1. 20 Apr, 2016 36 commits
    • Helge Deller's avatar
      parisc: Unbreak handling exceptions from kernel modules · e213cce4
      Helge Deller authored
      [ Upstream commit 2ef4dfd9 ]
      
      Handling exceptions from modules never worked on parisc.
      It was just masked by the fact that exceptions from modules
      don't happen during normal use.
      
      When a module triggers an exception in get_user() we need to load the
      main kernel dp value before accessing the exception_data structure, and
      afterwards restore the original dp value of the module on exit.
      Noticed-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e213cce4
    • Helge Deller's avatar
      parisc: Fix kernel crash with reversed copy_from_user() · 9ccccafe
      Helge Deller authored
      [ Upstream commit ef72f311 ]
      
      The kernel module testcase (lib/test_user_copy.c) exhibited a kernel
      crash on parisc if the parameters for copy_from_user were reversed
      ("illegal reversed copy_to_user" testcase).
      
      Fix this potential crash by checking the fault handler if the faulting
      address is in the exception table.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9ccccafe
    • Helge Deller's avatar
      parisc: Avoid function pointers for kernel exception routines · 073cac90
      Helge Deller authored
      [ Upstream commit e3893027 ]
      
      We want to avoid the kernel module loader to create function pointers
      for the kernel fixup routines of get_user() and put_user(). Changing
      the external reference from function type to int type fixes this.
      
      This unbreaks exception handling for get_user() and put_user() when
      called from a kernel module.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      073cac90
    • Yong Li's avatar
      gpio: pca953x: Use correct u16 value for register word write · 7227a0df
      Yong Li authored
      [ Upstream commit 9b8e3ec3 ]
      
      The current implementation only uses the first byte in val,
      the second byte is always 0. Change it to use cpu_to_le16
      to write the two bytes into the register
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarYong Li <sdliyong@gmail.com>
      Reviewed-by: default avatarPhil Reid <preid@electromag.com.au>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7227a0df
    • Michael S. Tsirkin's avatar
      virtio: virtio 1.0 cs04 spec compliance for reset · 0ffbec8d
      Michael S. Tsirkin authored
      [ Upstream commit 05dbcb43 ]
      
      The spec says: after writing 0 to device_status, the driver MUST wait
      for a read of device_status to return 0 before reinitializing the
      device.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0ffbec8d
    • Bjørn Mork's avatar
      USB: option: add "D-Link DWM-221 B1" device id · e649832a
      Bjørn Mork authored
      [ Upstream commit d48d5691 ]
      
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e649832a
    • Martyn Welch's avatar
      USB: serial: cp210x: Adding GE Healthcare Device ID · ad660596
      Martyn Welch authored
      [ Upstream commit cddc9434 ]
      
      The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
      Manufacturer ID of 0x1901 and Product ID of 0x0194.
      Signed-off-by: default avatarMartyn Welch <martyn.welch@collabora.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ad660596
    • Josh Boyer's avatar
      USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices · 2e007c67
      Josh Boyer authored
      [ Upstream commit ea6db90e ]
      
      A Fedora user reports that the ftdi_sio driver works properly for the
      ICP DAS I-7561U device.  Further, the user manual for these devices
      instructs users to load the driver and add the ids using the sysfs
      interface.
      
      Add support for these in the driver directly so that the devices work
      out of the box instead of needing manual configuration.
      
      Reported-by: <thesource@mail.ru>
      CC: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2e007c67
    • Filipe Manana's avatar
      Btrfs: fix file/data loss caused by fsync after rename and new inode · 033ad030
      Filipe Manana authored
      [ Upstream commit 56f23fdb ]
      
      If we rename an inode A (be it a file or a directory), create a new
      inode B with the old name of inode A and under the same parent directory,
      fsync inode B and then power fail, at log tree replay time we end up
      removing inode A completely. If inode A is a directory then all its files
      are gone too.
      
      Example scenarios where this happens:
      This is reproducible with the following steps, taken from a couple of
      test cases written for fstests which are going to be submitted upstream
      soon:
      
         # Scenario 1
      
         mkfs.btrfs -f /dev/sdc
         mount /dev/sdc /mnt
         mkdir -p /mnt/a/x
         echo "hello" > /mnt/a/x/foo
         echo "world" > /mnt/a/x/bar
         sync
         mv /mnt/a/x /mnt/a/y
         mkdir /mnt/a/x
         xfs_io -c fsync /mnt/a/x
         <power failure happens>
      
         The next time the fs is mounted, log tree replay happens and
         the directory "y" does not exist nor do the files "foo" and
         "bar" exist anywhere (neither in "y" nor in "x", nor the root
         nor anywhere).
      
         # Scenario 2
      
         mkfs.btrfs -f /dev/sdc
         mount /dev/sdc /mnt
         mkdir /mnt/a
         echo "hello" > /mnt/a/foo
         sync
         mv /mnt/a/foo /mnt/a/bar
         echo "world" > /mnt/a/foo
         xfs_io -c fsync /mnt/a/foo
         <power failure happens>
      
         The next time the fs is mounted, log tree replay happens and the
         file "bar" does not exists anymore. A file with the name "foo"
         exists and it matches the second file we created.
      
