1. 01 Jun, 2016 40 commits
    • Richard Weinberger's avatar
      UBI: Fix static volume checks when Fastmap is used · 9ebe3bf5
      Richard Weinberger authored
      commit 1900149c upstream.
      
      Ezequiel reported that he's facing UBI going into read-only
      mode after power cut. It turned out that this behavior happens
      only when updating a static volume is interrupted and Fastmap is
      used.
      
      A possible trace can look like:
      ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes
      ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode
      CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4
      Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012
      0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841
      ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6
      ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0
      Call Trace:
      [<ffffffff8140d841>] dump_stack+0x63/0x82
      [<ffffffffa003abf6>] ubi_eba_read_leb+0x486/0x4a0 [ubi]
      [<ffffffffa00453b3>] ubi_check_volume+0x83/0xf0 [ubi]
      [<ffffffffa0039d97>] ubi_open_volume+0x177/0x350 [ubi]
      [<ffffffffa00375d8>] vol_cdev_open+0x58/0xb0 [ubi]
      [<ffffffff8124b08e>] chrdev_open+0xae/0x1d0
      [<ffffffff81243bcf>] do_dentry_open+0x1ff/0x300
      [<ffffffff8124afe0>] ? cdev_put+0x30/0x30
      [<ffffffff81244d36>] vfs_open+0x56/0x60
      [<ffffffff812545f4>] path_openat+0x4f4/0x1190
      [<ffffffff81256621>] do_filp_open+0x91/0x100
      [<ffffffff81263547>] ? __alloc_fd+0xc7/0x190
      [<ffffffff812450df>] do_sys_open+0x13f/0x210
      [<ffffffff812451ce>] SyS_open+0x1e/0x20
      [<ffffffff81a99e32>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      
      UBI checks static volumes for data consistency and reads the
      whole volume upon first open. If the volume is found erroneous
      users of UBI cannot read from it, but another volume update is
      possible to fix it. The check is performed by running
      ubi_eba_read_leb() on every allocated LEB of the volume.
      For static volumes ubi_eba_read_leb() computes the checksum of all
      data stored in a LEB. To verify the computed checksum it has to read
      the LEB's volume header which stores the original checksum.
      If the volume header is not found UBI treats this as fatal internal
      error and switches to RO mode. If the UBI device was attached via a
      full scan the assumption is correct, the volume header has to be
      present as it had to be there while scanning to get known as mapped.
      If the attach operation happened via Fastmap the assumption is no
      longer correct. When attaching via Fastmap UBI learns the mapping
      table from Fastmap's snapshot of the system state and not via a full
      scan. It can happen that a LEB got unmapped after a Fastmap was
      written to the flash. Then UBI can learn the LEB still as mapped and
      accessing it returns only 0xFF bytes. As UBI is not a FTL it is
      allowed to have mappings to empty PEBs, it assumes that the layer
      above takes care of LEB accounting and referencing.
      UBIFS does so using the LEB property tree (LPT).
      For static volumes UBI blindly assumes that all LEBs are present and
      therefore special actions have to be taken.
      
      The described situation can happen when updating a static volume is
      interrupted, either by a user or a power cut.
      The volume update code first unmaps all LEBs of a volume and then
      writes LEB by LEB. If the sequence of operations is interrupted UBI
      detects this either by the absence of LEBs, no volume header present
      at scan time, or corrupted payload, detected via checksum.
      In the Fastmap case the former method won't trigger as no scan
      happened and UBI automatically thinks all LEBs are present.
      Only by reading data from a LEB it detects that the volume header is
      missing and incorrectly treats this as fatal error.
      To deal with the situation ubi_eba_read_leb() from now on checks
      whether we attached via Fastmap and handles the absence of a
      volume header like a data corruption error.
      This way interrupted static volume updates will correctly get detected
      also when Fastmap is used.
      Reported-by: default avatarEzequiel Garcia <ezequiel@vanguardiasur.com.ar>
      Tested-by: default avatarEzequiel Garcia <ezequiel@vanguardiasur.com.ar>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ebe3bf5
    • Chris Mason's avatar
      Btrfs: fix handling of faults from btrfs_copy_from_user · 4704fa54
      Chris Mason authored
      commit 56244ef1 upstream.
      
      When btrfs_copy_from_user isn't able to copy all of the pages, we need
      to adjust our accounting to reflect the work that was actually done.
      
      Commit 2e78c927 changed around the decisions a little and we ended up
      skipping the accounting adjustments some of the time.  This commit makes
      sure that when we don't copy anything at all, we still hop into
      the adjustments, and switches to release_bytes instead of write_bytes,
      since write_bytes isn't aligned.
      
      The accounting errors led to warnings during btrfs_destroy_inode:
      
