      perf/core: Fix perf_sched_count derailment · 919e67a6
      Alexander Shishkin authored
      [ Upstream commit 927a5570 ]
      
      The error path in perf_event_open() is such that asking for a sampling
      event on a PMU that doesn't generate interrupts will end up in dropping
      the perf_sched_count even though it hasn't been incremented for this
      event yet.
      
      Given a sufficient amount of these calls, we'll end up disabling
      scheduler's jump label even though we'd still have active events in the
      system, thereby facilitating the arrival of the infernal regions upon us.
      
      I'm fixing this by moving account_event() inside perf_event_alloc().
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <stable@vger.kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: vince@deater.net
      Link: http://lkml.kernel.org/r/1456917854-29427-1-git-send-email-alexander.shishkin@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarHe Kuang <hekuang@huawei.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      919e67a6
    • Peter Zijlstra's avatar
      perf: Cure event->pending_disable race · 882f862d
      Peter Zijlstra authored
      [ Upstream commit 28a967c3 ]
      
      Because event_sched_out() checks event->pending_disable _before_
      actually disabling the event, it can happen that the event fires after
      it checks but before it gets disabled.
      
      This would leave event->pending_disable set and the queued irq_work
      will try and process it.
      
      However, if the event trigger was during schedule(), the event might
      have been de-scheduled by the time the irq_work runs, and
      perf_event_disable_local() will fail.
      
      Fix this by checking event->pending_disable _after_ we call
      event->pmu->del(). This depends on the latter being a compiler
      barrier, such that the compiler does not lift the load and re-creates
      the problem.
      Tested-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: dvyukov@google.com
      Cc: eranian@google.com
      Cc: oleg@redhat.com
      Cc: panand@redhat.com
      Cc: sasha.levin@oracle.com
      Cc: vince@deater.net
      Link: http://lkml.kernel.org/r/20160224174948.040469884@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarHe Kuang <hekuang@huawei.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      882f862d
    • Peter Zijlstra's avatar
      perf: Do not double free · 5709e7ba
      Peter Zijlstra authored
      [ Upstream commit 13005627 ]
      
      In case of: err_file: fput(event_file), we'll end up calling
      perf_release() which in turn will free the event.
      
      Do not then free the event _again_.
      Tested-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: dvyukov@google.com
      Cc: eranian@google.com
      Cc: oleg@redhat.com
      Cc: panand@redhat.com
      Cc: sasha.levin@oracle.com
      Cc: vince@deater.net
      Link: http://lkml.kernel.org/r/20160224174947.697350349@infradead.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarHe Kuang <hekuang@huawei.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5709e7ba
    • Yang Shi's avatar
      arm64: replace read_lock to rcu lock in call_step_hook · 143cf26c
      Yang Shi authored
      [ Upstream commit cf0a2543 ]
      
      BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:917
      in_atomic(): 1, irqs_disabled(): 128, pid: 383, name: sh
      Preemption disabled at:[<ffff800000124c18>] kgdb_cpu_enter+0x158/0x6b8
      
