1. 02 Jul, 2014 40 commits
    • Nicholas Bellinger's avatar
      iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leak · 18b0e46a
      Nicholas Bellinger authored
      commit bbc05048 upstream.
      
      This patch fixes a iscsi_queue_req memory leak when ABORT_TASK response
      has been queued by TFO->queue_tm_rsp() -> lio_queue_tm_rsp() after a
      long standing I/O completes, but the connection has already reset and
      waiting for cleanup to complete in iscsit_release_commands_from_conn()
      -> transport_generic_free_cmd() -> transport_wait_for_tasks() code.
      
      It moves iscsit_free_queue_reqs_for_conn() after the per-connection command
      list has been released, so that the associated se_cmd tag can be completed +
      released by target-core before freeing any remaining iscsi_queue_req memory
      for the connection generated by lio_queue_tm_rsp().
      
      Cc: Thomas Glanzmann <thomas@glanzmann.de>
      Cc: Charalampos Pournaris <charpour@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      18b0e46a
    • Nicholas Bellinger's avatar
      target: Use complete_all for se_cmd->t_transport_stop_comp · ab7f3e46
      Nicholas Bellinger authored
      commit a95d6511 upstream.
      
      This patch fixes a bug where multiple waiters on ->t_transport_stop_comp
      occurs due to a concurrent ABORT_TASK and session reset both invoking
      transport_wait_for_tasks(), while waiting for the associated se_cmd
      descriptor backend processing to complete.
      
      For this case, complete_all() should be invoked in order to wake up
      both waiters in core_tmr_abort_task() + transport_generic_free_cmd()
      process contexts.
      
      Cc: Thomas Glanzmann <thomas@glanzmann.de>
      Cc: Charalampos Pournaris <charpour@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ab7f3e46
    • Nicholas Bellinger's avatar
      target: Set CMD_T_ACTIVE bit for Task Management Requests · a08f9367
      Nicholas Bellinger authored
      commit f15e9cd9 upstream.
      
      This patch fixes a bug where se_cmd descriptors associated with a
      Task Management Request (TMR) where not setting CMD_T_ACTIVE before
      being dispatched into target_tmr_work() process context.
      
      This is required in order for transport_generic_free_cmd() ->
      transport_wait_for_tasks() to wait on se_cmd->t_transport_stop_comp
      if a session reset event occurs while an ABORT_TASK is outstanding
      waiting for another I/O to complete.
      
      Cc: Thomas Glanzmann <thomas@glanzmann.de>
      Cc: Charalampos Pournaris <charpour@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a08f9367
    • Sagi Grimberg's avatar
      Target/iser: Wait for proper cleanup before unloading · 1d88b119
      Sagi Grimberg authored
      commit f5ebec96 upstream.
      
      disconnected_handler works are scheduled on system_wq.
      When attempting to unload, first make sure all works
      have cleaned up.
      Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1d88b119
    • Sagi Grimberg's avatar
      Target/iser: Improve cm events handling · f3c158ab
      Sagi Grimberg authored
      commit 88c4015f upstream.
      
      There are 4 RDMA_CM events that all basically mean that
      the user should teardown the IB connection:
      - DISCONNECTED
      - ADDR_CHANGE
      - DEVICE_REMOVAL
      - TIMEWAIT_EXIT
      
      Only in DISCONNECTED/ADDR_CHANGE it makes sense to
      call rdma_disconnect (send DREQ/DREP to our initiator).
      So we keep the same teardown handler for all of them
      but only indicate calling rdma_disconnect for the relevant
      events.
      
      This patch also removes redundant debug prints for each single
      event.
      
      v2 changes:
       - Call isert_disconnected_handler() for DEVICE_REMOVAL (Or + Sag)
      Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f3c158ab
    • Sagi Grimberg's avatar
      Target/iser: Fix hangs in connection teardown · 34992ea5
      Sagi Grimberg authored
      commit 9d49f5e2 upstream.
      
      In ungraceful teardowns isert close flows seem racy such that
      isert_wait_conn hangs as RDMA_CM_EVENT_DISCONNECTED never
      gets invoked (no one called rdma_disconnect).
      
      Both graceful and ungraceful teardowns will have rx flush errors
      (isert posts a batch once connection is established). Once all
      flush errors are consumed we invoke isert_wait_conn and it will
      be responsible for calling rdma_disconnect. This way it can be
      sure that rdma_disconnect was called and it won't wait forever.
      
