1. 14 Dec, 2014 40 commits
    • Stefan Richter's avatar
      firewire: cdev: prevent kernel stack leaking into ioctl arguments · adfa08f5
      Stefan Richter authored
      commit eaca2d8e upstream.
      
      Found by the UC-KLEE tool:  A user could supply less input to
      firewire-cdev ioctls than write- or write/read-type ioctl handlers
      expect.  The handlers used data from uninitialized kernel stack then.
      
      This could partially leak back to the user if the kernel subsequently
      generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
      which notably would contain the _u64 closure field which many of the
      ioctl argument structures contain.
      
      The fact that the handlers would act on random garbage input is a
      lesser issue since all handlers must check their input anyway.
      
      The fix simply always null-initializes the entire ioctl argument buffer
      regardless of the actual length of expected user input.  That is, a
      runtime overhead of memset(..., 40) is added to each firewirew-cdev
      ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
      most likely to be already in the cache.]
      
      Remarks:
        - There was never any leak from kernel stack to the ioctl output
          buffer itself.  IOW, it was not possible to read kernel stack by a
          read-type or write/read-type ioctl alone; the leak could at most
          happen in combination with read()ing subsequent event data.
        - The actual expected minimum user input of each ioctl from
          include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      adfa08f5
    • Fabio Estevam's avatar
      ASoC: sgtl5000: Fix SMALL_POP bit definition · 0718a802
      Fabio Estevam authored
      commit c251ea7b upstream.
      
      On a mx28evk with a sgtl5000 codec we notice a loud 'click' sound  to happen
      5 seconds after the end of a playback.
      
      The SMALL_POP bit should fix this, but its definition is incorrect:
      according to the sgtl5000 manual it is bit 0 of CHIP_REF_CTRL register, not
      bit 1.
      
      Fix the definition accordingly and enable the bit as intended per the code
      comment.
      
      After applying this change, no loud 'click' sound is heard after playback
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0718a802
    • Ilya Dryomov's avatar
      libceph: do not crash on large auth tickets · 42fdf7a1
      Ilya Dryomov authored
      commit aaef3170 upstream.
      
      Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
      tickets will have their buffers vmalloc'ed, which leads to the
      following crash in crypto:
      
      [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
      [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.686032] PGD 0
      [   28.688088] Oops: 0000 [#1] PREEMPT SMP
      [   28.688088] Modules linked in:
      [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
      [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [   28.688088] Workqueue: ceph-msgr con_work
      [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
      [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
      [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
      [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
      [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
      [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
      [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
      [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
      [   28.688088] Stack:
      [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
      [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
      [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
      [   28.688088] Call Trace:
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
      [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
      [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
      [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
      [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
      [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
      [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
      [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
      [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
      [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
      [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
      [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
      [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
      [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
      [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
      
      This is because we set up crypto scatterlists as if all buffers were
      kmalloc'ed.  Fix it.
      Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42fdf7a1
    • Stanislaw Gruszka's avatar
      rt2x00: do not align payload on modern H/W · f8ddde5a
      Stanislaw Gruszka authored
      commit cfd9167a upstream.
      
      RT2800 and newer hardware require padding between header and payload if
      header length is not multiple of 4.
      
      For historical reasons we also align payload to to 4 bytes boundary, but
      such alignment is not needed on modern H/W.
      
      Patch fixes skb_under_panic problems reported from time to time:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=84911
      https://bugzilla.kernel.org/show_bug.cgi?id=72471
      http://marc.info/?l=linux-wireless&m=139108549530402&w=2
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591
      
      Panic happened because we eat 4 bytes of skb headroom on each
      (re)transmission when sending frame without the payload and the header
      length not being multiple of 4 (i.e. QoS header has 26 bytes). On such
      case because paylad_aling=2 is bigger than header_align=0 we increase
      header_align by 4 bytes. To prevent that we could change the check to:
      
      	if (payload_length && payload_align > header_align)
      		header_align += 4;
      
      but not aligning payload at all is more effective and alignment is not
      really needed by H/W (that has been tested on OpenWrt project for few
      years now).
      Reported-and-tested-by: default avatarAntti S. Lankila <alankila@bel.fi>
      Debugged-by: default avatarAntti S. Lankila <alankila@bel.fi>
      Reported-by: default avatarHenrik Asp <solenskiner@gmail.com>
      Originally-From: Helmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f8ddde5a
    • Miklos Szeredi's avatar
      audit: keep inode pinned · 51a8f21b
      Miklos Szeredi authored
      commit 799b6014 upstream.
      
      Audit rules disappear when an inode they watch is evicted from the cache.
      This is likely not what we want.
      
