1. 07 Mar, 2015 40 commits
    • Stefano Stabellini's avatar
      Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single" · 764a3524
      Stefano Stabellini authored
      This reverts commit 2c3fc8d2.
      
      This commit broke on x86 PV because entries in the generic SWIOTLB are
      indexed using (pseudo-)physical address not DMA address and these are
      not the same in a x86 PV guest.
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      
      Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single"
      
      This reverts commit 2c3fc8d2.
      
      This commit broke on x86 PV because entries in the generic SWIOTLB are
      indexed using (pseudo-)physical address not DMA address and these are
      not the same in a x86 PV guest.
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      
      xen: annotate xen_set_identity_and_remap_chunk() with __init
      
      Commit 5b8e7d80 removed the __init
      annotation from xen_set_identity_and_remap_chunk(). Add it again.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: introduce helper functions to do safe read and write accesses
      
      Introduce two helper functions to safely read and write unsigned long
      values from or to memory when the access may fault because the mapping
      is non-present or read-only.
      
      These helpers can be used instead of open coded uses of __get_user()
      and __put_user() avoiding the need to do casts to fix sparse warnings.
      
      Use the helpers in page.h and p2m.c. This will fix the sparse
      warnings when doing "make C=1".
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Speed up set_phys_to_machine() by using read-only mappings
      
      Instead of checking at each call of set_phys_to_machine() whether a
      new p2m page has to be allocated due to writing an entry in a large
      invalid or identity area, just map those areas read only and react
      to a page fault on write by allocating the new page.
      
      This change will make the common path with no allocation much
      faster as it only requires a single write of the new mfn instead
      of walking the address translation tables and checking for the
      special cases.
      Suggested-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: switch to linear virtual mapped sparse p2m list
      
      At start of the day the Xen hypervisor presents a contiguous mfn list
      to a pv-domain. In order to support sparse memory this mfn list is
      accessed via a three level p2m tree built early in the boot process.
      Whenever the system needs the mfn associated with a pfn this tree is
      used to find the mfn.
      
      Instead of using a software walked tree for accessing a specific mfn
      list entry this patch is creating a virtual address area for the
      entire possible mfn list including memory holes. The holes are
      covered by mapping a pre-defined  page consisting only of "invalid
      mfn" entries. Access to a mfn entry is possible by just using the
      virtual base address of the mfn list and the pfn as index into that
      list. This speeds up the (hot) path of determining the mfn of a
      pfn.
      
      Kernel build on a Dell Latitude E6440 (2 cores, HT) in 64 bit Dom0
      showed following improvements:
      
      Elapsed time: 32:50 ->  32:35
      System:       18:07 ->  17:47
      User:        104:00 -> 103:30
      
      Tested with following configurations:
      - 64 bit dom0, 8GB RAM
      - 64 bit dom0, 128 GB RAM, PCI-area above 4 GB
      - 32 bit domU, 512 MB, 8 GB, 43 GB (more wouldn't work even without
                                          the patch)
      - 32 bit domU, ballooning up and down
      - 32 bit domU, save and restore
      - 32 bit domU with PCI passthrough
      - 64 bit domU, 8 GB, 2049 MB, 5000 MB
      - 64 bit domU, ballooning up and down
      - 64 bit domU, save and restore
      - 64 bit domU with PCI passthrough
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Hide get_phys_to_machine() to be able to tune common path
      
      Today get_phys_to_machine() is always called when the mfn for a pfn
      is to be obtained. Add a wrapper __pfn_to_mfn() as inline function
      to be able to avoid calling get_phys_to_machine() when possible as
      soon as the switch to a linear mapped p2m list has been done.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      x86: Introduce function to get pmd entry pointer
      
      Introduces lookup_pmd_address() to get the address of the pmd entry
      related to a virtual address in the current address space. This
      function is needed for support of a virtual mapped sparse p2m list
      in xen pv domains, as we need the address of the pmd entry, not the
      one of the pte in that case.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Delay invalidating extra memory
      
      When the physical memory configuration is initialized the p2m entries
      for not pouplated memory pages are set to "invalid". As those pages
      are beyond the hypervisor built p2m list the p2m tree has to be
      extended.
      
      This patch delays processing the extra memory related p2m entries
      during the boot process until some more basic memory management
      functions are callable. This removes the need to create new p2m
      entries until virtual memory management is available.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Delay m2p_override initialization
      
      The m2p overrides are used to be able to find the local pfn for a
      foreign mfn mapped into the domain. They are used by driver backends
      having to access frontend data.
      
      As this functionality isn't used in early boot it makes no sense to
      initialize the m2p override functions very early. It can be done
      later without doing any harm, removing the need for allocating memory
      via extend_brk().
      
      While at it make some m2p override functions static as they are only
      used internally.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Delay remapping memory of pv-domain
      
      Early in the boot process the memory layout of a pv-domain is changed
      to match the E820 map (either the host one for Dom0 or the Xen one)
      regarding placement of RAM and PCI holes. This requires removing memory
      pages initially located at positions not suitable for RAM and adding
      them later at higher addresses where no restrictions apply.
      
      To be able to operate on the hypervisor supported p2m list until a
      virtual mapped linear p2m list can be constructed, remapping must
      be delayed until virtual memory management is initialized, as the
      initial p2m list can't be extended unlimited at physical memory
      initialization time due to it's fixed structure.
      
      A further advantage is the reduction in complexity and code volume as
      we don't have to be careful regarding memory restrictions during p2m
      updates.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: use common page allocation function in p2m.c
      
      In arch/x86/xen/p2m.c three different allocation functions for
      obtaining a memory page are used: extend_brk(), alloc_bootmem_align()
      or __get_free_page().  Which of those functions is used depends on the
      progress of the boot process of the system.
      
      Introduce a common allocation routine selecting the to be called
      allocation routine dynamically based on the boot progress. This allows
      moving initialization steps without having to care about changing
      allocation calls.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: Make functions static
      
      Some functions in arch/x86/xen/p2m.c are used locally only. Make them
      static. Rearrange the functions in p2m.c to avoid forward declarations.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen: fix some style issues in p2m.c
      
      The source arch/x86/xen/p2m.c has some coding style issues. Fix them.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pci: Use APIC directly when APIC virtualization hardware is available
      
      When hardware supports APIC/x2APIC virtualization we don't need to use
      pirqs for MSI handling and instead use APIC since most APIC accesses
      (MMIO or MSR) will now be processed without VMEXITs.
      
