- 06 Jan, 2016 40 commits
-
-
Sifan Naeem authored
commit 58b0497d upstream. The requested bit rate can be outside the range supported by the driver. The maximum bit rate this driver supports at the moment is 400Khz. If the requested bit rate is larger than the maximum supported by the driver, set the bitrate to the maximum supported before bitrate_khz is calculated. Maximum speed supported by the driver can be increased to 1Mhz by adding support for "fast plus mode" in the future. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Sifan Naeem authored
commit 1ed6faed upstream. Clear line status and all generated interrupts from the interrupt status register before starting a transfer, as we may have unserviced interrupts from previous transfers that might be handled in the context of the new transfer. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Sifan Naeem authored
commit 987008db upstream. Currently, after determining the minimum value for the High period (TCKH) the remainder of the internal clock pulses is set as the Low period (TCKL). This causes the i2c clock duty cycle to be much less than 50%. Modify the starting position to TCKH and TCKL at 50% of the internal clock, and adjusts the TCKH and TCKL values from there should the minimum value for TCKL not be met. This results in duty cycles closer to 50%. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Sifan Naeem authored
commit 5728d95f upstream. Using % can be slow depending on the architecture. Using DIV_ROUND_UP is nicer and more efficient way to do it. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Sifan Naeem authored
commit 2aefb1bd upstream. Move scb_wr_rd_fence to before reading from fifo and writing to fifo to make sure the the first read/write is done after the required number of cycles. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Sifan Naeem authored
commit 0e59378b upstream. The code to read from the master read fifo, and write to the master write fifo, checks a bit in an SCB register before every byte to ensure that the fifo is not full (write fifo) or empty (read fifo). Due to clock domain crossing inside the SCB block the updated value of this bit is only visible after 2 cycles. The scb_wr_rd_fence() function does 2 dummy writes (to the read-only revision register), and it's called before reading from or writing to the fifos to ensure that subsequent reads of the fifo status bits do not read stale values. As the 2 dummy writes are required in all versions of the ip, the version check is dropped. Fixes: commit 27bce457 ("i2c: img-scb: Add Imagination Technologies I2C SCB driver") Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> Acked-by: James Hogan <james.hogan@imgtec.com> Reviewed-by: James Hartley <james.hartley@imgtec.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Eric W. Biederman authored
commit 850dcc4d upstream. After a packet has been encapsulated by a tunnel we should use the tunnel sockets local multicast loopback flag to control if the encapsulated packet should be locally loopback back. Pass sk into ip_local_out_sk so that in the rare case we are dealing with a tunneled packet whose tunnel destination address is a multicast address the kernel properly decides to loopback this packet. In practice I don't think this matters as ip_queue_xmit is used by tcp, l2tp and sctp none of which I am aware of uses ip level multicasting as they are all point to point communications protocols. Let's fix this before someone uses ip_queue_xmit for a tunnel protocol that does use multicast. Fixes: aad88724 ("ipv4: add a sock pointer to dst->output() path.") Fixes: b0270e91 ("ipv4: add a sock pointer to ip_queue_xmit()") Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Eric W. Biederman authored
commit fd2874b3 upstream. In the rare case where sk != skb->sk ip_local_out_sk arranges to call dst->output differently if the skb is queued or not. This is a bug. Fix this bug by passing the sk parameter of ip_local_out_sk through from ip_local_out_sk to __ip_local_out_sk (skipping __ip_local_out). Fixes: 7026b1dd ("netfilter: Pass socket pointer down through okfn().") Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Flavio Leitner authored
commit 0647e708 upstream. Remove __nf_conntrack_find() from headers. Fixes: dcd93ed4 ("netfilter: nf_conntrack: remove dead code") Signed-off-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Dan Carpenter authored
commit 1f35d04a upstream. The iomap[] array has PCIM_IOMAP_MAX (6) elements and not DEVICE_COUNT_RESOURCE (16). This bug was found using a static checker. It may be that the "if (!(mask & (1 << i)))" check means we never actually go past the end of the array in real life. Fixes: ec04b075 ('iomap: implement pcim_iounmap_regions()') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Ezequiel Garcia authored
commit a5d42b8c upstream. When the diver is removed and all the resources are deallocated, we should be iterating through the created devices only. Currently, the iteration ends when vivid_devs[i] is NULL. Since the array contains VIVID_MAX_DEVS elements, it will oops if n_devs=VIVID_MAX_DEVS because in that case, no element is NULL. Fixes: c88a96b0 ('[media] vivid: add core driver code') Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Eric Dumazet authored