      This patch also removes the logout_posted indicator. either the
      logout completion was consumed and no problem decrementing the
      post_send_buf_count, or it was consumed as a flush error. no point
      of keeping it for isert_wait_conn as there is no danger that
      isert_conn will be accidentally removed while it is running.
      
      (Drop unnecessary sleep_on_conn_wait_comp check in
       isert_cq_rx_comp_err - nab)
      Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      34992ea5
    • Sagi Grimberg's avatar
      Target/iser: Bail from accept_np if np_thread is trying to close · 391416ca
      Sagi Grimberg authored
      commit e346ab34 upstream.
      
      In case np_thread state is in RESET/SHUTDOWN/EXIT states,
      no point for isert to stall there as we may get a hang in
      case no one will wake it up later.
      Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      391416ca
    • Jukka Taimisto's avatar
      Bluetooth: Fix L2CAP deadlock · a9fb5766
      Jukka Taimisto authored
      commit 8a96f3cd upstream.
      
      -[0x01 Introduction
      
      We have found a programming error causing a deadlock in Bluetooth subsystem
      of Linux kernel. The problem is caused by missing release_sock() call when
      L2CAP connection creation fails due full accept queue.
      
      The issue can be reproduced with 3.15-rc5 kernel and is also present in
      earlier kernels.
      
      -[0x02 Details
      
      The problem occurs when multiple L2CAP connections are created to a PSM which
      contains listening socket (like SDP) and left pending, for example,
      configuration (the underlying ACL link is not disconnected between
      connections).
      
      When L2CAP connection request is received and listening socket is found the
      l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called.
      This function locks the 'parent' socket and then checks if the accept queue
      is full.
      
      1178         lock_sock(parent);
      1179
      1180         /* Check for backlog size */
      1181         if (sk_acceptq_is_full(parent)) {
      1182                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
      1183                 return NULL;
      1184         }
      
      If case the accept queue is full NULL is returned, but the 'parent' socket
      is not released. Thus when next L2CAP connection request is received the code
      blocks on lock_sock() since the parent is still locked.
      
      Also note that for connections already established and waiting for
      configuration to complete a timeout will occur and l2cap_chan_timeout()
      (net/bluetooth/l2cap_core.c) will be called. All threads calling this
      function will also be blocked waiting for the channel mutex since the thread
      which is waiting on lock_sock() alread holds the channel mutex.
      
      We were able to reproduce this by sending continuously L2CAP connection
      request followed by disconnection request containing invalid CID. This left
      the created connections pending configuration.
      
      After the deadlock occurs it is impossible to kill bluetoothd, btmon will not
      get any more data etc. requiring reboot to recover.
      
      -[0x03 Fix
      
      Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL
      seems to fix the issue.
      Signed-off-by: default avatarJukka Taimisto <jtt@codenomicon.com>
      Reported-by: default avatarTommi Mäkilä <tmakila@codenomicon.com>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a9fb5766
    • Felipe Balbi's avatar
      bluetooth: hci_ldisc: fix deadlock condition · 2223d1af
      Felipe Balbi authored
      commit da64c27d upstream.
      
      LDISCs shouldn't call tty->ops->write() from within
      ->write_wakeup().
      
      ->write_wakeup() is called with port lock taken and
      IRQs disabled, tty->ops->write() will try to acquire
      the same port lock and we will deadlock.
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Reviewed-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Reported-by: default avatarHuang Shijie <b32955@freescale.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Tested-by: default avatarAndreas Bießmann <andreas@biessmann.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2223d1af
    • Jianguo Wu's avatar
      ARM: 8037/1: mm: support big-endian page tables · 8f375cf8
      Jianguo Wu authored
      commit 86f40622 upstream.
      
      When enable LPAE and big-endian in a hisilicon board, while specify
      mem=384M mem=512M@7680M, will get bad page state:
      