      As an example, netperf on the original code produces this profile
      (collected wih 'xentrace -e 0x0008ffff -T 5'):
      
          342 cpu_change
          260 CPUID
        34638 HLT
        64067 INJ_VIRQ
        28374 INTR
        82733 INTR_WINDOW
           10 NPF
        24337 TRAP
       370610 vlapic_accept_pic_intr
       307528 VMENTRY
       307527 VMEXIT
       140998 VMMCALL
          127 wrap_buffer
      
      After applying this patch the same test shows
      
          230 cpu_change
          260 CPUID
        36542 HLT
          174 INJ_VIRQ
        27250 INTR
          222 INTR_WINDOW
           20 NPF
        24999 TRAP
       381812 vlapic_accept_pic_intr
       166480 VMENTRY
       166479 VMEXIT
        77208 VMMCALL
           81 wrap_buffer
      
      ApacheBench results (ab -n 10000 -c 200) improve by about 10%
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarAndrew Cooper <andrew.cooper3@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pci: Defer initialization of MSI ops on HVM guests
      
      If the hardware supports APIC virtualization we may decide not to use
      pirqs and instead use APIC/x2APIC directly, meaning that we don't want
      to set x86_msi.setup_msi_irqs and x86_msi.teardown_msi_irq to
      Xen-specific routines.  However, x2APIC is not set up by the time
      pci_xen_hvm_init() is called so we need to postpone setting these ops
      until later, when we know which APIC mode is used.
      
      (Note that currently x2APIC is never initialized on HVM guests. This
      may change in the future)
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Acked-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen-pciback: drop SR-IOV VFs when PF driver unloads
      
      When a PF driver unloads, it may find it necessary to leave the VFs
      around simply because of pciback having marked them as assigned to a
      guest. Utilize a suitable notification to let go of the VFs, thus
      allowing the PF to go back into the state it was before its driver
      loaded (which in particular allows the driver to be loaded again with
      it being able to create the VFs anew, but which also allows to then
      pass through the PF instead of the VFs).
      
      Don't do this however for any VFs currently in active use by a guest.
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      [v2: Removed the switch statement, moved it about]
      [v3: Redid it a bit differently]
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pciback: Restore configuration space when detaching from a guest.
      
      The commit "xen/pciback: Don't deadlock when unbinding." was using
      the version of pci_reset_function which would lock the device lock.
      That is no good as we can dead-lock. As such we swapped to using
      the lock-less version and requiring that the callers
      of 'pcistub_put_pci_dev' take the device lock. And as such
      this bug got exposed.
      
      Using the lock-less version is  OK, except that we tried to
      use 'pci_restore_state' after the lock-less version of
      __pci_reset_function_locked - which won't work as 'state_saved'
      is set to false. Said 'state_saved' is a toggle boolean that
      is to be used by the sequence of a) pci_save_state/pci_restore_state
      or b) pci_load_and_free_saved_state/pci_restore_state. We don't
      want to use a) as the guest might have messed up the PCI
      configuration space and we want it to revert to the state
      when the PCI device was binded to us. Therefore we pick
      b) to restore the configuration space.
      
      We restore from our 'golden' version of PCI configuration space, when an:
       - Device is unbinded from pciback
       - Device is detached from a guest.
      Reported-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      PCI: Expose pci_load_saved_state for public consumption.
      
      We have the pci_load_and_free_saved_state, and pci_store_saved_state
      but are missing the functionality to just load the state
      multiple times in the PCI device without having to free/save
      the state.
      
      This patch makes it possible to use this function.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pciback: Remove tons of dereferences
      
      A little cleanup. No functional difference.
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pciback: Print out the domain owning the device.
      
      We had been printing it only if the device was built with
      debug enabled. But this information is useful in the field
      to troubleshoot.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pciback: Include the domain id if removing the device whilst still in use
      
      Cleanup the function a bit - also include the id of the
      domain that is using the device.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      driver core: Provide an wrapper around the mutex to do lockdep warnings
      
      Instead of open-coding it in drivers that want to double check
      that their functions are indeed holding the device lock.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Suggested-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      xen/pciback: Don't deadlock when unbinding.
      
      As commit 0a9fd015
      'xen/pciback: Document the entry points for 'pcistub_put_pci_dev''
      explained there are four entry points in this function.
      Two of them are when the user fiddles in the SysFS to
      unbind a device which might be in use by a guest or not.
      
      Both 'unbind' states will cause a deadlock as the the PCI lock has
      already been taken, which then pci_device_reset tries to take.
      
      We can simplify this by requiring that all callers of
      pcistub_put_pci_dev MUST hold the device lock. And then
      we can just call the lockless version of pci_device_reset.
      
      To make it even simpler we will modify xen_pcibk_release_pci_dev
      to quality whether it should take a lock or not - as it ends
      up calling xen_pcibk_release_pci_dev and needs to hold the lock.
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      
      swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single
      
      Need to pass the pointer within the swiotlb internal buffer to the
      swiotlb library, that in the case of xen_unmap_single is dev_addr, not
      paddr.
      Signed-off-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      CC: stable@vger.kernel.org
      
      (cherry picked from commit dbdd7476
      4ef8e3f3
      2c3fc8d2)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      764a3524
    • Guenter Roeck's avatar
      next: sh: Fix compile error · a1e5cc97
      Guenter Roeck authored
      Commit 927609d6 ("kernel: tighten rules for ACCESS ONCE") results in a
      compile failure for sh builds with CONFIG_X2TLB enabled.
      
      arch/sh/mm/gup.c: In function 'gup_get_pte':
      arch/sh/mm/gup.c:20:2: error: invalid initializer
      make[1]: *** [arch/sh/mm/gup.o] Error 1
      
      Replace ACCESS_ONCE with READ_ONCE to fix the problem.
      
      Fixes: 927609d6 ("kernel: tighten rules for ACCESS ONCE")
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      
      (cherry picked from commit 378af02b)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a1e5cc97
    • Christian Borntraeger's avatar
      kernel: Fix sparse warning for ACCESS_ONCE · 4e3fb495
      Christian Borntraeger authored
      Commit 927609d6 ("kernel: tighten rules for ACCESS ONCE") results in
      sparse warnings like "Using plain integer as NULL pointer" - Let's add a
      type cast to the dummy assignment.
      To avoid warnings lik "sparse: warning: cast to restricted __hc32" we also
      use __force on that cast.
      