commit 38cb5245 upstream. This fixes a typo : We want to store the NAPI id on child socket. Presumably nobody really uses busy polling, on short lived flows. Fixes: 3d97379a ("tcp: move sk_mark_napi_id() at the right place") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Andy Shevchenko authored
commit 39416677 upstream. We replace __fls() by __ffs() since we have to find a *minimum* data width that satisfies both source and destination. While here, rename dwc_fast_fls() to dwc_fast_ffs() which it really is. Fixes: 4c2d56c5 (dw_dmac: introduce dwc_fast_fls()) Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Vinod Koul <vinod.koul@intel.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Valentin Rothberg authored
commit 90adf98d upstream. Since commit 1c6c6952 ("genirq: Reject bogus threaded irq requests") threaded IRQs without a primary handler need to be requested with IRQF_ONESHOT, otherwise the request will fail. scripts/coccinelle/misc/irqf_oneshot.cocci detected this issue. Fixes: b5874f33 ("wm831x_power: Use genirq") Signed-off-by: Valentin Rothberg <valentinrothberg@gmail.com> Signed-off-by: Sebastian Reichel <sre@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Arnaldo Carvalho de Melo authored
commit 6076e2a4 upstream. Cut'n'paste mistake, it should eval the name of the function defined right next to it, in the next line, fix it. Before: $ make -C tools/lib/bpf/ make: Entering directory '/home/git/linux/tools/lib/bpf' Auto-detecting system features: ... libelf: [ on ] ... libelf-getphdrnum: [ on ] ... libelf-mmap: [ on ] ... bpf: [ on ] <SNIP> After: $ make -C tools/lib/bpf/ make: Entering directory '/home/git/linux/tools/lib/bpf' Auto-detecting system features: ... libelf: [ on ] ... libelf-getphdrnum: [ OFF ] ... libelf-mmap: [ OFF ] ... bpf: [ on ] <SNIP> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexei Starovoitov <ast@plumgrid.com> Cc: Borislav Petkov <bp@suse.de> Cc: David Ahern <dsahern@gmail.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Stephane Eranian <eranian@google.com> Cc: Wang Nan <wangnan0@huawei.com> Cc: pi3orama@163.com Fixes: 58d4f00f ("perf build: Fix feature_check name clash") Link: http://lkml.kernel.org/n/tip-dzu1c4sruukgfq5d5b1c4r30@git.kernel.orgSigned-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Nicolas Iooss authored
commit 97bce7e0 upstream. Module crc32c-intel uses a special read-only data section named .rotata. This section is defined for K_table, and its name seems to be a spelling mistake for .rodata. Fixes: 473946e6 ("crypto: crc32c-pclmul - Shrink K_table to 32-bit words") Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Thadeu Lima de Souza Cascardo authored
commit c4047f53 upstream. Redo commit ed1acc8c. Commit 822b3b2e ("net: Add max rate tx queue attribute") moved get_netdev_queue_index around, but kept the old version. Probably because of a reuse of the original patch from before Eric's change to that function. Remove one inline keyword, and no need for a loop to find an index into a table. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com> Fixes: 822b3b2e ("net: Add max rate tx queue attribute") Acked-by: Or Gerlitz <ogerlitz@mellanox.com> Acked-by: John Fastabend <john.r.fastabend@intel.com> Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Takashi Sakamoto authored
ALSA: pcm: remove structure member of 'struct snd_pcm_hwptr_log *' type because this structure had been removed commit 0052b7dc upstream. This structure was added by 4d96eb25 ('ALSA: pcm_lib - add possibility to log last 10 DMA ring buffer positions') to store PCM pointers information of latest 10 pointer movements (=XRUN_LOG_CNT). When CONFIG_SND_PCM_XRUN_DEBUG is configured, 'struct snd_pcm_runtime' has 'hwptr_log' member with a pointer to the structure. When calling xrun_log() in pcm_lib.c, the structure was allocated to the pointer. When calling snd_pcm_detach_substream() in pcm.c, the allocated pointer is released. In f5914908 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints'), the pointer logging is replaced with using Linux Kernel Tracepoints. The structure was also removed, while it's just declared. The member and kfree still remains. This commit removes the member and related codes. I think this was overlooked because it brings no errors/warnings to C compilers. Fixes: f5914908 ('ALSA: pcm: Replace PCM hwptr tracking with tracepoints') Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Hartmut Knaack authored
commit 2427d22d upstream. Sort the entry for bmc105_magn in Kconfig and Makefile to its correct position. Also add the minor module information for completeness. Fixes: c91746a2 ("iio: magn: Add support for BMC150 magnetometer") Signed-off-by: Hartmut Knaack <knaack.h@gmx.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Al Viro authored
commit cadfbb6e upstream. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Reported-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Eric Biggers authored