      Freeing unused kernel memory: 180K (c0466000 - c0493000)
      BUG: Bad page state in process init  pfn:fa442
      page:c7749840 count:0 mapcount:-1 mapping:  (null) index:0x0
      page flags: 0x40000400(reserved)
      Modules linked in:
      CPU: 0 PID: 1 Comm: init Not tainted 3.10.27+ #66
      [<c000f5f0>] (unwind_backtrace+0x0/0x11c) from [<c000cbc4>] (show_stack+0x10/0x14)
      [<c000cbc4>] (show_stack+0x10/0x14) from [<c009e448>] (bad_page+0xd4/0x104)
      [<c009e448>] (bad_page+0xd4/0x104) from [<c009e520>] (free_pages_prepare+0xa8/0x14c)
      [<c009e520>] (free_pages_prepare+0xa8/0x14c) from [<c009f8ec>] (free_hot_cold_page+0x18/0xf0)
      [<c009f8ec>] (free_hot_cold_page+0x18/0xf0) from [<c00b5444>] (handle_pte_fault+0xcf4/0xdc8)
      [<c00b5444>] (handle_pte_fault+0xcf4/0xdc8) from [<c00b6458>] (handle_mm_fault+0xf4/0x120)
      [<c00b6458>] (handle_mm_fault+0xf4/0x120) from [<c0013754>] (do_page_fault+0xfc/0x354)
      [<c0013754>] (do_page_fault+0xfc/0x354) from [<c0008400>] (do_DataAbort+0x2c/0x90)
      [<c0008400>] (do_DataAbort+0x2c/0x90) from [<c0008fb4>] (__dabt_usr+0x34/0x40)
      
      The bad pfn:fa442 is not system memory(mem=384M mem=512M@7680M), after debugging,
      I find in page fault handler, will get wrong pfn from pte just after set pte,
      as follow:
      do_anonymous_page()
      {
      	...
      	set_pte_at(mm, address, page_table, entry);
      
      	//debug code
      	pfn = pte_pfn(entry);
      	pr_info("pfn:0x%lx, pte:0x%llxn", pfn, pte_val(entry));
      
      	//read out the pte just set
      	new_pte = pte_offset_map(pmd, address);
      	new_pfn = pte_pfn(*new_pte);
      	pr_info("new pfn:0x%lx, new pte:0x%llxn", pfn, pte_val(entry));
      	...
      }
      
      pfn:   0x1fa4f5,     pte:0xc00001fa4f575f
      new_pfn:0xfa4f5, new_pte:0xc00000fa4f5f5f	//new pfn/pte is wrong.
      
      The bug is happened in cpu_v7_set_pte_ext(ptep, pte):
      An LPAE PTE is a 64bit quantity, passed to cpu_v7_set_pte_ext in the r2 and r3 registers.
      On an LE kernel, r2 contains the LSB of the PTE, and r3 the MSB.
      On a BE kernel, the assignment is reversed.
      
      Unfortunately, the current code always assumes the LE case,
      leading to corruption of the PTE when clearing/setting bits.
      
      This patch fixes this issue much like it has been done already in the
      cpu_v7_switch_mm case.
      Signed-off-by: default avatarJianguo Wu <wujianguo@huawei.com>
      Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8f375cf8
    • Russell King's avatar
      ARM: stacktrace: avoid listing stacktrace functions in stacktrace · da2212cb
      Russell King authored
      commit 3683f44c upstream.
      
      While debugging the FEC ethernet driver using stacktrace, it was noticed
      that the stacktraces always begin as follows:
      
       [<c00117b4>] save_stack_trace_tsk+0x0/0x98
       [<c0011870>] save_stack_trace+0x24/0x28
       ...
      
      This is because the stack trace code includes the stack frames for itself.
      This is incorrect behaviour, and also leads to "skip" doing the wrong
      thing (which is the number of stack frames to avoid recording.)
      
      Perversely, it does the right thing when passed a non-current thread.  Fix
      this by ensuring that we have a known constant number of frames above the
      main stack trace function, and always skip these.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      da2212cb
    • Olivier Langlois's avatar
      media: uvcvideo: Fix clock param realtime setting · d22659ae
      Olivier Langlois authored
      commit 3b35fc81 upstream.
      
      timestamps in v4l2 buffers returned to userspace are updated in
      uvc_video_clock_update() which uses timestamps fetched from
      uvc_video_clock_decode() by calling unconditionally ktime_get_ts().
      
      Hence setting the module clock param to realtime has no effect before
      this patch.
      
      This has been tested with ffmpeg:
      
      ffmpeg -y -f v4l2 -input_format yuyv422 -video_size 640x480 -framerate 30 -i /dev/video0 \
       -f alsa -acodec pcm_s16le -ar 16000 -ac 1 -i default \
       -c:v libx264 -preset ultrafast \
       -c:a libfdk_aac \
       out.mkv
      
      and inspecting the v4l2 input starting timestamp.
      Signed-off-by: default avatarOlivier Langlois <olivier@trillion01.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d22659ae
    • Lv Zheng's avatar
      ACPI: Fix conflict between customized DSDT and DSDT local copy · b9441d72
      Lv Zheng authored
      commit 73577d1d upstream.
      