      [   70.847532] WARNING: CPU: 10 PID: 514 at fs/btrfs/inode.c:9350 btrfs_destroy_inode+0x2b3/0x2c0
      [   70.847536] Modules linked in: i2c_piix4 virtio_net i2c_core input_leds button led_class serio_raw acpi_cpufreq sch_fq_codel autofs4 virtio_blk
      [   70.847538] CPU: 10 PID: 514 Comm: umount Tainted: G        W 4.6.0-rc6_00062_g2997da1-dirty #23
      [   70.847539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.0-1.fc24 04/01/2014
      [   70.847542]  0000000000000000 ffff880ff5cafab8 ffffffff8149d5e9 0000000000000202
      [   70.847543]  0000000000000000 0000000000000000 0000000000000000 ffff880ff5cafb08
      [   70.847547]  ffffffff8107bdfd ffff880ff5cafaf8 000024868120013d ffff880ff5cafb28
      [   70.847547] Call Trace:
      [   70.847550]  [<ffffffff8149d5e9>] dump_stack+0x51/0x78
      [   70.847551]  [<ffffffff8107bdfd>] __warn+0xfd/0x120
      [   70.847553]  [<ffffffff8107be3d>] warn_slowpath_null+0x1d/0x20
      [   70.847555]  [<ffffffff8139c9e3>] btrfs_destroy_inode+0x2b3/0x2c0
      [   70.847556]  [<ffffffff812003a1>] ? __destroy_inode+0x71/0x140
      [   70.847558]  [<ffffffff812004b3>] destroy_inode+0x43/0x70
      [   70.847559]  [<ffffffff810b7b5f>] ? wake_up_bit+0x2f/0x40
      [   70.847560]  [<ffffffff81200c68>] evict+0x148/0x1d0
      [   70.847562]  [<ffffffff81398ade>] ? start_transaction+0x3de/0x460
      [   70.847564]  [<ffffffff81200d49>] dispose_list+0x59/0x80
      [   70.847565]  [<ffffffff81201ba0>] evict_inodes+0x180/0x190
      [   70.847566]  [<ffffffff812191ff>] ? __sync_filesystem+0x3f/0x50
      [   70.847568]  [<ffffffff811e95f8>] generic_shutdown_super+0x48/0x100
      [   70.847569]  [<ffffffff810b75c0>] ? woken_wake_function+0x20/0x20
      [   70.847571]  [<ffffffff811e9796>] kill_anon_super+0x16/0x30
      [   70.847573]  [<ffffffff81365cde>] btrfs_kill_super+0x1e/0x130
      [   70.847574]  [<ffffffff811e99be>] deactivate_locked_super+0x4e/0x90
      [   70.847576]  [<ffffffff811e9e61>] deactivate_super+0x51/0x70
      [   70.847577]  [<ffffffff8120536f>] cleanup_mnt+0x3f/0x80
      [   70.847579]  [<ffffffff81205402>] __cleanup_mnt+0x12/0x20
      [   70.847581]  [<ffffffff81098358>] task_work_run+0x68/0xa0
      [   70.847582]  [<ffffffff810022b6>] exit_to_usermode_loop+0xd6/0xe0
      [   70.847583]  [<ffffffff81002e1d>] do_syscall_64+0xbd/0x170
      [   70.847586]  [<ffffffff817d4dbc>] entry_SYSCALL64_slow_path+0x25/0x25
      
      This is the test program I used to force short returns from
      btrfs_copy_from_user
      
      void *dontneed(void *arg)
      {
      	char *p = arg;
      	int ret;
      
      	while(1) {
      		ret = madvise(p, BUFSIZE/4, MADV_DONTNEED);
      		if (ret) {
      			perror("madvise");
      			exit(1);
      		}
      	}
      }
      
      int main(int ac, char **av) {
      	int ret;
      	int fd;
      	char *filename;
      	unsigned long offset;
      	char *buf;
      	int i;
      	pthread_t tid;
      
      	if (ac != 2) {
      		fprintf(stderr, "usage: dammitdave filename\n");
      		exit(1);
      	}
      
      	buf = mmap(NULL, BUFSIZE, PROT_READ|PROT_WRITE,
      		   MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
      	if (buf == MAP_FAILED) {
      		perror("mmap");
      		exit(1);
      	}
      	memset(buf, 'a', BUFSIZE);
      	filename = av[1];
      
      	ret = pthread_create(&tid, NULL, dontneed, buf);
      	if (ret) {
      		fprintf(stderr, "error %d from pthread_create\n", ret);
      		exit(1);
      	}
      
      	ret = pthread_detach(tid);
      	if (ret) {
      		fprintf(stderr, "pthread detach failed %d\n", ret);
      		exit(1);
      	}
      
      	while (1) {
      		fd = open(filename, O_RDWR | O_CREAT, 0600);
      		if (fd < 0) {
      			perror("open");
      			exit(1);
      		}
      
      		for (i = 0; i < ROUNDS; i++) {
      			int this_write = BUFSIZE;
      
      			offset = rand() % MAXSIZE;
      			ret = pwrite(fd, buf, this_write, offset);
      			if (ret < 0) {
      				perror("pwrite");
      				exit(1);
      			} else if (ret != this_write) {
      				fprintf(stderr, "short write to %s offset %lu ret %d\n",
      					filename, offset, ret);
      				exit(1);
      			}
      			if (i == ROUNDS - 1) {
      				ret = sync_file_range(fd, offset, 4096,
      				    SYNC_FILE_RANGE_WRITE);
      				if (ret < 0) {
      					perror("sync_file_range");
      					exit(1);
      				}
      			}
      		}
      		ret = ftruncate(fd, 0);
      		if (ret < 0) {
      			perror("ftruncate");
      			exit(1);
      		}
      		ret = close(fd);
      		if (ret) {
      			perror("close");
      			exit(1);
      		}
      		ret = unlink(filename);
      		if (ret) {
      			perror("unlink");
      			exit(1);
      		}
      
      	}
      	return 0;
      }
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Reported-by: default avatarDave Jones <dsj@fb.com>
      Fixes: 2e78c927Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4704fa54
    • Luke Dashjr's avatar
      btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl · b82bec5e
      Luke Dashjr authored
      commit 4c63c245 upstream.
      
      32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
      be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
      fail.
      Signed-off-by: default avatarLuke Dashjr <luke-jr+git@utopios.org>
      Reviewed-by: default avatarJosef Bacik <jbacik@fb.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b82bec5e
    • James Hogan's avatar
      SIGNAL: Move generic copy_siginfo() to signal.h · cf1db059
      James Hogan authored
      commit ca9eb49a upstream.
      
      The generic copy_siginfo() is currently defined in
      asm-generic/siginfo.h, after including uapi/asm-generic/siginfo.h which
      defines the generic struct siginfo. However this makes it awkward for an
      architecture to use it if it has to define its own struct siginfo (e.g.
      MIPS and potentially IA64), since it means that asm-generic/siginfo.h
      can only be included after defining the arch-specific siginfo, which may
      be problematic if the arch-specific definition needs definitions from
      uapi/asm-generic/siginfo.h.
      
      It is possible to work around this by first including
      uapi/asm-generic/siginfo.h to get the constants before defining the
      arch-specific siginfo, and include asm-generic/siginfo.h after. However
      uapi headers can't be included by other uapi headers, so that first
      include has to be in an ifdef __kernel__, with the non __kernel__ case
      including the non-UAPI header instead.
      
      Instead of that mess, move the generic copy_siginfo() definition into
      linux/signal.h, which allows an arch-specific uapi/asm/siginfo.h to
      include asm-generic/siginfo.h and define the arch-specific siginfo, and
      for the generic copy_siginfo() to see that arch-specific definition.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Petr Malat <oss@malat.biz>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Christopher Ferris <cferris@google.com>
      Cc: linux-arch@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-ia64@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/12478/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf1db059
    • Heinz Mauelshagen's avatar
      md: md.c: fix oops in mddev_suspend for raid0 · 5269fcd7
      Heinz Mauelshagen authored
      commit 092398dc upstream.
      