      Another related problem that does not involve file/data loss is when a
      new inode is created with the name of a deleted snapshot and we fsync it:
      
         mkfs.btrfs -f /dev/sdc
         mount /dev/sdc /mnt
         mkdir /mnt/testdir
         btrfs subvolume snapshot /mnt /mnt/testdir/snap
         btrfs subvolume delete /mnt/testdir/snap
         rmdir /mnt/testdir
         mkdir /mnt/testdir
         xfs_io -c fsync /mnt/testdir # or fsync some file inside /mnt/testdir
         <power failure>
      
         The next time the fs is mounted the log replay procedure fails because
         it attempts to delete the snapshot entry (which has dir item key type
         of BTRFS_ROOT_ITEM_KEY) as if it were a regular (non-root) entry,
         resulting in the following error that causes mount to fail:
      
         [52174.510532] BTRFS info (device dm-0): failed to delete reference to snap, inode 257 parent 257
         [52174.512570] ------------[ cut here ]------------
         [52174.513278] WARNING: CPU: 12 PID: 28024 at fs/btrfs/inode.c:3986 __btrfs_unlink_inode+0x178/0x351 [btrfs]()
         [52174.514681] BTRFS: Transaction aborted (error -2)
         [52174.515630] Modules linked in: btrfs dm_flakey dm_mod overlay crc32c_generic ppdev xor raid6_pq acpi_cpufreq parport_pc tpm_tis sg parport tpm evdev i2c_piix4 proc
         [52174.521568] CPU: 12 PID: 28024 Comm: mount Tainted: G        W       4.5.0-rc6-btrfs-next-27+ #1
         [52174.522805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
         [52174.524053]  0000000000000000 ffff8801df2a7710 ffffffff81264e93 ffff8801df2a7758
         [52174.524053]  0000000000000009 ffff8801df2a7748 ffffffff81051618 ffffffffa03591cd
         [52174.524053]  00000000fffffffe ffff88015e6e5000 ffff88016dbc3c88 ffff88016dbc3c88
         [52174.524053] Call Trace:
         [52174.524053]  [<ffffffff81264e93>] dump_stack+0x67/0x90
         [52174.524053]  [<ffffffff81051618>] warn_slowpath_common+0x99/0xb2
         [52174.524053]  [<ffffffffa03591cd>] ? __btrfs_unlink_inode+0x178/0x351 [btrfs]
         [52174.524053]  [<ffffffff81051679>] warn_slowpath_fmt+0x48/0x50
         [52174.524053]  [<ffffffffa03591cd>] __btrfs_unlink_inode+0x178/0x351 [btrfs]
         [52174.524053]  [<ffffffff8118f5e9>] ? iput+0xb0/0x284
         [52174.524053]  [<ffffffffa0359fe8>] btrfs_unlink_inode+0x1c/0x3d [btrfs]
         [52174.524053]  [<ffffffffa038631e>] check_item_in_log+0x1fe/0x29b [btrfs]
         [52174.524053]  [<ffffffffa0386522>] replay_dir_deletes+0x167/0x1cf [btrfs]
         [52174.524053]  [<ffffffffa038739e>] fixup_inode_link_count+0x289/0x2aa [btrfs]
         [52174.524053]  [<ffffffffa038748a>] fixup_inode_link_counts+0xcb/0x105 [btrfs]
         [52174.524053]  [<ffffffffa038a5ec>] btrfs_recover_log_trees+0x258/0x32c [btrfs]
         [52174.524053]  [<ffffffffa03885b2>] ? replay_one_extent+0x511/0x511 [btrfs]
         [52174.524053]  [<ffffffffa034f288>] open_ctree+0x1dd4/0x21b9 [btrfs]
         [52174.524053]  [<ffffffffa032b753>] btrfs_mount+0x97e/0xaed [btrfs]
         [52174.524053]  [<ffffffff8108e1b7>] ? trace_hardirqs_on+0xd/0xf
         [52174.524053]  [<ffffffff8117bafa>] mount_fs+0x67/0x131
         [52174.524053]  [<ffffffff81193003>] vfs_kern_mount+0x6c/0xde
         [52174.524053]  [<ffffffffa032af81>] btrfs_mount+0x1ac/0xaed [btrfs]
         [52174.524053]  [<ffffffff8108e1b7>] ? trace_hardirqs_on+0xd/0xf
         [52174.524053]  [<ffffffff8108c262>] ? lockdep_init_map+0xb9/0x1b3
         [52174.524053]  [<ffffffff8117bafa>] mount_fs+0x67/0x131
         [52174.524053]  [<ffffffff81193003>] vfs_kern_mount+0x6c/0xde
         [52174.524053]  [<ffffffff8119590f>] do_mount+0x8a6/0x9e8
         [52174.524053]  [<ffffffff811358dd>] ? strndup_user+0x3f/0x59
         [52174.524053]  [<ffffffff81195c65>] SyS_mount+0x77/0x9f
         [52174.524053]  [<ffffffff814935d7>] entry_SYSCALL_64_fastpath+0x12/0x6b
         [52174.561288] ---[ end trace 6b53049efb1a3ea6 ]---
      
      Fix this by forcing a transaction commit when such cases happen.
      This means we check in the commit root of the subvolume tree if there
      was any other inode with the same reference when the inode we are
      fsync'ing is a new inode (created in the current transaction).
      
      Test cases for fstests, covering all the scenarios given above, were
      submitted upstream for fstests:
      
        * fstests: generic test for fsync after renaming directory
          https://patchwork.kernel.org/patch/8694281/
      
        * fstests: generic test for fsync after renaming file
          https://patchwork.kernel.org/patch/8694301/
      
        * fstests: add btrfs test for fsync after snapshot deletion
          https://patchwork.kernel.org/patch/8670671/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      033ad030
    • Filipe Manana's avatar
      Btrfs: fix fsync after truncate when no_holes feature is enabled · 091537b5
      Filipe Manana authored
      [ Upstream commit a89ca6f2 ]
      
      When we have the no_holes feature enabled, if a we truncate a file to a
      smaller size, truncate it again but to a size greater than or equals to
      its original size and fsync it, the log tree will not have any information
      about the hole covering the range [truncate_1_offset, new_file_size[.
      Which means if the fsync log is replayed, the file will remain with the
      state it had before both truncate operations.
      