      CPU: 3 PID: 383 Comm: sh Tainted: G        W       4.1.13-rt13 #2
      Hardware name: Freescale Layerscape 2085a RDB Board (DT)
      Call trace:
      [<ffff8000000885e8>] dump_backtrace+0x0/0x128
      [<ffff800000088734>] show_stack+0x24/0x30
      [<ffff80000079a7c4>] dump_stack+0x80/0xa0
      [<ffff8000000bd324>] ___might_sleep+0x18c/0x1a0
      [<ffff8000007a20ac>] __rt_spin_lock+0x2c/0x40
      [<ffff8000007a2268>] rt_read_lock+0x40/0x58
      [<ffff800000085328>] single_step_handler+0x38/0xd8
      [<ffff800000082368>] do_debug_exception+0x58/0xb8
      Exception stack(0xffff80834a1e7c80 to 0xffff80834a1e7da0)
      7c80: ffffff9c ffffffff 92c23ba0 0000ffff 4a1e7e40 ffff8083 001bfcc4 ffff8000
      7ca0: f2000400 00000000 00000000 00000000 4a1e7d80 ffff8083 0049501c ffff8000
      7cc0: 00005402 00000000 00aaa210 ffff8000 4a1e7ea0 ffff8083 000833f4 ffff8000
      7ce0: ffffff9c ffffffff 92c23ba0 0000ffff 4a1e7ea0 ffff8083 001bfcc0 ffff8000
      7d00: 4a0fc400 ffff8083 00005402 00000000 4a1e7d40 ffff8083 00490324 ffff8000
      7d20: ffffff9c 00000000 92c23ba0 0000ffff 000a0000 00000000 00000000 00000000
      7d40: 00000008 00000000 00080000 00000000 92c23b8b 0000ffff 92c23b8e 0000ffff
      7d60: 00000038 00000000 00001cb2 00000000 00000005 00000000 92d7b498 0000ffff
      7d80: 01010101 01010101 92be9000 0000ffff 00000000 00000000 00000030 00000000
      [<ffff8000000833f4>] el1_dbg+0x18/0x6c
      
      This issue is similar with 62c6c61a("arm64: replace read_lock to rcu lock in
      call_break_hook"), but comes to single_step_handler.
      
      This also solves kgdbts boot test silent hang issue on 4.4 -rt kernel.
      Signed-off-by: default avatarYang Shi <yang.shi@linaro.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarHe Kuang <hekuang@huawei.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      143cf26c
    • Yang Shi's avatar
      arm64: replace read_lock to rcu lock in call_break_hook · 1a138f3e
      Yang Shi authored
      [ Upstream commit 62c6c61a ]
      
      BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:917
      in_atomic(): 0, irqs_disabled(): 128, pid: 342, name: perf
      1 lock held by perf/342:
       #0:  (break_hook_lock){+.+...}, at: [<ffffffc0000851ac>] call_break_hook+0x34/0xd0
      irq event stamp: 62224
      hardirqs last  enabled at (62223): [<ffffffc00010b7bc>] __call_rcu.constprop.59+0x104/0x270
      hardirqs last disabled at (62224): [<ffffffc0000fbe20>] vprintk_emit+0x68/0x640
      softirqs last  enabled at (0): [<ffffffc000097928>] copy_process.part.8+0x428/0x17f8
      softirqs last disabled at (0): [<          (null)>]           (null)
      CPU: 0 PID: 342 Comm: perf Not tainted 4.1.6-rt5 #4
      Hardware name: linux,dummy-virt (DT)
      Call trace:
      [<ffffffc000089968>] dump_backtrace+0x0/0x128
      [<ffffffc000089ab0>] show_stack+0x20/0x30
      [<ffffffc0007030d0>] dump_stack+0x7c/0xa0
      [<ffffffc0000c878c>] ___might_sleep+0x174/0x260
      [<ffffffc000708ac8>] __rt_spin_lock+0x28/0x40
      [<ffffffc000708db0>] rt_read_lock+0x60/0x80
      [<ffffffc0000851a8>] call_break_hook+0x30/0xd0
      [<ffffffc000085a70>] brk_handler+0x30/0x98
      [<ffffffc000082248>] do_debug_exception+0x50/0xb8
      Exception stack(0xffffffc00514fe30 to 0xffffffc00514ff50)
      fe20:                                     00000000 00000000 c1594680 0000007f
      fe40: ffffffff ffffffff 92063940 0000007f 0550dcd8 ffffffc0 00000000 00000000
      fe60: 0514fe70 ffffffc0 000be1f8 ffffffc0 0514feb0 ffffffc0 0008948c ffffffc0
      fe80: 00000004 00000000 0514fed0 ffffffc0 ffffffff ffffffff 9282a948 0000007f
      fea0: 00000000 00000000 9282b708 0000007f c1592820 0000007f 00083914 ffffffc0
      fec0: 00000000 00000000 00000010 00000000 00000064 00000000 00000001 00000000
      fee0: 005101e0 00000000 c1594680 0000007f c1594740 0000007f ffffffd8 ffffff80
      ff00: 00000000 00000000 00000000 00000000 c1594770 0000007f c1594770 0000007f
      ff20: 00665e10 00000000 7f7f7f7f 7f7f7f7f 01010101 01010101 00000000 00000000
      ff40: 928e4cc0 0000007f 91ff11e8 0000007f
      