      Introduced by upstream commit 70d9798b
      
      The raid0 personality does not create mddev->thread as oposed to
      other personalities leading to its unconditional access in
      mddev_suspend() causing an oops.
      
      Patch checks for mddev->thread in order to keep the
      intention of aforementioned commit.
      
      Fixes: 70d9798b ("MD: warn for potential deadlock")
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5269fcd7
    • Andreas Noever's avatar
      thunderbolt: Fix double free of drom buffer · 6e3ef902
      Andreas Noever authored
      commit 2ffa9a5d upstream.
      
      If tb_drom_read() fails, sw->drom is freed but not set to NULL.  sw->drom
      is then freed again in the error path of tb_switch_alloc().
      
      The bug can be triggered by unplugging a thunderbolt device shortly after
      it is detected by the thunderbolt driver.
      
      Clear sw->drom if tb_drom_read() fails.
      
      [bhelgaas: add Fixes:, stable versions of interest]
      Fixes: 343fcb8c ("thunderbolt: Fix nontrivial endpoint devices.")
      Signed-off-by: default avatarAndreas Noever <andreas.noever@gmail.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Lukas Wunner <lukas@wunner.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e3ef902
    • Bart Van Assche's avatar
      IB/srp: Fix srp_create_target() error handling · 80772cfb
      Bart Van Assche authored
      commit f83b2561 upstream.
      
      Avoid that the following kernel oops occurs if memory pool
      allocation fails:
      
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffffa048d0a0>] ib_drain_rq+0x0/0x20 [ib_core]
      Call Trace:
       [<ffffffffa04af386>] srp_create_target+0xca6/0x13a9 [ib_srp]
       [<ffffffff813cc863>] dev_attr_store+0x13/0x20
       [<ffffffff81214b50>] sysfs_kf_write+0x40/0x50
       [<ffffffff81213f1c>] kernfs_fop_write+0x13c/0x180
       [<ffffffff81197683>] __vfs_write+0x23/0xf0
       [<ffffffff81198744>] vfs_write+0xa4/0x1a0
       [<ffffffff81199a44>] SyS_write+0x44/0xa0
       [<ffffffff8159e3e9>] entry_SYSCALL_64_fastpath+0x1c/0xac
      
      Fixes: 1dc7b1f1 ("IB/srp: use the new CQ API")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Reviewed-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Tested-by: default avatarLaurence Oberman <loberman@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80772cfb
    • Bart Van Assche's avatar
      IB/srp: Fix a debug kernel crash · a1e9e0f4
      Bart Van Assche authored
      commit 54f5c9c5 upstream.
      
      Avoid that the following BUG() is triggered against a debug
      kernel:
      
      kernel BUG at include/linux/scatterlist.h:92!
      RIP: 0010:[<ffffffffa0467199>]  [<ffffffffa0467199>] srp_map_idb+0x199/0x1a0 [ib_srp]
      Call Trace:
       [<ffffffffa04685fa>] srp_map_data+0x84a/0x890 [ib_srp]
       [<ffffffffa0469674>] srp_queuecommand+0x1e4/0x610 [ib_srp]
       [<ffffffff813f5a5e>] scsi_dispatch_cmd+0x9e/0x180
       [<ffffffff813f8b07>] scsi_request_fn+0x477/0x610
       [<ffffffff81298ffe>] __blk_run_queue+0x2e/0x40
       [<ffffffff81299070>] blk_delay_work+0x20/0x30
       [<ffffffff81071f07>] process_one_work+0x197/0x480
       [<ffffffff81072239>] worker_thread+0x49/0x490
       [<ffffffff810787ea>] kthread+0xea/0x100
       [<ffffffff8159b632>] ret_from_fork+0x22/0x40
      
      Fixes: f7f7aab1 ("IB/srp: Convert to new registration API")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: Christoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarMax Gurtovoy <maxg@mellanox.com>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1e9e0f4
    • Hui Wang's avatar
      ALSA: hda - Fix headset mic detection problem for one Dell machine · f7d3e0bb
      Hui Wang authored
      commit 86c72d1c upstream.
      
      Add the pin configuration value of this machine into the pin_quirk
      table to make DELL1_MIC_NO_PRESENCE apply to this machine.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7d3e0bb
    • Kailang Yang's avatar
      ALSA: hda/realtek - Add support for ALC295/ALC3254 · 00527634
      Kailang Yang authored
      commit 7d727869 upstream.
      
      Add support for ALC295/ALC3254.
      They are simply compatible with ALC225 chip.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00527634
    • Kai-Heng Feng's avatar
      ALSA: hda - Fix headphone noise on Dell XPS 13 9360 · 64a09edf
      Kai-Heng Feng authored
      commit 423cd785 upstream.
      
      The headphone has noise when playing sound or switching microphone sources.
      It uses the same codec on XPS 13 9350, but with different subsystem ID.
      Applying the fixup can solve the issue.
      Also, changing the model name to better differentiate models.
      
      v2: Reorder by device ID.
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64a09edf
    • Kailang Yang's avatar
      ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294 · ba1e0df3
      Kailang Yang authored
      commit dcd4f0db upstream.
      
      Support new codecs for ALC234/ALC274/ALC294.
      This three codecs was the same IC.
      But bonding is not the same.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba1e0df3
    • Andreas Werner's avatar
      mcb: Fixed bar number assignment for the gdd · 5aa78548
      Andreas Werner authored
      commit f75564d3 upstream.
      
      The bar number is found in reg2 within the gdd. Therefore
      we need to change the assigment from reg1 to reg2 which
      is the correct location.
      Signed-off-by: default avatarAndreas Werner <andreas.werner@men.de>
      Fixes: '3764e82e' drivers: Introduce MEN Chameleon Bus
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5aa78548
    • Ashutosh Dixit's avatar
      misc: mic: Fix for double fetch security bug in VOP driver · 2a936945
      Ashutosh Dixit authored
      commit 9bf292bf upstream.
      
