1. 18 Jul, 2014 16 commits
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Remove ftrace_stop/start() from reading the trace file · 19a01928
      Steven Rostedt (Red Hat) authored
      commit 099ed151 upstream.
      
      Disabling reading and writing to the trace file should not be able to
      disable all function tracing callbacks. There's other users today
      (like kprobes and perf). Reading a trace file should not stop those
      from happening.
      Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      19a01928
    • Michal Nazarewicz's avatar
      tools: ffs-test: fix header values endianess · cb116d6b
      Michal Nazarewicz authored
      commit f35f7124 upstream.
      
      It appears that no one ever run ffs-test on a big-endian machine,
      since it used cpu-endianess for fs_count and hs_count fields which
      should be in little-endian format.  Fix by wrapping the numbers in
      cpu_to_le32.
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cb116d6b
    • J. Bruce Fields's avatar
      nfsd: fix rare symlink decoding bug · 12ea9001
      J. Bruce Fields authored
      commit 76f47128 upstream.
      
      An NFS operation that creates a new symlink includes the symlink data,
      which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
      of zero-padding as required to reach a 4-byte boundary.
      
      The vfs, on the other hand, wants null-terminated data.
      
      The simple way to handle this would be by copying the data into a newly
      allocated buffer with space for the final null.
      
      The current nfsd_symlink code tries to be more clever by skipping that
      step in the (likely) case where the byte following the string is already
      0.
      
      But that assumes that the byte following the string is ours to look at.
      In fact, it might be the first byte of a page that we can't read, or of
      some object that another task might modify.
      
      Worse, the NFSv4 code tries to fix the problem by actually writing to
      that byte.
      
      In the NFSv2/v3 cases this actually appears to be safe:
      
      	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
      	  (after first checking its length and copying it to a new
      	  page).
      	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
      	  request is always at least a page, and the link data (and
      	  previous fields) have maximum lengths that prevent the request
      	  from reaching the end of a page.
      
      In the NFSv4 case the CREATE op is potentially just one part of a long
      compound so can end up on the end of a page if you're unlucky.
      
      The minimal fix here is to copy and null-terminate in the NFSv4 case.
      The nfsd_symlink() interface here seems too fragile, though.  It should
      really either do the copy itself every time or just require a
      null-terminated string.
      Reported-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      12ea9001
    • Adam Thomson's avatar
      iio: of_iio_channel_get_by_name() returns non-null pointers for error legs · 8f2574b7
      Adam Thomson authored
      commit a2c12493 upstream.
      
      Currently in the inkern.c code for IIO framework, the function
      of_iio_channel_get_by_name() will return a non-NULL pointer when
      it cannot find a channel using of_iio_channel_get() and when it
      tries to search for 'io-channel-ranges' property and fails. This
      is incorrect behaviour as the function which calls this expects
      a NULL pointer for failure. This patch rectifies the issue.
      Signed-off-by: default avatarAdam Thomson <Adam.Thomson.Opensource@diasemi.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8f2574b7
    • Paolo Bonzini's avatar
      KVM: x86: preserve the high 32-bits of the PAT register · d964adc8
      Paolo Bonzini authored
      commit 7cb060a9 upstream.
      
      KVM does not really do much with the PAT, so this went unnoticed for a
      long time.  It is exposed however if you try to do rdmsr on the PAT
      register.
      Reported-by: default avatarValentine Sinitsyn <valentine.sinitsyn@gmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d964adc8
    • Nadav Amit's avatar
      KVM: x86: Increase the number of fixed MTRR regs to 10 · 35d3871e
      Nadav Amit authored
      commit 682367c4 upstream.
      
      Recent Intel CPUs have 10 variable range MTRRs. Since operating systems
      sometime make assumptions on CPUs while they ignore capability MSRs, it is
      better for KVM to be consistent with recent CPUs. Reporting more MTRRs than
      actually supported has no functional implications.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      35d3871e
    • Jan Kara's avatar
      ext4: Fix hole punching for files with indirect blocks · 9011a645
      Jan Kara authored
      commit a93cd4cf upstream.
      
