1. 22 Aug, 2016 40 commits
    • Wei Fang's avatar
      fs/dcache.c: avoid soft-lockup in dput() · 5c0a3ca7
      Wei Fang authored
      [ Upstream commit 47be6184 ]
      
      We triggered soft-lockup under stress test which
      open/access/write/close one file concurrently on more than
      five different CPUs:
      
      WARN: soft lockup - CPU#0 stuck for 11s! [who:30631]
      ...
      [<ffffffc0003986f8>] dput+0x100/0x298
      [<ffffffc00038c2dc>] terminate_walk+0x4c/0x60
      [<ffffffc00038f56c>] path_lookupat+0x5cc/0x7a8
      [<ffffffc00038f780>] filename_lookup+0x38/0xf0
      [<ffffffc000391180>] user_path_at_empty+0x78/0xd0
      [<ffffffc0003911f4>] user_path_at+0x1c/0x28
      [<ffffffc00037d4fc>] SyS_faccessat+0xb4/0x230
      
      ->d_lock trylock may failed many times because of concurrently
      operations, and dput() may execute a long time.
      
      Fix this by replacing cpu_relax() with cond_resched().
      dput() used to be sleepable, so make it sleepable again
      should be safe.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWei Fang <fangwei1@huawei.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5c0a3ca7
    • Linus Torvalds's avatar
      dcache: let the dentry count go down to zero without taking d_lock · ead2cea2
      Linus Torvalds authored
      [ Upstream commit 360f5479 ]
      
      We can be more aggressive about this, if we are clever and careful. This is subtle.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      ead2cea2
    • Benjamin Coddington's avatar
      nfs: don't create zero-length requests · cf4f30b2
      Benjamin Coddington authored
      [ Upstream commit 149a4fdd ]
      
      NFS doesn't expect requests with wb_bytes set to zero and may make
      unexpected decisions about how to handle that request at the page IO layer.
      Skip request creation if we won't have any wb_bytes in the request.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Reviewed-by: default avatarWeston Andros Adamson <dros@primarydata.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cf4f30b2
    • Andy Shevchenko's avatar
      gpio: intel-mid: Remove potentially harmful code · f9fef43a
      Andy Shevchenko authored
      [ Upstream commit 3dbd3212 ]
      
      The commit d56d6b3d ("gpio: langwell: add Intel Merrifield support")
      doesn't look at all as a proper support for Intel Merrifield and I dare to say
      that it distorts the behaviour of the hardware.
      
      The register map is different on Intel Merrifield, i.e. only 6 out of 8
      register have the same purpose but none of them has same location in the
      address space. The current case potentially harmful to existing hardware since
      it's poking registers on wrong offsets and may set some pin to be GPIO output
      when connected hardware doesn't expect such.
      
      Besides the above GPIO and pinctrl on Intel Merrifield have been located in
      different IP blocks. The functionality has been extended as well, i.e. added
      support of level interrupts, special registers for wake capable sources and
      thus, in my opinion, requires a completele separate driver.
      
      If someone wondering the existing gpio-intel-mid.c would be converted to actual
      pinctrl (which by the fact it is now), though I wouldn't be a volunteer to do
      that.
      
      Fixes: d56d6b3d ("gpio: langwell: add Intel Merrifield support")
      Cc: stable@vger.kernel.org # v3.13+
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      f9fef43a
    • Feng Li's avatar
      iscsi-target: Fix panic when adding second TCP connection to iSCSI session · 7b37bc27
      Feng Li authored
      [ Upstream commit 8abc718d ]
      
      In MC/S scenario, the conn->sess has been set NULL in
      iscsi_login_non_zero_tsih_s1 when the second connection comes here,
      then kernel panic.
      
      The conn->sess will be assigned in iscsi_login_non_zero_tsih_s2. So
      we should check whether it's NULL before calling.
      Signed-off-by: default avatarFeng Li <lifeng1519@gmail.com>
      Tested-by: default avatarSumit Rai <sumit.rai@calsoftinc.com>
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7b37bc27
    • Paul Moore's avatar
      audit: fix a double fetch in audit_log_single_execve_arg() · 3f4976f0
      Paul Moore authored
      [ Upstream commit 43761473 ]
      
      There is a double fetch problem in audit_log_single_execve_arg()
      where we first check the execve(2) argumnets for any "bad" characters
      which would require hex encoding and then re-fetch the arguments for
      logging in the audit record[1].  Of course this leaves a window of
      opportunity for an unsavory application to munge with the data.
      
      This patch reworks things by only fetching the argument data once[2]
      into a buffer where it is scanned and logged into the audit
      records(s).  In addition to fixing the double fetch, this patch
      improves on the original code in a few other ways: better handling
      of large arguments which require encoding, stricter record length
      checking, and some performance improvements (completely unverified,
      but we got rid of some strlen() calls, that's got to be a good
      thing).
      
      As part of the development of this patch, I've also created a basic
      regression test for the audit-testsuite, the test can be tracked on
      GitHub at the following link:
      
       * https://github.com/linux-audit/audit-testsuite/issues/25
      
      [1] If you pay careful attention, there is actually a triple fetch
      problem due to a strnlen_user() call at the top of the function.
      