      Without the no_holes feature this does not happen, since when the inode
      is logged (full sync flag is set) it will find in the fs/subvol tree a
      leaf with a generation matching the current transaction id that has an
      explicit extent item representing the hole.
      
      Fix this by adding an explicit extent item representing a hole between
      the last extent and the inode's i_size if we are doing a full sync.
      
      The issue is easy to reproduce with the following test case for fstests:
      
        . ./common/rc
        . ./common/filter
        . ./common/dmflakey
      
        _need_to_be_root
        _supported_fs generic
        _supported_os Linux
        _require_scratch
        _require_dm_flakey
      
        # This test was motivated by an issue found in btrfs when the btrfs
        # no-holes feature is enabled (introduced in kernel 3.14). So enable
        # the feature if the fs being tested is btrfs.
        if [ $FSTYP == "btrfs" ]; then
            _require_btrfs_fs_feature "no_holes"
            _require_btrfs_mkfs_feature "no-holes"
            MKFS_OPTIONS="$MKFS_OPTIONS -O no-holes"
        fi
      
        rm -f $seqres.full
      
        _scratch_mkfs >>$seqres.full 2>&1
        _init_flakey
        _mount_flakey
      
        # Create our test files and make sure everything is durably persisted.
        $XFS_IO_PROG -f -c "pwrite -S 0xaa 0 64K"         \
                        -c "pwrite -S 0xbb 64K 61K"       \
                        $SCRATCH_MNT/foo | _filter_xfs_io
        $XFS_IO_PROG -f -c "pwrite -S 0xee 0 64K"         \
                        -c "pwrite -S 0xff 64K 61K"       \
                        $SCRATCH_MNT/bar | _filter_xfs_io
        sync
      
        # Now truncate our file foo to a smaller size (64Kb) and then truncate
        # it to the size it had before the shrinking truncate (125Kb). Then
        # fsync our file. If a power failure happens after the fsync, we expect
        # our file to have a size of 125Kb, with the first 64Kb of data having
        # the value 0xaa and the second 61Kb of data having the value 0x00.
        $XFS_IO_PROG -c "truncate 64K" \
                     -c "truncate 125K" \
                     -c "fsync" \
                     $SCRATCH_MNT/foo
      
        # Do something similar to our file bar, but the first truncation sets
        # the file size to 0 and the second truncation expands the size to the
        # double of what it was initially.
        $XFS_IO_PROG -c "truncate 0" \
                     -c "truncate 253K" \
                     -c "fsync" \
                     $SCRATCH_MNT/bar
      
        _load_flakey_table $FLAKEY_DROP_WRITES
        _unmount_flakey
      
        # Allow writes again, mount to trigger log replay and validate file
        # contents.
        _load_flakey_table $FLAKEY_ALLOW_WRITES
        _mount_flakey
      
        # We expect foo to have a size of 125Kb, the first 64Kb of data all
        # having the value 0xaa and the remaining 61Kb to be a hole (all bytes
        # with value 0x00).
        echo "File foo content after log replay:"
        od -t x1 $SCRATCH_MNT/foo
      
        # We expect bar to have a size of 253Kb and no extents (any byte read
        # from bar has the value 0x00).
        echo "File bar content after log replay:"
        od -t x1 $SCRATCH_MNT/bar
      
        status=0
        exit
      
      The expected file contents in the golden output are:
      
        File foo content after log replay:
        0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
        *
        0200000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        *
        0372000
        File bar content after log replay:
        0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        *
        0772000
      
      Without this fix, their contents are:
      
        File foo content after log replay:
        0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
        *
        0200000 bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb
        *
        0372000
        File bar content after log replay:
        0000000 ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee
        *
        0200000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        *
        0372000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        *
        0772000
      
      A test case submission for fstests follows soon.
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      091537b5
    • Filipe Manana's avatar
      Btrfs: fix fsync xattr loss in the fast fsync path · db4043df
      Filipe Manana authored
      [ Upstream commit 36283bf7 ]
      
      After commit 4f764e51 ("Btrfs: remove deleted xattrs on fsync log
      replay"), we can end up in a situation where during log replay we end up
      deleting xattrs that were never deleted when their file was last fsynced.
      
      This happens in the fast fsync path (flag BTRFS_INODE_NEEDS_FULL_SYNC is
      not set in the inode) if the inode has the flag BTRFS_INODE_COPY_EVERYTHING
      set, the xattr was added in a past transaction and the leaf where the
      xattr is located was not updated (COWed or created) in the current
      transaction. In this scenario the xattr item never ends up in the log
      tree and therefore at log replay time, which makes the replay code delete
      the xattr from the fs/subvol tree as it thinks that xattr was deleted
      prior to the last fsync.
      
      Fix this by always logging all xattrs, which is the simplest and most
      reliable way to detect deleted xattrs and replay the deletes at log replay
      time.
      
      This issue is reproducible with the following test case for fstests:
      
        seq=`basename $0`
        seqres=$RESULT_DIR/$seq
        echo "QA output created by $seq"
      
        here=`pwd`
        tmp=/tmp/$$
        status=1	# failure is the default!
      