      Fixes: 927609d6 ("kernel: tighten rules for ACCESS ONCE")
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      
      (cherry picked from commit c5b19946)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4e3fb495
    • Christian Borntraeger's avatar
      kernel: Fix sparse warning for ACCESS_ONCE · 3d9479f9
      Christian Borntraeger authored
      Commit 927609d6 ("kernel: tighten rules for ACCESS ONCE") results in
      sparse warnings like "Using plain integer as NULL pointer" - Let's add a
      type cast to the dummy assignment.
      To avoid warnings lik "sparse: warning: cast to restricted __hc32" we also
      use __force on that cast.
      
      Fixes: 927609d6 ("kernel: tighten rules for ACCESS ONCE")
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      
      next: sh: Fix compile error
      
      Commit 927609d6 ("kernel: tighten rules for ACCESS ONCE") results in a
      compile failure for sh builds with CONFIG_X2TLB enabled.
      
      arch/sh/mm/gup.c: In function 'gup_get_pte':
      arch/sh/mm/gup.c:20:2: error: invalid initializer
      make[1]: *** [arch/sh/mm/gup.o] Error 1
      
      Replace ACCESS_ONCE with READ_ONCE to fix the problem.
      
      Fixes: 927609d6 ("kernel: tighten rules for ACCESS ONCE")
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      
      kernel: tighten rules for ACCESS ONCE
      
      Now that all non-scalar users of ACCESS_ONCE have been converted
      to READ_ONCE or ASSIGN once, lets tighten ACCESS_ONCE to only
      work on scalar types.
      This variant was proposed by Alexei Starovoitov.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      
      (cherry picked from commit c5b19946
      378af02b
      927609d6)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3d9479f9
    • Hector Marco-Gisbert's avatar
      x86, mm/ASLR: Fix stack randomization on 64-bit systems · 02d7840b
      Hector Marco-Gisbert authored
      The issue is that the stack for processes is not properly randomized on
      64 bit architectures due to an integer overflow.
      
      The affected function is randomize_stack_top() in file
      "fs/binfmt_elf.c":
      
        static unsigned long randomize_stack_top(unsigned long stack_top)
        {
                 unsigned int random_variable = 0;
      
                 if ((current->flags & PF_RANDOMIZE) &&
                         !(current->personality & ADDR_NO_RANDOMIZE)) {
                         random_variable = get_random_int() & STACK_RND_MASK;
                         random_variable <<= PAGE_SHIFT;
                 }
                 return PAGE_ALIGN(stack_top) + random_variable;
                 return PAGE_ALIGN(stack_top) - random_variable;
        }
      
      Note that, it declares the "random_variable" variable as "unsigned int".
      Since the result of the shifting operation between STACK_RND_MASK (which
      is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
      
      	  random_variable <<= PAGE_SHIFT;
      
      then the two leftmost bits are dropped when storing the result in the
      "random_variable". This variable shall be at least 34 bits long to hold
      the (22+12) result.
      
      These two dropped bits have an impact on the entropy of process stack.
      Concretely, the total stack entropy is reduced by four: from 2^28 to
      2^30 (One fourth of expected entropy).
      
      This patch restores back the entropy by correcting the types involved
      in the operations in the functions randomize_stack_top() and
      stack_maxrandom_size().
      
      The successful fix can be tested with:
      
        $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
        7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
        7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
        7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
        7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
        ...
      
      Once corrected, the leading bytes should be between 7ffc and 7fff,
      rather than always being 7fff.
      Signed-off-by: default avatarHector Marco-Gisbert <hecmargi@upv.es>
      Signed-off-by: default avatarIsmael Ripoll <iripoll@upv.es>
      [ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: <stable@vger.kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Fixes: CVE-2015-1593
      Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.netSigned-off-by: default avatarBorislav Petkov <bp@suse.de>
      
      (cherry picked from commit 4e7c22d4)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      02d7840b
    • Thadeu Lima de Souza Cascardo's avatar
      blk-throttle: check stats_cpu before reading it from sysfs · bc289b9a
      Thadeu Lima de Souza Cascardo authored
      When reading blkio.throttle.io_serviced in a recently created blkio
      cgroup, it's possible to race against the creation of a throttle policy,
      which delays the allocation of stats_cpu.
      
      Like other functions in the throttle code, just checking for a NULL
      stats_cpu prevents the following oops caused by that race.
      
      [ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020
      [ 1117.285252] Faulting instruction address: 0xc0000000003efa2c
      [ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1]
      [ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV
      [ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4
      [ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5
      [ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000
      [ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980
      [ 1137.734202] REGS: c000000f1d213500 TRAP: 0300   Not tainted  (3.19.0)
      [ 1137.734230] MSR: 9000000000009032 <SF,HV,EE,ME,IR,DR,RI>  CR: 42008884  XER: 20000000
      [ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0
      GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000
      GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000
      GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808
      GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000
      GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000
      GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80
      GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850
      [ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180
      [ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180
      [ 1137.734943] Call Trace:
      [ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable)
      [ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0
      [ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70
      [ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150
      [ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50
      [ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510
      [ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200
      [ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80
      [ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0
      [ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100
      [ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98
      [ 1137.735383] Instruction dump:
      [ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24
      [ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018
      
      And here is one code that allows to easily reproduce this, although this
      has first been found by running docker.
      
      void run(pid_t pid)
      {
      	int n;
      	int status;
      	int fd;
      	char *buffer;
      	buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE);
      	n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid);
      	fd = open(CGPATH "/test/tasks", O_WRONLY);
      	write(fd, buffer, n);
      	close(fd);
      	if (fork() > 0) {
      		fd = open("/dev/sda", O_RDONLY | O_DIRECT);
      		read(fd, buffer, 512);
      		close(fd);
      		wait(&status);
      	} else {
      		fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY);
      		n = read(fd, buffer, BUFFER_SIZE);
      		close(fd);
      	}
      	free(buffer);
      	exit(0);
      }
      
      void test(void)
      {
      	int status;
      	mkdir(CGPATH "/test", 0666);
      	if (fork() > 0)
      		wait(&status);
      	else
      		run(getpid());
      	rmdir(CGPATH "/test");
      }
      
      int main(int argc, char **argv)
      {
      	int i;
      	for (i = 0; i < NR_TESTS; i++)
      		test();
      	return 0;
      }
      Reported-by: default avatarRicardo Marin Matinata <rmm@br.ibm.com>
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      
      (cherry picked from commit 045c47ca)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bc289b9a
    • Chen Jie's avatar
      jffs2: fix handling of corrupted summary length · ccbdcbb9
      Chen Jie authored
      sm->offset maybe wrong but magic maybe right, the offset do not have CRC.
      