      [2] This is a tiny white lie, we do make a call to strnlen_user()
      prior to fetching the argument data.  I don't like it, but due to the
      way the audit record is structured we really have no choice unless we
      copy the entire argument at once (which would require a rather
      wasteful allocation).  The good news is that with this patch the
      kernel no longer relies on this strnlen_user() value for anything
      beyond recording it in the log, we also update it with a trustworthy
      value whenever possible.
      Reported-by: default avatarPengfei Wang <wpengfeinudt@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      3f4976f0
    • Linus Torvalds's avatar
      Fix broken audit tests for exec arg len · a59a2f6b
      Linus Torvalds authored
      [ Upstream commit 45820c29 ]
      
      The "fix" in commit 0b08c5e5 ("audit: Fix check of return value of
      strnlen_user()") didn't fix anything, it broke things.  As reported by
      Steven Rostedt:
      
       "Yes, strnlen_user() returns 0 on fault, but if you look at what len is
        set to, than you would notice that on fault len would be -1"
      
      because we just subtracted one from the return value.  So testing
      against 0 doesn't test for a fault condition, it tests against a
      perfectly valid empty string.
      
      Also fix up the usual braindamage wrt using WARN_ON() inside a
      conditional - make it part of the conditional and remove the explicit
      unlikely() (which is already part of the WARN_ON*() logic, exactly so
      that you don't have to write unreadable code.
      Reported-and-tested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Paul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      a59a2f6b
    • Jan Kara's avatar
      audit: Fix check of return value of strnlen_user() · c786cc5e
      Jan Kara authored
      [ Upstream commit 0b08c5e5 ]
      
      strnlen_user() returns 0 when it hits fault, not -1. Fix the test in
      audit_log_single_execve_arg(). Luckily this shouldn't ever happen unless
      there's a kernel bug so it's mostly a cosmetic fix.
      
      CC: Paul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c786cc5e
    • Rabin Vincent's avatar
      cifs: fix crash due to race in hmac(md5) handling · eeeec288
      Rabin Vincent authored
      [ Upstream commit bd975d1e ]
      
      The secmech hmac(md5) structures are present in the TCP_Server_Info
      struct and can be shared among multiple CIFS sessions.  However, the
      server mutex is not currently held when these structures are allocated
      and used, which can lead to a kernel crashes, as in the scenario below:
      
      mount.cifs(8) #1				mount.cifs(8) #2
      
      Is secmech.sdeschmaccmd5 allocated?
      // false
      
      						Is secmech.sdeschmaccmd5 allocated?
      						// false
      
      secmech.hmacmd = crypto_alloc_shash..
      secmech.sdeschmaccmd5 = kzalloc..
      sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
      
      						secmech.sdeschmaccmd5 = kzalloc
      						// sdeschmaccmd5->shash.tfm
      						// not yet assigned
      
      crypto_shash_update()
       deref NULL sdeschmaccmd5->shash.tfm
      
       Unable to handle kernel paging request at virtual address 00000030
       epc   : 8027ba34 crypto_shash_update+0x38/0x158
       ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
       Call Trace:
        crypto_shash_update+0x38/0x158
        setup_ntlmv2_rsp+0x4bc/0xa84
        build_ntlmssp_auth_blob+0xbc/0x34c
        sess_auth_rawntlmssp_authenticate+0xac/0x248
        CIFS_SessSetup+0xf0/0x178
        cifs_setup_session+0x4c/0x84
        cifs_get_smb_ses+0x2c8/0x314
        cifs_mount+0x38c/0x76c
        cifs_do_mount+0x98/0x440
        mount_fs+0x20/0xc0
        vfs_kern_mount+0x58/0x138
        do_mount+0x1e8/0xccc
        SyS_mount+0x88/0xd4
        syscall_common+0x30/0x54
      
      Fix this by locking the srv_mutex around the code which uses these
      hmac(md5) structures.  All the other secmech algos already have similar
      locking.
      
      Fixes: 95dc8dd1 ("Limit allocation of crypto mechanisms to dialect which requires")
      Signed-off-by: default avatarRabin Vincent <rabinv@axis.com>
      Acked-by: default avatarSachin Prabhu <sprabhu@redhat.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      eeeec288
    • Nicholas Bellinger's avatar
      target: Fix race between iscsi-target connection shutdown + ABORT_TASK · cb0a0062
      Nicholas Bellinger authored
      [ Upstream commit 064cdd2d ]
      
      This patch fixes a race in iscsit_release_commands_from_conn() ->
      iscsit_free_cmd() -> transport_generic_free_cmd() + wait_for_tasks=1,
      where CMD_T_FABRIC_STOP could end up being set after the final
      kref_put() is called from core_tmr_abort_task() context.
      
      This results in transport_generic_free_cmd() blocking indefinately
      on se_cmd->cmd_wait_comp, because the target_release_cmd_kref()
      check for CMD_T_FABRIC_STOP returns false.
      