        _cleanup()
        {
            _cleanup_flakey
            rm -f $tmp.*
        }
        trap "_cleanup; exit \$status" 0 1 2 3 15
      
        # get standard environment, filters and checks
        . ./common/rc
        . ./common/filter
        . ./common/dmflakey
        . ./common/attr
      
        # real QA test starts here
      
        # We create a lot of xattrs for a single file. Only btrfs and xfs are currently
        # able to store such a large mount of xattrs per file, other filesystems such
        # as ext3/4 and f2fs for example, fail with ENOSPC even if we attempt to add
        # less than 1000 xattrs with very small values.
        _supported_fs btrfs xfs
        _supported_os Linux
        _need_to_be_root
        _require_scratch
        _require_dm_flakey
        _require_attrs
        _require_metadata_journaling $SCRATCH_DEV
      
        rm -f $seqres.full
      
        _scratch_mkfs >> $seqres.full 2>&1
        _init_flakey
        _mount_flakey
      
        # Create the test file with some initial data and make sure everything is
        # durably persisted.
        $XFS_IO_PROG -f -c "pwrite -S 0xaa 0 32k" $SCRATCH_MNT/foo | _filter_xfs_io
        sync
      
        # Add many small xattrs to our file.
        # We create such a large amount because it's needed to trigger the issue found
        # in btrfs - we need to have an amount that causes the fs to have at least 3
        # btree leafs with xattrs stored in them, and it must work on any leaf size
        # (maximum leaf/node size is 64Kb).
        num_xattrs=2000
        for ((i = 1; i <= $num_xattrs; i++)); do
            name="user.attr_$(printf "%04d" $i)"
            $SETFATTR_PROG -n $name -v "val_$(printf "%04d" $i)" $SCRATCH_MNT/foo
        done
      
        # Sync the filesystem to force a commit of the current btrfs transaction, this
        # is a necessary condition to trigger the bug on btrfs.
        sync
      
        # Now update our file's data and fsync the file.
        # After a successful fsync, if the fsync log/journal is replayed we expect to
        # see all the xattrs we added before with the same values (and the updated file
        # data of course). Btrfs used to delete some of these xattrs when it replayed
        # its fsync log/journal.
        $XFS_IO_PROG -c "pwrite -S 0xbb 8K 16K" \
                     -c "fsync" \
                     $SCRATCH_MNT/foo | _filter_xfs_io
      
        # Simulate a crash/power loss.
        _load_flakey_table $FLAKEY_DROP_WRITES
        _unmount_flakey
      
        # Allow writes again and mount. This makes the fs replay its fsync log.
        _load_flakey_table $FLAKEY_ALLOW_WRITES
        _mount_flakey
      
        echo "File content after crash and log replay:"
        od -t x1 $SCRATCH_MNT/foo
      
        echo "File xattrs after crash and log replay:"
        for ((i = 1; i <= $num_xattrs; i++)); do
            name="user.attr_$(printf "%04d" $i)"
            echo -n "$name="
            $GETFATTR_PROG --absolute-names -n $name --only-values $SCRATCH_MNT/foo
            echo
        done
      
        status=0
        exit
      
      The golden output expects all xattrs to be available, and with the correct
      values, after the fsync log is replayed.
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      db4043df
    • Jerome Marchand's avatar
      assoc_array: don't call compare_object() on a node · 32d1b672
      Jerome Marchand authored
      [ Upstream commit 8d4a2ec1 ]
      
      Changes since V1: fixed the description and added KASan warning.
      
      In assoc_array_insert_into_terminal_node(), we call the
      compare_object() method on all non-empty slots, even when they're
      not leaves, passing a pointer to an unexpected structure to
      compare_object(). Currently it causes an out-of-bound read access
      in keyring_compare_object detected by KASan (see below). The issue
      is easily reproduced with keyutils testsuite.
      Only call compare_object() when the slot is a leave.
      
      KASan warning:
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
      Read of size 8 by task keyctl/1655
      =============================================================================
      BUG kmalloc-192 (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
      	___slab_alloc+0x563/0x5c0
      	__slab_alloc+0x51/0x90
      	kmem_cache_alloc_trace+0x263/0x300
      	assoc_array_insert+0xfd0/0x3a60
      	__key_link_begin+0xfc/0x270
      	key_create_or_update+0x459/0xaf0
      	SyS_add_key+0x1ba/0x350
      	entry_SYSCALL_64_fastpath+0x12/0x76
      INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
      INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
      
      Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00  ...`............
      Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff  ...`.......`....
      Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      CPU: 0 PID: 1655 Comm: keyctl Tainted: G    B           4.5.0-rc4-kasan+ #291
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
       0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
       ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
       ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
      Call Trace:
       [<ffffffff81b60491>] dump_stack+0x85/0xc4
       [<ffffffff815e2969>] print_trailer+0xf9/0x150
       [<ffffffff815e9454>] object_err+0x34/0x40
       [<ffffffff815ebe50>] kasan_report_error+0x230/0x550
       [<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
       [<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
       [<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
       [<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
       [<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
       [<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
       [<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
       [<ffffffff8199786c>] __key_link_begin+0xfc/0x270
       [<ffffffff81993389>] key_create_or_update+0x459/0xaf0
       [<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
       [<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
       [<ffffffff81534763>] ? memdup_user+0x53/0x80
       [<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
       [<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
       [<ffffffff828bcf4e>] ? retint_user+0x18/0x23
       [<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
       [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
       [<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
      Memory state around the buggy address:
       ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
       ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
      >ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
       ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      32d1b672
    • Dennis Kadioglu's avatar
      ALSA: usb-audio: Add a quirk for Plantronics BT300 · 7ec80465
      Dennis Kadioglu authored
      [ Upstream commit b4203ff5 ]
      
