1. 19 Nov, 2014 40 commits
    • Florian Westphal's avatar
      netfilter: nf_log: account for size of NLMSG_DONE attribute · 13117284
      Florian Westphal authored
      commit 9dfa1dfe upstream.
      
      We currently neither account for the nlattr size, nor do we consider
      the size of the trailing NLMSG_DONE when allocating nlmsg skb.
      
      This can result in nflog to stop working, as __nfulnl_send() re-tries
      sending forever if it failed to append NLMSG_DONE (which will never
      work if buffer is not large enough).
      Reported-by: default avatarHoucheng Lin <houcheng@gmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      13117284
    • Andrey Vagin's avatar
      ipc: always handle a new value of auto_msgmni · 04e7556e
      Andrey Vagin authored
      commit 1195d94e upstream.
      
      proc_dointvec_minmax() returns zero if a new value has been set.  So we
      don't need to check all charecters have been handled.
      
      Below you can find two examples.  In the new value has not been handled
      properly.
      
      $ strace ./a.out
      open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
      write(3, "0\n\0", 3)                    = 2
      close(3)                                = 0
      exit_group(0)
      $ cat /sys/kernel/debug/tracing/trace
      
      $strace ./a.out
      open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
      write(3, "0\n", 2)                      = 2
      close(3)                                = 0
      
      $ cat /sys/kernel/debug/tracing/trace
      a.out-697   [000] ....  3280.998235: unregister_ipcns_notifier <-proc_ipcauto_dointvec_minmax
      
      Fixes: 9eefe520 ("ipc: do not use a negative value to re-enable msgmni automatic recomputin")
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Cc: Mathias Krause <minipli@googlemail.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Davidlohr Bueso <davidlohr@hp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      04e7556e
    • Bjorn Helgaas's avatar
      clocksource: Remove "weak" from clocksource_default_clock() declaration · 0f207b54
      Bjorn Helgaas authored
      commit 96a2adbc upstream.
      
      kernel/time/jiffies.c provides a default clocksource_default_clock()
      definition explicitly marked "weak".  arch/s390 provides its own definition
      intended to override the default, but the "weak" attribute on the
      declaration applied to the s390 definition as well, so the linker chose one
      based on link order (see 10629d71 ("PCI: Remove __weak annotation from
      pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the clocksource_default_clock()
      declaration so we always prefer a non-weak definition over the weak one,
      independent of link order.
      
      Fixes: f1b82746 ("clocksource: Cleanup clocksource selection")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarIngo Molnar <mingo@kernel.org>
      CC: Daniel Lezcano <daniel.lezcano@linaro.org>
      CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0f207b54
    • Bjorn Helgaas's avatar
      kgdb: Remove "weak" from kgdb_arch_pc() declaration · 33176fe6
      Bjorn Helgaas authored
      commit 107bcc6d upstream.
      
      kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
      explicitly marked "weak".  Several architectures provide their own
      definitions intended to override the default, but the "weak" attribute on
      the declaration applied to the arch definitions as well, so the linker
      chose one based on link order (see 10629d71 ("PCI: Remove __weak
      annotation from pcibios_get_phb_of_node decl")).
      
      Remove the "weak" attribute from the declaration so we always prefer a
      non-weak definition over the weak one, independent of link order.
      
      Fixes: 688b744d ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
      Tested-by: Vineet Gupta <vgupta@synopsys.com>	# for ARC build
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      33176fe6
    • Bjorn Helgaas's avatar
      vmcore: Remove "weak" from function declarations · c9813eda
      Bjorn Helgaas authored
      commit 5ab03ac5 upstream.
      
      For the following functions:
      
        elfcorehdr_alloc()
        elfcorehdr_free()
        elfcorehdr_read()
        elfcorehdr_read_notes()
        remap_oldmem_pfn_range()
      
      fs/proc/vmcore.c provides default definitions explicitly marked "weak".
      arch/s390 provides its own definitions intended to override the default
      ones, but the "weak" attribute on the declarations applied to the s390
      definitions as well, so the linker chose one based on link order (see
      10629d71 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node
      decl")).
      
      Remove the "weak" attribute from the declarations so we always prefer a
      non-weak definition over the weak one, independent of link order.
      
      Fixes: be8a8d06 ("vmcore: introduce ELF header in new memory feature")
      Fixes: 9cb21813 ("vmcore: introduce remap_oldmem_pfn_range()")
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      CC: Michael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c9813eda
    • Trond Myklebust's avatar
      NFSv4.1: nfs41_clear_delegation_stateid shouldn't trust NFS_DELEGATED_STATE · eac34ad1
      Trond Myklebust authored
      commit 0c116cad upstream.
      