      The MIC VOP driver does two successive reads from user space to read a
      variable length data structure. Kernel memory corruption can result if
      the data structure changes between the two reads. This patch disallows
      the chance of this happening.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
      Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
      Reviewed-by: default avatarSudeep Dutt <sudeep.dutt@intel.com>
      Signed-off-by: default avatarAshutosh Dixit <ashutosh.dixit@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a936945
    • Olga Kornievskaia's avatar
      Fixing oops in callback path · 8fa0eca9
      Olga Kornievskaia authored
      commit c2985d00 upstream.
      
      Commit 80f96427 ("NFSv4.x: Enforce the ca_maxreponsesize_cached
      on the back channel") causes an oops when it receives a callback with
      cachethis=yes.
      
      [  109.667378] BUG: unable to handle kernel NULL pointer dereference at 00000000000002c8
      [  109.669476] IP: [<ffffffffa08a3e68>] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
      [  109.671216] PGD 0
      [  109.671736] Oops: 0000 [#1] SMP
      [  109.705427] CPU: 1 PID: 3579 Comm: nfsv4.1-svc Not tainted 4.5.0-rc1+ #1
      [  109.706987] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
      [  109.709468] task: ffff8800b4408000 ti: ffff88008448c000 task.ti: ffff88008448c000
      [  109.711207] RIP: 0010:[<ffffffffa08a3e68>]  [<ffffffffa08a3e68>] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
      [  109.713521] RSP: 0018:ffff88008448fca0  EFLAGS: 00010286
      [  109.714762] RAX: ffff880081ee202c RBX: ffff8800b7b5b600 RCX: 0000000000000001
      [  109.716427] RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000000
      [  109.718091] RBP: ffff88008448fda8 R08: 0000000000000000 R09: 000000000b000000
      [  109.719757] R10: ffff880137786000 R11: ffff8800b7b5b600 R12: 0000000001000000
      [  109.721415] R13: 0000000000000002 R14: 0000000053270000 R15: 000000000000000b
      [  109.723061] FS:  0000000000000000(0000) GS:ffff880139640000(0000) knlGS:0000000000000000
      [  109.724931] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  109.726278] CR2: 00000000000002c8 CR3: 0000000034d50000 CR4: 00000000001406e0
      [  109.727972] Stack:
      [  109.728465]  ffff880081ee202c ffff880081ee201c 000000008448fcc0 ffff8800baccb800
      [  109.730349]  ffff8800baccc800 ffffffffa08d0380 0000000000000000 0000000000000000
      [  109.732211]  ffff8800b7b5b600 0000000000000001 ffffffff81d073c0 ffff880081ee3090
      [  109.734056] Call Trace:
      [  109.734657]  [<ffffffffa03795d4>] svc_process_common+0x5c4/0x6c0 [sunrpc]
      [  109.736267]  [<ffffffffa0379a4c>] bc_svc_process+0x1fc/0x360 [sunrpc]
      [  109.737775]  [<ffffffffa08a2c2c>] nfs41_callback_svc+0x10c/0x1d0 [nfsv4]
      [  109.739335]  [<ffffffff810cb380>] ? prepare_to_wait_event+0xf0/0xf0
      [  109.740799]  [<ffffffffa08a2b20>] ? nfs4_callback_svc+0x50/0x50 [nfsv4]
      [  109.742349]  [<ffffffff810a6998>] kthread+0xd8/0xf0
      [  109.743495]  [<ffffffff810a68c0>] ? kthread_park+0x60/0x60
      [  109.744776]  [<ffffffff816abc4f>] ret_from_fork+0x3f/0x70
      [  109.746037]  [<ffffffff810a68c0>] ? kthread_park+0x60/0x60
      [  109.747324] Code: cc 45 31 f6 48 8b 85 00 ff ff ff 44 89 30 48 8b 85 f8 fe ff ff 44 89 20 48 8b 9d 38 ff ff ff 48 8b bd 30 ff ff ff 48 85 db 74 4c <4c> 8b af c8 02 00 00 4d 8d a5 08 02 00 00 49 81 c5 98 02 00 00
      [  109.754361] RIP  [<ffffffffa08a3e68>] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
      [  109.756123]  RSP <ffff88008448fca0>
      [  109.756951] CR2: 00000000000002c8
      [  109.757738] ---[ end trace 2b8555511ab5dfb4 ]---
      [  109.758819] Kernel panic - not syncing: Fatal exception
      [  109.760126] Kernel Offset: disabled
      [  118.938934] ---[ end Kernel panic - not syncing: Fatal exception
      
      It doesn't unlock the table nor does it set the cps->clp pointer which
      is later needed by nfs4_cb_free_slot().
      
      Fixes: 80f96427 ("NFSv4.x: Enforce the ca_maxresponsesize_cached ...")
      Signed-off-by: default avatarOlga Kornievskaia <kolga@netapp.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8fa0eca9
    • Jan Beulich's avatar
      objtool: Allow building with older libelf · 60863356
      Jan Beulich authored
      commit 2e51f262 upstream.
      
      The switch to elf_getshdr{num,strndx} post-dates the oldest tool chain
      the kernel is supposed to be able to build with, so try to cope with
      such an environment.
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jan Beulich <JBeulich@suse.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Link: http://lkml.kernel.org/r/732dae6872b7ff187d94f22bb699a12849d3fe04.1463430618.git.jpoimboe@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      60863356
    • Lucas Stach's avatar
      watchdog: sp5100_tco: properly check for new register layouts · 9411afb6
      Lucas Stach authored
      commit 46856fab upstream.
      
      Commits 190aa430 (Add AMD Mullins platform support) and
      cca118fa (Add AMD Carrizo platform support) enabled the
      driver on a lot more devices, but the following commit missed
      a single location in the code when checking if the SB800 register
      offsets should be used. This leads to the wrong register being
      written which in turn causes ACPI to go haywire.
      
      Fix this by introducing a helper function to check for the new
      register layout and use this consistently.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=114201
      https://bugzilla.redhat.com/show_bug.cgi?id=1329910
      Fixes: bdecfcdb (sp5100_tco: fix the device check for SB800
      and later chipsets)
      Signed-off-by: default avatarLucas Stach <dev@lynxeye.de>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9411afb6
    • Guenter Roeck's avatar
      watchdog: core: Fix circular locking dependency · 21abae56
      Guenter Roeck authored
      commit e1f30282 upstream.
      
      lockdep reports the following circular locking dependency.
      