      The guilty commit is "fsnotify: allow marks to not pin inodes in core",
      which didn't take into account that audit_tree adds watches with a zero
      mask.
      
      Adding any mask should fix this.
      
      Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51a8f21b
    • Christoph Hellwig's avatar
      scsi: only re-lock door after EH on devices that were reset · cfc515ec
      Christoph Hellwig authored
      commit 48379270 upstream.
      
      Setups that use the blk-mq I/O path can lock up if a host with a single
      device that has its door locked enters EH.  Make sure to only send the
      command to re-lock the door to devices that actually were reset and thus
      might have lost their state.  Otherwise the EH code might be get blocked
      on blk_get_request as all requests for non-reset devices might be in use.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Tested-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cfc515ec
    • Preston Fick's avatar
      USB: serial: cp210x: add IDs for CEL MeshConnect USB Stick · 8c952daa
      Preston Fick authored
      commit ffcfe30e upstream.
      Signed-off-by: default avatarPreston Fick <pffick@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8c952daa
    • Pali Rohár's avatar
      Input: alps - allow up to 2 invalid packets without resetting device · b4c57768
      Pali Rohár authored
      commit 9d720b34 upstream.
      
      On some Dell Latitude laptops ALPS device or Dell EC send one invalid byte
      in 6 bytes ALPS packet. In this case psmouse driver enter out of sync
      state. It looks like that all other bytes in packets are valid and also
      device working properly. So there is no need to do full device reset, just
      need to wait for byte which match condition for first byte (start of
      packet). Because ALPS packets are bigger (6 or 8 bytes) default limit is
      small.
      
      This patch increase number of invalid bytes to size of 2 ALPS packets which
      psmouse driver can drop before do full reset.
      
      Resetting ALPS devices take some time and when doing reset on some Dell
      laptops touchpad, trackstick and also keyboard do not respond. So it is
      better to do it only if really necessary.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b4c57768
    • Pali Rohár's avatar
      Input: alps - ignore potential bare packets when device is out of sync · 6c952f13
      Pali Rohár authored
      commit 4ab8f7f3 upstream.
      
      5th and 6th byte of ALPS trackstick V3 protocol match condition for first
      byte of PS/2 3 bytes packet. When driver enters out of sync state and ALPS
      trackstick is sending data then driver match 5th, 6th and next 1st bytes as
      PS/2.
      
      It basically means if user is using trackstick when driver is in out of
      sync state driver will never resync. Processing these bytes as 3 bytes PS/2
      data cause total mess (random cursor movements, random clicks) and make
      trackstick unusable until psmouse driver decide to do full device reset.
      
      Lot of users reported problems with ALPS devices on Dell Latitude E6440,
      E6540 and E7440 laptops. ALPS device or Dell EC for unknown reason send
      some invalid ALPS PS/2 bytes which cause driver out of sync. It looks like
      that i8042 and psmouse/alps driver always receive group of 6 bytes packets
      so there are no missing bytes and no bytes were inserted between valid
      ones.
      
      This patch does not fix root of problem with ALPS devices found in Dell
      Latitude laptops but it does not allow to process some (invalid)
      subsequence of 6 bytes ALPS packets as 3 bytes PS/2 when driver is out of
      sync.
      
      So with this patch trackstick input device does not report bogus data when
      also driver is out of sync, so trackstick should be usable on those
      machines.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6c952f13
    • Thor Thayer's avatar
      spi: dw: Fix dynamic speed change. · 656378a5
      Thor Thayer authored
      commit 0a8727e6 upstream.
      
      An IOCTL call that calls spi_setup() and then dw_spi_setup() will
      overwrite the persisted last transfer speed. On each transfer, the
      SPI speed is compared to the last transfer speed to determine if the
      clock divider registers need to be updated (did the speed change?).
      This bug was observed with the spidev driver using spi-config to
      update the max transfer speed.
      
      This fix: Don't overwrite the persisted last transaction clock speed
      when updating the SPI parameters in dw_spi_setup(). On the next
      transaction, the new speed won't match the persisted last speed
      and the hardware registers will be updated.
      On initialization, the persisted last transaction clock
      speed will be 0 but will be updated after the first SPI
      transaction.
      
      Move zeroed clock divider check into clock change test because
      chip->clk_div is zero on startup and would cause a divide-by-zero
      error. The calculation was wrong as well (can't support odd #).
      Reported-by: default avatarVlastimil Setka <setka@vsis.cz>
      Signed-off-by: default avatarVlastimil Setka <setka@vsis.cz>
      Signed-off-by: default avatarThor Thayer <tthayer@opensource.altera.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      656378a5
    • Imre Deak's avatar
      tty/vt: don't set font mappings on vc not supporting this · 2e0f55ea
      Imre Deak authored
      commit 9e326f78 upstream.
      
