1. 27 Aug, 2015 6 commits
  2. 22 Aug, 2015 6 commits
  3. 20 Aug, 2015 2 commits
    • Benjamin Randazzo's avatar
      md: use kzalloc() when bitmap is disabled · e46e18eb
      Benjamin Randazzo authored
      [ Upstream commit 33afeac2 ]
      
      commit b6878d9e upstream.
      
      In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
      mdu_bitmap_file_t called "file".
      
      5769         file = kmalloc(sizeof(*file), GFP_NOIO);
      5770         if (!file)
      5771                 return -ENOMEM;
      
      This structure is copied to user space at the end of the function.
      
      5786         if (err == 0 &&
      5787             copy_to_user(arg, file, sizeof(*file)))
      5788                 err = -EFAULT
      
      But if bitmap is disabled only the first byte of "file" is initialized
      with zero, so it's possible to read some bytes (up to 4095) of kernel
      space memory from user space. This is an information leak.
      
      5775         /* bitmap disabled, zero the first byte and copy out */
      5776         if (!mddev->bitmap_info.file)
      5777                 file->pathname[0] = '\0';
      Signed-off-by: default avatarBenjamin Randazzo <benjamin@randazzo.fr>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e46e18eb
    • NeilBrown's avatar
      phy: twl4030-usb: make runtime pm more reliable. · 35242ba6
      NeilBrown authored
      [ Upstream commit 56301df6 ]
      
      A construct like:
      
              if (pm_runtime_suspended(twl->dev))
                     pm_runtime_get_sync(twl->dev);
      
      is against the spirit of the runtime_pm interface as it
      makes the internal refcounting useless.
      
      In this case it is also racy, particularly as 'put_autosuspend'
      is used to drop a reference.
      When that happens a timer is started and the device is
      runtime-suspended after the timeout.
      If the above code runs in this window, the device will not be
      found to be suspended so no pm_runtime reference is taken.
      When the timer expires the device will be suspended, which is
      against the intention of the code.
      
      So be more direct is taking and dropping references.
      If twl->linkstat is VBUS_VALID or ID_GROUND, then hold a
      pm_runtime reference, otherwise don't.
      Define "cable_present()" to test for this condition.
      Tested-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      35242ba6
  4. 19 Aug, 2015 17 commits
    • Alan Stern's avatar
      usb: udc: core: add device_del() call to error pathway · 7c70eda7
      Alan Stern authored
      [ Upstream commit c93e64e9 ]
      
      This patch fixes a bug in the error pathway of
      usb_add_gadget_udc_release() in udc-core.c.  If the udc registration
      fails, the gadget registration is not fully undone; there's a
      put_device(&gadget->dev) call but no device_del().
      
      CC: <stable@vger.kernel.org>
      Acked-by: default avatarPeter Chen <peter.chen@freescale.com>
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7c70eda7
    • Dirk Behme's avatar
      USB: sierra: add 1199:68AB device ID · 6f3dd9c2
      Dirk Behme authored
      [ Upstream commit 74472233 ]
      
      Add support for the Sierra Wireless AR8550 device with
      USB descriptor 0x1199, 0x68AB.
      
      It is common with MC879x modules 1199:683c/683d which
      also are composite devices with 7 interfaces (0..6)
      and also MDM62xx based as the AR8550.
      
      The major difference are only the interface attributes
      02/02/01 on interfaces 3 and 4 on the AR8550. They are
      vendor specific ff/ff/ff on MC879x modules.
      
      lsusb reports:
      