      This patch removes the assumption made previously, that we only need to
      check the delegation stateid when it matches the stateid on a cached
      open.
      
      If we believe that we hold a delegation for this file, then we must assume
      that its stateid may have been revoked or expired too. If we don't test it
      then our state recovery process may end up caching open/lock state in a
      situation where it should not.
      We therefore rename the function nfs41_clear_delegation_stateid as
      nfs41_check_delegation_stateid, and change it to always run through the
      delegation stateid test and recovery process as outlined in RFC5661.
      
      http://lkml.kernel.org/r/CAN-5tyHwG=Cn2Q9KsHWadewjpTTy_K26ee+UnSvHvG4192p-Xw@mail.gmail.comSigned-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      eac34ad1
    • Trond Myklebust's avatar
      NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return · 1f093632
      Trond Myklebust authored
      commit 869f9dfa upstream.
      
      Any attempt to call nfs_remove_bad_delegation() while a delegation is being
      returned is currently a no-op. This means that we can end up looping
      forever in nfs_end_delegation_return() if something causes the delegation
      to be revoked.
      This patch adds a mechanism whereby the state recovery code can communicate
      to the delegation return code that the delegation is no longer valid and
      that it should not be used when reclaiming state.
      It also changes the return value for nfs4_handle_delegation_recall_error()
      to ensure that nfs_end_delegation_return() does not reattempt the lock
      reclaim before state recovery is done.
      
      http://lkml.kernel.org/r/CAN-5tyHwG=Cn2Q9KsHWadewjpTTy_K26ee+UnSvHvG4192p-Xw@mail.gmail.comSigned-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1f093632
    • Jan Kara's avatar
      nfs: Fix use of uninitialized variable in nfs_getattr() · 77683fa6
      Jan Kara authored
      commit 16caf5b6 upstream.
      
      Variable 'err' needn't be initialized when nfs_getattr() uses it to
      check whether it should call generic_fillattr() or not. That can result
      in spurious error returns. Initialize 'err' properly.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      77683fa6
    • Trond Myklebust's avatar
      NFS: Don't try to reclaim delegation open state if recovery failed · a78d2dde
      Trond Myklebust authored
      commit f8ebf7a8 upstream.
      
      If state recovery failed, then we should not attempt to reclaim delegated
      state.
      
      http://lkml.kernel.org/r/CAN-5tyHwG=Cn2Q9KsHWadewjpTTy_K26ee+UnSvHvG4192p-Xw@mail.gmail.comSigned-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a78d2dde
    • Trond Myklebust's avatar
      NFSv4: Ensure that we remove NFSv4.0 delegations when state has expired · ae87d577
      Trond Myklebust authored
      commit 4dfd4f7a upstream.
      
      NFSv4.0 does not have TEST_STATEID/FREE_STATEID functionality, so
      unlike NFSv4.1, the recovery procedure when stateids have expired or
      have been revoked requires us to just forget the delegation.
      
      http://lkml.kernel.org/r/CAN-5tyHwG=Cn2Q9KsHWadewjpTTy_K26ee+UnSvHvG4192p-Xw@mail.gmail.comSigned-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ae87d577
    • Pali Rohár's avatar
      Input: alps - ignore bad data on Dell Latitudes E6440 and E7440 · 4d735897
      Pali Rohár authored
      commit a7ef82ae upstream.
      
      Sometimes on Dell Latitude laptops psmouse/alps driver receive invalid ALPS
      protocol V3 packets with bit7 set in last byte. More often it can be
      reproduced on Dell Latitude E6440 or E7440 with closed lid and pushing
      cover above touchpad.
      
      If bit7 in last packet byte is set then it is not valid ALPS packet. I was
      told that ALPS devices never send these packets. It is not know yet who
      send those packets, it could be Dell EC, bug in BIOS and also bug in
      touchpad firmware...
      
      With this patch alps driver does not process those invalid packets, but
      instead of reporting PSMOUSE_BAD_DATA, getting into out of sync state,
      getting back in sync with the next byte and spam dmesg we return
      PSMOUSE_FULL_PACKET. If driver is truly out of sync we'll fail the checks
      on the next byte and report PSMOUSE_BAD_DATA then.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4d735897
    • Pali Rohár's avatar
      Input: alps - allow up to 2 invalid packets without resetting device · 335d898e
      Pali Rohár authored
      commit 9d720b34 upstream.
      
      On some Dell Latitude laptops ALPS device or Dell EC send one invalid byte
      in 6 bytes ALPS packet. In this case psmouse driver enter out of sync
      state. It looks like that all other bytes in packets are valid and also
      device working properly. So there is no need to do full device reset, just
      need to wait for byte which match condition for first byte (start of
      packet). Because ALPS packets are bigger (6 or 8 bytes) default limit is
      small.
      