      ======================================================
      INFO: possible circular locking dependency detected ]
      4.6.0-rc3-00191-gfabf418 #162 Not tainted
      -------------------------------------------------------
      systemd/1 is trying to acquire lock:
      ((&(&wd_data->work)->work)){+.+...}, at: [<80141650>] flush_work+0x0/0x280
      
      but task is already holding lock:
      
      (&wd_data->lock){+.+...}, at: [<804acfa8>] watchdog_release+0x18/0x190
      
      which lock already depends on the new lock.
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&wd_data->lock){+.+...}:
      	[<80662310>] mutex_lock_nested+0x64/0x4a8
      	[<804aca4c>] watchdog_ping_work+0x18/0x4c
      	[<80143128>] process_one_work+0x1ac/0x500
      	[<801434b4>] worker_thread+0x38/0x554
      	[<80149510>] kthread+0xf4/0x108
      	[<80107c10>] ret_from_fork+0x14/0x24
      
      -> #0 ((&(&wd_data->work)->work)){+.+...}:
      	[<8017c4e8>] lock_acquire+0x70/0x90
      	[<8014169c>] flush_work+0x4c/0x280
      	[<801440f8>] __cancel_work_timer+0x9c/0x1e0
      	[<804acfcc>] watchdog_release+0x3c/0x190
      	[<8022c5e8>] __fput+0x80/0x1c8
      	[<80147b28>] task_work_run+0x94/0xc8
      	[<8010b998>] do_work_pending+0x8c/0xb4
      	[<80107ba8>] slow_work_pending+0xc/0x20
      
      other info that might help us debug this:
      Possible unsafe locking scenario:
      
      CPU0                    CPU1
      ----                    ----
      lock(&wd_data->lock);
                              lock((&(&wd_data->work)->work));
                              lock(&wd_data->lock);
      lock((&(&wd_data->work)->work));
      21abae56
    • Martin Sperl's avatar
      clk: bcm2835: add locking to pll*_on/off methods · cf63f060
      Martin Sperl authored
      commit ec36a5c6 upstream.
      
      Add missing locking to:
      * bcm2835_pll_divider_on
      * bcm2835_pll_divider_off
      to protect the read modify write cycle for the
      register access protecting both cm_reg and a2w_reg
      registers.
      
      Fixes: 41691b88 ("clk: bcm2835: Add support for programming the
      audio domain clocks")
      Signed-off-by: default avatarMartin Sperl <kernel@martin.sperl.org>
      Signed-off-by: default avatarEric Anholt <eric@anholt.net>
      Reviewed-by: default avatarEric Anholt <eric@anholt.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf63f060
    • Peter Zijlstra's avatar
      locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait() · 1267ee34
      Peter Zijlstra authored
      commit 54cf809b upstream.
      
      Similar to commits:
      
        51d7d520 ("powerpc: Add smp_mb() to arch_spin_is_locked()")
        d86b8da0 ("arm64: spinlock: serialise spin_unlock_wait against concurrent lockers")
      
      qspinlock suffers from the fact that the _Q_LOCKED_VAL store is
      unordered inside the ACQUIRE of the lock.
      
      And while this is not a problem for the regular mutual exclusive
      critical section usage of spinlocks, it breaks creative locking like:
      
      	spin_lock(A)			spin_lock(B)
      	spin_unlock_wait(B)		if (!spin_is_locked(A))
      	do_something()			  do_something()
      
      In that both CPUs can end up running do_something at the same time,
      because our _Q_LOCKED_VAL store can drop past the spin_unlock_wait()
      spin_is_locked() loads (even on x86!!).
      
      To avoid making the normal case slower, add smp_mb()s to the less used
      spin_unlock_wait() / spin_is_locked() side of things to avoid this
      problem.
      Reported-and-tested-by: default avatarDavidlohr Bueso <dave@stgolabs.net>
      Reported-by: default avatarGiovanni Gherdovich <ggherdovich@suse.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1267ee34
    • Chanwoo Choi's avatar
      serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() · 4eef792d
      Chanwoo Choi authored
      commit b8995f52 upstream.
      
      This patch fixes the broken serial log when changing the clock source
      of uart device. Before disabling the original clock source, this patch
      enables the new clock source to protect the clock off state for a split second.
      Signed-off-by: default avatarChanwoo Choi <cw00.choi@samsung.com>
      Reviewed-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      4eef792d
    • Andy Shevchenko's avatar
      serial: 8250_mid: recognize interrupt source in handler · 8b16f9dd
      Andy Shevchenko authored
      commit c42850f1 upstream.
      
      There is a special register that shows interrupt status by source. In
      particular case the source can be a combination of DMA Tx, DMA Rx, and UART.
      
      Read the register and call the handlers only for sources that request an
      interrupt.
      
      Fixes: 6ede6dcd ("serial: 8250_mid: add support for DMA engine handling from UART MMIO")
      Reviewed-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b16f9dd
    • Andy Shevchenko's avatar
      serial: 8250_mid: use proper bar for DNV platform · 21f45545
      Andy Shevchenko authored
      commit 107e15fc upstream.
      
      Unlike Intel Medfield and Tangier platforms DNV uses PCI BAR0 for IO compatible
      resources and BAR1 for MMIO. We need latter in a way to support DMA. Introduce
      an additional field in the internal structure and pass PCI BAR based on device
      ID.
      Reported-by: default avatar"Lai, Poey Seng" <poey.seng.lai@intel.com>
      Fixes: 6ede6dcd ("serial: 8250_mid: add support for DMA engine handling from UART MMIO")
      Reviewed-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21f45545
    • David Müller's avatar
      serial: 8250_pci: fix divide error bug if baud rate is 0 · 9706e39b
      David Müller authored
      commit 6f210c18 upstream.
      
      Since commit 21947ba6 ("serial: 8250_pci: replace switch-case by
      formula"), the 8250 driver crashes in the byt_set_termios() function
      with a divide error. This is caused by the fact that a baud rate of 0 (B0)
      is not handled properly. Fix it by falling back to B9600 in this case.
      Signed-off-by: default avatarDavid Müller <d.mueller@elsoft.ch>
      Fixes: 21947ba6 ("serial: 8250_pci: replace switch-case by formula")
      Suggested-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9706e39b
    • Brian Bloniarz's avatar
      Fix OpenSSH pty regression on close · 0412bb0f
      Brian Bloniarz authored
      commit 0f40fbbc upstream.
      