      Bus 001 Device 004: ID 1199:68ab Sierra Wireless, Inc.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0 (Defined at Interface level)
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x1199 Sierra Wireless, Inc.
        idProduct          0x68ab
        bcdDevice            0.06
        iManufacturer           3 Sierra Wireless, Incorporated
        iProduct                2 AR8550
        iSerial                 0
        bNumConfigurations      1
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength          198
          bNumInterfaces          7
          bConfigurationValue     1
          iConfiguration          1 Sierra Configuration
          bmAttributes         0xe0
            Self Powered
            Remote Wakeup
          MaxPower                0mA
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        0
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x81  EP 1 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x01  EP 1 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        1
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x82  EP 2 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x02  EP 2 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        2
            bAlternateSetting       0
            bNumEndpoints           2
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x83  EP 3 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x03  EP 3 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        3
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass         2 Communications
            bInterfaceSubClass      2 Abstract (modem)
            bInterfaceProtocol      1 AT-commands (v.25ter)
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x84  EP 4 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x85  EP 5 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x04  EP 4 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        4
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass         2 Communications
            bInterfaceSubClass      2 Abstract (modem)
            bInterfaceProtocol      1 AT-commands (v.25ter)
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x86  EP 6 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x87  EP 7 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x05  EP 5 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        5
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x88  EP 8 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x89  EP 9 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x06  EP 6 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        6
            bAlternateSetting       0
            bNumEndpoints           3
            bInterfaceClass       255 Vendor Specific Class
            bInterfaceSubClass    255 Vendor Specific Subclass
            bInterfaceProtocol    255 Vendor Specific Protocol
            iInterface              0
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x8a  EP 10 IN
              bmAttributes            3
                Transfer Type            Interrupt
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0040  1x 64 bytes
              bInterval               5
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x8b  EP 11 IN
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
            Endpoint Descriptor:
              bLength                 7
              bDescriptorType         5
              bEndpointAddress     0x07  EP 7 OUT
              bmAttributes            2
                Transfer Type            Bulk
                Synch Type               None
                Usage Type               Data
              wMaxPacketSize     0x0200  1x 512 bytes
              bInterval              32
      Device Qualifier (for other device speed):
        bLength                10
        bDescriptorType         6
        bcdUSB               2.00
        bDeviceClass            0 (Defined at Interface level)
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        bNumConfigurations      1
      Device Status:     0x0001
        Self Powered
      Signed-off-by: default avatarDirk Behme <dirk.behme@de.bosch.com>
      Cc: Lars Melin <larsm17@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6f3dd9c2
    • Gavin Shan's avatar
      drivers/usb: Delete XHCI command timer if necessary · aab8865b
      Gavin Shan authored
      [ Upstream commit ffe5adcb ]
      
      When xhci_mem_cleanup() is called, it's possible that the command
      timer isn't initialized and scheduled. For those cases, to delete
      the command timer causes soft-lockup as below stack dump shows.
      
      The patch avoids deleting the command timer if it's not scheduled
      with the help of timer_pending().
      
      NMI watchdog: BUG: soft lockup - CPU#40 stuck for 23s! [kworker/40:1:8140]
            :
      NIP [c000000000150b30] lock_timer_base.isra.34+0x90/0xa0
      LR [c000000000150c24] try_to_del_timer_sync+0x34/0xa0
      Call Trace:
      [c000000f67c975e0] [c0000000015b84f8] mon_ops+0x0/0x8 (unreliable)
      [c000000f67c97620] [c000000000150c24] try_to_del_timer_sync+0x34/0xa0
      [c000000f67c97660] [c000000000150cf0] del_timer_sync+0x60/0x80
      [c000000f67c97690] [c00000000070ac0c] xhci_mem_cleanup+0x5c/0x5e0
      [c000000f67c97740] [c00000000070c2e8] xhci_mem_init+0x1158/0x13b0
      [c000000f67c97860] [c000000000700978] xhci_init+0x88/0x110
      [c000000f67c978e0] [c000000000701644] xhci_gen_setup+0x2b4/0x590
      [c000000f67c97970] [c0000000006d4410] xhci_pci_setup+0x40/0x190
      [c000000f67c979f0] [c0000000006b1af8] usb_add_hcd+0x418/0xba0
      [c000000f67c97ab0] [c0000000006cb15c] usb_hcd_pci_probe+0x1dc/0x5c0
      [c000000f67c97b50] [c0000000006d3ba4] xhci_pci_probe+0x64/0x1f0
      [c000000f67c97ba0] [c0000000004fe9ac] local_pci_probe+0x6c/0x130
      [c000000f67c97c30] [c0000000000e5ce8] work_for_cpu_fn+0x38/0x60
      [c000000f67c97c60] [c0000000000eacb8] process_one_work+0x198/0x470
      [c000000f67c97cf0] [c0000000000eb6ac] worker_thread+0x37c/0x5a0
      [c000000f67c97d80] [c0000000000f2730] kthread+0x110/0x130
      [c000000f67c97e30] [c000000000009660] ret_from_kernel_thread+0x5c/0x7c
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarPriya M. A <priyama2@in.ibm.com>
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aab8865b
    • Mathias Nyman's avatar
      xhci: fix off by one error in TRB DMA address boundary check · 38096a07
      Mathias Nyman authored
      [ Upstream commit 7895086a ]
      
      We need to check that a TRB is part of the current segment
      before calculating its DMA address.
      