      To address this bug, make iscsit_release_commands_from_conn()
      do list_splice and set CMD_T_FABRIC_STOP early while holding
      iscsi_conn->cmd_lock.  Also make iscsit_aborted_task() only
      remove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been
      set.
      
      Finally in target_release_cmd_kref(), only honor fabric_stop
      if CMD_T_ABORTED has been set.
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: stable@vger.kernel.org # 3.14+
      Tested-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cb0a0062
    • Nicholas Bellinger's avatar
      target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP · b4a8ca6b
      Nicholas Bellinger authored
      [ Upstream commit 5e2c956b ]
      
      During transport_generic_free_cmd() with a concurrent TMR
      ABORT_TASK and shutdown CMD_T_FABRIC_STOP bit set, the
      caller will be blocked on se_cmd->cmd_wait_stop completion
      until the final kref_put() -> target_release_cmd_kref()
      has been invoked to call complete().
      
      However, when ABORT_TASK is completed with FUNCTION_COMPLETE
      in core_tmr_abort_task(), the aborted se_cmd will have already
      been removed from se_sess->sess_cmd_list via list_del_init().
      
      This results in target_release_cmd_kref() hitting the
      legacy list_empty() == true check, invoking ->release_cmd()
      but skipping complete() to wakeup se_cmd->cmd_wait_stop
      blocked earlier in transport_generic_free_cmd() code.
      
      To address this bug, it's safe to go ahead and drop the
      original list_empty() check so that fabric_stop invokes
      the complete() as expected, since list_del_init() can
      safely be used on a empty list.
      
      Cc: Mike Christie <mchristi@redhat.com>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: stable@vger.kernel.org # 3.14+
      Tested-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b4a8ca6b
    • Hector Palacios's avatar
      mtd: nand: fix bug writing 1 byte less than page size · bdcbb059
      Hector Palacios authored
      [ Upstream commit 144f4c98 ]
      
      nand_do_write_ops() determines if it is writing a partial page with the
      formula:
      	part_pagewr = (column || writelen < (mtd->writesize - 1))
      
      When 'writelen' is exactly 1 byte less than the NAND page size the formula
      equates to zero, so the code doesn't process it as a partial write,
      although it should.
      As a consequence the function remains in the while(1) loop with 'writelen'
      becoming 0xffffffff and iterating endlessly.
      
      The bug may not be easy to reproduce in Linux since user space tools
      usually force the padding or round-up the write size to a page-size
      multiple.
      This was discovered in U-Boot where the issue can be reproduced by
      writing any size that is 1 byte less than a page-size multiple.
      For example, on a NAND with 2K page (0x800):
      	=> nand erase.part <partition>
      	=> nand write $loadaddr <partition> 7ff
      
      [Editor's note: the bug was added in commit 29072b96, but moved
      around in commit 66507c7b ("mtd: nand: Add support to use nand_base
      poi databuf as bounce buffer")]
      
      Fixes: 29072b96 ("[MTD] NAND: add subpage write support")
      Signed-off-by: default avatarHector Palacios <hector.palacios@digi.com>
      Acked-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      bdcbb059
    • Will Deacon's avatar
      arm64: debug: unmask PSTATE.D earlier · 8317c7f7
      Will Deacon authored
      [ Upstream commit 2ce39ad1 ]
      
      Clearing PSTATE.D is one of the requirements for generating a debug
      exception. The arm64 booting protocol requires that PSTATE.D is set,
      since many of the debug registers (for example, the hw_breakpoint
      registers) are UNKNOWN out of reset and could potentially generate
      spurious, fatal debug exceptions in early boot code if PSTATE.D was
      clear. Once the debug registers have been safely initialised, PSTATE.D
      is cleared, however this is currently broken for two reasons:
      
      (1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary
          CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall
          runs after SMP (and the scheduler) have been initialised, there is
          no guarantee that it is actually running on the boot CPU. In this
          case, the boot CPU is left with PSTATE.D set and is not capable of
          generating debug exceptions.
      
      (2) In a preemptible kernel, we may explicitly schedule on the IRQ
          return path to EL1. If an IRQ occurs with PSTATE.D set in the idle
          thread, then we may schedule the kthread_init thread, run the
          postcore_initcall to clear PSTATE.D and then context switch back
          to the idle thread before returning from the IRQ. The exception
          return path will then restore PSTATE.D from the stack, and set it
          again.
      
      This patch fixes the problem by moving the clearing of PSTATE.D earlier
      to proc.S. This has the desirable effect of clearing it in one place for
      all CPUs, long before we have to worry about the scheduler or any
      exception handling. We ensure that the previous reset of MDSCR_EL1 has
      completed before unmasking the exception, so that any spurious
      exceptions resulting from UNKNOWN debug registers are not generated.
      
      Without this patch applied, the kprobes selftests have been seen to fail
      under KVM, where we end up attempting to step the OOL instruction buffer
      with PSTATE.D set and therefore fail to complete the step.
      