      This patch fixes the following issue:
      If DSDT is customized, no local DSDT copy is needed.
      
      References: https://bugzilla.kernel.org/show_bug.cgi?id=69711Signed-off-by: default avatarEnrico Etxe Arte <goitizena.generoa@gmail.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      [rjw: Subject]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b9441d72
    • David Binderman's avatar
      ACPICA: utstring: Check array index bound before use. · 1da24fbd
      David Binderman authored
      commit 5d42b0fa upstream.
      
      ACPICA BZ 1077. David Binderman.
      
      References: https://bugs.acpica.org/show_bug.cgi?id=1077Signed-off-by: default avatarDavid Binderman <dcb314@hotmail.com>
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      1da24fbd
    • Ezequiel Garcia's avatar
      media: stk1160: Avoid stack-allocated buffer for control URBs · 956ff41a
      Ezequiel Garcia authored
      commit 85ac1a17 upstream.
      
      Currently stk1160_read_reg() uses a stack-allocated char to get the
      read control value. This is wrong because usb_control_msg() requires
      a kmalloc-ed buffer.
      
      This commit fixes such issue by kmalloc'ating a 1-byte buffer to receive
      the read value.
      
      While here, let's remove the urb_buf array which was meant for a similar
      purpose, but never really used.
      
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarEzequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      956ff41a
    • Takashi Iwai's avatar
      media: ivtv: Fix Oops when no firmware is loaded · 30d8ffb3
      Takashi Iwai authored
      commit deb29e90 upstream.
      
      When ivtv PCM device is accessed at the state where no firmware is
      loaded, it oopses like:
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
        IP: [<ffffffffa049a881>] try_mailbox.isra.0+0x11/0x50 [ivtv]
        Call Trace:
          [<ffffffffa049aa20>] ivtv_api_call+0x160/0x6b0 [ivtv]
          [<ffffffffa049af86>] ivtv_api+0x16/0x40 [ivtv]
          [<ffffffffa049b10c>] ivtv_vapi+0xac/0xc0 [ivtv]
          [<ffffffffa049d40d>] ivtv_start_v4l2_encode_stream+0x19d/0x630 [ivtv]
          [<ffffffffa0530653>] snd_ivtv_pcm_capture_open+0x173/0x1c0 [ivtv_alsa]
          [<ffffffffa04526f1>] snd_pcm_open_substream+0x51/0x100 [snd_pcm]
          [<ffffffffa0452853>] snd_pcm_open+0xb3/0x260 [snd_pcm]
          [<ffffffffa0452a37>] snd_pcm_capture_open+0x37/0x50 [snd_pcm]
          [<ffffffffa033f557>] snd_open+0xa7/0x1e0 [snd]
          [<ffffffff8118a628>] chrdev_open+0x88/0x1d0
          [<ffffffff811840be>] do_dentry_open+0x1de/0x270
          [<ffffffff81193a73>] do_last+0x1c3/0xec0
          [<ffffffff81194826>] path_openat+0xb6/0x670
          [<ffffffff81195b65>] do_filp_open+0x35/0x80
          [<ffffffff81185449>] do_sys_open+0x129/0x210
          [<ffffffff815b782d>] system_call_fastpath+0x1a/0x1f
      
      This patch adds the check of firmware at PCM open callback like other
      open callbacks of this driver.
      
      Bugzilla: https://apibugzilla.novell.com/show_bug.cgi?id=875440Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      30d8ffb3
    • Johan Hovold's avatar
      USB: serial: fix potential runtime pm imbalance at device remove · 957bd4c3
      Johan Hovold authored
      commit c14829fa upstream.
      
      Only call usb_autopm_put_interface() if the corresponding
      usb_autopm_get_interface() was successful.
      
      This prevents a potential runtime PM counter imbalance should
      usb_autopm_get_interface() fail. Note that the USB PM usage counter is
      reset when the interface is unbound, but that the runtime PM counter may
      be left unbalanced.
      
      Also add comment on why we don't need to worry about racing
      resume/suspend on autopm_get failures.
      
      Fixes: d5fd650c ("usb: serial: prevent suspend/resume from racing
      against probe/remove")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      957bd4c3
    • Johan Hovold's avatar
      USB: sierra: fix remote wakeup · 59f8ef8d
      Johan Hovold authored
      commit 80cc0fcb upstream.
      
      Make sure that needs_remote_wake up is always set when there are open
      ports.
      