commit 6ae08069 upstream. pipe_write() would return 0 if it failed to merge the beginning of the data to write with the last, partially filled pipe buffer. It should return an error code instead. Userspace programs could be confused by write() returning 0 when called with a nonzero 'count'. The EFAULT error case was a regression from f0d1bec9 ("new helper: copy_page_from_iter()"), while the ops->confirm() error case was a much older bug. Test program: #include <assert.h> #include <errno.h> #include <unistd.h> int main(void) { int fd[2]; char data[1] = {0}; assert(0 == pipe(fd)); assert(1 == write(fd[1], data, 1)); /* prior to this patch, write() returned 0 here */ assert(-1 == write(fd[1], NULL, 1)); assert(errno == EFAULT); } Signed-off-by: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Maciej W. Rozycki authored
commit b582ef5c upstream. Do not clobber the buffer space passed from `search_binary_handler' and originally preloaded by `prepare_binprm' with the executable's file header by overwriting it with its interpreter's file header. Instead keep the buffer space intact and directly use the data structure locally allocated for the interpreter's file header, fixing a bug introduced in 2.1.14 with loadable module support (linux-mips.org commit beb11695 [Import of Linux/MIPS 2.1.14], predating kernel.org repo's history). Adjust the amount of data read from the interpreter's file accordingly. This was not an issue before loadable module support, because back then `load_elf_binary' was executed only once for a given ELF executable, whether the function succeeded or failed. With loadable module support supported and enabled, upon a failure of `load_elf_binary' -- which may for example be caused by architecture code rejecting an executable due to a missing hardware feature requested in the file header -- a module load is attempted and then the function reexecuted by `search_binary_handler'. With the executable's file header replaced with its interpreter's file header the executable can then be erroneously accepted in this subsequent attempt. Signed-off-by: Maciej W. Rozycki <macro@imgtec.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
David Howells authored
commit 102f4d90 upstream. Handle a write being requested to the page immediately beyond the EOF marker on a cache object. Currently this gets an assertion failure in CacheFiles because the EOF marker is used there to encode information about a partial page at the EOF - which could lead to an unknown blank spot in the file if we extend the file over it. The problem is actually in fscache where we check the index of the page being written against store_limit. store_limit is set to the number of pages that we're allowed to store by fscache_set_store_limit() - which means it's one more than the index of the last page we're allowed to store. The problem is that we permit writing to a page with an index _equal_ to the store limit - when we should reject that case. Whilst we're at it, change the triggered assertion in CacheFiles to just return -ENOBUFS instead. The assertion failure looks something like this: CacheFiles: Assertion failed 1000 < 7b1 is false ------------[ cut here ]------------ kernel BUG at fs/cachefiles/rdwr.c:962! ... RIP: 0010:[<ffffffffa02c9e83>] [<ffffffffa02c9e83>] cachefiles_write_page+0x273/0x2d0 [cachefiles] Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Kinglong Mee authored
commit b130ed59 upstream. Only override netfs->primary_index when registering success. Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Kinglong Mee authored
commit 86108c2e upstream. If netfs exist, fscache should not increase the reference of parent's usage and n_children, otherwise, never be decreased. v2: thanks David's suggest, move increasing reference of parent if success use kmem_cache_free() freeing primary_index directly v3: don't move "netfs->primary_index->parent = &fscache_fsdef_index;" Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Egbert Eich authored
commit 28fb4cb7 upstream. Due to a missing initialization there was no way to map fbdev memory. Thus for example using the Xserver with the fbdev driver failed. This fix adds initialization for fix.smem_start and fix.smem_len in the fb_info structure, which fixes this problem. Requested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Egbert Eich <eich@suse.de> [pulled from SuSE tree by me - airlied] Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Jason Liu authored
commit 1cc8e345 upstream. There is an alignment mismatch issue between the of_reserved_mem and the CMA setup requirement. The of_reserved_mem will try to get the alignment value from the DTS and pass it to __memblock_alloc_base to do the memory block base allocation, but the alignment value specified in the DTS may not satisfy the CAM setup requirement since CMA setup required the alignment as the following in the code: align = PAGE_SIZE << max(MAX_ORDER - 1, pageblock_order); The sanity check in the function of rmem_cma_setup will fail if the alignment does not setup correctly and thus CMA will fail to setup. This patch is to fixup the alignment to meet the CMA setup required. Mailing-list-thread: https://lkml.org/lkml/2015/11/9/138Signed-off-by: Jason Liu <r64343@freescale.com> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> Cc: Grant Likely <grant.likely@linaro.org> Cc: Rob Herring <robh+dt@kernel.org> Signed-off-by: Rob Herring <robh@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