      This patch increase number of invalid bytes to size of 2 ALPS packets which
      psmouse driver can drop before do full reset.
      
      Resetting ALPS devices take some time and when doing reset on some Dell
      laptops touchpad, trackstick and also keyboard do not respond. So it is
      better to do it only if really necessary.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      335d898e
    • Pali Rohár's avatar
      Input: alps - ignore potential bare packets when device is out of sync · 92e2e274
      Pali Rohár authored
      commit 4ab8f7f3 upstream.
      
      5th and 6th byte of ALPS trackstick V3 protocol match condition for first
      byte of PS/2 3 bytes packet. When driver enters out of sync state and ALPS
      trackstick is sending data then driver match 5th, 6th and next 1st bytes as
      PS/2.
      
      It basically means if user is using trackstick when driver is in out of
      sync state driver will never resync. Processing these bytes as 3 bytes PS/2
      data cause total mess (random cursor movements, random clicks) and make
      trackstick unusable until psmouse driver decide to do full device reset.
      
      Lot of users reported problems with ALPS devices on Dell Latitude E6440,
      E6540 and E7440 laptops. ALPS device or Dell EC for unknown reason send
      some invalid ALPS PS/2 bytes which cause driver out of sync. It looks like
      that i8042 and psmouse/alps driver always receive group of 6 bytes packets
      so there are no missing bytes and no bytes were inserted between valid
      ones.
      
      This patch does not fix root of problem with ALPS devices found in Dell
      Latitude laptops but it does not allow to process some (invalid)
      subsequence of 6 bytes ALPS packets as 3 bytes PS/2 when driver is out of
      sync.
      
      So with this patch trackstick input device does not report bogus data when
      also driver is out of sync, so trackstick should be usable on those
      machines.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      92e2e274
    • Heinz Mauelshagen's avatar
      dm raid: ensure superblock's size matches device's logical block size · e90b799e
      Heinz Mauelshagen authored
      commit 40d43c4b upstream.
      
      The dm-raid superblock (struct dm_raid_superblock) is padded to 512
      bytes and that size is being used to read it in from the metadata
      device into one preallocated page.
      
      Reading or writing this on a 512-byte sector device works fine but on
      a 4096-byte sector device this fails.
      
      Set the dm-raid superblock's size to the logical block size of the
      metadata device, because IO at that size is guaranteed too work.  Also
      add a size check to avoid silent partial metadata loss in case the
      superblock should ever grow past the logical block size or PAGE_SIZE.
      
      [includes pointer math fix from Dan Carpenter]
      Reported-by: default avatar"Liuhua Wang" <lwang@suse.com>
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e90b799e
    • Joe Thornber's avatar
      dm btree: fix a recursion depth bug in btree walking code · d0960e21
      Joe Thornber authored
      commit 9b460d36 upstream.
      
      The walk code was using a 'ro_spine' to hold it's locked btree nodes.
      But this data structure is designed for the rolling lock scheme, and
      as such automatically unlocks blocks that are two steps up the call
      chain.  This is not suitable for the simple recursive walk algorithm,
      which retraces its steps.
      
      This code is only used by the persistent array code, which in turn is
      only used by dm-cache.  In order to trigger it you need to have a
      mapping tree that is more than 2 levels deep; which equates to 8-16
      million cache blocks.  For instance a 4T ssd with a very small block
      size of 32k only just triggers this bug.
      
      The fix just places the locked blocks on the stack, and stops using
      the ro_spine altogether.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d0960e21
    • Mikulas Patocka's avatar
      dm bufio: change __GFP_IO to __GFP_FS in shrinker callbacks · d1bb12f6
      Mikulas Patocka authored
      commit 9d28eb12 upstream.
      
      The shrinker uses gfp flags to indicate what kind of operation can the
      driver wait for. If __GFP_IO flag is present, the driver can wait for
      block I/O operations, if __GFP_FS flag is present, the driver can wait on
      operations involving the filesystem.
      
      dm-bufio tested for __GFP_IO. However, dm-bufio can run on a loop block
      device that makes calls into the filesystem. If __GFP_IO is present and
      __GFP_FS isn't, dm-bufio could still block on filesystem operations if it
      runs on a loop block device.
      
      The change from __GFP_IO to __GFP_FS supposedly fixes one observed (though
      unreproducible) deadlock involving dm-bufio and loop device.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d1bb12f6
    • Jan Kara's avatar
      block: Fix computation of merged request priority · a39c8649
      Jan Kara authored
      commit ece9c72a upstream.
      