      Plantronics BT300 does not support reading the sample rate which leads
      to many lines of "cannot get freq at ep 0x1". This patch adds the USB
      ID of the BT300 to quirks.c and avoids those error messages.
      Signed-off-by: default avatarDennis Kadioglu <denk@post.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7ec80465
    • David Disseldorp's avatar
      rbd: use GFP_NOIO consistently for request allocations · 54080a77
      David Disseldorp authored
      [ Upstream commit 2224d879 ]
      
      As of 5a60e876, RBD object request
      allocations are made via rbd_obj_request_create() with GFP_NOIO.
      However, subsequent OSD request allocations in rbd_osd_req_create*()
      use GFP_ATOMIC.
      
      With heavy page cache usage (e.g. OSDs running on same host as krbd
      client), rbd_osd_req_create() order-1 GFP_ATOMIC allocations have been
      observed to fail, where direct reclaim would have allowed GFP_NOIO
      allocations to succeed.
      
      Cc: stable@vger.kernel.org # 3.18+
      Suggested-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Suggested-by: default avatarNeil Brown <neilb@suse.com>
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      54080a77
    • Paolo Bonzini's avatar
      compiler-gcc: disable -ftracer for __noclone functions · 9b561b87
      Paolo Bonzini authored
      [ Upstream commit 95272c29 ]
      
      -ftracer can duplicate asm blocks causing compilation to fail in
      noclone functions.  For example, KVM declares a global variable
      in an asm like
      
          asm("2: ... \n
               .pushsection data \n
               .global vmx_return \n
               vmx_return: .long 2b");
      
      and -ftracer causes a double declaration.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: stable@vger.kernel.org
      Cc: kvm@vger.kernel.org
      Reported-by: default avatarLinda Walsh <lkml@tlinx.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9b561b87
    • Joe Perches's avatar
      compiler-gcc: integrate the various compiler-gcc[345].h files · f320793e
      Joe Perches authored
      [ Upstream commit cb984d10 ]
      
      As gcc major version numbers are going to advance rather rapidly in the
      future, there's no real value in separate files for each compiler
      version.
      
      Deduplicate some of the macros #defined in each file too.
      
      Neaten comments using normal kernel commenting style.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Segher Boessenkool <segher@kernel.crashing.org>
      Cc: Sasha Levin <levinsasha928@gmail.com>
      Cc: Anton Blanchard <anton@samba.org>
      Cc: Alan Modra <amodra@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f320793e
    • Johannes Berg's avatar
      mac80211: properly deal with station hashtable insert errors · d2bccdc9
      Johannes Berg authored
      [ Upstream commit 62b14b24 ]
      
      The original hand-implemented hash-table in mac80211 couldn't result
      in insertion errors, and while converting to rhashtable I evidently
      forgot to check the errors.
      
      This surfaced now only because Ben is adding many identical keys and
      that resulted in hidden insertion errors.
      
      Cc: stable@vger.kernel.org
      Fixes: 7bedd0cf ("mac80211: use rhashtable for station table")
      Reported-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d2bccdc9
    • Lyude's avatar
      drm/i915: Fix race condition in intel_dp_destroy_mst_connector() · e4ad83b4
      Lyude authored
      [ Upstream commit 9e60290d ]
      
      After unplugging a DP MST display from the system, we have to go through
      and destroy all of the DRM connectors associated with it since none of
      them are valid anymore. Unfortunately, intel_dp_destroy_mst_connector()
      doesn't do a good enough job of ensuring that throughout the destruction
      process that no modesettings can be done with the connectors. As it is
      right now, intel_dp_destroy_mst_connector() works like this:
      
      * Take all modeset locks
      * Clear the configuration of the crtc on the connector, if there is one
      * Drop all modeset locks, this is required because of circular
        dependency issues that arise with trying to remove the connector from
        sysfs with modeset locks held
      * Unregister the connector
      * Take all modeset locks, again
      * Do the rest of the required cleaning for destroying the connector
      * Finally drop all modeset locks for good
      
      This only works sometimes. During the destruction process, it's very
      possible that a userspace application will attempt to do a modesetting
      using the connector. When we drop the modeset locks, an ioctl handler
      such as drm_mode_setcrtc has the oppurtunity to take all of the modeset
      locks from us. When this happens, one thing leads to another and
      eventually we end up committing a mode with the non-existent connector:
      
      	[drm:intel_dp_link_training_clock_recovery [i915]] *ERROR* failed to enable link training
      	[drm:intel_dp_aux_ch] dp_aux_ch timeout status 0x7cf0001f
      	[drm:intel_dp_start_link_train [i915]] *ERROR* failed to start channel equalization
      	[drm:intel_dp_aux_ch] dp_aux_ch timeout status 0x7cf0001f
      	[drm:intel_mst_pre_enable_dp [i915]] *ERROR* failed to allocate vcpi
      
      And in some cases, such as with the T460s using an MST dock, this
      results in breaking modesetting and/or panicking the system.
      
      To work around this, we now unregister the connector at the very
      beginning of intel_dp_destroy_mst_connector(), grab all the modesetting
      locks, and then hold them until we finish the rest of the function.
      