K. Y. Srinivasan authored
commit 8cf308e1 upstream. Don't set the SRB_FLAGS_QUEUE_ACTION_ENABLE flag since we are not specifying tags. Without this, the qlogic driver doesn't work properly with storvsc. Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: James Bottomley <JBottomley@Odin.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Hans de Goede authored
commit f71c882d upstream. Like some of the other Yoga models the Lenovo Yoga 900 does not have a hw rfkill switch, and trying to read the hw rfkill switch through the ideapad module causes it to always reported blocking breaking wifi. This commit adds the Lenovo Yoga 900 to the no_hw_rfkill dmi list, fixing the wifi breakage. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1275490Reported-and-tested-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Darren Hart <dvhart@linux.intel.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Peter Oberparleiter authored
commit 863e02d0 upstream. Writing a number to /sys/bus/scsi/devices/<sdev>/queue_ramp_up_period returns the value of that number instead of the number of bytes written. This behavior can confuse programs expecting POSIX write() semantics. Fix this by returning the number of bytes written instead. Signed-off-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com> Reviewed-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Peter Zijlstra authored
commit b71b437e upstream. Arnaldo reported that tracepoint filters seem to misbehave (ie. not apply) on inherited events. The fix is obvious; filters are only set on the actual (parent) event, use the normal pattern of using this parent event for filters. This is safe because each child event has a reference to it. Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org> Tested-by: Arnaldo Carvalho de Melo <acme@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: David Ahern <dsahern@gmail.com> Cc: Frédéric Weisbecker <fweisbec@gmail.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Wang Nan <wangnan0@huawei.com> Link: http://lkml.kernel.org/r/20151102095051.GN17308@twins.programming.kicks-ass.netSigned-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Helge Deller authored
commit d0cf62fb upstream. This patch fixes some bugs and partly cleans up the parisc uapi header files to what glibc defined: - compat_semid64_ds was wrong and did not take the endianess into account - ipc64_perm exported userspace types which broke building userspace packages on debian (e.g. trinity) - ipc64_perm needs to use a 32bit mode_t on 64bit kernel - msqid64_ds and semid64_ds needs unsigned longs for various struct members - shmid64_ds exported size_t instead of __kernel_size_t And finally add some compile-time checks for the sizes of those structs to avoid future breakage. Runtime-tested with the Linux Test Project (LTP) testsuite. Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Greg Thelen authored
commit 0f930902 upstream. Since 5cec38ac ("fs, seq_file: fallback to vmalloc instead of oom kill processes") seq_buf_alloc() avoids calling the oom killer for PAGE_SIZE or smaller allocations; but larger allocations can use the oom killer via vmalloc(). Thus reads of small files can return ENOMEM, but larger files use the oom killer to avoid ENOMEM. The effect of this bug is that reads from /proc and other virtual filesystems can return ENOMEM instead of the preferred behavior - oom killing something (possibly the calling process). I don't know of anyone except Google who has noticed the issue. I suspect the fix is more needed in smaller systems where there isn't any reclaimable memory. But these seem like the kinds of systems which probably don't use the oom killer for production situations. Memory overcommit requires use of the oom killer to select a victim regardless of file size. Enable oom killer for small seq_buf_alloc() allocations. Fixes: 5cec38ac ("fs, seq_file: fallback to vmalloc instead of oom kill processes") Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Greg Thelen <gthelen@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Andy Shevchenko authored
commit 9f029f54 upstream. There is a classical off-by-one error in case when we try to place, for example, 1+1 bytes as hex in the buffer of size 6. The expected result is to get an output truncated, but in the reality we get 6 bytes filed followed by terminating NUL. Change the logic how we fill the output in case of byte dumping into limited space. This will follow the snprintf() behaviour by truncating output even on half bytes. Fixes: 114fc1af (hexdump: make it return number of bytes placed in buffer) Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reported-by: Aaro Koskinen <aaro.koskinen@nokia.com> Tested-by: Aaro Koskinen <aaro.koskinen@nokia.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Mathias Krause authored