      Priority of a merged request is computed by ioprio_best(). If one of the
      requests has undefined priority (IOPRIO_CLASS_NONE) and another request
      has priority from IOPRIO_CLASS_BE, the function will return the
      undefined priority which is wrong. Fix the function to properly return
      priority of a request with the defined priority.
      
      Fixes: d58cdfb8Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a39c8649
    • Helge Deller's avatar
      parisc: Use compat layer for msgctl, shmat, shmctl and semtimedop syscalls · e29a7bc4
      Helge Deller authored
      commit 2fe749f5 upstream.
      
      Switch over the msgctl, shmat, shmctl and semtimedop syscalls to use the compat
      layer. The problem was found with the debian procenv package, which called
      	shmctl(0, SHM_INFO, &info);
      in which the shmctl syscall then overwrote parts of the surrounding areas on
      the stack on which the info variable was stored and thus lead to a segfault
      later on.
      
      Additionally fix the definition of struct shminfo64 to use unsigned longs like
      the other architectures. This has no impact on userspace since we only have a
      32bit userspace up to now.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: John David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e29a7bc4
    • Christoph Hellwig's avatar
      scsi: only re-lock door after EH on devices that were reset · 7a6e7a36
      Christoph Hellwig authored
      commit 48379270 upstream.
      
      Setups that use the blk-mq I/O path can lock up if a host with a single
      device that has its door locked enters EH.  Make sure to only send the
      command to re-lock the door to devices that actually were reset and thus
      might have lost their state.  Otherwise the EH code might be get blocked
      on blk_get_request as all requests for non-reset devices might be in use.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Tested-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7a6e7a36
    • Peng Tao's avatar
      nfs: fix pnfs direct write memory leak · d0c8187c
      Peng Tao authored
      commit 8c393f9a upstream.
      
      For pNFS direct writes, layout driver may dynamically allocate ds_cinfo.buckets.
      So we need to take care to free them when freeing dreq.
      
      Ideally this needs to be done inside layout driver where ds_cinfo.buckets
      are allocated. But buckets are attached to dreq and reused across LD IO iterations.
      So I feel it's OK to free them in the generic layer.
      Signed-off-by: default avatarPeng Tao <tao.peng@primarydata.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d0c8187c
    • Stefan Richter's avatar
      firewire: cdev: prevent kernel stack leaking into ioctl arguments · 9fb5f68e
      Stefan Richter authored
      commit eaca2d8e upstream.
      
      Found by the UC-KLEE tool:  A user could supply less input to
      firewire-cdev ioctls than write- or write/read-type ioctl handlers
      expect.  The handlers used data from uninitialized kernel stack then.
      
      This could partially leak back to the user if the kernel subsequently
      generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
      which notably would contain the _u64 closure field which many of the
      ioctl argument structures contain.
      
      The fact that the handlers would act on random garbage input is a
      lesser issue since all handlers must check their input anyway.
      
      The fix simply always null-initializes the entire ioctl argument buffer
      regardless of the actual length of expected user input.  That is, a
      runtime overhead of memset(..., 40) is added to each firewirew-cdev
      ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
      most likely to be already in the cache.]
      
      Remarks:
        - There was never any leak from kernel stack to the ioctl output
          buffer itself.  IOW, it was not possible to read kernel stack by a
          read-type or write/read-type ioctl alone; the leak could at most
          happen in combination with read()ing subsequent event data.
        - The actual expected minimum user input of each ioctl from
          include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9fb5f68e
    • Kyle McMartin's avatar
      arm64: __clear_user: handle exceptions on strb · beb762ba
      Kyle McMartin authored
      commit 97fc1543 upstream.
      
      ARM64 currently doesn't fix up faults on the single-byte (strb) case of
      __clear_user... which means that we can cause a nasty kernel panic as an
      ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
      i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
      
      This is a pretty obscure bug in the general case since we'll only
      __do_kernel_fault (since there's no extable entry for pc) if the
      mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
      always fault.
      
      if (!down_read_trylock(&mm->mmap_sem)) {
      	if (!user_mode(regs) && !search_exception_tables(regs->pc))
      		goto no_context;
      retry:
      	down_read(&mm->mmap_sem);
      } else {
      	/*
      	 * The above down_read_trylock() might have succeeded in
      	 * which
      	 * case, we'll have missed the might_sleep() from
      	 * down_read().
      	 */
      	might_sleep();
      	if (!user_mode(regs) && !search_exception_tables(regs->pc))
      		goto no_context;
      }
      
      Fix that by adding an extable entry for the strb instruction, since it
      touches user memory, similar to the other stores in __clear_user.
      Signed-off-by: default avatarKyle McMartin <kyle@redhat.com>
      Reported-by: default avatarMiloš Prchlík <mprchlik@redhat.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      beb762ba
    • Joe Thornber's avatar
      dm thin: grab a virtual cell before looking up the mapping · 2c49ae54
      Joe Thornber authored
      commit c822ed96 upstream.
      