      Cc: <stable@vger.kernel.org>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Reported-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      8317c7f7
    • Herbert Xu's avatar
      crypto: scatterwalk - Fix test in scatterwalk_done · 57eed939
      Herbert Xu authored
      [ Upstream commit 5f070e81 ]
      
      When there is more data to be processed, the current test in
      scatterwalk_done may prevent us from calling pagedone even when
      we should.
      
      In particular, if we're on an SG entry spanning multiple pages
      where the last page is not a full page, we will incorrectly skip
      calling pagedone on the second last page.
      
      This patch fixes this by adding a separate test for whether we've
      reached the end of a page.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      57eed939
    • Amadeusz Sławiński's avatar
      Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU · 6da47287
      Amadeusz Sławiński authored
      [ Upstream commit 23bc6ab0 ]
      
      When we retrieve imtu value from userspace we should use 16 bit pointer
      cast instead of 32 as it's defined that way in headers. Fixes setsockopt
      calls on big-endian platforms.
      Signed-off-by: default avatarAmadeusz Sławiński <amadeusz.slawinski@tieto.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6da47287
    • Daniele Palmas's avatar
      USB: serial: option: add support for Telit LE910 PID 0x1206 · b94d5a7f
      Daniele Palmas authored
      [ Upstream commit 3c0415fa ]
      
      This patch adds support for 0x1206 PID of Telit LE910.
      
      Since the interfaces positions are the same than the ones for
      0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b94d5a7f
    • Michael Neuling's avatar
      powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint() · b2185081
      Michael Neuling authored
      [ Upstream commit 6bcb8014 ]
      
      At the start of __tm_recheckpoint() we save the kernel stack pointer
      (r1) in SPRG SCRATCH0 (SPRG2) so that we can restore it after the
      trecheckpoint.
      
      Unfortunately, the same SPRG is used in the SLB miss handler.  If an
      SLB miss is taken between the save and restore of r1 to the SPRG, the
      SPRG is changed and hence r1 is also corrupted.  We can end up with
      the following crash when we start using r1 again after the restore
      from the SPRG:
      
        Oops: Bad kernel stack pointer, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        CPU: 658 PID: 143777 Comm: htm_demo Tainted: G            EL   X 4.4.13-0-default #1
        task: c0000b56993a7810 ti: c00000000cfec000 task.ti: c0000b56993bc000
        NIP: c00000000004f188 LR: 00000000100040b8 CTR: 0000000010002570
        REGS: c00000000cfefd40 TRAP: 0300   Tainted: G            EL   X  (4.4.13-0-default)
        MSR: 8000000300001033 <SF,ME,IR,DR,RI,LE>  CR: 02000424  XER: 20000000
        CFAR: c000000000008468 DAR: 00003ffd84e66880 DSISR: 40000000 SOFTE: 0
        PACATMSCRATCH: 00003ffbc865e680
        GPR00: fffffffcfabc4268 00003ffd84e667a0 00000000100d8c38 000000030544bb80
        GPR04: 0000000000000002 00000000100cf200 0000000000000449 00000000100cf100
        GPR08: 000000000000c350 0000000000002569 0000000000002569 00000000100d6c30
        GPR12: 00000000100d6c28 c00000000e6a6b00 00003ffd84660000 0000000000000000
        GPR16: 0000000000000003 0000000000000449 0000000010002570 0000010009684f20
        GPR20: 0000000000800000 00003ffd84e5f110 00003ffd84e5f7a0 00000000100d0f40
        GPR24: 0000000000000000 0000000000000000 0000000000000000 00003ffff0673f50
        GPR28: 00003ffd84e5e960 00000000003d0f00 00003ffd84e667a0 00003ffd84e5e680
        NIP [c00000000004f188] restore_gprs+0x110/0x17c
        LR [00000000100040b8] 0x100040b8
        Call Trace:
        Instruction dump:
        f8a1fff0 e8e700a8 38a00000 7ca10164 e8a1fff8 e821fff0 7c0007dd 7c421378
        7db142a6 7c3242a6 38800002 7c810164 <e9c100e0> e9e100e8 ea0100f0 ea2100f8
      
      We hit this on large memory machines (> 2TB) but it can also be hit on
      smaller machines when 1TB segments are disabled.
      
      To hit this, you also need to be virtualised to ensure SLBs are
      periodically removed by the hypervisor.
      
      This patches moves the saving of r1 to the SPRG to the region where we
      are guaranteed not to take any further SLB misses.
      
      Fixes: 98ae22e1 ("powerpc: Add helper functions for transactional memory context switching")
      Cc: stable@vger.kernel.org # v3.9+
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Acked-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b2185081
    • Michael Neuling's avatar
      powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 · 9f4c899e
      Michael Neuling authored
      [ Upstream commit 190ce869 ]
      
      Currently we have 2 segments that are bolted for the kernel linear
      mapping (ie 0xc000... addresses). This is 0 to 1TB and also the kernel
      stacks. Anything accessed outside of these regions may need to be
      faulted in. (In practice machines with TM always have 1T segments)
      
      If a machine has < 2TB of memory we never fault on the kernel linear
      mapping as these two segments cover all physical memory. If a machine
      has > 2TB of memory, there may be structures outside of these two
      segments that need to be faulted in. This faulting can occur when
      running as a guest as the hypervisor may remove any SLB that's not
      bolted.
      