      Badness at c00c7580 [verbose debug info unavailable]
      NIP: c00c7580 LR: c00c718c CTR: 00000014
      REGS: df07bb40 TRAP: 0700   Not tainted  (2.6.34.13-WR4.3.0.0_standard)
      MSR: 00029000 <EE,ME,CE>  CR: 22084f84  XER: 00000000
      TASK = df84d6e0[908] 'mount' THREAD: df07a000
      GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041
      GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000
      GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0
      GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730
      NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638
      LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638
      Call Trace:
      [df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable)
      [df07bc90] [c00c7708] __get_free_pages+0x20/0x48
      [df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec
      [df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0
      [df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4
      [df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260
      [df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184
      [df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec
      [df07be20] [c033596c] get_sb_mtd+0x84/0x1e8
      [df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c
      [df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8
      [df07bea0] [c0103a58] do_kern_mount+0x40/0x100
      [df07bec0] [c011fe90] do_mount+0x240/0x890
      [df07bf10] [c0120570] sys_mount+0x90/0xd8
      [df07bf40] [c00110d8] ret_from_syscall+0x0/0x4
      
      === Exception: c01 at 0xff61a34
          LR = 0x100135f0
      Instruction dump:
      38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28
      3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001
      mount: mounting /dev/mtdblock3 on /common failed: Input/output error
      Signed-off-by: default avatarChen Jie <chenjie6@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      
      (cherry picked from commit 164c2406)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ccbdcbb9
    • Tomáš Hodek's avatar
      md/raid1: fix read balance when a drive is write-mostly. · 7401d6e3
      Tomáš Hodek authored
      When a drive is marked write-mostly it should only be the
      target of reads if there is no other option.
      
      This behaviour was broken by
      
      commit 9dedf603
          md/raid1: read balance chooses idlest disk for SSD
      
      which causes a write-mostly device to be *preferred* is some cases.
      
      Restore correct behaviour by checking and setting
      best_dist_disk and best_pending_disk rather than best_disk.
      
      We only need to test one of these as they are both changed
      from -1 or >=0 at the same time.
      
      As we leave min_pending and best_dist unchanged, any non-write-mostly
      device will appear better than the write-mostly device.
      Reported-by: default avatarTomáš Hodek <tomas.hodek@volny.cz>
      Reported-by: default avatarDark Penguin <darkpenguin@yandex.ru>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Link: http://marc.info/?l=linux-raid&m=135982797322422
      Fixes: 9dedf603
      Cc: stable@vger.kernel.org (3.6+)
      
      (cherry picked from commit d1901ef0)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7401d6e3
    • NeilBrown's avatar
      md/raid5: Fix livelock when array is both resyncing and degraded. · d1fb6ee2
      NeilBrown authored
      Commit a7854487:
        md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write.
      
      Causes an RCW cycle to be forced even when the array is degraded.
      A degraded array cannot support RCW as that requires reading all data
      blocks, and one may be missing.
      
      Forcing an RCW when it is not possible causes a live-lock and the code
      spins, repeatedly deciding to do something that cannot succeed.
      
      So change the condition to only force RCW on non-degraded arrays.
      Reported-by: default avatarManibalan P <pmanibalan@amiindia.co.in>
      Bisected-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
      Tested-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Fixes: a7854487
      Cc: stable@vger.kernel.org (v3.7+)
      
      (cherry picked from commit 26ac1073)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d1fb6ee2
    • Nicolas Saenz Julienne's avatar
      gpio: tps65912: fix wrong container_of arguments · 81bf896a
      Nicolas Saenz Julienne authored
      The gpio_chip operations receive a pointer the gpio_chip struct which is
      contained in the driver's private struct, yet the container_of call in those
      functions point to the mfd struct defined in include/linux/mfd/tps65912.h.
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarNicolas Saenz Julienne <nicolassaenzj@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      
      (cherry picked from commit 2f97c20e)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      81bf896a
    • Catalin Marinas's avatar
      arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian · 2f6ed8ad
      Catalin Marinas authored
      The native (64-bit) sigval_t union contains sival_int (32-bit) and
      sival_ptr (64-bit). When a compat application invokes a syscall that
      takes a sigval_t value (as part of a larger structure, e.g.
      compat_sys_mq_notify, compat_sys_timer_create), the compat_sigval_t
      union is converted to the native sigval_t with sival_int overlapping
      with either the least or the most significant half of sival_ptr,
      depending on endianness. When the corresponding signal is delivered to a
      compat application, on big endian the current (compat_uptr_t)sival_ptr
      cast always returns 0 since sival_int corresponds to the top part of
      sival_ptr. This patch fixes copy_siginfo_to_user32() so that sival_int
      is copied to the compat_siginfo_t structure.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarBamvor Jian Zhang <bamvor.zhangjian@huawei.com>
      Tested-by: default avatarBamvor Jian Zhang <bamvor.zhangjian@huawei.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      
      (cherry picked from commit 9d42d48a)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2f6ed8ad
    • Martin Vajnar's avatar
      hx4700: regulator: declare full constraints · 7801a4a6
      Martin Vajnar authored
      Since the removal of CONFIG_REGULATOR_DUMMY option, the touchscreen stopped
      working. This patch enables the "replacement" for REGULATOR_DUMMY and
      allows the touchscreen to work even though there is no regulator for "vcc".
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMartin Vajnar <martin.vajnar@gmail.com>
      Signed-off-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      
      (cherry picked from commit a52d2093)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7801a4a6
    • Jan Kara's avatar
      udf: Check length of extended attributes and allocation descriptors · 0d31b113
      Jan Kara authored
      Check length of extended attributes and allocation descriptors when
      loading inodes from disk. Otherwise corrupted filesystems could confuse
      the code and make the kernel oops.
      Reported-by: default avatarCarl Henrik Lunde <chlunde@ping.uio.no>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      
      (cherry picked from commit 23b133bd)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0d31b113
    • Jay Lan's avatar
      kdb: fix incorrect counts in KDB summary command output · 16301684
      Jay Lan authored
      The output of KDB 'summary' command should report MemTotal, MemFree
      and Buffers output in kB. Current codes report in unit of pages.
      
      A define of K(x) as
      is defined in the code, but not used.
      
      This patch would apply the define to convert the values to kB.
      Please include me on Cc on replies. I do not subscribe to linux-kernel.
      Signed-off-by: default avatarJay Lan <jlan@sgi.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJason Wessel <jason.wessel@windriver.com>
      
      (cherry picked from commit 14675592)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      16301684
    • Dmitry Eremin-Solenikov's avatar
      ARM: pxa: add regulator_has_full_constraints to poodle board file · 016e2467
      Dmitry Eremin-Solenikov authored
      Add regulator_has_full_constraints() call to poodle board file to let
      regulator core know that we do not have any additional regulators left.
      This lets it substitute unprovided regulators with dummy ones.
      