      Avoids normal IO racing with discard.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2c49ae54
    • Will Deacon's avatar
      ARM: 8191/1: decompressor: ensure I-side picks up relocated code · f0a72a0e
      Will Deacon authored
      commit 238962ac upstream.
      
      To speed up decompression, the decompressor sets up a flat, cacheable
      mapping of memory. However, when there is insufficient space to hold
      the page tables for this mapping, we don't bother to enable the caches
      and subsequently skip all the cache maintenance hooks.
      
      Skipping the cache maintenance before jumping to the relocated code
      allows the processor to predict the branch and populate the I-cache
      with stale data before the relocation loop has completed (since a
      bootloader may have SCTLR.I set, which permits normal, cacheable
      instruction fetches regardless of SCTLR.M).
      
      This patch moves the cache maintenance check into the maintenance
      routines themselves, allowing the v6/v7 versions to invalidate the
      I-cache regardless of the MMU state.
      Reported-by: default avatarMarc Carino <marc.ceeeee@gmail.com>
      Tested-by: default avatarJulien Grall <julien.grall@linaro.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f0a72a0e
    • Nathan Lynch's avatar
      ARM: 8198/1: make kuser helpers depend on MMU · d8149279
      Nathan Lynch authored
      commit 08b964ff upstream.
      
      The kuser helpers page is not set up on non-MMU systems, so it does
      not make sense to allow CONFIG_KUSER_HELPERS to be enabled when
      CONFIG_MMU=n.  Allowing it to be set on !MMU results in an oops in
      set_tls (used in execve and the arm_syscall trap handler):
      
      Unhandled exception: IPSR = 00000005 LR = fffffff1
      CPU: 0 PID: 1 Comm: swapper Not tainted 3.18.0-rc1-00041-ga30465a #216
      task: 8b838000 ti: 8b82a000 task.ti: 8b82a000
      PC is at flush_thread+0x32/0x40
      LR is at flush_thread+0x21/0x40
      pc : [<8f00157a>]    lr : [<8f001569>]    psr: 4100000b
      sp : 8b82be20  ip : 00000000  fp : 8b83c000
      r10: 00000001  r9 : 88018c84  r8 : 8bb85000
      r7 : 8b838000  r6 : 00000000  r5 : 8bb77400  r4 : 8b82a000
      r3 : ffff0ff0  r2 : 8b82a000  r1 : 00000000  r0 : 88020354
      xPSR: 4100000b
      CPU: 0 PID: 1 Comm: swapper Not tainted 3.18.0-rc1-00041-ga30465a #216
      [<8f002bc1>] (unwind_backtrace) from [<8f002033>] (show_stack+0xb/0xc)
      [<8f002033>] (show_stack) from [<8f00265b>] (__invalid_entry+0x4b/0x4c)
      
      As best I can tell this issue existed for the set_tls ARM syscall
      before commit fbfb872f "ARM: 8148/1: flush TLS and thumbee
      register state during exec" consolidated the TLS manipulation code
      into the set_tls helper function, but now that we're using it to flush
      register state during execve, !MMU users encounter the oops at the
      first exec.
      
      Prevent CONFIG_MMU=n configurations from enabling
      CONFIG_KUSER_HELPERS.
      
      Fixes: fbfb872f (ARM: 8148/1: flush TLS and thumbee register state during exec)
      Signed-off-by: default avatarNathan Lynch <nathan_lynch@mentor.com>
      Reported-by: default avatarStefan Agner <stefan@agner.ch>
      Acked-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8149279
    • Alex Deucher's avatar
      drm/radeon: add missing crtc unlock when setting up the MC · 984e580d
      Alex Deucher authored
      commit f0d7bfb9 upstream.
      
      Need to unlock the crtc after updating the blanking state.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      984e580d
    • Alex Deucher's avatar
      drm/radeon: make sure mode init is complete in bandwidth_update · 30c45d8c
      Alex Deucher authored
      commit 8efe82ca upstream.
      
      The power management code calls into the display code for
      certain things.  If certain power management sysfs attributes
      are called before the driver has finished initializing all of
      the hardware we can run into problems with uninitialized
      modesetting state.  Add a check to make sure modesetting
      init has completed to the bandwidth update callbacks to
      fix this.  Can be triggered by the tlp and laptop start
      up scripts depending on the timing.
      
      bugs:
      https://bugzilla.kernel.org/show_bug.cgi?id=83611
      https://bugs.freedesktop.org/show_bug.cgi?id=85771Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      30c45d8c
    • Jammy Zhou's avatar
      drm/radeon: set correct CE ram size for CIK · 37dc0956
      Jammy Zhou authored
      commit dc4edad6 upstream.
      