      When we treclaim and trecheckpoint we have a window where we need to
      run with the userspace GPRs. This means that we no longer have a valid
      stack pointer in r1. For this window we therefore clear MSR RI to
      indicate that any exceptions taken at this point won't be able to be
      handled. This means that we can't take segment misses in this RI=0
      window.
      
      In this RI=0 region, we currently access the thread_struct for the
      process being context switched to or from. This thread_struct access
      may cause a segment fault since it's not guaranteed to be covered by
      the two bolted segment entries described above.
      
      We've seen this with a crash when running as a guest with > 2TB of
      memory on PowerVM:
      
        Unrecoverable exception 4100 at c00000000004f138
        Oops: Unrecoverable exception, sig: 6 [#1]
        SMP NR_CPUS=2048 NUMA pSeries
        CPU: 1280 PID: 7755 Comm: kworker/1280:1 Tainted: G                 X 4.4.13-46-default #1
        task: c000189001df4210 ti: c000189001d5c000 task.ti: c000189001d5c000
        NIP: c00000000004f138 LR: 0000000010003a24 CTR: 0000000010001b20
        REGS: c000189001d5f730 TRAP: 4100   Tainted: G                 X  (4.4.13-46-default)
        MSR: 8000000100001031 <SF,ME,IR,DR,LE>  CR: 24000048  XER: 00000000
        CFAR: c00000000004ed18 SOFTE: 0
        GPR00: ffffffffc58d7b60 c000189001d5f9b0 00000000100d7d00 000000003a738288
        GPR04: 0000000000002781 0000000000000006 0000000000000000 c0000d1f4d889620
        GPR08: 000000000000c350 00000000000008ab 00000000000008ab 00000000100d7af0
        GPR12: 00000000100d7ae8 00003ffe787e67a0 0000000000000000 0000000000000211
        GPR16: 0000000010001b20 0000000000000000 0000000000800000 00003ffe787df110
        GPR20: 0000000000000001 00000000100d1e10 0000000000000000 00003ffe787df050
        GPR24: 0000000000000003 0000000000010000 0000000000000000 00003fffe79e2e30
        GPR28: 00003fffe79e2e68 00000000003d0f00 00003ffe787e67a0 00003ffe787de680
        NIP [c00000000004f138] restore_gprs+0xd0/0x16c
        LR [0000000010003a24] 0x10003a24
        Call Trace:
        [c000189001d5f9b0] [c000189001d5f9f0] 0xc000189001d5f9f0 (unreliable)
        [c000189001d5fb90] [c00000000001583c] tm_recheckpoint+0x6c/0xa0
        [c000189001d5fbd0] [c000000000015c40] __switch_to+0x2c0/0x350
        [c000189001d5fc30] [c0000000007e647c] __schedule+0x32c/0x9c0
        [c000189001d5fcb0] [c0000000007e6b58] schedule+0x48/0xc0
        [c000189001d5fce0] [c0000000000deabc] worker_thread+0x22c/0x5b0
        [c000189001d5fd80] [c0000000000e7000] kthread+0x110/0x130
        [c000189001d5fe30] [c000000000009538] ret_from_kernel_thread+0x5c/0xa4
        Instruction dump:
        7cb103a6 7cc0e3a6 7ca222a6 78a58402 38c00800 7cc62838 08860000 7cc000a6
        38a00006 78c60022 7cc62838 0b060000 <e8c701a0> 7ccff120 e8270078 e8a70098
        ---[ end trace 602126d0a1dedd54 ]---
      
      This fixes this by copying the required data from the thread_struct to
      the stack before we clear MSR RI. Then once we clear RI, we only access
      the stack, guaranteeing there's no segment miss.
      
      We also tighten the region over which we set RI=0 on the treclaim()
      path. This may have a slight performance impact since we're adding an
      mtmsr instruction.
      
      Fixes: 090b9284 ("powerpc/tm: Clear MSR RI in non-recoverable TM code")
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Reviewed-by: default avatarCyril Bur <cyrilbur@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      9f4c899e
    • Vegard Nossum's avatar
      ext4: short-cut orphan cleanup on error · 69759a98
      Vegard Nossum authored
      [ Upstream commit c65d5c6c ]
      
      If we encounter a filesystem error during orphan cleanup, we should stop.
      Otherwise, we may end up in an infinite loop where the same inode is
      processed again and again.
      
          EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
          EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
          Aborting journal on device loop0-8.
          EXT4-fs (loop0): Remounting filesystem read-only
          EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
          EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
          EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
          EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
          EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
          [...]
          EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
          [...]
          EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
          [...]
      