      This fixes the following warnings that can be seen on poodle if
      regulators are enabled:
      
      ads7846 spi1.0: unable to get regulator: -517
      spi spi1.0: Driver ads7846 requests probe deferral
      wm8731 0-001b: Failed to get supply 'AVDD': -517
      wm8731 0-001b: Failed to request supplies: -517
      wm8731 0-001b: ASoC: failed to probe component -517
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Acked-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      
      (cherry picked from commit 9bc78f32)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      016e2467
    • Dmitry Eremin-Solenikov's avatar
      ARM: pxa: add regulator_has_full_constraints to corgi board file · 857d9547
      Dmitry Eremin-Solenikov authored
      Add regulator_has_full_constraints() call to corgi board file to let
      regulator core know that we do not have any additional regulators left.
      This lets it substitute unprovided regulators with dummy ones.
      
      This fixes the following warnings that can be seen on corgi if
      regulators are enabled:
      
      ads7846 spi1.0: unable to get regulator: -517
      spi spi1.0: Driver ads7846 requests probe deferral
      wm8731 0-001b: Failed to get supply 'AVDD': -517
      wm8731 0-001b: Failed to request supplies: -517
      wm8731 0-001b: ASoC: failed to probe component -517
      corgi-audio corgi-audio: ASoC: failed to instantiate card -517
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Acked-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      
      (cherry picked from commit 271e8017)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      857d9547
    • Nicolas Pitre's avatar
      vt: provide notifications on selection changes · acacda61
      Nicolas Pitre authored
      The vcs device's poll/fasync support relies on the vt notifier to signal
      changes to the screen content.  Notifier invocations were missing for
      changes that comes through the selection interface though.  Fix that.
      
      Tested with BRLTTY 5.2.
      Signed-off-by: default avatarNicolas Pitre <nico@linaro.org>
      Cc: Dave Mielke <dave@mielke.cc>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      (cherry picked from commit 19e3ae6b)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      acacda61
    • Oliver Neukum's avatar
      cdc-acm: add sanity checks · 4128a2c4
      Oliver Neukum authored
      Check the special CDC headers for a plausible minimum length.
      Another big operating systems ignores such garbage.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarAdam Lee <adam8157@gmail.com>
      Tested-by: default avatarAdam Lee <adam8157@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      (cherry picked from commit 7e860a6e)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4128a2c4
    • Alan Stern's avatar
      USB: don't cancel queued resets when unbinding drivers · 7a370c88
      Alan Stern authored
      The USB stack provides a mechanism for drivers to request an
      asynchronous device reset (usb_queue_reset_device()).  The mechanism
      uses a work item (reset_ws) embedded in the usb_interface structure
      used by the driver, and the reset is carried out by a work queue
      routine.
      
      The asynchronous reset can race with driver unbinding.  When this
      happens, we try to cancel the queued reset before unbinding the
      driver, on the theory that the driver won't care about any resets once
      it is unbound.
      
      However, thanks to the fact that lockdep now tracks work queue
      accesses, this can provoke a lockdep warning in situations where the
      device reset causes another interface's driver to be unbound; see
      
      	http://marc.info/?l=linux-usb&m=141893165203776&w=2
      
      for an example.  The reason is that the work routine for reset_ws in
      one interface calls cancel_queued_work() for the reset_ws in another
      interface.  Lockdep thinks this might lead to a work routine trying to
      cancel itself.  The simplest solution is not to cancel queued resets
      when unbinding drivers.
      
      This means we now need to acquire a reference to the usb_interface
      when queuing a reset_ws work item and to drop the reference when the
      work routine finishes.  We also need to make sure that the
      usb_interface structure doesn't outlive its parent usb_device; this
      means acquiring and dropping a reference when the interface is created
      and destroyed.
      
      In addition, cancelling a queued reset can fail (if the device is in
      the middle of an earlier reset), and this can cause usb_reset_device()
      to try to rebind an interface that has been deallocated (see
      http://marc.info/?l=linux-usb&m=142175717016628&w=2 for details).
      Acquiring the extra references prevents this failure.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarRussell King - ARM Linux <linux@arm.linux.org.uk>
      Reported-by: default avatarOlivier Sobrie <olivier@sobrie.be>
      Tested-by: default avatarOlivier Sobrie <olivier@sobrie.be>
      Cc: stable <stable@vger.kernel.org> # 3.19
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      (cherry picked from commit 524134d4)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7a370c88
    • Sebastian Andrzej Siewior's avatar
      usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN · ff355a54
      Sebastian Andrzej Siewior authored
      the following error pops up during "testusb -a -t 10"
      | musb-hdrc musb-hdrc.1.auto: dma_pool_free buffer-128,	f134e000/be842000 (bad dma)
      hcd_buffer_create() creates a few buffers, the smallest has 32 bytes of
      size. ARCH_KMALLOC_MINALIGN is set to 64 bytes. This combo results in
      hcd_buffer_alloc() returning memory which is 32 bytes aligned and it
      might by identified by buffer_offset() as another buffer. This means the
      buffer which is on a 32 byte boundary will not get freed, instead it
      tries to free another buffer with the error message.
      
      This patch fixes the issue by creating the smallest DMA buffer with the
      size of ARCH_KMALLOC_MINALIGN (or 32 in case ARCH_KMALLOC_MINALIGN is
      smaller). This might be 32, 64 or even 128 bytes. The next three pools
      will have the size 128, 512 and 2048.
      In case the smallest pool is 128 bytes then we have only three pools
      instead of four (and zero the first entry in the array).
      The last pool size is always 2048 bytes which is the assumed PAGE_SIZE /
      2 of 4096. I doubt it makes sense to continue using PAGE_SIZE / 2 where
      we would end up with 8KiB buffer in case we have 16KiB pages.
      Instead I think it makes sense to have a common size(s) and extend them
      if there is need to.
      There is a BUILD_BUG_ON() now in case someone has a minalign of more than
      128 bytes.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      (cherry picked from commit 5efd2ea8)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ff355a54
    • Alan Stern's avatar
      USB: fix use-after-free bug in usb_hcd_unlink_urb() · 396a2711
      Alan Stern authored
      The usb_hcd_unlink_urb() routine in hcd.c contains two possible
      use-after-free errors.  The dev_dbg() statement at the end of the
      routine dereferences urb and urb->dev even though both structures may
      have been deallocated.
      