      call_break_hook is called in atomic context (hard irq disabled), so replace
      the sleepable lock to rcu lock, replace relevant list operations to rcu
      version and call synchronize_rcu() in unregister_break_hook().
      
      And, replace write lock to spinlock in {un}register_break_hook.
      Signed-off-by: default avatarYang Shi <yang.shi@linaro.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarHe Kuang <hekuang@huawei.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1a138f3e
  5. 23 Mar, 2016 4 commits
    • Jan Kara's avatar
      ext4: fix races of writeback with punch hole and zero range · f2b13259
      Jan Kara authored
      When doing delayed allocation, update of on-disk inode size is postponed
      until IO submission time. However hole punch or zero range fallocate
      calls can end up discarding the tail page cache page and thus on-disk
      inode size would never be properly updated.
      
      Make sure the on-disk inode size is updated before truncating page
      cache.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarMingming Cao <mingming.cao@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f2b13259
    • Jan Kara's avatar
      ext4: fix races between buffered IO and collapse / insert range · 181aaebd
      Jan Kara authored
      Current code implementing FALLOC_FL_COLLAPSE_RANGE and
      FALLOC_FL_INSERT_RANGE is prone to races with buffered writes and page
      faults. If buffered write or write via mmap manages to squeeze between
      filemap_write_and_wait_range() and truncate_pagecache() in the fallocate
      implementations, the written data is simply discarded by
      truncate_pagecache() although it should have been shifted.
      
      Fix the problem by moving filemap_write_and_wait_range() call inside
      i_mutex and i_mmap_sem. That way we are protected against races with
      both buffered writes and page faults.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarMingming Cao <mingming.cao@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      181aaebd
    • Jan Kara's avatar
      ext4: move unlocked dio protection from ext4_alloc_file_blocks() · 9621787d
      Jan Kara authored
      Currently ext4_alloc_file_blocks() was handling protection against
      unlocked DIO. However we now need to sometimes call it under i_mmap_sem
      and sometimes not and DIO protection ranks above it (although strictly
      speaking this cannot currently create any deadlocks). Also
      ext4_zero_range() was actually getting & releasing unlocked DIO
      protection twice in some cases. Luckily it didn't introduce any real bug
      but it was a land mine waiting to be stepped on.  So move DIO protection
      out from ext4_alloc_file_blocks() into the two callsites.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarMingming Cao <mingming.cao@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9621787d
    • Jan Kara's avatar
      ext4: fix races between page faults and hole punching · 248766f0
      Jan Kara authored
      Currently, page faults and hole punching are completely unsynchronized.
      This can result in page fault faulting in a page into a range that we
      are punching after truncate_pagecache_range() has been called and thus
      we can end up with a page mapped to disk blocks that will be shortly
      freed. Filesystem corruption will shortly follow. Note that the same
      race is avoided for truncate by checking page fault offset against
      i_size but there isn't similar mechanism available for punching holes.
      
      Fix the problem by creating new rw semaphore i_mmap_sem in inode and
      grab it for writing over truncate, hole punching, and other functions
      removing blocks from extent tree and for read over page faults. We
      cannot easily use i_data_sem for this since that ranks below transaction
      start and we need something ranking above it so that it can be held over
      the whole truncate / hole punching operation. Also remove various
      workarounds we had in the code to reduce race window when page fault
      could have created pages with stale mapping information.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarMingming Cao <mingming.cao@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      248766f0
  6. 22 Mar, 2016 9 commits