      We can call this function for a dummy console that doesn't support
      setting the font mapping, which will result in a null ptr BUG. So check
      for this case and return error for consoles w/o font mapping support.
      
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=59321Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: this function doesn't take a lock, so doesn't
       need to unlock on error]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2e0f55ea
    • Peter Hurley's avatar
      tty: Fix high cpu load if tty is unreleaseable · 069347b2
      Peter Hurley authored
      commit 37b16457 upstream.
      
      Kernel oops can cause the tty to be unreleaseable (for example, if
      n_tty_read() crashes while on the read_wait queue). This will cause
      tty_release() to endlessly loop without sleeping.
      
      Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
      [0, 120 secs.) and then jumps to forever (but still killable).
      
      NB: killable just allows for the task to be rewoken manually, not
      to be terminated.
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      069347b2
    • Peter Hurley's avatar
      serial: Fix divide-by-zero fault in uart_get_divisor() · 2eb38b76
      Peter Hurley authored
      commit 547039ec upstream.
      
      uart_get_baud_rate() will return baud == 0 if the max rate is set
      to the "magic" 38400 rate and the SPD_* flags are also specified.
      On the first iteration, if the current baud rate is higher than the
      max, the baud rate is clamped at the max (which in the degenerate
      case is 38400). On the second iteration, the now-"magic" 38400 baud
      rate selects the possibly higher alternate baud rate indicated by
      the SPD_* flag. Since only two loop iterations are performed, the
      loop is exited, a kernel WARNING is generated and a baud rate of
      0 is returned.
      
      Reproducible with:
       setserial /dev/ttyS0 spd_hi base_baud 38400
      
      Only perform the "magic" 38400 -> SPD_* baud transform on the first
      loop iteration, which prevents the degenerate case from recognizing
      the clamped baud rate as the "magic" 38400 value.
      Reported-by: default avatarRobert Święcki <robert@swiecki.net>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2eb38b76
    • Johan Hovold's avatar
      USB: cdc-acm: only raise DTR on transitions from B0 · ae11f62a
      Johan Hovold authored
      commit 4473d054 upstream.
      
      Make sure to only raise DTR on transitions from B0 in set_termios.
      
      Also allow set_termios to be called from open with a termios_old of
      NULL. Note that DTR will not be raised prematurely in this case.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae11f62a
    • Lars-Peter Clausen's avatar
      staging:iio:ade7758: Remove "raw" from channel name · b05ff47c
      Lars-Peter Clausen authored
      commit b598aacc upstream.
      
      "raw" is a property of a channel, but should not be part of the name of
      channel.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.2: using IIO_CHAN() macro to initialise the structures]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b05ff47c
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix device_del() sysfs warnings at disconnect · f61457d8
      Takashi Iwai authored
      commit 0725dda2 upstream.
      
      Some USB-audio devices show weird sysfs warnings at disconnecting the
      devices, e.g.
       usb 1-3: USB disconnect, device number 3
       ------------[ cut here ]------------
       WARNING: CPU: 0 PID: 973 at fs/sysfs/group.c:216 device_del+0x39/0x180()
       sysfs group ffffffff8183df40 not found for kobject 'midiC1D0'
       Call Trace:
        [<ffffffff814a3e38>] ? dump_stack+0x49/0x71
        [<ffffffff8103cb72>] ? warn_slowpath_common+0x82/0xb0
        [<ffffffff8103cc55>] ? warn_slowpath_fmt+0x45/0x50
        [<ffffffff813521e9>] ? device_del+0x39/0x180
        [<ffffffff81352339>] ? device_unregister+0x9/0x20
        [<ffffffff81352384>] ? device_destroy+0x34/0x40
        [<ffffffffa00ba29f>] ? snd_unregister_device+0x7f/0xd0 [snd]
        [<ffffffffa025124e>] ? snd_rawmidi_dev_disconnect+0xce/0x100 [snd_rawmidi]
        [<ffffffffa00c0192>] ? snd_device_disconnect+0x62/0x90 [snd]
        [<ffffffffa00c025c>] ? snd_device_disconnect_all+0x3c/0x60 [snd]
        [<ffffffffa00bb574>] ? snd_card_disconnect+0x124/0x1a0 [snd]
        [<ffffffffa02e54e8>] ? usb_audio_disconnect+0x88/0x1c0 [snd_usb_audio]
        [<ffffffffa015260e>] ? usb_unbind_interface+0x5e/0x1b0 [usbcore]
        [<ffffffff813553e9>] ? __device_release_driver+0x79/0xf0
        [<ffffffff81355485>] ? device_release_driver+0x25/0x40
        [<ffffffff81354e11>] ? bus_remove_device+0xf1/0x130
        [<ffffffff813522b9>] ? device_del+0x109/0x180
        [<ffffffffa01501d5>] ? usb_disable_device+0x95/0x1f0 [usbcore]
        [<ffffffffa014634f>] ? usb_disconnect+0x8f/0x190 [usbcore]
        [<ffffffffa0149179>] ? hub_thread+0x539/0x13a0 [usbcore]
        [<ffffffff810669f5>] ? sched_clock_local+0x15/0x80
        [<ffffffff81066c98>] ? sched_clock_cpu+0xb8/0xd0
        [<ffffffff81070730>] ? bit_waitqueue+0xb0/0xb0
        [<ffffffffa0148c40>] ? usb_port_resume+0x430/0x430 [usbcore]
        [<ffffffffa0148c40>] ? usb_port_resume+0x430/0x430 [usbcore]
        [<ffffffff8105973e>] ? kthread+0xce/0xf0
        [<ffffffff81059670>] ? kthread_create_on_node+0x1c0/0x1c0
        [<ffffffff814a8b7c>] ? ret_from_fork+0x7c/0xb0
        [<ffffffff81059670>] ? kthread_create_on_node+0x1c0/0x1c0
       ---[ end trace 40b1928d1136b91e ]---
      