      This patch fixes the problem by storing urb->dev in a local variable
      (avoiding the dereference of urb) and moving the dev_dbg() up before
      the usb_put_dev() call.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Tested-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <greg@kroah.com>
      
      (cherry picked from commit c9919790)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      396a2711
    • Lennart Sorensen's avatar
      USB: cp210x: add ID for RUGGEDCOM USB Serial Console · e8385377
      Lennart Sorensen authored
      Added the USB serial console device ID for Siemens Ruggedcom devices
      which have a USB port for their serial console.
      Signed-off-by: default avatarLen Sorensen <lsorense@csclub.uwaterloo.ca>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      
      (cherry picked from commit a6f03312)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e8385377
    • Peter Hurley's avatar
      tty: Prevent untrappable signals from malicious program · d9d9a0e2
      Peter Hurley authored
      Commit 26df6d13 ("tty: Add EXTPROC support for LINEMODE")
      allows a process which has opened a pty master to send _any_ signal
      to the process group of the pty slave. Although potentially
      exploitable by a malicious program running a setuid program on
      a pty slave, it's unknown if this exploit currently exists.
      
      Limit to signals actually used.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Howard Chu <hyc@symas.com>
      Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Cc: <stable@vger.kernel.org> # 2.6.36+
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      (cherry picked from commit 37480a05)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d9d9a0e2
    • Matthew Wilcox's avatar
      axonram: Fix bug in direct_access · cac8ab78
      Matthew Wilcox authored
      The 'pfn' returned by axonram was completely bogus, and has been since
      2008.
      Signed-off-by: default avatarMatthew Wilcox <matthew.r.wilcox@intel.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      
      (cherry picked from commit 91117a20)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      cac8ab78
    • Paul Moore's avatar
      cipso: don't use IPCB() to locate the CIPSO IP option · a6c4b98b
      Paul Moore authored
      Using the IPCB() macro to get the IPv4 options is convenient, but
      unfortunately NetLabel often needs to examine the CIPSO option outside
      of the scope of the IP layer in the stack.  While historically IPCB()
      worked above the IP layer, due to the inclusion of the inet_skb_param
      struct at the head of the {tcp,udp}_skb_cb structs, recent commit
      971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
      reordered the tcp_skb_cb struct and invalidated this IPCB() trick.
      
      This patch fixes the problem by creating a new function,
      cipso_v4_optptr(), which locates the CIPSO option inside the IP header
      without calling IPCB().  Unfortunately, this isn't as fast as a simple
      lookup so some additional tweaks were made to limit the use of this
      new function.
      
      Cc: <stable@vger.kernel.org> # 3.18
      Reported-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      
      (cherry picked from commit 04f81f01)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a6c4b98b
    • Jeff Moyer's avatar
      cfq-iosched: fix incorrect filing of rt async cfqq · b111d408
      Jeff Moyer authored
      Hi,
      
      If you can manage to submit an async write as the first async I/O from
      the context of a process with realtime scheduling priority, then a
      cfq_queue is allocated, but filed into the wrong async_cfqq bucket.  It
      ends up in the best effort array, but actually has realtime I/O
      scheduling priority set in cfqq->ioprio.
      
      The reason is that cfq_get_queue assumes the default scheduling class and
      priority when there is no information present (i.e. when the async cfqq
      is created):
      
      static struct cfq_queue *
      cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic,
      	      struct bio *bio, gfp_t gfp_mask)
      {
      	const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
      	const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
      
      cic->ioprio starts out as 0, which is "invalid".  So, class of 0
      (IOPRIO_CLASS_NONE) is passed to cfq_async_queue_prio like so:
      
      		async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio);
      
      static struct cfq_queue **
      cfq_async_queue_prio(struct cfq_data *cfqd, int ioprio_class, int ioprio)
      {
              switch (ioprio_class) {
              case IOPRIO_CLASS_RT:
                      return &cfqd->async_cfqq[0][ioprio];
              case IOPRIO_CLASS_NONE:
                      ioprio = IOPRIO_NORM;
                      /* fall through */
              case IOPRIO_CLASS_BE:
                      return &cfqd->async_cfqq[1][ioprio];
              case IOPRIO_CLASS_IDLE:
                      return &cfqd->async_idle_cfqq;
              default:
                      BUG();
              }
      }
      
      Here, instead of returning a class mapped from the process' scheduling
      priority, we get back the bucket associated with IOPRIO_CLASS_BE.
      
      Now, there is no queue allocated there yet, so we create it:
      
      		cfqq = cfq_find_alloc_queue(cfqd, is_sync, cic, bio, gfp_mask);
      
      That function ends up doing this:
      
      			cfq_init_cfqq(cfqd, cfqq, current->pid, is_sync);
      			cfq_init_prio_data(cfqq, cic);
      
      cfq_init_cfqq marks the priority as having changed.  Then, cfq_init_prio
      data does this:
      
      	ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
      	switch (ioprio_class) {
      	default:
      		printk(KERN_ERR "cfq: bad prio %x\n", ioprio_class);
      	case IOPRIO_CLASS_NONE:
      		/*
      		 * no prio set, inherit CPU scheduling settings
      		 */
      		cfqq->ioprio = task_nice_ioprio(tsk);
      		cfqq->ioprio_class = task_nice_ioclass(tsk);
      		break;
      
      So we basically have two code paths that treat IOPRIO_CLASS_NONE
      differently, which results in an RT async cfqq filed into a best effort
      bucket.
      
      Attached is a patch which fixes the problem.  I'm not sure how to make
      it cleaner.  Suggestions would be welcome.
      Signed-off-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Tested-by: default avatarHidehiro Kawai <hidehiro.kawai.ez@hitachi.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      
      (cherry picked from commit c6ce1943)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b111d408
    • Konstantin Khlebnikov's avatar
      cfq-iosched: handle failure of cfq group allocation · 4acc465c
      Konstantin Khlebnikov authored
      Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC.
      In cfq_find_alloc_queue() possible allocation failure is not handled.
      As a result kernel oopses on NULL pointer dereference when
      cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer.
      
      Bug was introduced in v3.5 in commit cd1604fa ("blkcg: factor
      out blkio_group creation"). Prior to that commit cfq group lookup
      had returned pointer to root group as fallback.
      