      CE ram size is 32k/0k/0k for GFX/CS0/CS1 with CIK
      
      Ported from amdgpu driver.
      Signed-off-by: default avatarJammy Zhou <Jammy.Zhou@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      37dc0956
    • Johannes Berg's avatar
      mac80211: fix use-after-free in defragmentation · 8384cbaf
      Johannes Berg authored
      commit b8fff407 upstream.
      
      Upon receiving the last fragment, all but the first fragment
      are freed, but the multicast check for statistics at the end
      of the function refers to the current skb (the last fragment)
      causing a use-after-free bug.
      
      Since multicast frames cannot be fragmented and we check for
      this early in the function, just modify that check to also
      do the accounting to fix the issue.
      Reported-by: default avatarYosef Khyal <yosefx.khyal@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8384cbaf
    • Luciano Coelho's avatar
      mac80211: schedule the actual switch of the station before CSA count 0 · e7ba6308
      Luciano Coelho authored
      commit ff1e417c upstream.
      
      Due to the time it takes to process the beacon that started the CSA
      process, we may be late for the switch if we try to reach exactly
      beacon 0.  To avoid that, use count - 1 when calculating the switch time.
      Reported-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarLuciano Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e7ba6308
    • Johannes Berg's avatar
      mac80211: properly flush delayed scan work on interface removal · 3a5a7cd8
      Johannes Berg authored
      commit 46238845 upstream.
      
      When an interface is deleted, an ongoing hardware scan is canceled and
      the driver must abort the scan, at the very least reporting completion
      while the interface is removed.
      
      However, if it scheduled the work that might only run after everything
      is said and done, which leads to cfg80211 warning that the scan isn't
      reported as finished yet; this is no fault of the driver, it already
      did, but mac80211 hasn't processed it.
      
      To fix this situation, flush the delayed work when the interface being
      removed is the one that was executing the scan.
      Reported-by: default avatarSujith Manoharan <sujith@msujith.org>
      Tested-by: default avatarSujith Manoharan <sujith@msujith.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3a5a7cd8
    • Junjie Mao's avatar
      mac80211_hwsim: release driver when ieee80211_register_hw fails · 4d2ff0c7
      Junjie Mao authored
      commit 805dbe17 upstream.
      
      The driver is not released when ieee80211_register_hw fails in
      mac80211_hwsim_create_radio, leading to the access to the unregistered (and
      possibly freed) device in platform_driver_unregister:
      