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarLyude <cpaul@redhat.com>
      Signed-off-by: default avatarRob Clark <rclark@redhat.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1458155884-13877-1-git-send-email-cpaul@redhat.com
      (cherry picked from commit 1f771755)
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e4ad83b4
    • Maarten Lankhorst's avatar
      drm/i915: Update atomic state when removing mst connector, v3. · fc726488
      Maarten Lankhorst authored
      [ Upstream commit 20fae983 ]
      
      Fully remove the MST connector from the atomic state, and remove the
      early returns in check_*_state for MST connectors.
      
      With atomic the state can be made consistent all the time.
      
      Thanks to Sivakumar Thulasimani for the idea of using
      drm_atomic_helper_set_config.
      
      Changes since v1:
      - Remove the MST check in intel_connector_check_state too.
      Changes since v2:
      - Use drm_atomic_helper_set_config.
      Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Cc: Sivakumar Thulasimani <sivakumar.thulasimani@intel.com>
      Reviewed-by: default avatarSivakumar Thulasimani <sivakumar.thulasimani@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fc726488
    • Andy Shevchenko's avatar
      dmaengine: hsu: correct use of channel status register · 2d6e4631
      Andy Shevchenko authored
      [ Upstream commit 4f4bc0ab ]
      
      There is a typo in documentation regarding to descriptor empty bit (DESCE)
      which is set to 1 when descriptor is empty. Thus, status register at the end of
      a transfer usually returns all DESCE bits set and thus it will never be zero.
      
      Moreover, there are 2 bits (CDESC) that encode current descriptor, on which
      interrupt has been asserted. In case when we have few descriptors programmed we
      might have non-zero value.
      
      Remove DESCE and CDESC bits from DMA channel status register (HSU_CH_SR) when
      reading it.
      
      Fixes: 2b49e0c5 ("dmaengine: append hsu DMA driver")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2d6e4631
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done() · be851faf
      Yoshihiro Shimoda authored
      [ Upstream commit 4fccb076 ]
      
      This patch fixes an issue that usbhsg_queue_done() may cause kernel
      panic when dma callback is running and usb_ep_disable() is called
      by interrupt handler. (Especially, we can reproduce this issue using
      g_audio with usb-dmac driver.)
      
      For example of a flow:
       usbhsf_dma_complete (on tasklet)
        --> usbhsf_pkt_handler (on tasklet)
         --> usbhsg_queue_done (on tasklet)
          *** interrupt happened and usb_ep_disable() is called ***
          --> usbhsg_queue_pop (on tasklet)
           Then, oops happened.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Cc: <stable@vger.kernel.org> # v3.1+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      be851faf
    • Boris Ostrovsky's avatar
      xen/events: Mask a moving irq · 41391719
      Boris Ostrovsky authored
      [ Upstream commit ff1e22e7 ]
      
      Moving an unmasked irq may result in irq handler being invoked on both
      source and target CPUs.
      
      With 2-level this can happen as follows:
      
      On source CPU:
              evtchn_2l_handle_events() ->
                  generic_handle_irq() ->
                      handle_edge_irq() ->
                         eoi_pirq():
                             irq_move_irq(data);
      
                             /***** WE ARE HERE *****/
      
                             if (VALID_EVTCHN(evtchn))
                                 clear_evtchn(evtchn);
      
      If at this moment target processor is handling an unrelated event in
      evtchn_2l_handle_events()'s loop it may pick up our event since target's
      cpu_evtchn_mask claims that this event belongs to it *and* the event is
      unmasked and still pending. At the same time, source CPU will continue
      executing its own handle_edge_irq().
      
      With FIFO interrupt the scenario is similar: irq_move_irq() may result
      in a EVTCHNOP_unmask hypercall which, in turn, may make the event
      pending on the target CPU.
      
      We can avoid this situation by moving and clearing the event while
      keeping event masked.
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      41391719
    • Takashi Iwai's avatar
      ALSA: usb-audio: Add a sample rate quirk for Phoenix Audio TMX320 · fc4d092b
      Takashi Iwai authored
      [ Upstream commit f03b24a8 ]
      
      Phoenix Audio TMX320 gives the similar error when the sample rate is
      asked:
        usb 2-1.3: 2:1: cannot get freq at ep 0x85
        usb 2-1.3: 1:1: cannot get freq at ep 0x2
        ....
      
      Add the corresponding USB-device ID (1de7:0014) to
      snd_usb_get_sample_rate_quirk() list.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110221
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fc4d092b
    • Theodore Ts'o's avatar
      ext4: ignore quota mount options if the quota feature is enabled · c1f5eb60
      Theodore Ts'o authored
      [ Upstream commit c325a67c ]
      
      Previously, ext4 would fail the mount if the file system had the quota
      feature enabled and quota mount options (used for the older quota
      setups) were present.  This broke xfstests, since xfs silently ignores
      the usrquote and grpquota mount options if they are specified.  This
      commit changes things so that we are consistent with xfs; having the
      mount options specified is harmless, so no sense break users by
      forbidding them.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c1f5eb60
    • Yuki Shibuya's avatar
      KVM: x86: Inject pending interrupt even if pending nmi exist · cc157620
      Yuki Shibuya authored
      [ Upstream commit 321c5658 ]
      
      Non maskable interrupts (NMI) are preferred to interrupts in current
      implementation. If a NMI is pending and NMI is blocked by the result
      of nmi_allowed(), pending interrupt is not injected and
      enable_irq_window() is not executed, even if interrupts injection is
      allowed.
      