      See-also: c9eb13a9 ("ext4: fix hang when processing corrupted orphaned inode list")
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      69759a98
    • Alex Deucher's avatar
      drm/radeon: support backlight control for UNIPHY3 · dc31456f
      Alex Deucher authored
      [ Upstream commit d3200be6 ]
      
      Same interface as other UNIPHY blocks
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      dc31456f
    • Jim Mattson's avatar
      KVM: nVMX: Fix memory corruption when using VMCS shadowing · 2aa2e066
      Jim Mattson authored
      [ Upstream commit 2f1fe811 ]
      
      When freeing the nested resources of a vcpu, there is an assumption that
      the vcpu's vmcs01 is the current VMCS on the CPU that executes
      nested_release_vmcs12(). If this assumption is violated, the vcpu's
      vmcs01 may be made active on multiple CPUs at the same time, in
      violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
      not VMCLEARed on every CPU on which it is active, it can linger in a
      CPU's VMCS cache after it has been freed and potentially
      repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
      miss can result in memory corruption.
      
      It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
      the vcpu in question was last loaded on a different CPU, it must be
      migrated to the current CPU before calling vmx_load_vmcs01().
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      2aa2e066
    • Joseph Salisbury's avatar
      usb: quirks: Add no-lpm quirk for Elan · 6ef4fa7a
      Joseph Salisbury authored
      [ Upstream commit 25b1f9ac ]
      
      BugLink: http://bugs.launchpad.net/bugs/1498667
      
      As reported in BugLink, this device has an issue with Linux Power
      Management so adding a quirk.  This quirk was reccomended by Alan Stern:
      
      http://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.htmlSigned-off-by: default avatarJoseph Salisbury <joseph.salisbury@canonical.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      6ef4fa7a
    • Adrien Vergé's avatar
      USB: quirks: Fix another ELAN touchscreen · 84aec61c
      Adrien Vergé authored
      [ Upstream commit df36c5be ]
      
      Like other buggy models that had their fixes [1], the touchscreen with
      id 04f3:21b8 from ELAN Microelectronics needs the device-qualifier
      quirk. Otherwise, it fails to respond, blocks the boot for a random
      amount of time and pollutes dmesg with:
      
      [ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd
      [ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71
      [ 2889.502005] usb 1-5: can't read configurations, error -71
      [ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd
      [ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71
      [ 2891.783443] usb 1-5: can't read configurations, error -71
      
      [1]: See commits c68929f7, 876af5d4, d7499475, a32c99e7 and dc703ec2.
      Tested-by: default avatarAdrien Vergé <adrienverge@gmail.com>
      Signed-off-by: default avatarAdrien Vergé <adrienverge@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      84aec61c
    • Sasha Levin's avatar
      s390/mm: fix gmap tlb flush issues · 5e33de12
      Sasha Levin authored
      [ Upstream commit f0454029 ]
      
      __tlb_flush_asce() should never be used if multiple asce belong to a mm.
      
      As this function changes mm logic determining if local or global tlb
      flushes will be neded, we might end up flushing only the gmap asce on all
      CPUs and a follow up mm asce flushes will only flush on the local CPU,
      although that asce ran on multiple CPUs.
      
      The missing tlb flushes will provoke strange faults in user space and even
      low address protections in user space, crashing the kernel.
      
      Fixes: 1b948d6c ("s390/mm,tlb: optimize TLB flushing for zEC12")
      Cc: stable@vger.kernel.org # 3.15+
      Reported-by: default avatarSascha Silbe <silbe@linux.vnet.ibm.com>
      Acked-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5e33de12
    • Sachin Prabhu's avatar
      cifs: Check for existing directory when opening file with O_CREAT · b2637b76
      Sachin Prabhu authored
      [ Upstream commit 8d9535b6 ]
      
      When opening a file with O_CREAT flag, check to see if the file opened
      is an existing directory.
      
      This prevents the directory from being opened which subsequently causes
      a crash when the close function for directories cifs_closedir() is called
      which frees up the file->private_data memory while the file is still
      listed on the open file list for the tcon.
      Signed-off-by: default avatarSachin Prabhu <sprabhu@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      CC: Stable <stable@vger.kernel.org>
      Reported-by: default avatarXiaoli Feng <xifeng@redhat.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b2637b76
    • Matthew Leach's avatar
      [media] media: usbtv: prevent access to free'd resources · d5dec668
      Matthew Leach authored
      [ Upstream commit 2a00932f ]
      
      When disconnecting the usbtv device, the sound card is unregistered
      from ALSA and the snd member of the usbtv struct is set to NULL.  If
      the usbtv snd_trigger work is running, this can cause a race condition
      where the kernel will attempt to access free'd resources, shown in
      [1].
      
      This patch fixes the disconnection code by cancelling any snd_trigger
      work before unregistering the sound card from ALSA and checking that
      the snd member still exists in the work function.
      