      [    0.447547] mac80211_hwsim: ieee80211_register_hw failed (-2)
      [    0.448292] ------------[ cut here ]------------
      [    0.448854] WARNING: CPU: 0 PID: 1 at ../include/linux/kref.h:47 kobject_get+0x33/0x50()
      [    0.449839] CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00001-gdd46990-dirty #2
      [    0.450813] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.451512]  00000000 00000000 78025e38 7967c6c6 78025e68 7905e09b 7988b480 00000000
      [    0.452579]  00000001 79887d62 0000002f 79170bb3 79170bb3 78397008 79ac9d74 00000001
      [    0.453614]  78025e78 7905e15d 00000009 00000000 78025e84 79170bb3 78397000 78025e8c
      [    0.454632] Call Trace:
      [    0.454921]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.455453]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.456067]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.456612]  [<79170bb3>] ? kobject_get+0x33/0x50
      [    0.457155]  [<7905e15d>] warn_slowpath_null+0x1d/0x20
      [    0.457748]  [<79170bb3>] kobject_get+0x33/0x50
      [    0.458274]  [<7925824f>] get_device+0xf/0x20
      [    0.458779]  [<7925b5cd>] driver_detach+0x3d/0xa0
      [    0.459331]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.459927]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.460660]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.461248]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.461824]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.462507]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.463161]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.463758]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.464393]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.465001]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.465569]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.466345]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.466972]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.467546]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.468072]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.468658]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.469303]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.469829] ---[ end trace ad8ac403ff8aef5c ]---
      [    0.470509] ------------[ cut here ]------------
      [    0.471047] WARNING: CPU: 0 PID: 1 at ../kernel/locking/lockdep.c:3161 __lock_acquire.isra.22+0x7aa/0xb00()
      [    0.472163] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
      [    0.472774] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.473815] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.474492]  78025de0 78025de0 78025da0 7967c6c6 78025dd0 7905e09b 79888931 78025dfc
      [    0.475515]  00000001 79888a93 00000c59 7907f33a 7907f33a 78028000 fffe9d09 00000000
      [    0.476519]  78025de8 7905e10e 00000009 78025de0 79888931 78025dfc 78025e24 7907f33a
      [    0.477523] Call Trace:
      [    0.477821]  [<7967c6c6>] dump_stack+0x16/0x18
      [    0.478352]  [<7905e09b>] warn_slowpath_common+0x6b/0x90
      [    0.478976]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.479658]  [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480417]  [<7905e10e>] warn_slowpath_fmt+0x2e/0x30
      [    0.480479]  [<7907f33a>] __lock_acquire.isra.22+0x7aa/0xb00
      [    0.480479]  [<79078aa5>] ? sched_clock_cpu+0xb5/0xf0
      [    0.480479]  [<7907fd06>] lock_acquire+0x56/0x70
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<79682d11>] mutex_lock_nested+0x61/0x2a0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.480479]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.480479]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.480479]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.480479]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.480479]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.480479]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.480479]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.480479]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.480479]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.480479]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.480479]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.480479]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.480479]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.480479]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.480479]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.480479]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.480479] ---[ end trace ad8ac403ff8aef5d ]---
      [    0.495478] BUG: unable to handle kernel paging request at 00200200
      [    0.496257] IP: [<79682de5>] mutex_lock_nested+0x135/0x2a0
      [    0.496923] *pde = 00000000
      [    0.497290] Oops: 0002 [#1]
      [    0.497653] CPU: 0 PID: 1 Comm: swapper Tainted: G        W      3.17.0-00001-gdd46990-dirty #2
      [    0.498659] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [    0.499321] task: 78028000 ti: 78024000 task.ti: 78024000
      [    0.499955] EIP: 0060:[<79682de5>] EFLAGS: 00010097 CPU: 0
      [    0.500620] EIP is at mutex_lock_nested+0x135/0x2a0
      [    0.501145] EAX: 00200200 EBX: 78397434 ECX: 78397460 EDX: 78025e70
      [    0.501816] ESI: 00000246 EDI: 78028000 EBP: 78025e8c ESP: 78025e54
      [    0.502497]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
      [    0.503076] CR0: 8005003b CR2: 00200200 CR3: 01b9d000 CR4: 00000690
      [    0.503773] Stack:
      [    0.503998]  00000000 00000001 00000000 7925b5e8 78397460 7925b5e8 78397474 78397460
      [    0.504944]  00200200 11111111 78025e70 78397000 79ac9d74 00000001 78025ea0 7925b5e8
      [    0.505451]  79ac9d74 fffffffe 00000001 78025ebc 7925a3ff 7a251398 78025ec8 7925bf80
      [    0.505451] Call Trace:
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] ? driver_detach+0x58/0xa0
      [    0.505451]  [<7925b5e8>] driver_detach+0x58/0xa0
      [    0.505451]  [<7925a3ff>] bus_remove_driver+0x8f/0xb0
      [    0.505451]  [<7925bf80>] ? class_unregister+0x40/0x80
      [    0.505451]  [<7925bad7>] driver_unregister+0x47/0x50
      [    0.505451]  [<7925c033>] ? class_destroy+0x13/0x20
      [    0.505451]  [<7925d07b>] platform_driver_unregister+0xb/0x10
      [    0.505451]  [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
      [    0.505451]  [<79b30c58>] do_one_initcall+0x106/0x1a9
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79b517b8>] ? if_spi_init_module+0xac/0xac
      [    0.505451]  [<79071935>] ? parse_args+0x2f5/0x480
      [    0.505451]  [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
      [    0.505451]  [<79b30dd9>] kernel_init_freeable+0xde/0x17d
      [    0.505451]  [<79b304d6>] ? do_early_param+0x7a/0x7a
      [    0.505451]  [<79677b1b>] kernel_init+0xb/0xe0
      [    0.505451]  [<79075f42>] ? schedule_tail+0x12/0x40
      [    0.505451]  [<79686580>] ret_from_kernel_thread+0x20/0x30
      [    0.505451]  [<79677b10>] ? rest_init+0xc0/0xc0
      [    0.505451] Code: 89 d8 e8 cf 9b 9f ff 8b 4f 04 8d 55 e4 89 d8 e8 72 9d 9f ff 8d 43 2c 89 c1 89 45 d8 8b 43 30 8d 55 e4 89 53 30 89 4d e4 89 45 e8 <89> 10 8b 55 dc 8b 45 e0 89 7d ec e8 db af 9f ff eb 11 90 31 c0
      [    0.505451] EIP: [<79682de5>] mutex_lock_nested+0x135/0x2a0 SS:ESP 0068:78025e54
      [    0.505451] CR2: 0000000000200200
      [    0.505451] ---[ end trace ad8ac403ff8aef5e ]---
      [    0.505451] Kernel panic - not syncing: Fatal exception
      
      Fixes: 9ea92774 ("mac80211_hwsim: Register and bind to driver")
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarJunjie Mao <eternal.n08@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4d2ff0c7
    • Herbert Xu's avatar
      macvtap: Fix csum_start when VLAN tags are present · 6e2b9478
      Herbert Xu authored
      commit 3ce9b20f upstream.
      