      OpenSSH expects the (non-blocking) read() of pty master to return
      EAGAIN only if it has received all of the slave-side output after
      it has received SIGCHLD. This used to work on pre-3.12 kernels.
      
      This fix effectively forces non-blocking read() and poll() to
      block for parallel i/o to complete for all ttys. It also unwinds
      these changes:
      
      1) f8747d4a
         tty: Fix pty master read() after slave closes
      
      2) 52bce7f8
         pty, n_tty: Simplify input processing on final close
      
      3) 1a48632f
         pty: Fix input race when closing
      
      Inspired by analysis and patch from Marc Aurele La France <tsi@tuyoix.net>
      Reported-by: default avatarVolth <openssh@volth.com>
      Reported-by: default avatarMarc Aurele La France <tsi@tuyoix.net>
      BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
      BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492Signed-off-by: default avatarBrian Bloniarz <brian.bloniarz@gmail.com>
      Reviewed-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0412bb0f
    • Alexandre Belloni's avatar
      tty/serial: atmel: fix hardware handshake selection · c106d26d
      Alexandre Belloni authored
      commit 5be605ac upstream.
      
      Commit 1cf6e8fc ("tty/serial: at91: fix RTS line management when
      hardware handshake is enabled") actually allowed to enable hardware
      handshaking.
      Before, the CRTSCTS flags was silently ignored.
      
      As the DMA controller can't drive RTS (as explain in the commit message).
      Ensure that hardware flow control stays disabled when DMA is used and FIFOs
      are not available.
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Fixes: 1cf6e8fc ("tty/serial: at91: fix RTS line management when hardware handshake is enabled")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c106d26d
    • Jiri Slaby's avatar
      TTY: n_gsm, fix false positive WARN_ON · 3550c6da
      Jiri Slaby authored
      commit d175feca upstream.
      
      Dmitry reported, that the current cleanup code in n_gsm can trigger a
      warning:
      WARNING: CPU: 2 PID: 24238 at drivers/tty/n_gsm.c:2048 gsm_cleanup_mux+0x166/0x6b0()
      ...
      Call Trace:
      ...
       [<ffffffff81247ab9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:490
       [<ffffffff828d0456>] gsm_cleanup_mux+0x166/0x6b0 drivers/tty/n_gsm.c:2048
       [<ffffffff828d4d87>] gsmld_open+0x5b7/0x7a0 drivers/tty/n_gsm.c:2386
       [<ffffffff828b9078>] tty_ldisc_open.isra.2+0x78/0xd0 drivers/tty/tty_ldisc.c:447
       [<ffffffff828b973a>] tty_set_ldisc+0x1ca/0xa70 drivers/tty/tty_ldisc.c:567
       [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
       [<ffffffff828a14ea>] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2883
      ...
      
      But this is a legal path when open fails to find a space in the
      gsm_mux array and tries to clean up. So make it a standard test
      instead of a warning.
      Reported-by: default avatar"Dmitry Vyukov" <dvyukov@google.com>
      Cc: Alan Cox <alan@linux.intel.com>
      Link: http://lkml.kernel.org/r/CACT4Y+bHQbAB68VFi7Romcs-Z9ZW3kQRvcq+BvHH1oa5NcAdLA@mail.gmail.com
      Fixes: 5a640967 ("tty/n_gsm.c: fix a memory leak in gsmld_open()")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3550c6da
    • Jiri Slaby's avatar
      tty: vt, return error when con_startup fails · f015378c
      Jiri Slaby authored
      commit 6798df4c upstream.
      
      When csw->con_startup() fails in do_register_con_driver, we return no
      error (i.e. 0). This was changed back in 2006 by commit 3e795de7.
      Before that we used to return -ENODEV.
      
      So fix the return value to be -ENODEV in that case again.
      
      Fixes: 3e795de7 ("VT binding: Add binding/unbinding support for the VT console")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reported-by: default avatar"Dan Carpenter" <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f015378c
    • Dave Hansen's avatar
      x86/cpufeature, x86/mm/pkeys: Fix broken compile-time disabling of pkeys · e06916ba
      Dave Hansen authored
      commit e8df1a95 upstream.
      
      When I added support for the Memory Protection Keys processor
      feature, I had to reindent the REQUIRED/DISABLED_MASK macros, and
      also consult the later cpufeature words.
      
      I'm not quite sure how I bungled it, but I consulted the wrong
      word at the end.  This only affected required or disabled cpu
      features in cpufeature words 14, 15 and 16.  So, only Protection
      Keys itself was screwed over here.
      
      The result was that if you disabled pkeys in your .config, you
      might still see some code show up that should have been compiled
      out.  There should be no functional problems, though.
      
      In verifying this patch I also realized that the DISABLE_PKU/OSPKE
      macros were defined backwards and that the cpu_has() check in
      setup_pku() was not doing the compile-time disabled checks.
      
      So also fix the macro for DISABLE_PKU/OSPKE and add a compile-time
      check for pkeys being enabled in setup_pku().
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Dave Hansen <dave@sr71.net>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Fixes: dfb4a70f ("x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions")
      Link: http://lkml.kernel.org/r/20160513221328.C200930B@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e06916ba
    • Stefano Stabellini's avatar
      xen/x86: actually allocate legacy interrupts on PV guests · 618e09a5
      Stefano Stabellini authored
      commit 702f9260 upstream.
      
      b4ff8389 is incomplete: relies on nr_legacy_irqs() to get the number
      of legacy interrupts when actually nr_legacy_irqs() returns 0 after
      probe_8259A(). Use NR_IRQS_LEGACY instead.
      Signed-off-by: default avatarStefano Stabellini <sstabellini@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      618e09a5
    • James Hogan's avatar
      MIPS: KVM: Fix timer IRQ race when writing CP0_Compare · a6e88c7d
      James Hogan authored
      commit b45bacd2 upstream.
      
      Writing CP0_Compare clears the timer interrupt pending bit
      (CP0_Cause.TI), but this wasn't being done atomically. If a timer
      interrupt raced with the write of the guest CP0_Compare, the timer
      interrupt could end up being pending even though the new CP0_Compare is
      nowhere near CP0_Count.
      