      In old kernel (e.g. 2.6.32), schedule() is often called in NMI context.
      In this case, interrupts are needed to execute iret that intends end
      of NMI. The flag of blocking new NMI is not cleared until the guest
      execute the iret, and interrupts are blocked by pending NMI. Due to
      this, iret can't be invoked in the guest, and the guest is starved
      until block is cleared by some events (e.g. canceling injection).
      
      This patch injects pending interrupts, when it's allowed, even if NMI
      is blocked. And, If an interrupts is pending after executing
      inject_pending_event(), enable_irq_window() is executed regardless of
      NMI pending counter.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarYuki Shibuya <shibuya.yk@ncos.nec.co.jp>
      Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      cc157620
    • Theodore Ts'o's avatar
      ext4: add lockdep annotations for i_data_sem · 031b34dd
      Theodore Ts'o authored
      [ Upstream commit daf647d2 ]
      
      With the internal Quota feature, mke2fs creates empty quota inodes and
      quota usage tracking is enabled as soon as the file system is mounted.
      Since quotacheck is no longer preallocating all of the blocks in the
      quota inode that are likely needed to be written to, we are now seeing
      a lockdep false positive caused by needing to allocate a quota block
      from inside ext4_map_blocks(), while holding i_data_sem for a data
      inode.  This results in this complaint:
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(&ei->i_data_sem);
                                      lock(&s->s_dquot.dqio_mutex);
                                      lock(&ei->i_data_sem);
         lock(&s->s_dquot.dqio_mutex);
      
      Google-Bug-Id: 27907753
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      031b34dd
    • Martin K. Petersen's avatar
      sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes · 9dcc54b4
      Martin K. Petersen authored
      [ Upstream commit f08bb1e0 ]
      
      During revalidate we check whether device capacity has changed before we
      decide whether to output disk information or not.
      
      The check for old capacity failed to take into account that we scaled
      sdkp->capacity based on the reported logical block size. And therefore
      the capacity test would always fail for devices with sectors bigger than
      512 bytes and we would print several copies of the same discovery
      information.
      
      Avoid scaling sdkp->capacity and instead adjust the value on the fly
      when setting the block device capacity and generating fake C/H/S
      geometry.
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarHannes Reinecke <hare@suse.de>
      Reviewed-by: default avatarHannes Reinicke <hare@suse.de>
      Reviewed-by: default avatarEwan Milne <emilne@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9dcc54b4
    • Mauro Carvalho Chehab's avatar
      [media] au0828: Fix dev_state handling · 6175a5af
      Mauro Carvalho Chehab authored
      [ Upstream commit e8e3039f ]
      
      The au0828 dev_state is actually a bit mask. It should not be
      checking with "==" but, instead, with a logic and. There are some
      places where it was doing it wrong.
      
      Fix that by replacing the dev_state set/clear/test with the
      bitops.
      
      As reviewed by Shuah:
      	"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
      	Didn't see any problems and the v4l2_querycap() problem has been
      	fixed with this patch.
      
      	After the above test, ran bind/unbind snd_usb_audio 1000 times.
      	Didn't see any problems. Generated media graph and the graph
      	looks good."
      
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Tested-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6175a5af
    • Shuah Khan's avatar
      [media] au0828: fix au0828_v4l2_close() dev_state race condition · ec91ceae
      Shuah Khan authored
      [ Upstream commit ed940cd2 ]
      
      au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
      detect the device disconnected state correctly, if au0828_v4l2_open() runs
      to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
      by increasing the likelihood of au0828_v4l2_open() occurring while unbind
      is in progress. When au0828_v4l2_close() fails to detect that the device
      is in disconnect state, it attempts to power down the device and fails with
      the following general protection fault:
      
      [  260.992962] Call Trace:
      [  260.993008]  [<ffffffffa0f80f0f>] ? xc5000_sleep+0x8f/0xd0 [xc5000]
      [  260.993095]  [<ffffffffa0f6803c>] ? fe_standby+0x3c/0x50 [tuner]
      [  260.993186]  [<ffffffffa0ef541c>] au0828_v4l2_close+0x53c/0x620 [au0828]
      [  260.993298]  [<ffffffffa0d08ec0>] v4l2_release+0xf0/0x210 [videodev]
      [  260.993382]  [<ffffffff81570f9c>] __fput+0x1fc/0x6c0
      [  260.993449]  [<ffffffff815714ce>] ____fput+0xe/0x10
      [  260.993519]  [<ffffffff8116eb83>] task_work_run+0x133/0x1f0
      [  260.993602]  [<ffffffff810035d0>] exit_to_usermode_loop+0x140/0x170
      [  260.993681]  [<ffffffff810061ca>] syscall_return_slowpath+0x16a/0x1a0
      [  260.993754]  [<ffffffff82835fb3>] entry_SYSCALL_64_fastpath+0xa6/0xa8
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ec91ceae
    • Oliver Neukum's avatar
      USB: digi_acceleport: do sanity checking for the number of ports · 15f57224
      Oliver Neukum authored
      [ Upstream commit 5a07975a ]
      
      The driver can be crashed with devices that expose crafted descriptors
      with too few endpoints.
      
      See: http://seclists.org/bugtraq/2016/Mar/61Signed-off-by: default avatarOliver Neukum <ONeukum@suse.com>
      [johan: fix OOB endpoint check and add error messages ]
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      15f57224
    • Oliver Neukum's avatar
      USB: cypress_m8: add endpoint sanity check · 45f4b9ca
      Oliver Neukum authored
      [ Upstream commit c55aee1b ]
      
      An attack using missing endpoints exists.
      