      Currently close() would unconditionally set needs_remote_wakeup to 0
      even though there might still be open ports. This could lead to blocked
      input and possibly dropped data on devices that do not support remote
      wakeup (and which must therefore not be runtime suspended while open).
      
      Add an open_ports counter (protected by the susp_lock) and only clear
      needs_remote_wakeup when the last port is closed.
      
      Fixes: e6929a90 ("USB: support for autosuspend in sierra while
      online")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      59f8ef8d
    • Johan Hovold's avatar
      USB: sierra: fix urb and memory leak on disconnect · 7e7ccedc
      Johan Hovold authored
      commit 014333f7 upstream.
      
      The delayed-write queue was never emptied on disconnect, something which
      would lead to leaked urbs and transfer buffers if the device is
      disconnected before being runtime resumed due to a write.
      
      Fixes: e6929a90 ("USB: support for autosuspend in sierra while
      online")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7e7ccedc
    • Johan Hovold's avatar
      USB: sierra: fix urb and memory leak in resume error path · a2aa7319
      Johan Hovold authored
      commit 7fdd26a0 upstream.
      
      Neither the transfer buffer or the urb itself were released in the
      resume error path for delayed writes. Also on errors, the remainder of
      the queue was not even processed, which leads to further urb and buffer
      leaks.
      
      The same error path also failed to balance the outstanding-urb counter,
      something which results in degraded throughput or completely blocked
      writes.
      
      Fix this by releasing urb and buffer and balancing counters on errors,
      and by always processing the whole queue even when submission of one urb
      fails.
      
      Fixes: e6929a90 ("USB: support for autosuspend in sierra while
      online")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a2aa7319
    • Johan Hovold's avatar
      USB: sierra: fix use after free at suspend/resume · 06974d79
      Johan Hovold authored
      commit 8452727d upstream.
      
      Fix use after free or NULL-pointer dereference during suspend and
      resume.
      
      The port data may never have been allocated (port probe failed)
      or may already have been released by port_remove (e.g. driver is
      unloaded) when suspend and resume are called.
      
      Fixes: e6929a90 ("USB: support for autosuspend in sierra while
      online")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      06974d79
    • Johan Hovold's avatar
      USB: sierra: fix AA deadlock in open error path · 8ae7a23b
      Johan Hovold authored
      commit 353fe198 upstream.
      
      Fix AA deadlock in open error path that would call close() and try to
      grab the already held disc_mutex.
      
      Fixes: b9a44bc1 ("sierra: driver urb handling improvements")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8ae7a23b
    • Johan Hovold's avatar
      USB: usb_wwan: fix potential blocked I/O after resume · 7a797aa0
      Johan Hovold authored
      commit fb7ad4f9 upstream.
      
      Keep trying to submit urbs rather than bail out on first read-urb
      submission error, which would also prevent I/O for any further ports
      from being resumed.
      
      Instead keep an error count, for all types of failed submissions, and
      let USB core know that something went wrong.
      
      Also make sure to always clear the suspended flag. Currently a failed
      read-urb submission would prevent cached writes as well as any
      subsequent writes from being submitted until next suspend-resume cycle,
      something which may not even necessarily happen.
      
      Note that USB core currently only logs an error if an interface resume
      failed.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7a797aa0
    • Johan Hovold's avatar
      USB: usb_wwan: fix potential NULL-deref at resume · bfd75a49
      Johan Hovold authored
      commit 9096f1fb upstream.
      
      The interrupt urb was submitted unconditionally at resume, something
      which could lead to a NULL-pointer dereference in the urb completion
      handler as resume may be called after the port and port data is gone.
      
      Fix this by making sure the interrupt urb is only submitted and active
      when the port is open.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bfd75a49
    • Johan Hovold's avatar
      USB: usb_wwan: fix urb leak at shutdown · 9b71d5c3
      Johan Hovold authored
      commit 79eed03e upstream.
      
      The delayed-write queue was never emptied at shutdown (close), something
      which could lead to leaked urbs if the port is closed before being
      runtime resumed due to a write.
      
      When this happens the output buffer would not drain on close
      (closing_wait timeout), and after consecutive opens, writes could be
      corrupted with previously buffered data, transfered with reduced
      throughput or completely blocked.
      
      Note that unbusy_queued_urb() was simply moved out of CONFIG_PM.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b71d5c3
    • Johan Hovold's avatar
      USB: usb_wwan: fix write and suspend race · 09728099
      Johan Hovold authored
      commit 170fad9e upstream.
      