      This comes from the fact that usb-audio driver may receive the
      disconnect callback multiple times, per each usb interface.  When a
      device has both audio and midi interfaces, it gets called twice, and
      currently the driver tries to release resources at the last call.
      At this point, the first parent interface has been already deleted,
      thus deleting a child of the first parent hits such a warning.
      
      For fixing this problem, we need to call snd_card_disconnect() and
      cancel pending operations at the very first disconnect while the
      release of the whole objects waits until the last disconnect call.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80931Reported-and-tested-by: default avatarTomas Gayoso <tgayoso@gmail.com>
      Reported-and-tested-by: default avatarChris J Arges <chris.j.arges@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f61457d8
    • Oliver Neukum's avatar
      xhci: no switching back on non-ULT Haswell · 906341cd
      Oliver Neukum authored
      commit b45abacd upstream.
      
      The switch back is limited to ULT even on HP. The contrary
      finding arose by bad luck in BIOS versions for testing.
      This fixes spontaneous resume from S3 on some HP laptops.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      906341cd
    • Alan Stern's avatar
      usb-storage: handle a skipped data phase · 85e66060
      Alan Stern authored
      commit 93c9bf4d upstream.
      
      Sometimes mass-storage devices using the Bulk-only transport will
      mistakenly skip the data phase of a command.  Rather than sending the
      data expected by the host or sending a zero-length packet, they go
      directly to the status phase and send the CSW.
      
      This causes problems for usb-storage, for obvious reasons.  The driver
      will interpret the CSW as a short data transfer and will wait to
      receive a CSW.  The device won't have anything left to send, so the
      command eventually times out.
      
      The SCSI layer doesn't retry commands after they time out (this is a
      relatively recent change).  Therefore we should do our best to detect
      a skipped data phase and handle it promptly.
      
      This patch adds code to do that.  If usb-storage receives a short
      13-byte data transfer from the device, and if the first four bytes of
      the data match the CSW signature, the driver will set the residue to
      the full transfer length and interpret the data as a CSW.
      
      This fixes Bugzilla #86611.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
      Tested-by: default avatarPaul Osmialowski <newchief@king.net.pl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: use US_DEBUGP() not usb_stor_dbg()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85e66060
    • Hans de Goede's avatar
      usb: Do not allow usb_alloc_streams on unconfigured devices · 4fee2090
      Hans de Goede authored
      commit 90a646c7 upstream.
      