      [1]:
       usb 3-1.2: USB disconnect, device number 6
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
       IP: [<ffffffff81093850>] process_one_work+0x30/0x480
       PGD 405bbf067 PUD 405bbe067 PMD 0
       Call Trace:
        [<ffffffff81093ce8>] worker_thread+0x48/0x4e0
        [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
        [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
        [<ffffffff81099998>] kthread+0xd8/0xf0
        [<ffffffff815c73c2>] ret_from_fork+0x22/0x40
        [<ffffffff810998c0>] ? kthread_worker_fn+0x170/0x170
       ---[ end trace 0f3dac5c1a38e610 ]---
      Signed-off-by: default avatarMatthew Leach <matthew@mattleach.net>
      Tested-by: default avatarPeter Sutton <foxxy@foxdogstudios.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      d5dec668
    • Dmitry Tunin's avatar
      Bluetooth: Add support of 13d3:3490 AR3012 device · def5e119
      Dmitry Tunin authored
      [ Upstream commit 12d86896 ]
      
      T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
      D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3490 Rev=00.01
      C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      BugLink: https://bugs.launchpad.net/bugs/1600623Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      def5e119
    • Lauro Costa's avatar
      Bluetooth: Add USB ID 13D3:3487 to ath3k · 77756a71
      Lauro Costa authored
      [ Upstream commit 72f9f8b5 ]
      
      Add hw id to ath3k usb device list and btusb blacklist
      
      T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#=  4 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3487 Rev=00.02
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      
      Requires these firmwares:
      ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
      Firmwares are available in linux-firmware.
      
      Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.
      Signed-off-by: default avatarLauro Costa <lauro@polilinux.com.br>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      77756a71
    • Jonathan McDowell's avatar
      [media] Fix RC5 decoding with Fintek CIR chipset · 9bf4930d
      Jonathan McDowell authored
      [ Upstream commit bbdb34c9 ]
      
      Fix RC5 decoding with Fintek CIR chipset
      
      Commit e87b540b tightened up the RC5
      decoding by adding a check for trailing silence to ensure a valid RC5
      command had been received. Unfortunately the trailer length checked was
      10 units and the Fintek CIR device does not want to provide details of a
      space longer than 6350us. This meant that RC5 remotes working on a
      Fintek setup on 3.16 failed on 3.17 and later. Fix this by shortening
      the trailer check to 6 units (allowing for a previous space in the
      received remote command).
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117221Signed-off-by: default avatarJonathan McDowell <noodles@earth.li>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDavid Härdeman <david@hardeman.nu>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      9bf4930d
    • Soeren Moch's avatar
      [media] media: dvb_ringbuffer: Add memory barriers · 5d3e4a33
      Soeren Moch authored
      [ Upstream commit ca6e6126 ]
      
      Implement memory barriers according to Documentation/circular-buffers.txt:
      - use smp_store_release() to update ringbuffer read/write pointers
      - use smp_load_acquire() to load write pointer on reader side
      - use ACCESS_ONCE() to load read pointer on writer side
      
      This fixes data stream corruptions observed e.g. on an ARM Cortex-A9
      quad core system with different types (PCI, USB) of DVB tuners.
      Signed-off-by: default avatarSoeren Moch <smoch@web.de>
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5d3e4a33
    • Lyude's avatar
      drm/radeon: Poll for both connect/disconnect on analog connectors · 4b35be43
      Lyude authored
      [ Upstream commit 14ff8d48 ]
      
      DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
      disconnections. Because of this, we end up losing hotplug polling for
      analog connectors once they get connected.
      
      Easy way to reproduce:
       - Grab a machine with a radeon GPU and a VGA port
       - Plug a monitor into the VGA port, wait for it to update the connector
         from disconnected to connected
       - Disconnect the monitor on VGA, a hotplug event is never sent for the
         removal of the connector.
      
      Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
      idea since doing VGA polling can sometimes result in having to mess with
      the DAC voltages to figure out whether or not there's actually something
      there since VGA doesn't have HPD. Doing this would have the potential of
      showing visible artifacts on the screen every time we ran a poll while a
      VGA display was connected. Luckily, radeon_vga_detect() only resorts to
      this sort of polling if the poll is forced, and DRM's polling helper
      doesn't force it's polls.
      
      Additionally, this removes some assignments to connector->polled that
      weren't actually doing anything.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLyude <cpaul@redhat.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      4b35be43
    • Alex Deucher's avatar
      drm/radeon: add a delay after ATPX dGPU power off · 5a88bc52
      Alex Deucher authored
      [ Upstream commit d814b24f ]
      
      ATPX dGPU power control requires a 200ms delay between
      power off and on.  This should fix dGPU failures on
      resume from power off.
      Reviewed-by: default avatarHawking Zhang <Hawking.Zhang@amd.com>
      Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5a88bc52
    • Theodore Ts'o's avatar
      ext4: validate s_reserved_gdt_blocks on mount · 5467159c
      Theodore Ts'o authored
      [ Upstream commit e1d8c1feecf672379c50ab045fd94548468bc987 ]
      
      [ Upstream commit 5b9554dc ]
      
      If s_reserved_gdt_blocks is extremely large, it's possible for
      ext4_init_block_bitmap(), which is called when ext4 sets up an
      uninitialized block bitmap, to corrupt random kernel memory.  Add the
      same checks which e2fsck has --- it must never be larger than
      blocksize / sizeof(__u32) --- and then add a backup check in
      ext4_init_block_bitmap() in case the superblock gets modified after
      the file system is mounted.
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      5467159c
    • Hans de Goede's avatar
      ARM: dts: sunxi: Add a startup delay for fixed regulator enabled phys · 926d244d
      Hans de Goede authored
      [ Upstream commit fc51b632 ]
      
      It seems that recent kernels have a shorter timeout when scanning for
      ethernet phys causing us to hit a timeout on boards where the phy's
      regulator gets enabled just before scanning, which leads to non working
      ethernet.
      