      Previously a ring segment didn't use a full memory page, and every
      new ring segment got a new memory page, so the off by one
      error in checking the upper bound was never seen.
      
      Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one
      didn't catch the case when a TRB was the first element of the next segment.
      
      This is triggered if the virtual memory pages for a ring segment are
      next to each in increasing order where the ring buffer wraps around and
      causes errors like:
      
      [  106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
      [  106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0
      
      The trb-end address is one outside the end-seg address.
      
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarArkadiusz Miśkiewicz <arekm@maven.pl>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      38096a07
    • Brian King's avatar
      ipr: Fix invalid array indexing for HRRQ · d37dfe24
      Brian King authored
      [ Upstream commit 3f1c0581 ]
      
      Fixes another signed / unsigned array indexing bug in the ipr driver.
      Currently, when hrrq_index wraps, it becomes a negative number. We
      do the modulo, but still have a negative number, so we end up indexing
      backwards in the array. Given where the hrrq array is located in memory,
      we probably won't actually reference memory we don't own, but nonetheless
      ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as
      struct ipr_hrr_queue data, so bad things could certainly happen.
      
      Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new
      adapters.  Let's take an example:
      
      Assume ioa_cfg->hrrq_index=0x7fffffffe and ioa_cfg->hrrq_num=4:
      
      The atomic_add_return will then return -1. We mod this with 3 and get -2, add
      one and get -1 for an array index.
      
      On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter
      initialization and error interrupts so that we can optimize the other queues
      for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the
      I/O requests across those HRRQs.
      
      With the default module parameter settings, this bug won't hit, only when
      someone sets the ipr.number_of_msix parameter to a value larger than 3 is when
      bad things start to happen.
      
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d37dfe24
    • Brian King's avatar
      ipr: Fix incorrect trace indexing · e383a58d
      Brian King authored
      [ Upstream commit bb7c5433 ]
      
      When ipr's internal driver trace was changed to an atomic, a signed/unsigned
      bug slipped in which results in us indexing backwards in our memory buffer
      writing on memory that does not belong to us. This patch fixes this by removing
      the modulo and instead just mask off the low bits.
      
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e383a58d
    • Brian King's avatar
      ipr: Fix locking for unit attention handling · e58bb36e
      Brian King authored
      [ Upstream commit 36b8e180 ]
      
      Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes
      a crash seen as the __devices list in the scsi host was changing as we were
      iterating through it.
      
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
      Reviewed-by: default avatarGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e58bb36e
    • Daniel Vetter's avatar
      drm/dp-mst: Remove debug WARN_ON · 3fa2a2f9
      Daniel Vetter authored
      [ Upstream commit 42639ba5 ]
      
      Apparently been in there since forever and fairly easy to hit when
      hotplugging really fast. I can do that since my mst hub has a manual
      button to flick the hpd line for reprobing. The resulting WARNING spam
      isn't pretty.
      
      Cc: Dave Airlie <airlied@gmail.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarThierry Reding <treding@nvidia.com>
      Reviewed-by: default avatarAnder Conselvan de Oliveira <conselvan2@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      3fa2a2f9
    • Alex Deucher's avatar
      drm/radeon/combios: add some validation of lvds values · 82fbf139
      Alex Deucher authored
      [ Upstream commit 0a90a0cf ]
      
      Fixes a broken hsync start value uncovered by:
      abc0b144
      (drm: Perform basic sanity checks on probed modes)
      
      The driver handled the bad hsync start elsewhere, but
      the above commit prevented it from getting added.
      
      bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=91401Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      82fbf139
    • Chris Wilson's avatar
      drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop · 89cc0137
      Chris Wilson authored
      [ Upstream commit ee0a227b ]
      
      Since we may conceivably encounter situations where the upper part of the
      64bit register changes between reads, for example when a timestamp
      counter overflows, change the WARN into a retry loop.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Michał Winiarski <michal.winiarski@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      89cc0137
    • Jan Kara's avatar
      fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() · 81f2af92
      Jan Kara authored
      [ Upstream commit 8f2f3eb5 ]
      
      fsnotify_clear_marks_by_group_flags() can race with
      fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
      drops mark_mutex, a mark from the list iterated by
      fsnotify_clear_marks_by_group_flags() can be freed and thus the next
      entry pointer we have cached may become stale and we dereference free
      memory.
      