      This commit fixes the following oops:
      
      [10238.622067] scsi host3: uas_eh_bus_reset_handler start
      [10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
      [10245.779365] usb 3-4: device descriptor read/8, error -110
      [10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
      [10250.897603] usb 3-4: device descriptor read/8, error -110
      [10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
      [10251.058244] IP: [<ffffffff815ac6e1>] xhci_check_streams_endpoint+0x91/0x140
      <snip>
      [10251.059473] Call Trace:
      [10251.059487]  [<ffffffff815aca6c>] xhci_calculate_streams_and_bitmask+0xbc/0x130
      [10251.059520]  [<ffffffff815aeb5f>] xhci_alloc_streams+0x10f/0x5a0
      [10251.059548]  [<ffffffff810a4685>] ? check_preempt_curr+0x75/0xa0
      [10251.059575]  [<ffffffff810a46dc>] ? ttwu_do_wakeup+0x2c/0x100
      [10251.059601]  [<ffffffff810a49e6>] ? ttwu_do_activate.constprop.111+0x66/0x70
      [10251.059635]  [<ffffffff815779ab>] usb_alloc_streams+0xab/0xf0
      [10251.059662]  [<ffffffffc0616b48>] uas_configure_endpoints+0x128/0x150 [uas]
      [10251.059694]  [<ffffffffc0616bac>] uas_post_reset+0x3c/0xb0 [uas]
      [10251.059722]  [<ffffffff815727d9>] usb_reset_device+0x1b9/0x2a0
      [10251.059749]  [<ffffffffc0616f42>] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
      [10251.059781]  [<ffffffff81514293>] scsi_try_bus_reset+0x53/0x110
      [10251.059808]  [<ffffffff815163b7>] scsi_eh_bus_reset+0xf7/0x270
      <snip>
      
      The problem is the following call sequence (simplified):
      
      1) usb_reset_device
      2)  usb_reset_and_verify_device
      2)   hub_port_init
      3)    hub_port_finish_reset
      3)     xhci_discover_or_reset_device
              This frees xhci->devs[slot_id]->eps[ep_index].ring for all eps but 0
      4)    usb_get_device_descriptor
             This fails
      5)   hub_port_init fails
      6)  usb_reset_and_verify_device fails, does not restore device config
      7)  uas_post_reset
      8)   xhci_alloc_streams
            NULL deref on the free-ed ring
      
      This commit fixes this by not allowing usb_alloc_streams to continue if
      the device is not configured.
      
      Note that we do allow usb_free_streams to continue after a (logical)
      disconnect, as it is necessary to explicitly free the streams at the xhci
      controller level.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4fee2090
    • Johan Hovold's avatar
      USB: cdc-acm: add device id for GW Instek AFG-2225 · c31af119
      Johan Hovold authored
      commit cf84a691 upstream.
      
      Add device-id entry for GW Instek AFG-2225, which has a byte swapped
      bInterfaceSubClass (0x20).
      Reported-by: default avatarKarl Palsson <karlp@tweak.net.au>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c31af119
    • Johannes Berg's avatar
      mac80211: fix use-after-free in defragmentation · bc11c708
      Johannes Berg authored
      commit b8fff407 upstream.
      
      Upon receiving the last fragment, all but the first fragment
      are freed, but the multicast check for statistics at the end
      of the function refers to the current skb (the last fragment)
      causing a use-after-free bug.
      
      Since multicast frames cannot be fragmented and we check for
      this early in the function, just modify that check to also
      do the accounting to fix the issue.
      Reported-by: default avatarYosef Khyal <yosefx.khyal@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc11c708
    • Johan Hovold's avatar
      USB: opticon: fix non-atomic allocation in write path · 7ce77510
      Johan Hovold authored
      commit e681286d upstream.
      
      Write may be called from interrupt context so make sure to use
      GFP_ATOMIC for all allocations in write.
      
      Fixes: 0d930e51 ("USB: opticon: Add Opticon OPN2001 write support")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7ce77510
    • Johan Hovold's avatar
      USB: kobil_sct: fix non-atomic allocation in write path · 18c2ebca
      Johan Hovold authored
      commit 19125283 upstream.
      
      Write may be called from interrupt context so make sure to use
      GFP_ATOMIC for all allocations in write.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.2:
       - s/interrupt_out_urb/write_urb/
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      18c2ebca
    • Jan Kara's avatar
      block: Fix computation of merged request priority · 731738e0
      Jan Kara authored
      commit ece9c72a upstream.
      
      Priority of a merged request is computed by ioprio_best(). If one of the
      requests has undefined priority (IOPRIO_CLASS_NONE) and another request
      has priority from IOPRIO_CLASS_BE, the function will return the
      undefined priority which is wrong. Fix the function to properly return
      priority of a request with the defined priority.
      
      Fixes: d58cdfb8Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      731738e0
    • Sinclair Yeh's avatar
      drm/vmwgfx: Filter out modes those cannot be supported by the current VRAM size. · a8f42325
      Sinclair Yeh authored
      commit 9a72384d upstream.
      