      Hole punching code for files with indirect blocks wrongly computed
      number of blocks which need to be cleared when traversing the indirect
      block tree. That could result in punching more blocks than actually
      requested and thus effectively cause a data loss. For example:
      
      fallocate -n -p 10240000 4096
      
      will punch the range 10240000 - 12632064 instead of the range 1024000 -
      10244096. Fix the calculation.
      
      Fixes: 8bad6fc8Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9011a645
    • Jan Kara's avatar
      ext4: Fix buffer double free in ext4_alloc_branch() · 18e64a6a
      Jan Kara authored
      commit c5c7b8dd upstream.
      
      Error recovery in ext4_alloc_branch() calls ext4_forget() even for
      buffer corresponding to indirect block it did not allocate. This leads
      to brelse() being called twice for that buffer (once from ext4_forget()
      and once from cleanup in ext4_ind_map_blocks()) leading to buffer use
      count misaccounting. Eventually (but often much later because there
      are other users of the buffer) we will see messages like:
      VFS: brelse: Trying to free free buffer
      
      Another manifestation of this problem is an error:
      JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
      inconsistent data on disk
      
      The fix is easy - don't forget buffer we did not allocate. Also add an
      explanatory comment because the indexing at ext4_alloc_branch() is
      somewhat subtle.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      18e64a6a
    • Tejun Heo's avatar
      blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq refcnt an atomic_t · 04e1cd73
      Tejun Heo authored
      commit a5049a8a upstream.
      
      Hello,
      
      So, this patch should do.  Joe, Vivek, can one of you guys please
      verify that the oops goes away with this patch?
      
      Jens, the original thread can be read at
      
        http://thread.gmane.org/gmane.linux.kernel/1720729
      
      The fix converts blkg->refcnt from int to atomic_t.  It does some
      overhead but it should be minute compared to everything else which is
      going on and the involved cacheline bouncing, so I think it's highly
      unlikely to cause any noticeable difference.  Also, the refcnt in
      question should be converted to a perpcu_ref for blk-mq anyway, so the
      atomic_t is likely to go away pretty soon anyway.
      
      Thanks.
      
      ------- 8< -------
      __blkg_release_rcu() may be invoked after the associated request_queue
      is released with a RCU grace period inbetween.  As such, the function
      and callbacks invoked from it must not dereference the associated
      request_queue.  This is clearly indicated in the comment above the
      function.
      
      Unfortunately, while trying to fix a different issue, 2a4fd070
      ("blkcg: move bulk of blkcg_gq release operations to the RCU
      callback") ignored this and added [un]locking of @blkg->q->queue_lock
      to __blkg_release_rcu().  This of course can cause oops as the
      request_queue may be long gone by the time this code gets executed.
      
        general protection fault: 0000 [#1] SMP
        CPU: 21 PID: 30 Comm: rcuos/21 Not tainted 3.15.0 #1
        Hardware name: Stratus ftServer 6400/G7LAZ, BIOS BIOS Version 6.3:57 12/25/2013
        task: ffff880854021de0 ti: ffff88085403c000 task.ti: ffff88085403c000
        RIP: 0010:[<ffffffff8162e9e5>]  [<ffffffff8162e9e5>] _raw_spin_lock_irq+0x15/0x60
        RSP: 0018:ffff88085403fdf0  EFLAGS: 00010086
        RAX: 0000000000020000 RBX: 0000000000000010 RCX: 0000000000000000
        RDX: 000060ef80008248 RSI: 0000000000000286 RDI: 6b6b6b6b6b6b6b6b
        RBP: ffff88085403fdf0 R08: 0000000000000286 R09: 0000000000009f39
        R10: 0000000000020001 R11: 0000000000020001 R12: ffff88103c17a130
        R13: ffff88103c17a080 R14: 0000000000000000 R15: 0000000000000000
        FS:  0000000000000000(0000) GS:ffff88107fca0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000006e5ab8 CR3: 000000000193d000 CR4: 00000000000407e0
        Stack:
         ffff88085403fe18 ffffffff812cbfc2 ffff88103c17a130 0000000000000000
         ffff88103c17a130 ffff88085403fec0 ffffffff810d1d28 ffff880854021de0
         ffff880854021de0 ffff88107fcaec58 ffff88085403fe80 ffff88107fcaec30
        Call Trace:
         [<ffffffff812cbfc2>] __blkg_release_rcu+0x72/0x150
         [<ffffffff810d1d28>] rcu_nocb_kthread+0x1e8/0x300
         [<ffffffff81091d81>] kthread+0xe1/0x100
         [<ffffffff8163813c>] ret_from_fork+0x7c/0xb0
        Code: ff 47 04 48 8b 7d 08 be 00 02 00 00 e8 55 48 a4 ff 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5
        +fa 66 66 90 66 66 90 b8 00 00 02 00 <f0> 0f c1 07 89 c2 c1 ea 10 66 39 c2 75 02 5d c3 83 e2 fe 0f
        +b7
        RIP  [<ffffffff8162e9e5>] _raw_spin_lock_irq+0x15/0x60
         RSP <ffff88085403fdf0>
      