      Fix race between write() and suspend() which could lead to writes being
      dropped (or I/O while suspended) if the device is runtime suspended
      while a write request is being processed.
      
      Specifically, suspend() releases the susp_lock after determining the
      device is idle but before setting the suspended flag, thus leaving a
      window where a concurrent write() can submit an urb.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      09728099
    • xiao jin's avatar
      USB: usb_wwan: fix race between write and resume · 8cba48ef
      xiao jin authored
      commit d9e93c08 upstream.
      
      We find a race between write and resume. usb_wwan_resume run play_delayed()
      and spin_unlock, but intfdata->suspended still is not set to zero.
      At this time usb_wwan_write is called and anchor the urb to delay
      list. Then resume keep running but the delayed urb have no chance
      to be commit until next resume. If the time of next resume is far
      away, tty will be blocked in tty_wait_until_sent during time. The
      race also can lead to writes being reordered.
      
      This patch put play_Delayed and intfdata->suspended together in the
      spinlock, it's to avoid the write race during resume.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarxiao jin <jin.xiao@intel.com>
      Signed-off-by: default avatarZhang, Qi1 <qi1.zhang@intel.com>
      Reviewed-by: default avatarDavid Cohen <david.a.cohen@linux.intel.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8cba48ef
    • xiao jin's avatar
      USB: usb_wwan: fix urb leak in write error path · 2d08bfbd
      xiao jin authored
      commit db090473 upstream.
      
      When enable usb serial for modem data, sometimes the tty is blocked
      in tty_wait_until_sent because portdata->out_busy always is set and
      have no chance to be cleared.
      
      We find a bug in write error path. usb_wwan_write set portdata->out_busy
      firstly, then try autopm async with error. No out urb submit and no
      usb_wwan_outdat_callback to this write, portdata->out_busy can't be
      cleared.
      
      This patch clear portdata->out_busy if usb_wwan_write try autopm async
      with error.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarxiao jin <jin.xiao@intel.com>
      Signed-off-by: default avatarZhang, Qi1 <qi1.zhang@intel.com>
      Reviewed-by: default avatarDavid Cohen <david.a.cohen@linux.intel.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2d08bfbd
    • Mikulas Patocka's avatar
      matroxfb: perform a dummy read of M_STATUS · f01bea2e
      Mikulas Patocka authored
      commit 972754cf upstream.
      
      I had occasional screen corruption with the matrox framebuffer driver and
      I found out that the reason for the corruption is that the hardware
      blitter accesses the videoram while it is being written to.
      
      The matrox driver has a macro WaitTillIdle() that should wait until the
      blitter is idle, but it sometimes doesn't work. I added a dummy read
      mga_inl(M_STATUS) to WaitTillIdle() to fix the problem. The dummy read
      will flush the write buffer in the PCI chipset, and the next read of
      M_STATUS will return the hardware status.
      
      Since applying this patch, I had no screen corruption at all.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f01bea2e
    • Maurizio Lombardi's avatar
      ext4: fix wrong assert in ext4_mb_normalize_request() · 516bf04c
      Maurizio Lombardi authored
      commit b5b60778 upstream.
      
      The variable "size" is expressed as number of blocks and not as
      number of clusters, this could trigger a kernel panic when using
      ext4 with the size of a cluster different from the size of a block.
      Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      516bf04c
    • Jan Kara's avatar
      ext4: fix zeroing of page during writeback · 7e78f828
      Jan Kara authored
      commit eeece469 upstream.
      
      Tail of a page straddling inode size must be zeroed when being written
      out due to POSIX requirement that modifications of mmaped page beyond
      inode size must not be written to the file. ext4_bio_write_page() did
      this only for blocks fully beyond inode size but didn't properly zero
      blocks partially beyond inode size. Fix this.
      
      The problem has been uncovered by mmap_11-4 test in openposix test suite
      (part of LTP).
      Reported-by: default avatarXiaoguang Wang <wangxg.fnst@cn.fujitsu.com>
      Fixes: 5a0dc736
      Fixes: bd2d0210
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7e78f828
    • Namjae Jeon's avatar
      ext4: fix data integrity sync in ordered mode · 76516da4
      Namjae Jeon authored
      commit 1c8349a1 upstream.
      