      A 10ms startup delay seems to be enough to fix it, this commit adds a
      20ms startup delay just to be safe.
      
      This has been tested on a sun4i-a10-a1000 and sun5i-a10s-wobo-i5 board,
      both of which have non-working ethernet on recent kernels without this
      fix.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      926d244d
    • Vegard Nossum's avatar
      ext4: don't call ext4_should_journal_data() on the journal inode · 94dd8b9a
      Vegard Nossum authored
      [ Upstream commit 6a7fd522 ]
      
      If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
      to call ext4_should_journal_data() before superblock options and flags
      are fully set up.  In that case, the iput() on the journal inode can
      end up causing a BUG().
      
      Work around this problem by reordering the tests so we only call
      ext4_should_journal_data() after we know it's not the journal inode.
      
      Fixes: 2d859db3 ("ext4: fix data corruption in inodes with journalled data")
      Fixes: 2b405bfa ("ext4: fix data=journal fast mount/umount hang")
      Cc: Jan Kara <jack@suse.cz>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      94dd8b9a
    • Jan Kara's avatar
      ext4: fix deadlock during page writeback · aba6b2d8
      Jan Kara authored
      [ Upstream commit 646caa9c ]
      
      Commit 06bd3c36 (ext4: fix data exposure after a crash) uncovered a
      deadlock in ext4_writepages() which was previously much harder to hit.
      After this commit xfstest generic/130 reproduces the deadlock on small
      filesystems.
      
      The problem happens when ext4_do_update_inode() sets LARGE_FILE feature
      and marks current inode handle as synchronous. That subsequently results
      in ext4_journal_stop() called from ext4_writepages() to block waiting for
      transaction commit while still holding page locks, reference to io_end,
      and some prepared bio in mpd structure each of which can possibly block
      transaction commit from completing and thus results in deadlock.
      
      Fix the problem by releasing page locks, io_end reference, and
      submitting prepared bio before calling ext4_journal_stop().
      
      [ Changed to defer the call to ext4_journal_stop() only if the handle
        is synchronous.  --tytso ]
      Reported-and-tested-by: default avatarEryu Guan <eguan@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      aba6b2d8
    • Vegard Nossum's avatar
      ext4: check for extents that wrap around · cbe04d2b
      Vegard Nossum authored
      [ Upstream commit f70749ca ]
      
      An extent with lblock = 4294967295 and len = 1 will pass the
      ext4_valid_extent() test:
      
      	ext4_lblk_t last = lblock + len - 1;
      
      	if (len == 0 || lblock > last)
      		return 0;
      
      since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
      the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
      
      We can simplify it by removing the - 1 altogether and changing the test
      to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
      lblock and it fails, and if len > 0 then lblock + len > lblock in order
      to pass (i.e. it doesn't overflow).
      
      Fixes: 5946d089 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
      Fixes: 2f974865 ("ext4: check for zero length extent explicitly")
      Cc: Eryu Guan <guaneryu@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      cbe04d2b
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() · 7d989fc4
      Yoshihiro Shimoda authored
      [ Upstream commit 15e4292a ]
      
      This patch fixes an issue that the CFIFOSEL register value is possible
      to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
      using CFIFO may not work correctly.
      
      For example:
       # modprobe g_multi file=usb-storage.bin
       # ifconfig usb0 192.168.1.1 up
       (During the USB host is sending file to the mass storage)
       # ifconfig usb0 down
      
      In this case, since the u_ether.c may call usb_ep_enable() in
      eth_stop(), if the renesas_usbhs driver is also using CFIFO for
      mass storage, the mass storage may not work correctly.
      
      So, this patch adds usbhs_lock() and usbhs_unlock() calling in
      usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
       - CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
       - The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()
      
      Fixes: 97664a20 ("usb: renesas_usbhs: shrink spin lock area")
      Cc: <stable@vger.kernel.org> # v3.1+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7d989fc4
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() · df09c563
      Yoshihiro Shimoda authored
      [ Upstream commit 4fdef698 ]
      
      This patch fixes an issue that the xfer_work() is possible to cause
      NULL pointer dereference if the usb cable is disconnected while data
      transfer is running.
      
      In such case, a gadget driver may call usb_ep_disable()) before
      xfer_work() is actually called. In this case, the usbhs_pkt_pop()
      will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
      in xfer_work() will return NULL.
      
      Fixes: e73a9891 ("usb: renesas_usbhs: add DMAEngine support")
      Cc: <stable@vger.kernel.org> # v3.1+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      df09c563
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: fix the sequence in xfer_work() · 68960057
      Yoshihiro Shimoda authored
      [ Upstream commit 9b53d9af ]
      
      This patch fixes the setup sequence in xfer_work(). Otherwise,
      sometimes a usb transaction will get stuck.
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      68960057