commit 3824657c upstream. The following statement of ABI/testing/dev-kmsg is not quite right: It is not possible to inject messages from userspace with the facility number LOG_KERN (0), to make sure that the origin of the messages can always be reliably determined. Userland actually can inject messages with a facility of 0 by abusing the fact that the facility is stored in a u8 data type. By using a facility which is a multiple of 256 the assignment of msg->facility in log_store() implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg to spoof kernel messages as shown below: The following call... # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg ...leads to the following log entry (dmesg -x | tail -n 1): user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty However, this call... # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg ...leads to the slightly different log entry (note the kernel facility): kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty Fix that by limiting the user provided facility to 8 bit right from the beginning and catch the truncation early. Fixes: 7ff9554b ("printk: convert byte-buffer to variable-length...") Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Petr Mladek <pmladek@suse.cz> Cc: Alex Elder <elder@linaro.org> Cc: Joe Perches <joe@perches.com> Cc: Kay Sievers <kay@vrfy.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Oleg Nesterov authored
commit 54708d28 upstream. The commit 96d0df79 ("proc: make proc_fd_permission() thread-friendly") fixed the access to /proc/self/fd from sub-threads, but introduced another problem: a sub-thread can't access /proc/<tid>/fd/ or /proc/thread-self/fd if generic_permission() fails. Change proc_fd_permission() to check same_thread_group(pid_task(), current). Fixes: 96d0df79 ("proc: make proc_fd_permission() thread-friendly") Reported-by: "Jin, Yihua" <yihua.jin@intel.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Takashi Iwai authored
commit 60603950 upstream. Another Lifebook machine that needs the same quirk as other similar models to make the driver working. Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=883192Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Zi Shen Lim authored
commit 14e589ff upstream. Turns out in the case of modulo by zero in a BPF program: A = A % X; (X == 0) the expected behavior is to terminate with return value 0. The bug in JIT is exposed by a new test case [1]. [1] https://lkml.org/lkml/2015/11/4/499Signed-off-by: Zi Shen Lim <zlim.lnx@gmail.com> Reported-by: Yang Shi <yang.shi@linaro.org> Reported-by: Xi Wang <xi.wang@gmail.com> CC: Alexei Starovoitov <ast@plumgrid.com> Fixes: e54bcde3 ("arm64: eBPF JIT compiler") Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Zi Shen Lim authored
commit 251599e1 upstream. In the case of division by zero in a BPF program: A = A / X; (X == 0) the expected behavior is to terminate with return value 0. This is confirmed by the test case introduced in commit 86bf1721 ("test_bpf: add tests checking that JIT/interpreter sets A and X to 0."). Reported-by: Yang Shi <yang.shi@linaro.org> Tested-by: Yang Shi <yang.shi@linaro.org> CC: Xi Wang <xi.wang@gmail.com> CC: Alexei Starovoitov <ast@plumgrid.com> CC: linux-arm-kernel@lists.infradead.org CC: linux-kernel@vger.kernel.org Fixes: e54bcde3 ("arm64: eBPF JIT compiler") Signed-off-by: Zi Shen Lim <zlim.lnx@gmail.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-
Michal Hocko authored
commit c12176d3 upstream. Commit 424cdc14 ("memcg: convert threshold to bytes") has fixed a regression introduced by 3e32cb2e ("mm: memcontrol: lockless page counters") where thresholds were silently converted to use page units rather than bytes when interpreting the user input. The fix is not complete, though, as properly pointed out by Ben Hutchings during stable backport review. The page count is converted to bytes but unsigned long is used to hold the value which would be obviously not sufficient for 32b systems with more than 4G thresholds. The same applies to usage as taken from mem_cgroup_usage which might overflow. Let's remove this bytes vs. pages internal tracking differences and handle thresholds in page units internally. Chage mem_cgroup_usage() to return the value in page units and revert 424cdc14 because this should be sufficient for the consistent handling. mem_cgroup_read_u64 as the only users of mem_cgroup_usage outside of the threshold handling code is converted to give the proper in bytes result. It is doing that already for page_counter output so this is more consistent as well. The value presented to the userspace is still in bytes units. Fixes: 424cdc14 ("memcg: convert threshold to bytes") Fixes: 3e32cb2e ("mm: memcontrol: lockless page counters") Signed-off-by: Michal Hocko <mhocko@suse.com> Reported-by: Ben Hutchings <ben@decadent.org.uk> Reviewed-by: Vladimir Davydov <vdavydov@virtuozzo.com> Acked-by: Johannes Weiner <hannes@cmpxchg.org> From: Michal Hocko <mhocko@kernel.org> Subject: memcg-fix-thresholds-for-32b-architectures-fix Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Vladimir Davydov <vdavydov@virtuozzo.com> Cc: Johannes Weiner <hannes@cmpxchg.org> From: Andrew Morton <akpm@linux-foundation.org> Subject: memcg-fix-thresholds-for-32b-architectures-fix-fix don't attempt to inline mem_cgroup_usage() The compiler ignores the inline anwyay. And __always_inlining it adds 600 bytes of goop to the .o file. Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Vladimir Davydov <vdavydov@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
-