      When we perform a data integrity sync we tag all the dirty pages with
      PAGECACHE_TAG_TOWRITE at start of ext4_da_writepages.  Later we check
      for this tag in write_cache_pages_da and creates a struct
      mpage_da_data containing contiguously indexed pages tagged with this
      tag and sync these pages with a call to mpage_da_map_and_submit.  This
      process is done in while loop until all the PAGECACHE_TAG_TOWRITE
      pages are synced. We also do journal start and stop in each iteration.
      journal_stop could initiate journal commit which would call
      ext4_writepage which in turn will call ext4_bio_write_page even for
      delayed OR unwritten buffers. When ext4_bio_write_page is called for
      such buffers, even though it does not sync them but it clears the
      PAGECACHE_TAG_TOWRITE of the corresponding page and hence these pages
      are also not synced by the currently running data integrity sync. We
      will end up with dirty pages although sync is completed.
      
      This could cause a potential data loss when the sync call is followed
      by a truncate_pagecache call, which is exactly the case in
      collapse_range.  (It will cause generic/127 failure in xfstests)
      
      To avoid this issue, we can use set_page_writeback_keepwrite instead of
      set_page_writeback, which doesn't clear TOWRITE tag.
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      Signed-off-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      76516da4
    • Christian Borntraeger's avatar
      s390/lowcore: reserve 96 bytes for IRB in lowcore · 2375be78
      Christian Borntraeger authored
      commit 993072ee upstream.
      
      The IRB might be 96 bytes if the extended-I/O-measurement facility is
      used. This feature is currently not used by Linux, but struct irb
      already has the emw defined. So let's make the irb in lowcore match the
      size of the internal data structure to be future proof.
      We also have to add a pad, to correctly align the paste.
      
      The bigger irb field also circumvents a bug in some QEMU versions that
      always write the emw field on test subchannel and therefore destroy the
      paste definitions of this CPU. Running under these QEMU version broke
      some timing functions in the VDSO and all users of these functions,
      e.g. some JREs.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2375be78
    • Lai Jiangshan's avatar
      idr: fix overflow bug during maximum ID calculation at maximum height · 09b6ffbb
      Lai Jiangshan authored
      commit 3afb69cb upstream.
      
      idr_replace() open-codes the logic to calculate the maximum valid ID
      given the height of the idr tree; unfortunately, the open-coded logic
      doesn't account for the fact that the top layer may have unused slots
      and over-shifts the limit to zero when the tree is at its maximum
      height.
      
      The following test code shows it fails to replace the value for
      id=((1<<27)+42):
      
        static void test5(void)
        {
              int id;
              DEFINE_IDR(test_idr);
        #define TEST5_START ((1<<27)+42) /* use the highest layer */
      
              printk(KERN_INFO "Start test5\n");
              id = idr_alloc(&test_idr, (void *)1, TEST5_START, 0, GFP_KERNEL);
              BUG_ON(id != TEST5_START);
              TEST_BUG_ON(idr_replace(&test_idr, (void *)2, TEST5_START) != (void *)1);
              idr_destroy(&test_idr);
              printk(KERN_INFO "End of test5\n");
        }
      
      Fix the bug by using idr_max() which correctly takes into account the
      maximum allowed shift.
      
      sub_alloc() shares the same problem and may incorrectly fail with
      -EAGAIN; however, this bug doesn't affect correct operation because
      idr_get_empty_slot(), which already uses idr_max(), retries with the
      increased @id in such cases.
      
      [tj@kernel.org: Updated patch description.]
      Signed-off-by: default avatarLai Jiangshan <laijs@cn.fujitsu.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      09b6ffbb
    • Will Deacon's avatar
      arm64: ptrace: change fs when passing kernel pointer to regset code · 177ee132
      Will Deacon authored
      commit c1688707 upstream.
      
      Our compat PTRACE_POKEUSR implementation simply passes the user data to
      regset_copy_from_user after some simple range checking. Unfortunately,
      the data in question has already been copied to the kernel stack by this
      point, so the subsequent access_ok check fails and the ptrace request
      returns -EFAULT. This causes problems tracing fork() with older versions
      of strace.
      
      This patch briefly changes the fs to KERNEL_DS, so that the access_ok
      check passes even with a kernel address.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      177ee132
    • Matthew Dempsky's avatar
      ptrace: fix fork event messages across pid namespaces · 7b41b264
      Matthew Dempsky authored
      commit 4e52365f upstream.
      
      When tracing a process in another pid namespace, it's important for fork
      event messages to contain the child's pid as seen from the tracer's pid
      namespace, not the parent's.  Otherwise, the tracer won't be able to
      correlate the fork event with later SIGTRAP signals it receives from the
      child.
      