      Fix the problem by first moving marks to free to a special private list
      and then always free the first entry in the special list.  This method
      is safe even when entries from the list can disappear once we drop the
      lock.
      Signed-off-by: default avatarJan Kara <jack@suse.com>
      Reported-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Reviewed-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      81f2af92
    • David Daney's avatar
      MIPS: Make set_pte() SMP safe. · 204041c4
      David Daney authored
      [ Upstream commit 46011e6e ]
      
      On MIPS the GLOBAL bit of the PTE must have the same value in any
      aligned pair of PTEs.  These pairs of PTEs are referred to as
      "buddies".  In a SMP system is is possible for two CPUs to be calling
      set_pte() on adjacent PTEs at the same time.  There is a race between
      setting the PTE and a different CPU setting the GLOBAL bit in its
      buddy PTE.
      
      This race can be observed when multiple CPUs are executing
      vmap()/vfree() at the same time.
      
      Make setting the buddy PTE's GLOBAL bit an atomic operation to close
      the race condition.
      
      The case of CONFIG_64BIT_PHYS_ADDR && CONFIG_CPU_MIPS32 is *not*
      handled.
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Cc: <stable@vger.kernel.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10835/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      204041c4
    • James Hogan's avatar
      MIPS: Flush RPS on kernel entry with EVA · e1c3e51c
      James Hogan authored
      [ Upstream commit 3aff47c0 ]
      
      When EVA is enabled, flush the Return Prediction Stack (RPS) present on
      some MIPS cores on entry to the kernel from user mode.
      
      This is important specifically for interAptiv with EVA enabled,
      otherwise kernel mode RPS mispredicts may trigger speculative fetches of
      user return addresses, which may be sensitive in the kernel address
      space due to EVA's overlapping user/kernel address spaces.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Markos Chandras <markos.chandras@imgtec.com>
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.15.x-
      Patchwork: https://patchwork.linux-mips.org/patch/10812/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e1c3e51c
    • James Hogan's avatar
      MIPS: show_stack: Fix stack trace with EVA · 101f1631
      James Hogan authored
      [ Upstream commit 1e77863a ]
      
      The show_stack() function deals exclusively with kernel contexts, but if
      it gets called in user context with EVA enabled, show_stacktrace() will
      attempt to access the stack using EVA accesses, which will either read
      other user mapped data, or more likely cause an exception which will be
      handled by __get_user().
      
      This is easily reproduced using SysRq t to show all task states, which
      results in the following stack dump output:
      
       Stack : (Bad stack address)
      
      Fix by setting the current user access mode to kernel around the call to
      show_stacktrace(). This causes __get_user() to use normal loads to read
      the kernel stack.
      
      Now we get the correct output, like this:
      
       Stack : 00000000 80168960 00000000 004a0000 00000000 00000000 8060016c 1f3abd0c
                 1f172cd8 8056f09c 7ff1e450 8014fc3c 00000001 806dd0b0 0000001d 00000002
                 1f17c6a0 1f17c804 1f17c6a0 8066f6e0 00000000 0000000a 00000000 00000000
                 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
                 00000000 00000000 00000000 00000000 00000000 0110e800 1f3abd6c 1f17c6a0
                 ...
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Markos Chandras <markos.chandras@imgtec.com>
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.15+
      Patchwork: https://patchwork.linux-mips.org/patch/10778/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      101f1631
    • James Hogan's avatar
      MIPS: do_mcheck: Fix kernel code dump with EVA · e5e8829b
      James Hogan authored
      [ Upstream commit 55c723e1 ]
      
      If a machine check exception is raised in kernel mode, user context,
      with EVA enabled, then the do_mcheck handler will attempt to read the
      code around the EPC using EVA load instructions, i.e. as if the reads
      were from user mode. This will either read random user data if the
      process has anything mapped at the same address, or it will cause an
      exception which is handled by __get_user, resulting in this output:
      
       Code: (Bad address in epc)
      
      Fix by setting the current user access mode to kernel if the saved
      register context indicates the exception was taken in kernel mode. This
      causes __get_user to use normal loads to read the kernel code.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Markos Chandras <markos.chandras@imgtec.com>
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.15+
      Patchwork: https://patchwork.linux-mips.org/patch/10777/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e5e8829b
    • Felix Fietkau's avatar
      MIPS: Fix sched_getaffinity with MT FPAFF enabled · be98cdc0
      Felix Fietkau authored
      [ Upstream commit 1d62d737 ]
      
      p->thread.user_cpus_allowed is zero-initialized and is only filled on
      the first sched_setaffinity call.
      