      We were already updating the hrtimer expiry with
      kvm_mips_update_hrtimer(), which used both kvm_mips_freeze_hrtimer() and
      kvm_mips_resume_hrtimer(). Close the race window by expanding out
      kvm_mips_update_hrtimer(), and clearing CP0_Cause.TI and setting
      CP0_Compare between the freeze and resume. Since the pending timer
      interrupt should not be cleared when CP0_Compare is written via the KVM
      user API, an ack argument is added to distinguish the source of the
      write.
      
      Fixes: e30492bb ("MIPS: KVM: Rewrite count/compare timer emulation")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim KrčmáÅ" <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6e88c7d
    • James Hogan's avatar
      MIPS: KVM: Fix timer IRQ race when freezing timer · 5a1a83e4
      James Hogan authored
      commit 4355c44f upstream.
      
      There's a particularly narrow and subtle race condition when the
      software emulated guest timer is frozen which can allow a guest timer
      interrupt to be missed.
      
      This happens due to the hrtimer expiry being inexact, so very
      occasionally the freeze time will be after the moment when the emulated
      CP0_Count transitions to the same value as CP0_Compare (so an IRQ should
      be generated), but before the moment when the hrtimer is due to expire
      (so no IRQ is generated). The IRQ won't be generated when the timer is
      resumed either, since the resume CP0_Count will already match CP0_Compare.
      
      With VZ guests in particular this is far more likely to happen, since
      the soft timer may be frozen frequently in order to restore the timer
      state to the hardware guest timer. This happens after 5-10 hours of
      guest soak testing, resulting in an overflow in guest kernel timekeeping
      calculations, hanging the guest. A more focussed test case to
      intentionally hit the race (with the help of a new hypcall to cause the
      timer state to migrated between hardware & software) hits the condition
      fairly reliably within around 30 seconds.
      
      Instead of relying purely on the inexact hrtimer expiry to determine
      whether an IRQ should be generated, read the guest CP0_Compare and
      directly check whether the freeze time is before or after it. Only if
      CP0_Count is on or after CP0_Compare do we check the hrtimer expiry to
      determine whether the last IRQ has already been generated (which will
      have pushed back the expiry by one timer period).
      
      Fixes: e30492bb ("MIPS: KVM: Rewrite count/compare timer emulation")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim KrčmáÅ" <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a1a83e4
    • Gavin Shan's avatar
      KVM: PPC: Book3S HV: Fix build error in book3s_hv.c · 65a541b9
      Gavin Shan authored
      commit 07f8ab25 upstream.
      
      When CONFIG_KVM_XICS is enabled, CPU_UP_PREPARE and other macros for
      CPU states in linux/cpu.h are needed by arch/powerpc/kvm/book3s_hv.c.
      Otherwise, build error as below is seen:
      
         gwshan@gwshan:~/sandbox/l$ make arch/powerpc/kvm/book3s_hv.o
          :
         CC      arch/powerpc/kvm/book3s_hv.o
         arch/powerpc/kvm/book3s_hv.c: In function ‘kvmppc_cpu_notify’:
         arch/powerpc/kvm/book3s_hv.c:3072:7: error: ‘CPU_UP_PREPARE’ \
         undeclared (first use in this function)
      
      This fixes the issue introduced by commit <6f3bb809> ("KVM: PPC:
      Book3S HV: kvmppc_host_rm_ops - handle offlining CPUs").
      
      Fixes: 6f3bb809Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Reviewed-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarPaul Mackerras <paulus@samba.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65a541b9
    • Bruce Rogers's avatar
      KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset · 3bae6132
      Bruce Rogers authored
      commit f2463247 upstream.
      
      Commit d28bc9dd reversed the order of two lines which initialize cr0,
      allowing the current (old) cr0 value to mess up vcpu initialization.
      This was observed in the checks for cr0 X86_CR0_WP bit in the context of
      kvm_mmu_reset_context(). Besides, setting vcpu->arch.cr0 after vmx_set_cr0()
      is completely redundant. Change the order back to ensure proper vcpu
      initialization.
      
      The combination of booting with ovmf firmware when guest vcpus > 1 and kvm's
      ept=N option being set results in a VM-entry failure. This patch fixes that.
      
      Fixes: d28bc9dd ("KVM: x86: INIT and reset sequences are different")
      Signed-off-by: default avatarBruce Rogers <brogers@suse.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bae6132
    • Andy Honig's avatar
      KVM: MTRR: remove MSR 0x2f8 · 0602824f
      Andy Honig authored
      commit 9842df62 upstream.
      
      MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
      was introduced by 9ba075a6 ("KVM: MTRR support").
      
      0x2f8 became harmful when 910a6aae ("KVM: MTRR: exactly define the
      size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
      which made access to index 124 out of bounds.  The surrounding code only
      WARNs in this situation, thus the guest gained a limited read/write
      access to struct kvm_arch_vcpu.
      
      0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
      MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
      was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
      not implemented in KVM, therefore 0x2f8 could never do anything useful
      and getting rid of it is safe.
      
      This fixes CVE-2016-3713.
      
      Fixes: 910a6aae ("KVM: MTRR: exactly define the size of variable MTRRs")
      Reported-by: default avatarDavid Matlack <dmatlack@google.com>
      Signed-off-by: default avatarAndy Honig <ahonig@google.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0602824f
    • H Hartley Sweeten's avatar
      staging: comedi: das1800: fix possible NULL dereference · 655ffc26
      H Hartley Sweeten authored
      commit d375278d upstream.
      
      DMA is optional with this driver. If it was not enabled the devpriv->dma
      pointer will be NULL.
      
      Fix the possible NULL pointer dereference when trying to disable the DMA
      channels in das1800_ai_cancel() and tidy up the comments to fix the
      checkpatch.pl issues:
      WARNING: line over 80 characters
      
      It's probably harmless in das1800_ai_setup_dma() because the 'desc' pointer
      will not be used if DMA is disabled but fix it there also.
      