      When screen objects are enabled, the bpp is assumed to be 32, otherwise
      it is set to 16.
      
      v2:
      * Use u32 instead of u64 for assumed_bpp.
      * Fixed mechanism to check for screen objects
      * Limit the back buffer size to VRAM.
      Signed-off-by: default avatarSinclair Yeh <syeh@vmware.com>
      Reviewed-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      [bwh: Backported to 3.2: drop changes for dev_priv->prim_bb_mem]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a8f42325
    • Rabin Vincent's avatar
      tracing/syscalls: Ignore numbers outside NR_syscalls' range · 80437614
      Rabin Vincent authored
      commit 086ba77a upstream.
      
      ARM has some private syscalls (for example, set_tls(2)) which lie
      outside the range of NR_syscalls.  If any of these are called while
      syscall tracing is being performed, out-of-bounds array access will
      occur in the ftrace and perf sys_{enter,exit} handlers.
      
       # trace-cmd record -e raw_syscalls:* true && trace-cmd report
       ...
       true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
       true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
       true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
       true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
       ...
      
       # trace-cmd record -e syscalls:* true
       [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
       [   17.289590] pgd = 9e71c000
       [   17.289696] [aaaaaace] *pgd=00000000
       [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
       [   17.290169] Modules linked in:
       [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
       [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
       [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
       [   17.290866] LR is at syscall_trace_enter+0x124/0x184
      
      Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
      
      Commit cd0980fc "tracing: Check invalid syscall nr while tracing syscalls"
      added the check for less than zero, but it should have also checked
      for greater than NR_syscalls.
      
      Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
      
      Fixes: cd0980fc "tracing: Check invalid syscall nr while tracing syscalls"
      Signed-off-by: default avatarRabin Vincent <rabin@rab.in>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      80437614
    • Will Deacon's avatar
      tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 · 6f25b4e7
      Will Deacon authored
      commit 60916a93 upstream.
      
      syscall_get_nr can return -1 in the case that the task is not executing
      a system call.
      
      This patch fixes perf_syscall_{enter,exit} to check that the syscall
      number is valid before using it as an index into a bitmap.
      
      Link: http://lkml.kernel.org/r/1345137254-7377-1-git-send-email-will.deacon@arm.com
      
      Cc: Jason Baron <jbaron@redhat.com>
      Cc: Wade Farnsworth <wade_farnsworth@mentor.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f25b4e7
    • Cyril Brulebois's avatar
      wireless: rt2x00: add new rt2800usb device · 5f2f9600
      Cyril Brulebois authored
      commit 664d6a79 upstream.
      
      0x1b75 0xa200 AirLive WN-200USB wireless 11b/g/n dongle
      
      References: https://bugs.debian.org/766802Reported-by: default avatarMartin Mokrejs <mmokrejs@fold.natur.cuni.cz>
      Signed-off-by: default avatarCyril Brulebois <kibi@debian.org>
      Acked-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5f2f9600
    • Ulrich Eckhardt's avatar
      ds3000: fix LNB supply voltage on Tevii S480 on initialization · 4601d5d1
      Ulrich Eckhardt authored
      commit 8c5bcded upstream.
      
      The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not
      automatically power down. This blocks other receivers connected
      to a satellite channel router (EN50494), since the receivers can not send the
      required DiSEqC sequences when the Tevii card is connected to a the same SCR.
      
      This patch switches off the LNB supply voltage on initialization of the frontend.
      
      [mchehab@osg.samsung.com: add a comment about why we're explicitly
       turning off voltage at device init]
      Signed-off-by: default avatarUlrich Eckhardt <uli@uli-eckhardt.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4601d5d1
    • Jan Kara's avatar
      ext4: bail out from make_indexed_dir() on first error · 9769c00c
      Jan Kara authored
      commit 6050d47a upstream.
      
      When ext4_handle_dirty_dx_node() or ext4_handle_dirty_dirent_node()
      fail, there's really something wrong with the fs and there's no point in
      continuing further. Just return error from make_indexed_dir() in that
      case. Also initialize frames array so that if we return early due to
      error, dx_release() doesn't try to dereference uninitialized memory
      (which could happen also due to error in do_split()).
      
      Coverity-id: 741300
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2:
       - We have ext4_handle_dirty_metadata() not
         ext4_handle_dirty_{dx,dirent}_node()]
       - do_split() returns errors by reference not with ERR_PTR()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9769c00c
    • Jan Kara's avatar
      ext4: fix oops when loading block bitmap failed · 93604e76
      Jan Kara authored
      commit 599a9b77 upstream.
      
      When we fail to load block bitmap in __ext4_new_inode() we will
      dereference NULL pointer in ext4_journal_get_write_access(). So check
      for error from ext4_read_block_bitmap().
      