      This patch handles this error using existing fallback oom_cfqq.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      Fixes: cd1604fa ("blkcg: factor out blkio_group creation")
      Cc: stable@kernel.org
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      
      (cherry picked from commit 69abaffe)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4acc465c
    • Nicholas Bellinger's avatar
      iscsi-target: Drop problematic active_ts_list usage · 2b5d8f41
      Nicholas Bellinger authored
      This patch drops legacy active_ts_list usage within iscsi_target_tq.c
      code.  It was originally used to track the active thread sets during
      iscsi-target shutdown, and is no longer used by modern upstream code.
      
      Two people have reported list corruption using traditional iscsi-target
      and iser-target with the following backtrace, that appears to be related
      to iscsi_thread_set->ts_list being used across both active_ts_list and
      inactive_ts_list.
      
      [   60.782534] ------------[ cut here ]------------
      [   60.782543] WARNING: CPU: 0 PID: 9430 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0()
      [   60.782545] list_del corruption, ffff88045b00d180->next is LIST_POISON1 (dead000000100100)
      [   60.782546] Modules linked in: ib_srpt tcm_qla2xxx qla2xxx tcm_loop tcm_fc libfc scsi_transport_fc scsi_tgt ib_isert rdma_cm iw_cm ib_addr iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables bridge stp llc autofs4 sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ib_ipoib ib_cm ib_uverbs ib_umad mlx4_en mlx4_ib ib_sa ib_mad ib_core mlx4_core dm_mirror dm_region_hash dm_log dm_mod vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support microcode serio_raw pcspkr sb_edac edac_core sg i2c_i801 lpc_ich mfd_core mtip32xx igb i2c_algo_bit i2c_core ptp pps_core ioatdma dca wmi ext3(F) jbd(F) mbcache(F) sd_mod(F) crc_t10dif(F) crct10dif_common(F) ahci(F) libahci(F) isci(F) libsas(F) scsi_transport_sas(F) [last unloaded: speedstep_lib]
      [   60.782597] CPU: 0 PID: 9430 Comm: iscsi_ttx Tainted: GF 3.12.19+ #2
      [   60.782598] Hardware name: Supermicro X9DRX+-F/X9DRX+-F, BIOS 3.00 07/09/2013
      [   60.782599]  0000000000000035 ffff88044de31d08 ffffffff81553ae7 0000000000000035
      [   60.782602]  ffff88044de31d58 ffff88044de31d48 ffffffff8104d1cc 0000000000000002
      [   60.782605]  ffff88045b00d180 ffff88045b00d0c0 ffff88045b00d0c0 ffff88044de31e58
      [   60.782607] Call Trace:
      [   60.782611]  [<ffffffff81553ae7>] dump_stack+0x49/0x62
      [   60.782615]  [<ffffffff8104d1cc>] warn_slowpath_common+0x8c/0xc0
      [   60.782618]  [<ffffffff8104d2b6>] warn_slowpath_fmt+0x46/0x50
      [   60.782620]  [<ffffffff81280933>] __list_del_entry+0x63/0xd0
      [   60.782622]  [<ffffffff812809b1>] list_del+0x11/0x40
      [   60.782630]  [<ffffffffa06e7cf9>] iscsi_del_ts_from_active_list+0x29/0x50 [iscsi_target_mod]
      [   60.782635]  [<ffffffffa06e87b1>] iscsi_tx_thread_pre_handler+0xa1/0x180 [iscsi_target_mod]
      [   60.782642]  [<ffffffffa06fb9ae>] iscsi_target_tx_thread+0x4e/0x220 [iscsi_target_mod]
      [   60.782647]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
      [   60.782652]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
      [   60.782655]  [<ffffffff8106f99e>] kthread+0xce/0xe0
      [   60.782657]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
      [   60.782660]  [<ffffffff8156026c>] ret_from_fork+0x7c/0xb0
      [   60.782662]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
      [   60.782663] ---[ end trace 9662f4a661d33965 ]---
      
      Since this code is no longer used, go ahead and drop the problematic usage
      all-together.
      Reported-by: default avatarGavin Guo <gavin.guo@canonical.com>
      Reported-by: default avatarMoussa Ba <moussaba@micron.com>
      Cc: stable@vger.kernel.org # 3.1+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      
      (cherry picked from commit 3fd7b60f)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2b5d8f41
    • Trond Myklebust's avatar
      NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args · 478143a0
      Trond Myklebust authored
      If the call to decode_rc_list() fails due to a memory allocation error,
      then we need to truncate the array size to ensure that we only call
      kfree() on those pointer that were allocated.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Fixes: 4aece6a1 ("nfs41: cb_sequence xdr implementation")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      
      (cherry picked from commit d8ba1f97)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      478143a0
    • honclo's avatar
      Added Little Endian support to vtpm module · 097dbc6b
      honclo authored
      The tpm_ibmvtpm module is affected by an unaligned access problem.
      ibmvtpm_crq_get_version failed with rc=-4 during boot when vTPM is
      enabled in Power partition, which supports both little endian and
      big endian modes.
      
      We added little endian support to fix this problem:
      1) added cpu_to_be64 calls to ensure BE data is sent from an LE OS.
      2) added be16_to_cpu and be32_to_cpu calls to make sure data received
         is in LE format on a LE OS.
      Signed-off-by: default avatarHon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
      Signed-off-by: default avatarJoy Latten <jmlatten@linux.vnet.ibm.com>
      Cc: <stable@vger.kernel.org>
      [phuewe: manually applied the patch :( ]
      Reviewed-by: default avatarAshley Lai <ashley@ahsleylai.com>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      
      (cherry picked from commit eb71f8a5)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      097dbc6b
    • Hon Ching (Vicky) Lo's avatar
      tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma · 9625e371
      Hon Ching (Vicky) Lo authored
      There was an oops in tpm_ibmvtpm_get_desired_dma, which caused
      kernel panic during boot when vTPM is enabled in Power partition
      configured in AMS mode.
      
      vio_bus_probe calls vio_cmo_bus_probe which calls
      tpm_ibmvtpm_get_desired_dma to get the size needed for DMA allocation.
      The problem is, vio_cmo_bus_probe is called before calling probe, which
      for vtpm is tpm_ibmvtpm_probe and it's this function that initializes
      and sets up vtpm's CRQ and gets required data values.  Therefore,
      since this has not yet been done, NULL is returned in attempt to get
      the size for DMA allocation.
      
