1. 18 Apr, 2016 10 commits
  2. 13 Apr, 2016 30 commits
    • include/linux/poison.h: fix LIST_POISON{1,2} offset · 46460a03
      Vasily Kulikov authored
      [ Upstream commit 8a5e5e02 ]
      
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6

      Signed-off-by: Vasily Kulikov <segoon@openwall.com>
      Cc: Solar Designer <solar@openwall.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • KEYS: Fix handling of stored error in a negatively instantiated user key · d979e967
      David Howells authored
      [ Upstream commit 096fe9ea ]
      
      If a user key gets negatively instantiated, an error code is cached in the
      payload area.  A negatively instantiated key may then be positively
      instantiated by updating it with valid data.  However, the ->update key
      type method must be aware that the error code may be there.
      
      The following may be used to trigger the bug in the user key type:
      
          keyctl request2 user user "" @u
          keyctl add user user "a" @u
      
      which manifests itself as:
      
      	BUG: unable to handle kernel paging request at 00000000ffffff8a
      	IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
      	PGD 7cc30067 PUD 0
      	Oops: 0002 [#1] SMP
      	Modules linked in:
      	CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
      	RIP: 0010:[<ffffffff810a376f>]  [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
      	 [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
      	RSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246
      	RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
      	RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
      	RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
      	R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
      	R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
      	FS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
      	CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      	CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
      	Stack:
      	 ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
      	 ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
      	 ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
      	Call Trace:
      	 [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
      	 [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
      	 [<     inline     >] __key_update security/keys/key.c:730
      	 [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
      	 [<     inline     >] SYSC_add_key security/keys/keyctl.c:125
      	 [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
      	 [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
      
      Note the error code (-ENOKEY) in EDX.
      
      A similar bug can be tripped by:
      
          keyctl request2 trusted user "" @u
          keyctl add trusted user "a" @u
      
      This should also affect encrypted keys - but that has to be correctly
      parameterised or it will fail with EINVAL before getting to the bit that
      will crash.

      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • KVM: x86: Reload pit counters for all channels when restoring state · 90352f3f
      Andrew Honig authored
      [ Upstream commit 0185604c ]
      
      Currently if userspace restores the pit counters with a count of 0
      on channels 1 or 2 and the guest attempts to read the count on those
      channels, then KVM will perform a mod of 0 and crash.  This will ensure
      that 0 values are converted to 65536 as per the spec.
      
      This is CVE-2015-7513.

      Signed-off-by: Andy Honig <ahonig@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • fuse: break infinite loop in fuse_fill_write_pages() · ea44bf73
      Roman Gushchin authored
      [ Upstream commit 3ca8138f ]
      
      I got a report about unkillable task eating CPU. Further
      investigation shows, that the problem is in the fuse_fill_write_pages()
      function. If iov's first segment has zero length, we get an infinite
      loop, because we never reach iov_iter_advance() call.
      
      Fix this by calling iov_iter_advance() before repeating an attempt to
      copy data from userspace.
      
      A similar problem is described in 124d3b70 ("fix writev regression:
      pan hanging unkillable and un-straceable"). If zero-length segment
      is followed by segment with invalid address,
      iov_iter_fault_in_readable() checks only first segment (zero-length),
      iov_iter_copy_from_user_atomic() skips it, fails at second and
      returns zero -> goto again without skipping zero-length segment.
      
      Patch calls iov_iter_advance() before goto again: we'll skip zero-length
      segment at second iteration and iov_iter_fault_in_readable() will detect
      invalid address.
      
      Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
      description.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Maxim Patlasov <mpatlasov@parallels.com>
      Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
      Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
      Fixes: ea9b9907 ("fuse: implement perform_write")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
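The retry logic described in the fuse commit message above, replayed as a small userspace model (an added example, not the kernel's code and not part of the commit). The segment struct, helper names, retry budget and sample iovecs are assumptions made for illustration; the helpers only mimic the behaviour the message attributes to iov_iter_fault_in_readable(), iov_iter_copy_from_user_atomic() and iov_iter_advance().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { RES_FAULT = -1, RES_STUCK = -2 };

/* One iovec segment; 'readable' stands in for "the user address is mapped". */
struct seg { size_t len; bool readable; };
struct iter { const struct seg *segs; size_t nsegs, idx, off; };

/* Bytes left in the current segment (models iov_iter_single_seg_count()). */
static size_t single_seg_count(const struct iter *it)
{
    return it->idx < it->nsegs ? it->segs[it->idx].len - it->off : 0;
}

/* Models iov_iter_fault_in_readable(): only the current segment is probed. */
static int fault_in_readable(const struct iter *it, size_t bytes)
{
    if (bytes == 0 || single_seg_count(it) == 0)
        return 0;
    return it->segs[it->idx].readable ? 0 : -1;
}

/* Models iov_iter_copy_from_user_atomic(): steps over empty segments on its
 * own, stops at the first unreadable one, and leaves the iterator untouched. */
static size_t copy_atomic(const struct iter *it, size_t want)
{
    size_t idx = it->idx, off = it->off, copied = 0;

    while (idx < it->nsegs && copied < want) {
        const struct seg *s = &it->segs[idx];
        size_t avail = s->len - off;
        size_t n;

        if (avail == 0) { idx++; off = 0; continue; }
        if (!s->readable)
            break;
        n = avail < want - copied ? avail : want - copied;
        copied += n;
        off += n;
    }
    return copied;
}

/* Models iov_iter_advance(): consumes n bytes and moves past exhausted
 * segments, which includes zero-length ones when n == 0. */
static void advance(struct iter *it, size_t n)
{
    while (it->idx < it->nsegs) {
        size_t avail = it->segs[it->idx].len - it->off;

        if (n < avail) { it->off += n; return; }
        n -= avail;
        it->idx++;
        it->off = 0;
    }
}

/* One page-sized copy attempt from the write loop. 'patched' selects whether
 * advance() runs before the retry (the fix) or only after a successful copy.
 * Returns bytes copied, RES_FAULT, or RES_STUCK once 'budget' retries pass
 * without progress (the stand-in for the unkillable spinning task). */
long fill_one_page(const struct seg *segs, size_t nsegs, size_t bytes,
                   bool patched, int budget)
{
    struct iter it = { segs, nsegs, 0, 0 };

    for (int tries = 0; tries < budget; tries++) {
        size_t tmp, left;

        if (fault_in_readable(&it, bytes))
            return RES_FAULT;
        tmp = copy_atomic(&it, bytes);
        if (patched)
            advance(&it, tmp);          /* fix: advance before retrying */
        if (tmp == 0) {
            left = single_seg_count(&it);
            bytes = bytes < left ? bytes : left;
            continue;                   /* "goto again" */
        }
        if (!patched)
            advance(&it, tmp);          /* original order: skipped when tmp == 0 */
        return (long)tmp;
    }
    return RES_STUCK;
}

/* Constructed inputs: an empty segment followed by an unreadable one, and an
 * empty segment followed by a readable one. */
const struct seg SAMPLE_BAD[] = { { 0, true }, { 4096, false } };
const struct seg SAMPLE_OK[]  = { { 0, true }, { 100, true } };

int main(void)
{
    printf("unpatched, bad iov: %ld\n", fill_one_page(SAMPLE_BAD, 2, 4096, false, 1000));
    printf("patched,   bad iov: %ld\n", fill_one_page(SAMPLE_BAD, 2, 4096, true, 1000));
    printf("unpatched, ok iov:  %ld\n", fill_one_page(SAMPLE_OK, 2, 4096, false, 1000));
    printf("patched,   ok iov:  %ld\n", fill_one_page(SAMPLE_OK, 2, 4096, true, 1000));
    return 0;
}
```

In the unpatched order the byte count is clamped to the empty segment's length, so every later pass probes nothing and copies nothing; with the advance moved ahead of the retry, the second pass probes the unreadable segment and fails cleanly.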
    • ovl: fix permission checking for setattr · 2cadb57d
      Miklos Szeredi authored
      [ Upstream commit acff81ec ]
      
      [Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
      away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
      (with the former being always safe and the latter failing in case of
      insufficient permissions) it tries to combine these two.  Note that copyup
      itself will have to do ->setattr() anyway; _that_ is where the elevated
      capabilities are right.  Having these two ->setattr() (one to set verbatim
      copy of metadata, another to do what overlayfs ->setattr() had been asked
      to do in the first place) combined is where it breaks.

      Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • MIPS: smp.c: Fix uninitialised temp_foreign_map · 50d93d38
      James Hogan authored
      [ Upstream commit d825c06b ]
      
      When calculate_cpu_foreign_map() recalculates the cpu_foreign_map
      cpumask it uses the local variable temp_foreign_map without initialising
      it to zero. Since the calculation only ever sets bits in this cpumask
      any existing bits at that memory location will remain set and find their
      way into cpu_foreign_map too. This could potentially lead to cache
      operations suboptimally doing smp calls to multiple VPEs in the same
      core, even though the VPEs share primary caches.
      
      Therefore initialise temp_foreign_map using cpumask_clear() before use.
      
      Fixes: cccf34e9 ("MIPS: c-r4k: Fix cache flushing for MT cores")
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/12759/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • powerpc: Fix dedotify for binutils >= 2.26 · 9c99016a
      Andreas Schwab authored
      [ Upstream commit f15838e9 ]
      
      Since binutils 2.26 BFD is doing suffix merging on STRTAB sections.  But
      dedotify modifies the symbol names in place, which can also modify
      unrelated symbols with a name that matches a suffix of a dotted name.  To
      remove the leading dot of a symbol name we can just increment the pointer
      into the STRTAB section instead.
      
      Backport to all stables to avoid breakage when people update their
      binutils - mpe.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • Revert "drm/radeon: call hpd_irq_event on resume" · a490e8a4
      Linus Torvalds authored
      [ Upstream commit 256faedc ]
      
      This reverts commit dbb17a21.
      
      It turns out that commit can cause problems for systems with multiple
      GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid
      graphics.
      
      This got noticed originally in 4.4.4, where this patch had already
      gotten back-ported, but 4.5-rc7 was verified to have the same problem.
      
      Alexander Deucher says:
       "It looks like you have a muxed system so I suspect what's happening is
        that one of the display is being reported as connected for both the
        IGP and the dGPU and then the desktop environment gets confused or
        there some sort problem in the detect functions since the mux is not
        switched to the dGPU.  I don't see an easy fix unless Dave has any
        ideas.  I'd say just revert for now"

      Reported-by: Jörg-Volker Peetz <jvpeetz@web.de>
      Acked-by: Alexander Deucher <Alexander.Deucher@amd.com>
      Cc: Dave Airlie <airlied@gmail.com>
      Cc: stable@kernel.org  # wherever dbb17a21 got back-ported
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • arm64: account for sparsemem section alignment when choosing vmemmap offset · fc726073
      Ard Biesheuvel authored
      [ Upstream commit 36e5cd6b ]
      
      Commit dfd55ad8 ("arm64: vmemmap: use virtual projection of linear
      region") fixed an issue where the struct page array would overflow into the
      adjacent virtual memory region if system RAM was placed so high up in
      physical memory that its addresses were not representable in the build time
      configured virtual address size.
      
      However, the fix failed to take into account that the vmemmap region needs
      to be relatively aligned with respect to the sparsemem section size, so that
      a sequence of page structs corresponding with a sparsemem section in the
      linear region appears naturally aligned in the vmemmap region.
      
      So round up vmemmap to sparsemem section size. Since this essentially moves
      the projection of the linear region up in memory, also revert the reduction
      of the size of the vmemmap region.
      
      Cc: <stable@vger.kernel.org>
      Fixes: dfd55ad8 ("arm64: vmemmap: use virtual projection of linear region")
      Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
      Tested-by: David Daney <david.daney@cavium.com>
      Tested-by: Robert Richter <rrichter@cavium.com>
      Acked-by: Catalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • modules: fix longstanding /proc/kallsyms vs module insertion race. · 6d7ac2fe
      Rusty Russell authored
      [ Upstream commit 8244062e ]
      
      For CONFIG_KALLSYMS, we keep two symbol tables and two string tables.
      There's one full copy, marked SHF_ALLOC and laid out at the end of the
      module's init section.  There's also a cut-down version that only
      contains core symbols and strings, and lives in the module's core
      section.
      
      After module init (and before we free the module memory), we switch
      the mod->symtab, mod->num_symtab and mod->strtab to point to the core
      versions.  We do this under the module_mutex.
      
      However, kallsyms doesn't take the module_mutex: it uses
      preempt_disable() and rcu tricks to walk through the modules, because
      it's used in the oops path.  It's also used in /proc/kallsyms.
      There's nothing atomic about the change of these variables, so we can
      get the old (larger!) num_symtab and the new symtab pointer; in fact
      this is what I saw when trying to reproduce.
      
      By grouping these variables together, we can use a
      carefully-dereferenced pointer to ensure we always get one or the
      other (the free of the module init section is already done in an RCU
      callback, so that's safe).  We allocate the init one at the end of the
      module init section, and keep the core one inside the struct module
      itself (it could also have been allocated at the end of the module
      core, but that's probably overkill).

      Reported-by: Weilong Chen <chenweilong@huawei.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111541
      Cc: stable@kernel.org
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
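The torn read described in the kallsyms commit message above, replayed deterministically in userspace (an added example, not the kernel's code and not part of the commit). The struct and function names and the two symbol tables are constructed for illustration, and C11 acquire/release atomics stand in for the kernel's "carefully-dereferenced pointer"; the old view staying valid after the swap relies on the deferred free the message mentions.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed tables: the full init-time copy and the cut-down core copy. */
static const char *const INIT_SYMS[] = { "init_fn", "core_fn", "helper", "exit_fn" };
static const char *const CORE_SYMS[] = { "core_fn", "helper" };
#define INIT_N (sizeof(INIT_SYMS) / sizeof(INIT_SYMS[0]))
#define CORE_N (sizeof(CORE_SYMS) / sizeof(CORE_SYMS[0]))

/* Layout before the fix: pointer and count are separate fields that the
 * writer updates one after the other. */
struct mod_split {
    const char *const *symtab;
    size_t num_symtab;
};

/* Layout after the fix: both sit behind one pointer that is swapped whole. */
struct kallsyms_view {
    const char *const *symtab;
    size_t num_symtab;
};
struct mod_grouped {
    _Atomic(const struct kallsyms_view *) kallsyms;
};

static const struct kallsyms_view INIT_VIEW = { INIT_SYMS, INIT_N };
static const struct kallsyms_view CORE_VIEW = { CORE_SYMS, CORE_N };

/* How many entries past the end of 'tab' a walk of 'n' entries would read. */
static size_t overrun(const char *const *tab, size_t n)
{
    size_t real = (tab == CORE_SYMS) ? CORE_N : INIT_N;

    return n > real ? n - real : 0;
}

/* Writer side: the switch to the core tables done after module init. */
static void switch_split(struct mod_split *m)
{
    m->symtab = CORE_SYMS;
    m->num_symtab = CORE_N;
}

static void switch_grouped(struct mod_grouped *m)
{
    atomic_store_explicit(&m->kallsyms, &CORE_VIEW, memory_order_release);
}

/* Reader replayed with the writer landing between its two loads: it keeps the
 * old, larger count and pairs it with the new, smaller table. */
size_t replay_split(void)
{
    struct mod_split m = { INIT_SYMS, INIT_N };
    size_t n = m.num_symtab;               /* old count */
    const char *const *tab;

    switch_split(&m);                      /* writer runs here */
    tab = m.symtab;                        /* new pointer */
    return overrun(tab, n);
}

/* Same interleaving with the grouped layout: the reader takes one snapshot
 * pointer, so count and table always belong together. */
size_t replay_grouped(void)
{
    struct mod_grouped m;
    const struct kallsyms_view *v;

    atomic_init(&m.kallsyms, &INIT_VIEW);
    v = atomic_load_explicit(&m.kallsyms, memory_order_acquire);
    switch_grouped(&m);                    /* writer runs here */
    return overrun(v->symtab, v->num_symtab);
}

/* A reader that starts after the swap sees the core view only. */
size_t count_after_switch(void)
{
    struct mod_grouped m;

    atomic_init(&m.kallsyms, &INIT_VIEW);
    switch_grouped(&m);
    return atomic_load_explicit(&m.kallsyms, memory_order_acquire)->num_symtab;
}

int main(void)
{
    printf("split layout overrun:   %zu entries\n", replay_split());
    printf("grouped layout overrun: %zu entries\n", replay_grouped());
    printf("count after switch:     %zu\n", count_after_switch());
    return 0;
}
```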
    • arm64: vmemmap: use virtual projection of linear region · abae2840
      Ard Biesheuvel authored
      [ Upstream commit dfd55ad8 ]
      
      Commit dd006da2 ("arm64: mm: increase VA range of identity map") made
      some changes to the memory mapping code to allow physical memory to reside
      at an offset that exceeds the size of the virtual mapping.
      
      However, since the size of the vmemmap area is proportional to the size of
      the VA area, but it is populated relative to the physical space, we may
      end up with the struct page array being mapped outside of the vmemmap
      region. For instance, on my Seattle A0 box, I can see the following output
      in the dmesg log.
      
         vmemmap : 0xffffffbdc0000000 - 0xffffffbfc0000000   (     8 GB maximum)
                   0xffffffbfc0000000 - 0xffffffbfd0000000   (   256 MB actual)
      
      We can fix this by deciding that the vmemmap region is not a projection of
      the physical space, but of the virtual space above PAGE_OFFSET, i.e., the
      linear region. This way, we are guaranteed that the vmemmap region is of
      sufficient size, and we can even reduce the size by half.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • btrfs: async-thread: Fix a use-after-free error for trace · b9a54ed9
      Qu Wenruo authored
      [ Upstream commit 0a95b851 ]
      
      Parameter of trace_btrfs_work_queued() can be freed in its workqueue.
      So no one should use that pointer after queue_work().

      Fix the use-after-free bug by moving the trace line before queue_work().

      Reported-by: Dave Jones <davej@codemonkey.org.uk>
      Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • btrfs: Fix no_space in write and rm loop · d5b55a7a
      Zhao Lei authored
      [ Upstream commit 08acfd9d ]
      
      commit e1746e83 upstream.
      
      I see no_space in v4.4-rc1 again in xfstests generic/102.
      It happened randomly, only on some nodes.
      (one of 4 phy-nodes, and a kvm with non-virtio block driver)

      By bisecting, we found that the first bad commit is:
       commit bdced438 ("block: setup bi_phys_segments after splitting")
      But the above patch only triggered the bug by making bio operations
      faster (or slower).

      The main reason is that in our space-allocating code, we need to commit
      page writeback before waiting for it to complete; this patch fixes the
      above bug.

      BTW, there is another reason for the generic/102 failure, caused by
      disabling the default mixed-blockgroup; I'll fix it in xfstests.

      Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • btrfs: wait for delayed iputs on no space · 42bd8f4f
      Zhao Lei authored
      [ Upstream commit 9a4e7276 ]
      
      btrfs will report no_space when we run the following write and delete
      file loop:
       # FILE_SIZE_M=[ 75% of fs space ]
       # DEV=[ some dev ]
       # MNT=[ some dir ]
       #
       # mkfs.btrfs -f "$DEV"
       # mount -o nodatacow "$DEV" "$MNT"
       # for ((i = 0; i < 100; i++)); do dd if=/dev/zero of="$MNT"/file0 bs=1M count="$FILE_SIZE_M"; rm -f "$MNT"/file0; done
       #
      
      Reason:
       iput() and evict() are run after writing pages to the block device; if
       the page writes are not finished before the next write, the "rm"ed space
       is not freed, which causes the above bug.

      Fix:
       We can add the "-o flushoncommit" mount option to avoid the above bug, but
       it has a performance problem. Actually, we can wait for on-the-fly
       writes only when no-space happens, which is what this patch does.

      Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • security: let security modules use PTRACE_MODE_* with bitmasks · ee6ad435
      Jann Horn authored
      [ Upstream commit 3dfb7d8c ]
      
      It looks like smack and yama weren't aware that the ptrace mode
      can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
      only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
      all modes have flags ORed into them.

      Signed-off-by: Jann Horn <jann@thejh.net>
      Acked-by: Kees Cook <keescook@chromium.org>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • x86/entry/compat: Add missing CLAC to entry_INT80_32 · 1f9780e3
      Andy Lutomirski authored
      [ Upstream commit 3d44d51b ]
      
      This doesn't seem to fix a regression -- I don't think the CLAC was
      ever there.
      
      I double-checked in a debugger: entries through the int80 gate do
      not automatically clear AC.
      
      Stable maintainers: I can provide a backport to 4.3 and earlier if
      needed.  This needs to be backported all the way to 3.10.

      Reported-by: Brian Gerst <brgerst@gmail.com>
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org> # v3.10 and later
      Fixes: 63bcff2a ("x86, smap: Add STAC and CLAC instructions to control user space access")
      Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • kernel/resource.c: fix muxed resource handling in __request_region() · aa1311b4
      Simon Guinot authored
      [ Upstream commit 59ceeaaf ]
      
      In __request_region, if a conflict with a BUSY and MUXED resource is
      detected, then the caller goes to sleep and waits for the resource to be
      released.  A pointer on the conflicting resource is kept.  At wake-up
      this pointer is used as a parent to retry to request the region.
      
      A first problem is that this pointer might well be invalid (if for
      example the conflicting resource has already been freed).  Another
      problem is that the next call to __request_region() fails to detect a
      remaining conflict.  The previously conflicting resource is passed as a
      parameter and __request_region() will look for a conflict among the
      children of this resource and not at the resource itself.  It is likely
      to succeed anyway, even if there is still a conflict.
      
      Instead, the parent of the conflicting resource should be passed to
      __request_region().
      
      As a fix, this patch doesn't update the parent resource pointer in the
      case we have to wait for a muxed region right after.

      Reported-and-tested-by: Vincent Pelletier <plr.vincent@gmail.com>
      Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
      Tested-by: Vincent Donnefort <vdonnefort@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist" · 474510b4
      Hans de Goede authored
      [ Upstream commit b186b4dc ]
      
      The quirk to get "acpi_backlight=vendor" behavior by default on the
      Dell Inspiron 5737 was added before we started doing
      "acpi_backlight=native" by default on Win8 ready machines.
      
      Since we now avoid using acpi-video as backlight driver on these machines
      by default (using the native driver instead) we no longer need this quirk.
      
      Moreover the vendor driver does not work after a suspend/resume
      whereas the native driver does.
      
      This reverts commit 08a56226 (ACPI / video: Add Dell Inspiron 5737
      to the blacklist).
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=111061
      Cc: 3.19+ <stable@vger.kernel.org> # 3.19+
      Reported-and-tested-by: erusan@gmail.com
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • drm/dp/mst: deallocate payload on port destruction · e159282e
      Mykola Lysenko authored
      [ Upstream commit 91a25e46 ]
      
      This is needed to properly deallocate port payload
      after downstream branch gets unplugged.
      
      In order to do this unplugged MST topology should
      be preserved, to find first alive port on path to
      unplugged MST topology, and send payload deallocation
      request to branch device of found port.
      
      For this mstb and port kref's are used in reversed
      order to track when port and branch memory could be
      freed.
      
      Added additional functions to find appropriate mstb
      as described above.

      Signed-off-by: Mykola Lysenko <Mykola.Lysenko@amd.com>
      Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • drm/dp/mst: Reverse order of MST enable and clearing VC payload table. · 9cc69601
      Andrey Grodzovsky authored
      [ Upstream commit c175cd16 ]
      
      On DELL U3014 if you clear the table before enabling MST it sometimes
      hangs the receiver.

      Signed-off-by: Andrey Grodzovsky <Andrey.Grodzovsky@amd.com>
      Reviewed-by: Harry Wentland <harry.wentland@amd.com>
      Cc: stable@vger.kernel.org
      Acked-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • drm/dp/mst: move GUID storage from mgr, port to only mst branch · 11dd4e27
      Hersen Wu authored
      [ Upstream commit 5e93b820 ]
      
      Previous implementation does not handle case below: boot up one MST branch
      to DP connector of ASIC. After boot up, hot plug 2nd MST branch to DP output
      of 1st MST, GUID is not created for 2nd MST branch. When downstream port of
      2nd MST branch send upstream request, it fails because 2nd MST branch GUID
      is not available.
      
      New Implementation: only create GUID for MST branch and save it within Branch.

      Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
      Reviewed-by: Harry Wentland <harry.wentland@amd.com>
      Cc: stable@vger.kernel.org
      Acked-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • irqchip/omap-intc: Add support for spurious irq handling · 1505f5ae
      Sekhar Nori authored
      [ Upstream commit d3b421cd ]
      
      Under some conditions, irq sorting procedure used by INTC can go wrong
      resulting in a spurious irq getting reported.
      
      If this condition is not handled, it results in endless stream of:
      
          unexpected IRQ trap at vector 00
      
      messages from ack_bad_irq()
      
      Handle the spurious interrupt condition in omap-intc driver to prevent this.
      
      Measurements using kernel function profiler on AM335x EVM running at 720MHz
      show that after this patch omap_intc_handle_irq() takes about 37.4us against
      34us before this patch.

      Signed-off-by: Sekhar Nori <nsekhar@ti.com>
      Acked-by: Tony Lindgren <tony@atomide.com>
      Cc: John Ogness <john.ogness@linutronix.de>
      Cc: Felipe Balbi <balbi@ti.com>
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/9c78a6db02ac55f7af7371b417b6e414d2c3095b.1450188128.git.nsekhar@ti.com
      Cc: stable@vger.kernel.org
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • irqchip: omap-intc: Improve IRQ handler · 249ee754
      Felipe Balbi authored
      [ Upstream commit 6ed34648 ]
      
      As it turns out the current IRQ number will *always* be available from
      SIR register which renders the reads of PENDING registers as plain
      unnecessary overhead.
      
      In order to catch any situation where SIR reads as zero, we're adding
      a WARN() to turn it into a very verbose error and users actually
      report it.
      
      With this patch average running time of omap_intc_handle_irq() reduced
      from about 28.5us to 19.8us as measured by the kernel function
      profiler.
      
      Tested with BeagleBoneBlack Rev A5C.

      Tested-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Felipe Balbi <balbi@ti.com>
      Cc: Linux ARM Kernel Mailing List <linux-arm-kernel@lists.infradead.org>
      Link: http://lkml.kernel.org/r/20150720204910.GH5394@saruman.tx.rr.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    • [media] si2157: return -EINVAL if firmware blob is too big · 610ed280
      Laura Abbott authored
      [ Upstream commit d2cc2f0b ]
      
      A previous patch added a check if the firmware is too big, but it didn't
      set the return error code with the right value.
      
      [mchehab@osg.samsung.com: I ended by applying a v1 of Laura's patch, without
       the proper return code. This patch contains the difference between v2 and v1 of
       Laura's "si2157: Bounds check firmware" patch]
      Cc: stable@kernel.org
      Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
      Reviewed-by: Olli Salonen <olli.salonen@iki.fi>
      Tested-by: Olli Salonen <olli.salonen@iki.fi>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      610ed280
    • btrfs: initialize the seq counter in struct btrfs_device · 2068256b
      Sebastian Andrzej Siewior authored
      [ Upstream commit 546bed63 ]
      
      I managed to trigger this:
      | INFO: trying to register non-static key.
      | the code is fine but needs lockdep annotation.
      | turning off the locking correctness validator.
      | CPU: 1 PID: 781 Comm: systemd-gpt-aut Not tainted 4.4.0-rt2+ #14
      | Hardware name: ARM-Versatile Express
      | [<80307cec>] (dump_stack)
      | [<80070e98>] (__lock_acquire)
      | [<8007184c>] (lock_acquire)
      | [<80287800>] (btrfs_ioctl)
      | [<8012a8d4>] (do_vfs_ioctl)
      | [<8012ac14>] (SyS_ioctl)
      
      so I think that btrfs_device_data_ordered_init() is not invoked behind
      a macro somewhere.
      
      Fixes: 7cc8e58d ("Btrfs: fix unprotected device's variants on 32bits machine")
      Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      2068256b
    • Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots · c19cd7e3
      Chandan Rajendra authored
      [ Upstream commit f32e48e9 ]
      
      The following call trace is seen when btrfs/031 test is executed in a loop,
      
      [  158.661848] ------------[ cut here ]------------
      [  158.662634] WARNING: CPU: 2 PID: 890 at /home/chandan/repos/linux/fs/btrfs/ioctl.c:558 create_subvol+0x3d1/0x6ea()
      [  158.664102] BTRFS: Transaction aborted (error -2)
      [  158.664774] Modules linked in:
      [  158.665266] CPU: 2 PID: 890 Comm: btrfs Not tainted 4.4.0-rc6-g511711af #2
      [  158.666251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      [  158.667392]  ffffffff81c0a6b0 ffff8806c7c4f8e8 ffffffff81431fc8 ffff8806c7c4f930
      [  158.668515]  ffff8806c7c4f920 ffffffff81051aa1 ffff880c85aff000 ffff8800bb44d000
      [  158.669647]  ffff8808863b5c98 0000000000000000 00000000fffffffe ffff8806c7c4f980
      [  158.670769] Call Trace:
      [  158.671153]  [<ffffffff81431fc8>] dump_stack+0x44/0x5c
      [  158.671884]  [<ffffffff81051aa1>] warn_slowpath_common+0x81/0xc0
      [  158.672769]  [<ffffffff81051b27>] warn_slowpath_fmt+0x47/0x50
      [  158.673620]  [<ffffffff813bc98d>] create_subvol+0x3d1/0x6ea
      [  158.674440]  [<ffffffff813777c9>] btrfs_mksubvol.isra.30+0x369/0x520
      [  158.675376]  [<ffffffff8108a4aa>] ? percpu_down_read+0x1a/0x50
      [  158.676235]  [<ffffffff81377a81>] btrfs_ioctl_snap_create_transid+0x101/0x180
      [  158.677268]  [<ffffffff81377b52>] btrfs_ioctl_snap_create+0x52/0x70
      [  158.678183]  [<ffffffff8137afb4>] btrfs_ioctl+0x474/0x2f90
      [  158.678975]  [<ffffffff81144b8e>] ? vma_merge+0xee/0x300
      [  158.679751]  [<ffffffff8115be31>] ? alloc_pages_vma+0x91/0x170
      [  158.680599]  [<ffffffff81123f62>] ? lru_cache_add_active_or_unevictable+0x22/0x70
      [  158.681686]  [<ffffffff813d99cf>] ? selinux_file_ioctl+0xff/0x1d0
      [  158.682581]  [<ffffffff8117b791>] do_vfs_ioctl+0x2c1/0x490
      [  158.683399]  [<ffffffff813d3cde>] ? security_file_ioctl+0x3e/0x60
      [  158.684297]  [<ffffffff8117b9d4>] SyS_ioctl+0x74/0x80
      [  158.685051]  [<ffffffff819b2bd7>] entry_SYSCALL_64_fastpath+0x12/0x6a
      [  158.685958] ---[ end trace 4b63312de5a2cb76 ]---
      [  158.686647] BTRFS: error (device loop0) in create_subvol:558: errno=-2 No such entry
      [  158.709508] BTRFS info (device loop0): forced readonly
      [  158.737113] BTRFS info (device loop0): disk space caching is enabled
      [  158.738096] BTRFS error (device loop0): Remounting read-write after error is not allowed
      [  158.851303] BTRFS error (device loop0): cleaner transaction attach returned -30
      
      This occurs because,
      
      Mount filesystem
      Create subvol with ID 257
      Unmount filesystem
      Mount filesystem
      Delete subvol with ID 257
        btrfs_drop_snapshot()
          Add root corresponding to subvol 257 into
          btrfs_transaction->dropped_roots list
      Create new subvol (i.e. create_subvol())
        257 is returned as the next free objectid
        btrfs_read_fs_root_no_name()
          Finds the btrfs_root instance corresponding to the old subvol with ID 257
          in btrfs_fs_info->fs_roots_radix.
          Returns error since btrfs_root_item->refs has the value of 0.
      
      To fix the issue the commit initializes tree root's and subvolume root's
      highest_objectid when loading the roots from disk.
      
      Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      c19cd7e3
    • Btrfs: fix transaction handle leak on failure to create hard link · 9bf972e8
      Filipe Manana authored
      [ Upstream commit 271dba45 ]
      
      If we failed to create a hard link we were not always releasing the
      transaction handle we got before, resulting in a memory leak and
      preventing any other tasks from being able to commit the current
      transaction.
      Fix this by always releasing our transaction handle.
      
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      9bf972e8
    • Btrfs: fix number of transaction units required to create symlink · a1f535ac
      Filipe Manana authored
      [ Upstream commit 9269d12b ]
      
      We weren't accounting for the insertion of an inline extent item for the
      symlink inode nor that we need to update the parent inode item (through
      the call to btrfs_add_nondir()). So fix this by including two more
      transaction units.
      
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      a1f535ac
    • Btrfs: send, don't BUG_ON() when an empty symlink is found · e92c51b7
      Filipe Manana authored
      [ Upstream commit a879719b ]
      
      When a symlink is successfully created it always has an inline extent
      containing the source path. However if an error happens when creating
      the symlink, we can leave in the subvolume's tree a symlink inode without
      any such inline extent item - this happens if after btrfs_symlink() calls
      btrfs_end_transaction() and before it calls the inode eviction handler
      (through the final iput() call), the transaction gets committed and a
      crash happens before the eviction handler gets called, or if a snapshot
      of the subvolume is made before the eviction handler gets called. Sadly
      we can't just avoid this by making btrfs_symlink() call
      btrfs_end_transaction() after it calls the eviction handler, because the
      latter can commit the current transaction before it removes any items from
      the subvolume tree (if it encounters ENOSPC errors while reserving space
      for removing all the items).
      
      So make send fail more gracefully, with an -EIO error, and print a
      message to dmesg/syslog informing that there's an empty symlink inode,
      so that the user can delete the empty symlink or do something else
      about it.
      
      Reported-by: Stephen R. van den Berg <srb@cuci.nl>
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      e92c51b7
    • btrfs: statfs: report zero available if metadata are exhausted · 4e3fa12f
      David Sterba authored
      [ Upstream commit ca8a51b3 ]
      
      There is one ENOSPC case that's very confusing. There's Available
      greater than zero but no file operation succeeds (besides removing
      files). This happens when the metadata are exhausted and there's no
      possibility to allocate another chunk.
      
      In this scenario it's normal that there's still some space in the data
      chunk and the calculation in df reflects that in the Avail value.
      
      To at least give some clue about the ENOSPC situation, let statfs report
      zero value in Avail, even if there's still data space available.
      
      Current:
        /dev/sdb1             4.0G  3.3G  719M  83% /mnt/test
      
      New:
        /dev/sdb1             4.0G  3.3G     0 100% /mnt/test
      
      We calculate the remaining metadata space minus global reserve. If this
      is (supposedly) smaller than zero, there's no space. But this does not
      hold in practice, the exhausted state happens where there's still some
      positive delta. So we apply some guesswork and compare the delta to a 4M
      threshold. (Practically observed delta was 2M.)
      
      We probably cannot calculate the exact threshold value because this
      depends on the internal reservations requested by various operations, so
      some operations that consume a few metadata will succeed even if the
      Avail is zero. But this is better than the other way around.
      
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      4e3fa12f