      Fixes: 99dfc335 ("staging: comedi: das1800: remove depends on ISA_DMA_API limitation")
      Signed-off-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Reviewed-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      655ffc26
    • Yoshihiro Shimoda's avatar
      usb: host: xhci-rcar: Avoid long wait in xhci_reset() · 9dfa1658
      Yoshihiro Shimoda authored
      commit f879fc32 upstream.
      
      The firmware of R-Car USB 3.0 host controller will control the reset.
      So, if the xhci driver doesn't do firmware downloading (e.g. kernel
      configuration is CONFIG_USB_XHCI_PLATFORM=y and CONFIG_USB_XHCI_RCAR
      is not set), the reset of USB 3.0 host controller doesn't work
      correctly. Then, the host controller will cause long wait in
      xhci_reset() because the CMD_RESET bit of op_regs->command is not
      cleared for 10 seconds.
      
      So, this patch modifies the Kconfig to enable both CONFIG_USB_XHCI_PLATFORM
      and CONFIG_USB_XHCI_RCAR.
      
      Fixes: 4ac8918f (usb: host: xhci-plat: add support for the R-Car H2 and M2 xHCI controllers)
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9dfa1658
    • Chris Bainbridge's avatar
      usb: core: hub: hub_port_init lock controller instead of bus · 43a0d891
      Chris Bainbridge authored
      commit feb26ac3 upstream.
      
      The XHCI controller presents two USB buses to the system - one for USB2
      and one for USB3. The hub init code (hub_port_init) is reentrant but
      only locks one bus per thread, leading to a race condition failure when
      two threads attempt to simultaneously initialise a USB2 and USB3 device:
      
      [    8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
      [   13.183701] usb 3-3: device descriptor read/all, error -110
      
      On a test system this failure occurred on 6% of all boots.
      
      The call traces at the point of failure are:
      
      Call Trace:
       [<ffffffff81b9bab7>] schedule+0x37/0x90
       [<ffffffff817da7cd>] usb_kill_urb+0x8d/0xd0
       [<ffffffff8111e5e0>] ? wake_up_atomic_t+0x30/0x30
       [<ffffffff817dafbe>] usb_start_wait_urb+0xbe/0x150
       [<ffffffff817db10c>] usb_control_msg+0xbc/0xf0
       [<ffffffff817d07de>] hub_port_init+0x51e/0xb70
       [<ffffffff817d4697>] hub_event+0x817/0x1570
       [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
       [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
       [<ffffffff810f4684>] worker_thread+0x64/0x4b0
       [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
       [<ffffffff810fa7f5>] kthread+0x105/0x120
       [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
       [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
       [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
      
      Call Trace:
       [<ffffffff817fd36d>] xhci_setup_device+0x53d/0xa40
       [<ffffffff817fd87e>] xhci_address_device+0xe/0x10
       [<ffffffff817d047f>] hub_port_init+0x1bf/0xb70
       [<ffffffff811247ed>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff817d4697>] hub_event+0x817/0x1570
       [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
       [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
       [<ffffffff810f4684>] worker_thread+0x64/0x4b0
       [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
       [<ffffffff810fa7f5>] kthread+0x105/0x120
       [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
       [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
       [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
      
      Which results from the two call chains:
      
      hub_port_init
       usb_get_device_descriptor
        usb_get_descriptor
         usb_control_msg
          usb_internal_control_msg
           usb_start_wait_urb
            usb_submit_urb / wait_for_completion_timeout / usb_kill_urb
      
      hub_port_init
       hub_set_address
        xhci_address_device
         xhci_setup_device
      
      Mathias Nyman explains the current behaviour violates the XHCI spec:
      
       hub_port_reset() will end up moving the corresponding xhci device slot
       to default state.
      
       As hub_port_reset() is called several times in hub_port_init() it
       sounds reasonable that we could end up with two threads having their
       xhci device slots in default state at the same time, which according to
       xhci 4.5.3 specs still is a big no no:
      
       "Note: Software shall not transition more than one Device Slot to the
        Default State at a time"
      
       So both threads fail at their next task after this.
       One fails to read the descriptor, and the other fails addressing the
       device.
      
      Fix this in hub_port_init by locking the USB controller (instead of an
      individual bus) to prevent simultaneous initialisation of both buses.
      
      Fixes: 638139eb ("usb: hub: allow to process more usb hub events in parallel")
      Link: https://lkml.org/lkml/2016/2/8/312
      Link: https://lkml.org/lkml/2016/2/4/748Signed-off-by: default avatarChris Bainbridge <chris.bainbridge@gmail.com>
      Acked-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43a0d891
    • Yoshihiro Shimoda's avatar
      usb: gadget: udc: core: Fix argument of dev_err() in usb_gadget_map_request() · d5a52aef
      Yoshihiro Shimoda authored
      commit 5096c4d3 upstream.
      
      The argument of dev_err() in usb_gadget_map_request() should be dev
      instead of &gadget->dev.
      
      Fixes: 7ace8fc8 ("usb: gadget: udc: core: Fix argument of dma_map_single for IOMMU")
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5a52aef
    • Alan Stern's avatar
      USB: leave LPM alone if possible when binding/unbinding interface drivers · b97df9a8
      Alan Stern authored
      commit 6fb650d4 upstream.
      
      When a USB driver is bound to an interface (either through probing or
      by claiming it) or is unbound from an interface, the USB core always
      disables Link Power Management during the transition and then
      re-enables it afterward.  The reason is because the driver might want
      to prevent hub-initiated link power transitions, in which case the HCD
      would have to recalculate the various LPM parameters.  This
      recalculation takes place when LPM is re-enabled and the new
      parameters are sent to the device and its parent hub.
      
      However, if the driver does not want to prevent hub-initiated link
      power transitions then none of this work is necessary.  The parameters
      don't need to be recalculated, and LPM doesn't need to be disabled and
      re-enabled.
      
      It turns out that disabling and enabling LPM can be time-consuming,
      enough so that it interferes with user programs that want to claim and
      release interfaces rapidly via usbfs.  Since the usbfs kernel driver
      doesn't set the disable_hub_initiated_lpm flag, we can speed things up
      and get the user programs to work by leaving LPM alone whenever the
      flag isn't set.
      
      And while we're improving the way disable_hub_initiated_lpm gets used,
      let's also fix its kerneldoc.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarMatthew Giassa <matthew@giassa.net>
      CC: Mathias Nyman <mathias.nyman@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b97df9a8