      Coverity-id: 989065
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      93604e76
    • Jan Kara's avatar
      ext4: fix overflow when updating superblock backups after resize · 2bd34f24
      Jan Kara authored
      commit 9378c676 upstream.
      
      When there are no meta block groups update_backups() will compute the
      backup block in 32-bit arithmetics thus possibly overflowing the block
      number and corrupting the filesystem. OTOH filesystems without meta
      block groups larger than 16 TB should be rare. Fix the problem by doing
      the counting in 64-bit arithmetics.
      
      Coverity-id: 741252
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarLukas Czerner <lczerner@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2bd34f24
    • Johannes Berg's avatar
      mac80211: properly flush delayed scan work on interface removal · 4dedbafc
      Johannes Berg authored
      commit 46238845 upstream.
      
      When an interface is deleted, an ongoing hardware scan is canceled and
      the driver must abort the scan, at the very least reporting completion
      while the interface is removed.
      
      However, if it scheduled the work that might only run after everything
      is said and done, which leads to cfg80211 warning that the scan isn't
      reported as finished yet; this is no fault of the driver, it already
      did, but mac80211 hasn't processed it.
      
      To fix this situation, flush the delayed work when the interface being
      removed is the one that was executing the scan.
      Reported-by: default avatarSujith Manoharan <sujith@msujith.org>
      Tested-by: default avatarSujith Manoharan <sujith@msujith.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2:
       - No rcu_access_pointer() needed
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4dedbafc
    • Jan Kara's avatar
      lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}() · de42f272
      Jan Kara authored
      commit ea5d05b3 upstream.
      
      If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by
      a multiple of BITS_PER_LONG, they will try to shift a long value by
      BITS_PER_LONG bits which is undefined.  Change the functions to avoid
      the undefined shift.
      
      Coverity id: 1192175
      Coverity id: 1192174
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      de42f272
    • David Rientjes's avatar
      mm, thp: fix collapsing of hugepages on madvise · 37e867c1
      David Rientjes authored
      commit 6d50e60c upstream.
      
      If an anonymous mapping is not allowed to fault thp memory and then
      madvise(MADV_HUGEPAGE) is used after fault, khugepaged will never
      collapse this memory into thp memory.
      
      This occurs because the madvise(2) handler for thp, hugepage_madvise(),
      clears VM_NOHUGEPAGE on the stack and it isn't stored in vma->vm_flags
      until the final action of madvise_behavior().  This causes the
      khugepaged_enter_vma_merge() to be a no-op in hugepage_madvise() when
      the vma had previously had VM_NOHUGEPAGE set.
      
      Fix this by passing the correct vma flags to the khugepaged mm slot
      handler.  There's no chance khugepaged can run on this vma until after
      madvise_behavior() returns since we hold mm->mmap_sem.
      
      It would be possible to clear VM_NOHUGEPAGE directly from vma->vm_flags
      in hugepage_advise(), but I didn't want to introduce special case
      behavior into madvise_behavior().  I think it's best to just let it
      always set vma->vm_flags itself.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarSuleiman Souhlal <suleiman@google.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37e867c1
    • Wang Nan's avatar
      cgroup/kmemleak: add kmemleak_free() for cgroup deallocations. · e0fb1fad
      Wang Nan authored
      commit 401507d6 upstream.
      
      Commit ff7ee93f ("cgroup/kmemleak: Annotate alloc_page() for cgroup
      allocations") introduces kmemleak_alloc() for alloc_page_cgroup(), but
      corresponding kmemleak_free() is missing, which makes kmemleak be
      wrongly disabled after memory offlining.  Log is pasted at the end of
      this commit message.
      
      This patch add kmemleak_free() into free_page_cgroup().  During page
      offlining, this patch removes corresponding entries in kmemleak rbtree.
      After that, the freed memory can be allocated again by other subsystems
      without killing kmemleak.
      
        bash # for x in 1 2 3 4; do echo offline > /sys/devices/system/memory/memory$x/state ; sleep 1; done ; dmesg | grep leak
      
        Offlined Pages 32768
        kmemleak: Cannot insert 0xffff880016969000 into the object search tree (overlaps existing)
        CPU: 0 PID: 412 Comm: sleep Not tainted 3.17.0-rc5+ #86
        Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        Call Trace:
          dump_stack+0x46/0x58
          create_object+0x266/0x2c0
          kmemleak_alloc+0x26/0x50
          kmem_cache_alloc+0xd3/0x160
          __sigqueue_alloc+0x49/0xd0
          __send_signal+0xcb/0x410
          send_signal+0x45/0x90
          __group_send_sig_info+0x13/0x20
          do_notify_parent+0x1bb/0x260
          do_exit+0x767/0xa40
          do_group_exit+0x44/0xa0
          SyS_exit_group+0x17/0x20
          system_call_fastpath+0x16/0x1b
      