      When VLAN is in use in macvtap_put_user, we end up setting
      csum_start to the wrong place.  The result is that the whoever
      ends up doing the checksum setting will corrupt the packet instead
      of writing the checksum to the expected location, usually this
      means writing the checksum with an offset of -4.
      
      This patch fixes this by adjusting csum_start when VLAN tags are
      detected.
      
      Fixes: f09e2249 ("macvtap: restore vlan header on user read")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e2b9478
    • Ilya Dryomov's avatar
      libceph: do not crash on large auth tickets · 8ad76662
      Ilya Dryomov authored
      commit aaef3170 upstream.
      
      Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
      tickets will have their buffers vmalloc'ed, which leads to the
      following crash in crypto:
      
      [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
      [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.686032] PGD 0
      [   28.688088] Oops: 0000 [#1] PREEMPT SMP
      [   28.688088] Modules linked in:
      [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
      [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [   28.688088] Workqueue: ceph-msgr con_work
      [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
      [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
      [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
      [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
      [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
      [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
      [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
      [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
      [   28.688088] Stack:
      [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
      [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
      [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
      [   28.688088] Call Trace:
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
      [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
      [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
      [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
      [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
      [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
      [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
      [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
      [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
      [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
      [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
      [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
      [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
      [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
      [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
      
      This is because we set up crypto scatterlists as if all buffers were
      kmalloc'ed.  Fix it.
      Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8ad76662
    • Max Filippov's avatar
      xtensa: re-wire umount syscall to sys_oldumount · 89e4b776
      Max Filippov authored
      commit 2651cc69 upstream.
      
      Userspace actually passes single parameter (path name) to the umount
      syscall, so new umount just fails. Fix it by requesting old umount
      syscall implementation and re-wiring umount to it.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      89e4b776
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix memory leak in FTU quirk · 9e7e0e10
      Takashi Iwai authored
      commit 1a290581 upstream.
      
      M-audio FastTrack Ultra quirk doesn't release the kzalloc'ed memory.
      This patch adds the private_free callback to release it properly.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9e7e0e10
    • Tejun Heo's avatar
      ahci: disable MSI instead of NCQ on Samsung pci-e SSDs on macbooks · 9c599f2b
      Tejun Heo authored
      commit 66a7cbc3 upstream.
      
      Samsung pci-e SSDs on macbooks failed miserably on NCQ commands, so
      67809f85 ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
      disabled NCQ on them.  It turns out that NCQ is fine as long as MSI is
      not used, so let's turn off MSI and leave NCQ on.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=60731
      Tested-by: <dorin@i51.org>
      Tested-by: default avatarImre Kaloz <kaloz@openwrt.org>
      Fixes: 67809f85 ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9c599f2b
    • James Ralston's avatar
      ahci: Add Device IDs for Intel Sunrise Point PCH · 8a489593
      James Ralston authored
      commit 690000b9 upstream.
      
      This patch adds the AHCI-mode SATA Device IDs for the Intel Sunrise Point PCH.
      Signed-off-by: default avatarJames Ralston <james.d.ralston@intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8a489593
    • Miklos Szeredi's avatar
      audit: keep inode pinned · 24c0902a
      Miklos Szeredi authored
      commit 799b6014 upstream.
      
      Audit rules disappear when an inode they watch is evicted from the cache.
      This is likely not what we want.
      
      The guilty commit is "fsnotify: allow marks to not pin inodes in core",
      which didn't take into account that audit_tree adds watches with a zero
      mask.
      
      Adding any mask should fix this.
      
      Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      24c0902a
    • Andy Lutomirski's avatar
      x86, x32, audit: Fix x32's AUDIT_ARCH wrt audit · d45d0a5e
      Andy Lutomirski authored
      commit 81f49a8f upstream.
      
      is_compat_task() is the wrong check for audit arch; the check should
      be is_ia32_task(): x32 syscalls should be AUDIT_ARCH_X86_64, not
      AUDIT_ARCH_I386.
      
      CONFIG_AUDITSYSCALL is currently incompatible with x32, so this has
      no visible effect.
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Link: http://lkml.kernel.org/r/a0138ed8c709882aec06e4acc30bfa9b623b8717.1409954077.git.luto@amacapital.netSigned-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d45d0a5e