      The request_queue locking was added because blkcg_gq->refcnt is an int
      protected with the queue lock and __blkg_release_rcu() needs to put
      the parent.  Let's fix it by making blkcg_gq->refcnt an atomic_t and
      dropping queue locking in the function.
      
      Given the general heavy weight of the current request_queue and blkcg
      operations, this is unlikely to cause any noticeable overhead.
      Moreover, blkcg_gq->refcnt is likely to be converted to percpu_ref in
      the near future, so whatever (most likely negligible) overhead it may
      add is temporary.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      Link: http://lkml.kernel.org/g/alpine.DEB.2.02.1406081816540.17948@jlaw-desktop.mno.stratus.comSigned-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      04e1cd73
    • Steve French's avatar
      CIFS: fix mount failure with broken pathnames when smb3 mount with mapchars option · 10bdb522
      Steve French authored
      commit ce36d9ab upstream.
      
      When we SMB3 mounted with mapchars (to allow reserved characters : \ / > < * ?
      via the Unicode Windows to POSIX remap range) empty paths
      (eg when we open "" to query the root of the SMB3 directory on mount) were not
      null terminated so we sent garbarge as a path name on empty paths which caused
      SMB2/SMB2.1/SMB3 mounts to fail when mapchars was specified.  mapchars is
      particularly important since Unix Extensions for SMB3 are not supported (yet)
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      10bdb522
    • Rafał Miłecki's avatar
      b43: fix frequency reported on G-PHY with /new/ firmware · bf792b9b
      Rafał Miłecki authored
      commit 2fc68eb1 upstream.
      
      Support for firmware rev 508+ was added years ago, but we never noticed
      it reports channel in a different way for G-PHY devices. Instead of
      offset from 2400 MHz it simply passes channel id (AKA hw_value).
      
      So far it was (most probably) affecting monitor mode users only, but
      the following recent commit made it noticeable for quite everybody:
      
      commit 3afc2167
      Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Date:   Tue Mar 4 16:50:13 2014 +0200
      
          cfg80211/mac80211: ignore signal if the frame was heard on wrong channel
      Reported-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Tested-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bf792b9b
    • Maxime Ripard's avatar
      net: allwinner: emac: Add missing free_irq · 9b272249
      Maxime Ripard authored
      commit b9111328 upstream.
      
      If the mdio probe function fails in emac_open, the interrupt we just requested
      isn't freed. If emac_open is called again, for example because we try to set up
      the interface again, the kernel will oops because the interrupt wasn't properly
      released.
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b272249
    • ChiaHao's avatar
      arm64: Bug fix in stack alignment exception · 0c935c95
      ChiaHao authored
      commit 3906c2b5 upstream.
      
      The value of ESR has been stored into x1, and should be directly pass to
      do_sp_pc_abort function, "MOV x1, x25" is an extra operation and do_sp_pc_abort
      will get the wrong value of ESR.
      Signed-off-by: default avatarChiaHao <andy.jhshiu@gmail.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0c935c95
    • David R. Piegdon's avatar
      ARM: OMAP2+: Fix parser-bug in platform muxing code · 356d96c5
      David R. Piegdon authored
      commit c021f241 upstream.
      