      CVE-2016-3137
      Signed-off-by: default avatarOliver Neukum <ONeukum@suse.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      45f4b9ca
    • Oliver Neukum's avatar
      USB: mct_u232: add sanity checking in probe · 4b8d00f5
      Oliver Neukum authored
      [ Upstream commit 4e9a0b05 ]
      
      An attack using the lack of sanity checking in probe is known. This
      patch checks for the existence of a second port.
      
      CVE-2016-3136
      Signed-off-by: default avatarOliver Neukum <ONeukum@suse.com>
      CC: stable@vger.kernel.org
      [johan: add error message ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4b8d00f5
    • John Keeping's avatar
      drm/qxl: fix cursor position with non-zero hotspot · 6b659bbd
      John Keeping authored
      [ Upstream commit d59a1f71 ]
      
      The SPICE protocol considers the position of a cursor to be the location
      of its active pixel on the display, so the cursor is drawn with its
      top-left corner at "(x - hot_spot_x, y - hot_spot_y)" but the DRM cursor
      position gives the location where the top-left corner should be drawn,
      with the hotspot being a hint for drivers that need it.
      
      This fixes the location of the window resize cursors when using Fluxbox
      with the QXL DRM driver and both the QXL and modesetting X drivers.
      Signed-off-by: default avatarJohn Keeping <john@metanate.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable@vger.kernel.org
      Link: http://patchwork.freedesktop.org/patch/msgid/1447845445-2116-1-git-send-email-john@metanate.comSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6b659bbd
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer · 5c059995
      Yoshihiro Shimoda authored
      [ Upstream commit 6490865c ]
      
      This patch adds a code to surely disable TX IRQ of the pipe before
      starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
      may happen in rare cases when DMAC is used.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Cc: <stable@vger.kernel.org> # v3.1+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5c059995
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler() · 250443d8
      Yoshihiro Shimoda authored
      [ Upstream commit 894f2fc4 ]
      
      When unexpected situation happened (e.g. tx/rx irq happened while
      DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
      pointer dereference like the followings:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = c0004000
      [00000000] *pgd=00000000
      Internal error: Oops: 80000007 [#1] SMP ARM
      Modules linked in: usb_f_acm u_serial g_serial libcomposite
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
      Hardware name: Generic R8A7790 (Flattened Device Tree)
      task: c0729c00 ti: c0724000 task.ti: c0724000
      PC is at 0x0
      LR is at usbhsf_pkt_handler+0xac/0x118
      pc : [<00000000>]    lr : [<c03257e0>]    psr: 60000193
      sp : c0725db8  ip : 00000000  fp : c0725df4
      r10: 00000001  r9 : 00000193  r8 : ef3ccab4
      r7 : ef3cca10  r6 : eea4586c  r5 : 00000000  r4 : ef19ceb4
      r3 : 00000000  r2 : 0000009c  r1 : c0725dc4  r0 : ef19ceb4
      
      This patch adds a condition to avoid the dereference.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Cc: <stable@vger.kernel.org> # v3.1+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      250443d8
    • Lokesh Vutla's avatar
      ARM: OMAP2+: hwmod: Fix updating of sysconfig register · 071072ef
      Lokesh Vutla authored
      [ Upstream commit 3ca4a238 ]
      
      Commit 127500cc ("ARM: OMAP2+: Only write the sysconfig on idle
      when necessary") talks about verification of sysconfig cache value before
      updating it, only during idle path. But the patch is adding the
      verification in the enable path. So, adding the check in a proper place
      as per the commit description.
      
      Not keeping this check during enable path as there is a chance of losing
      context and it is safe to do on idle as the context of the register will
      never be lost while the device is active.
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Acked-by: default avatarTero Kristo <t-kristo@ti.com>
      Cc: Jon Hunter <jonathanh@nvidia.com>
      Cc: <stable@vger.kernel.org> # 3.12+
      Fixes: commit 127500cc "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
      [paul@pwsan.com: appears to have been caused by my own mismerge of the
       originally posted patch]
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      071072ef
  2. 19 Apr, 2016 2 commits
    • Alan Stern's avatar
      HID: usbhid: fix inconsistent reset/resume/reset-resume behavior · 8db1fb6a
      Alan Stern authored
      [ Upstream commit 972e6a99 ]
      
      The usbhid driver has inconsistently duplicated code in its post-reset,
      resume, and reset-resume pathways.
      
      	reset-resume doesn't check HID_STARTED before trying to
      	restart the I/O queues.
      
      	resume fails to clear the HID_SUSPENDED flag if HID_STARTED
      	isn't set.
      
      	resume calls usbhid_restart_queues() with usbhid->lock held
      	and the others call it without holding the lock.
      
      The first item in particular causes a problem following a reset-resume
      if the driver hasn't started up its I/O.  URB submission fails because
      usbhid->urbin is NULL, and this triggers an unending reset-retry loop.
      
      This patch fixes the problem by creating a new subroutine,
      hid_restart_io(), to carry out all the common activities.  It also
      adds some checks that were missing in the original code:
      
      	After a reset, there's no need to clear any halted endpoints.
      
      	After a resume, if a reset is pending there's no need to
      	restart any I/O until the reset is finished.
      
      	After a resume, if the interrupt-IN endpoint is halted there's
      	no need to submit the input URB until the halt has been
      	cleared.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarDaniel Fraga <fragabr@gmail.com>
      Tested-by: default avatarDaniel Fraga <fragabr@gmail.com>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8db1fb6a
    • Sasha Levin's avatar
      Linux 4.1.22 · 6fe78bc1
      Sasha Levin authored
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6fe78bc1
  3. 18 Apr, 2016 2 commits