      We added a NULL check.  In addition, a default buffer size will
      be set when NULL is returned.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      
      (cherry picked from commit 84eb186b)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9625e371
    • Scot Doyle's avatar
      tpm_tis: verify interrupt during init · 28a080ce
      Scot Doyle authored
      Some machines, such as the Acer C720 and Toshiba CB35, have TPMs that do
      not send IRQs while also having an ACPI TPM entry indicating that they
      will be sent. These machines freeze on resume while the tpm_tis module
      waits for an IRQ, eventually timing out.
      
      When in interrupt mode, the tpm_tis module should receive an IRQ during
      module init. Fall back to polling mode if none is received when expected.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarScot Doyle <lkml14@scotdoyle.com>
      Tested-by: default avatarMichael Mullin <masmullin@gmail.com>
      Reviewed-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      [phuewe: minor checkpatch fixed]
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      
      (cherry picked from commit 448e9c55)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      28a080ce
    • Dmitry Eremin-Solenikov's avatar
      ARM: 8284/1: sa1100: clear RCSR_SMR on resume · d2ce5716
      Dmitry Eremin-Solenikov authored
      StrongARM core uses RCSR SMR bit to tell to bootloader that it was reset
      by entering the sleep mode. After we have resumed, there is little point
      in having that bit enabled. Moreover, if this bit is set before reboot,
      the bootloader can become confused. Thus clear the SMR bit on resume
      just before clearing the scratchpad (resume address) register.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      
      (cherry picked from commit e461894d)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d2ce5716
    • Vikram Mulukutla's avatar
      tracing: Fix unmapping loop in tracing_mark_write · 699afa12
      Vikram Mulukutla authored
      Commit 6edb2a8a introduced
      an array map_pages that contains the addresses returned by
      kmap_atomic. However, when unmapping those pages, map_pages[0]
      is unmapped before map_pages[1], breaking the nesting requirement
      as specified in the documentation for kmap_atomic/kunmap_atomic.
      
      This was caught by the highmem debug code present in kunmap_atomic.
      Fix the loop to do the unmapping properly.
      
      Link: http://lkml.kernel.org/r/1418871056-6614-1-git-send-email-markivx@codeaurora.org
      
      Cc: stable@vger.kernel.org # 3.5+
      Reviewed-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Reported-by: default avatarLime Yang <limey@codeaurora.org>
      Signed-off-by: default avatarVikram Mulukutla <markivx@codeaurora.org>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      
      (cherry picked from commit 7215853e)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      699afa12
    • James Hogan's avatar
      MIPS: Export MSA functions used by lose_fpu(1) for KVM · 47d8c15e
      James Hogan authored
      Export the _save_msa asm function used by the lose_fpu(1) macro to GPL
      modules so that KVM can make use of it when it is built as a module.
      
      This fixes the following build error when CONFIG_KVM=m and
      CONFIG_CPU_HAS_MSA=y due to commit f798217d ("KVM: MIPS: Don't leak
      FPU/DSP to guest"):
      
      ERROR: "_save_msa" [arch/mips/kvm/kvm.ko] undefined!
      
      Fixes: f798217d (KVM: MIPS: Don't leak FPU/DSP to guest)
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: Gleb Natapov <gleb@kernel.org>
      Cc: kvm@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.15+
      Patchwork: https://patchwork.linux-mips.org/patch/9261/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      
      (cherry picked from commit ca5d2564)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      47d8c15e
    • James Hogan's avatar
      MIPS: Export FP functions used by lose_fpu(1) for KVM · dc9871e7
      James Hogan authored
      Export the _save_fp asm function used by the lose_fpu(1) macro to GPL
      modules so that KVM can make use of it when it is built as a module.
      
      This fixes the following build error when CONFIG_KVM=m due to commit
      f798217d ("KVM: MIPS: Don't leak FPU/DSP to guest"):
      
      ERROR: "_save_fp" [arch/mips/kvm/kvm.ko] undefined!
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Fixes: f798217d (KVM: MIPS: Don't leak FPU/DSP to guest)
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: Gleb Natapov <gleb@kernel.org>
      Cc: kvm@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.10+
      Patchwork: https://patchwork.linux-mips.org/patch/9260/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      
      (cherry picked from commit 3ce465e0)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      dc9871e7
    • Trond Myklebust's avatar
      NFS: struct nfs_commit_info.lock must always point to inode->i_lock · aa547301
      Trond Myklebust authored
      Commit 411a99ad (nfs: clear_request_commit while holding i_lock)
      assumes that the nfs_commit_info always points to the inode->i_lock.
      For historical reasons, that is not the case for O_DIRECT writes.
      
      Cc: Weston Andros Adamson <dros@primarydata.com>
      Fixes: 411a99ad ("nfs: clear_request_commit while holding i_lock")
      Cc: stable@vger.kernel.org # 3.17.x
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      
      (cherry picked from commit f4086a3d)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aa547301
    • Krzysztof Kozlowski's avatar
      power_supply: 88pm860x: Fix leaked power supply on probe fail · 6f65afc3
      Krzysztof Kozlowski authored
      Driver forgot to unregister power supply if request_threaded_irq()
      failed in probe(). In such case the memory associated with power supply
      leaked.
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Fixes: a830d28b ("power_supply: Enable battery-charger for 88pm860x")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      
      (cherry picked from commit 24727b45)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6f65afc3
    • Adrian Knoth's avatar
      ALSA: hdspm - Constrain periods to 2 on older cards · 7445c35c
      Adrian Knoth authored
      RME RayDAT and AIO use a fixed buffer size of 16384 samples. With period
      sizes of 32-4096, this translates to 4-512 periods.
      
      The older RME cards have a variable buffer size but require exactly two
      periods.
      
      This patch enforces nperiods=2 on those cards.
      Signed-off-by: default avatarAdrian Knoth <adi@drcomp.erfurt.thur.de>
      Cc: <stable@vger.kernel.org> # 2.6.39+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      
      (cherry picked from commit f0153c3d)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7445c35c
    • Dan Carpenter's avatar
      ALSA: off by one bug in snd_riptide_joystick_probe() · c31056ec
      Dan Carpenter authored
      The problem here is that we check:
      
      	if (dev >= SNDRV_CARDS)
      
      Then we increment "dev".
      
             if (!joystick_port[dev++])
      
      Then we use it as an offset into a array with SNDRV_CARDS elements.
      
      	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
      
      This has 3 effects:
      1) If you use the module option to specify the joystick port then it has
         to be shifted one space over.
      2) The wrong error message will be printed on failure if you have over
         32 cards.
      3) Static checkers will correctly complain that are off by one.
      
      Fixes: db1005ec ('ALSA: riptide - Fix joystick resource handling')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      
      (cherry picked from commit e4940626)
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c31056ec