      Fix a parser-bug in the omap2 muxing code where muxtable-entries will be
      wrongly selected if the requested muxname is a *prefix* of their
      m0-entry and they have a matching mN-entry. Fix by additionally checking
      that the length of the m0_entry is equal.
      
      For example muxing of "dss_data2.dss_data2" on omap32xx will fail
      because the prefix "dss_data2" will match the mux-entries "dss_data2" as
      well as "dss_data20", with the suffix "dss_data2" matching m0 (for
      dss_data2) and m4 (for dss_data20). Thus both are recognized as signal
      path candidates:
      
      Relevant muxentries from mux34xx.c:
              _OMAP3_MUXENTRY(DSS_DATA20, 90,
                      "dss_data20", NULL, "mcspi3_somi", "dss_data2",
                      "gpio_90", NULL, NULL, "safe_mode"),
              _OMAP3_MUXENTRY(DSS_DATA2, 72,
                      "dss_data2", NULL, NULL, NULL,
                      "gpio_72", NULL, NULL, "safe_mode"),
      
      This will result in a failure to mux the pin at all:
      
       _omap_mux_get_by_name: Multiple signal paths (2) for dss_data2.dss_data2
      
      Patch should apply to linus' latest master down to rather old linux-2.6
      trees.
      Signed-off-by: default avatarDavid R. Piegdon <lkml@p23q.org>
      Cc: stable@vger.kernel.org
      [tony@atomide.com: updated description to include full description]
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      356d96c5
    • Steve Capper's avatar
      arm64: mm: Make icache synchronisation logic huge page aware · 53d968ca
      Steve Capper authored
      commit 923b8f50 upstream.
      
      The __sync_icache_dcache routine will only flush the dcache for the
      first page of a compound page, potentially leading to stale icache
      data residing further on in a hugetlb page.
      
      This patch addresses this issue by taking into consideration the
      order of the page when flushing the dcache.
      Reported-by: default avatarMark Brown <broonie@linaro.org>
      Tested-by: default avatarMark Brown <broonie@linaro.org>
      Signed-off-by: default avatarSteve Capper <steve.capper@linaro.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      53d968ca
    • David Rientjes's avatar
      mm, pcp: allow restoring percpu_pagelist_fraction default · 6b500267
      David Rientjes authored
      commit 7cd2b0a3 upstream.
      
      Oleg reports a division by zero error on zero-length write() to the
      percpu_pagelist_fraction sysctl:
      
          divide error: 0000 [#1] SMP DEBUG_PAGEALLOC
          CPU: 1 PID: 9142 Comm: badarea_io Not tainted 3.15.0-rc2-vm-nfs+ #19
          Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
          task: ffff8800d5aeb6e0 ti: ffff8800d87a2000 task.ti: ffff8800d87a2000
          RIP: 0010: percpu_pagelist_fraction_sysctl_handler+0x84/0x120
          RSP: 0018:ffff8800d87a3e78  EFLAGS: 00010246
          RAX: 0000000000000f89 RBX: ffff88011f7fd000 RCX: 0000000000000000
          RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000010
          RBP: ffff8800d87a3e98 R08: ffffffff81d002c8 R09: ffff8800d87a3f50
          R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000060
          R13: ffffffff81c3c3e0 R14: ffffffff81cfddf8 R15: ffff8801193b0800
          FS:  00007f614f1e9740(0000) GS:ffff88011f440000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
          CR2: 00007f614f1fa000 CR3: 00000000d9291000 CR4: 00000000000006e0
          Call Trace:
            proc_sys_call_handler+0xb3/0xc0
            proc_sys_write+0x14/0x20
            vfs_write+0xba/0x1e0
            SyS_write+0x46/0xb0
            tracesys+0xe1/0xe6
      
      However, if the percpu_pagelist_fraction sysctl is set by the user, it
      is also impossible to restore it to the kernel default since the user
      cannot write 0 to the sysctl.
      
      This patch allows the user to write 0 to restore the default behavior.
      It still requires a fraction equal to or larger than 8, however, as
      stated by the documentation for sanity.  If a value in the range [1, 7]
      is written, the sysctl will return EINVAL.
      
      This successfully solves the divide by zero issue at the same time.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6b500267
  2. 17 Jul, 2014 24 commits