        kmemleak: Kernel memory leak detector disabled
        kmemleak: Object 0xffff880016900000 (size 524288):
        kmemleak:   comm "swapper/0", pid 0, jiffies 4294667296
        kmemleak:   min_count = 0
        kmemleak:   count = 0
        kmemleak:   flags = 0x1
        kmemleak:   checksum = 0
        kmemleak:   backtrace:
              log_early+0x63/0x77
              kmemleak_alloc+0x4b/0x50
              init_section_page_cgroup+0x7f/0xf5
              page_cgroup_init+0xc5/0xd0
              start_kernel+0x333/0x408
              x86_64_start_reservations+0x2a/0x2c
              x86_64_start_kernel+0xf5/0xfc
      
      Fixes: ff7ee93f (cgroup/kmemleak: Annotate alloc_page() for cgroup allocations)
      Signed-off-by: default avatarWang Nan <wangnan0@huawei.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.cz>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e0fb1fad
    • Kuninori Morimoto's avatar
      ASoC: fsi: remove unsupported PAUSE flag · f0c3c236
      Kuninori Morimoto authored
      commit c1b9b9b1 upstream.
      
      FSI doesn't support PAUSE.
      Remove SNDRV_PCM_INFO_PAUSE flags from snd_pcm_hardware info
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f0c3c236
    • Will Deacon's avatar
      zap_pte_range: update addr when forcing flush after TLB batching faiure · bfcd39f0
      Will Deacon authored
      commit ce9ec37b upstream.
      
      When unmapping a range of pages in zap_pte_range, the page being
      unmapped is added to an mmu_gather_batch structure for asynchronous
      freeing. If we run out of space in the batch structure before the range
      has been completely unmapped, then we break out of the loop, force a
      TLB flush and free the pages that we have batched so far. If there are
      further pages to unmap, then we resume the loop where we left off.
      
      Unfortunately, we forget to update addr when we break out of the loop,
      which causes us to truncate the range being invalidated as the end
      address is exclusive. When we re-enter the loop at the same address, the
      page has already been freed and the pte_present test will fail, meaning
      that we do not reconsider the address for invalidation.
      
      This patch fixes the problem by incrementing addr by the PAGE_SIZE
      before breaking out of the loop on batch failure.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context; add braces]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bfcd39f0
    • Alex Deucher's avatar
      drm/radeon: remove invalid pci id · 8e489bc7
      Alex Deucher authored
      commit 8c3e4347 upstream.
      
      0x4c6e is a secondary device id so should not be used
      by the driver.
      Noticed-by: default avatarMark Kettenis <mark.kettenis@xs4all.nl>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8e489bc7
    • Dmitry Kasatkin's avatar
      evm: check xattr value length and type in evm_inode_setxattr() · fcd6fc68
      Dmitry Kasatkin authored
      commit 3b1deef6 upstream.
      
      evm_inode_setxattr() can be called with no value. The function does not
      check the length so that following command can be used to produce the
      kernel oops: setfattr -n security.evm FOO. This patch fixes it.
      
      Changes in v3:
      * there is no reason to return different error codes for EVM_XATTR_HMAC
        and non EVM_XATTR_HMAC. Remove unnecessary test then.
      
      Changes in v2:
      * testing for validity of xattr type
      
      [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
      [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
      [ 1106.399953] Oops: 0000 [#1] SMP
      [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
      [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
      [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
      [ 1106.400020] RIP: 0010:[<ffffffff812af7b8>]  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
      [ 1106.400020] RSP: 0018:ffff88002917fd50  EFLAGS: 00010246
      [ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
      [ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
      [ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
      [ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
      [ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      [ 1106.400020] FS:  00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
      [ 1106.400020] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
      [ 1106.400020] Stack:
      [ 1106.400020]  ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
      [ 1106.400020]  ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
      [ 1106.400020]  0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
      [ 1106.400020] Call Trace:
      [ 1106.400020]  [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
      [ 1106.400020]  [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
      [ 1106.400020]  [<ffffffff8116d1e0>] setxattr+0x122/0x16c
      [ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
      [ 1106.400020]  [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
      [ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
      [ 1106.400020]  [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
      [ 1106.400020]  [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
      [ 1106.400020]  [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
      [ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
      [ 1106.400020] RIP  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
      [ 1106.400020]  RSP <ffff88002917fd50>
      [ 1106.400020] CR2: 0000000000000000
      [ 1106.428061] ---[ end trace ae08331628ba3050 ]---
      Reported-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fcd6fc68