      To avoid adding overhead in the task initialization codepath, simply OR
      the returned mask in sched_getaffinity with p->cpus_allowed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10740/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      be98cdc0
    • James Hogan's avatar
      MIPS: Malta: Don't reinitialise RTC · edf9af78
      James Hogan authored
      [ Upstream commit 106eccb4 ]
      
      On Malta, since commit a87ea88d ("MIPS: Malta: initialise the RTC at
      boot"), the RTC is reinitialised and forced into binary coded decimal
      (BCD) mode during init, even if the bootloader has already initialised
      it, and may even have already put it into binary mode (as YAMON does).
      This corrupts the current time, can result in the RTC seconds being an
      invalid BCD (e.g. 0x1a..0x1f) for up to 6 seconds, as well as confusing
      YAMON for a while after reset, enough for it to report timeouts when
      attempting to load from TFTP (it actually uses the RTC in that code).
      
      Therefore only initialise the RTC to the extent that is necessary so
      that Linux avoids interfering with the bootloader setup, while also
      allowing it to estimate the CPU frequency without hanging, without a
      bootloader necessarily having done anything with the RTC (for example
      when the kernel is loaded via EJTAG).
      
      The divider control is configured for a 32KHZ reference clock if
      necessary, and the SET bit of the RTC_CONTROL register is cleared if
      necessary without changing any other bits (this bit will be set when
      coming out of reset if the battery has been disconnected).
      
      Fixes: a87ea88d ("MIPS: Malta: initialise the RTC at boot")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Maciej W. Rozycki <macro@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.14+
      Patchwork: https://patchwork.linux-mips.org/patch/10739/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      edf9af78
  5. 07 Aug, 2015 1 commit
  6. 06 Aug, 2015 2 commits
    • Ming Lei's avatar
      blk-mq: fix CPU hotplug handling · df0e5109
      Ming Lei authored
      [ Upstream commit 2a34c087 ]
      
      hctx->tags has to be set as NULL in case that it is to be unmapped
      no matter if set->tags[hctx->queue_num] is NULL or not in blk_mq_map_swqueue()
      because shared tags can be freed already from another request queue.
      
      The same situation has to be considered during handling CPU online too.
      Unmapped hw queue can be remapped after CPU topo is changed, so we need
      to allocate tags for the hw queue in blk_mq_map_swqueue(). Then tags
      allocation for hw queue can be removed in hctx cpu online notifier, and it
      is reasonable to do that after mapping is updated.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarDongsu Park <dongsu.park@profitbricks.com>
      Tested-by: default avatarDongsu Park <dongsu.park@profitbricks.com>
      Signed-off-by: default avatarMing Lei <ming.lei@canonical.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      df0e5109
    • Mike Christie's avatar
      SCSI: add 1024 max sectors black list flag · bda69f1a
      Mike Christie authored
      [ Upstream commit 35e9a9f9 ]
      
      This works around a issue with qnap iscsi targets not handling large IOs
      very well.
      
      The target returns:
      
      VPD INQUIRY: Block limits page (SBC)
        Maximum compare and write length: 1 blocks
        Optimal transfer length granularity: 1 blocks
        Maximum transfer length: 4294967295 blocks
        Optimal transfer length: 4294967295 blocks
        Maximum prefetch, xdread, xdwrite transfer length: 0 blocks
        Maximum unmap LBA count: 8388607
        Maximum unmap block descriptor count: 1
        Optimal unmap granularity: 16383
        Unmap granularity alignment valid: 0
        Unmap granularity alignment: 0
        Maximum write same length: 0xffffffff blocks
        Maximum atomic transfer length: 0
        Atomic alignment: 0
        Atomic transfer length granularity: 0
      
      and it is *sometimes* able to handle at least one IO of size up to 8 MB. We
      have seen in traces where it will sometimes work, but other times it
      looks like it fails and it looks like it returns failures if we send
      multiple large IOs sometimes. Also it looks like it can return 2 different
      errors. It will sometimes send iscsi reject errors indicating out of
      resources or it will send invalid cdb illegal requests check conditions.
      And then when it sends iscsi rejects it does not seem to handle retries
      when there are command sequence holes, so I could not just add code to
      try and gracefully handle that error code.
      
      The problem is that we do not have a good contact for the company,
      so we are not able to determine under what conditions it returns
      which error and why it sometimes works.
      
      So, this patch just adds a new black list flag to set targets like this to
      the old max safe sectors of 1024. The max_hw_sectors changes added in 3.19
      caused this regression, so I also ccing stable.
      Reported-by: default avatarChristian Hesse <list@eworm.de>
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bda69f1a
  7. 04 Aug, 2015 6 commits