      We still risk a race condition if a ptracer from a different pid
      namespace attaches after we compute the pid_t value.  However, sending a
      bogus fork event message in this unlikely scenario is still a vast
      improvement over the status quo where we always send bogus fork event
      messages to debuggers in a different pid namespace than the forking
      process.
      Signed-off-by: default avatarMatthew Dempsky <mdempsky@chromium.org>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Julien Tinnes <jln@chromium.org>
      Cc: Roland McGrath <mcgrathr@chromium.org>
      Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7b41b264
    • Johannes Weiner's avatar
      mm: vmscan: clear kswapd's special reclaim powers before exiting · c25f8a8b
      Johannes Weiner authored
      commit 71abdc15 upstream.
      
      When kswapd exits, it can end up taking locks that were previously held
      by allocating tasks while they waited for reclaim.  Lockdep currently
      warns about this:
      
      On Wed, May 28, 2014 at 06:06:34PM +0800, Gu Zheng wrote:
      >  inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-R} usage.
      >  kswapd2/1151 [HC0[0]:SC0[0]:HE1:SE1] takes:
      >   (&sig->group_rwsem){+++++?}, at: exit_signals+0x24/0x130
      >  {RECLAIM_FS-ON-W} state was registered at:
      >     mark_held_locks+0xb9/0x140
      >     lockdep_trace_alloc+0x7a/0xe0
      >     kmem_cache_alloc_trace+0x37/0x240
      >     flex_array_alloc+0x99/0x1a0
      >     cgroup_attach_task+0x63/0x430
      >     attach_task_by_pid+0x210/0x280
      >     cgroup_procs_write+0x16/0x20
      >     cgroup_file_write+0x120/0x2c0
      >     vfs_write+0xc0/0x1f0
      >     SyS_write+0x4c/0xa0
      >     tracesys+0xdd/0xe2
      >  irq event stamp: 49
      >  hardirqs last  enabled at (49):  _raw_spin_unlock_irqrestore+0x36/0x70
      >  hardirqs last disabled at (48):  _raw_spin_lock_irqsave+0x2b/0xa0
      >  softirqs last  enabled at (0):  copy_process.part.24+0x627/0x15f0
      >  softirqs last disabled at (0):            (null)
      >
      >  other info that might help us debug this:
      >   Possible unsafe locking scenario:
      >
      >         CPU0
      >         ----
      >    lock(&sig->group_rwsem);
      >    <Interrupt>
      >      lock(&sig->group_rwsem);
      >
      >   *** DEADLOCK ***
      >
      >  no locks held by kswapd2/1151.
      >
      >  stack backtrace:
      >  CPU: 30 PID: 1151 Comm: kswapd2 Not tainted 3.10.39+ #4
      >  Call Trace:
      >    dump_stack+0x19/0x1b
      >    print_usage_bug+0x1f7/0x208
      >    mark_lock+0x21d/0x2a0
      >    __lock_acquire+0x52a/0xb60
      >    lock_acquire+0xa2/0x140
      >    down_read+0x51/0xa0
      >    exit_signals+0x24/0x130
      >    do_exit+0xb5/0xa50
      >    kthread+0xdb/0x100
      >    ret_from_fork+0x7c/0xb0
      
      This is because the kswapd thread is still marked as a reclaimer at the
      time of exit.  But because it is exiting, nobody is actually waiting on
      it to make reclaim progress anymore, and it's nothing but a regular
      thread at this point.  Be tidy and strip it of all its powers
      (PF_MEMALLOC, PF_SWAPWRITE, PF_KSWAPD, and the lockdep reclaim state)
      before returning from the thread function.
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reported-by: default avatarGu Zheng <guz.fnst@cn.fujitsu.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c25f8a8b
    • Kees Cook's avatar
      HID: core: fix validation of report id 0 · ebbc3be9
      Kees Cook authored
      commit 1b15d2e5 upstream.
      
      Some drivers use the first HID report in the list instead of using an
      index. In these cases, validation uses ID 0, which was supposed to mean
      "first known report". This fixes the problem, which was causing at least
      the lgff family of devices to stop working since hid_validate_values
      was being called with ID 0, but the devices used single numbered IDs
      for their reports:
      
      0x05, 0x01,         /*  Usage Page (Desktop),                   */
      0x09, 0x05,         /*  Usage (Gamepad),                        */
      0xA1, 0x01,         /*  Collection (Application),               */
      0xA1, 0x02,         /*      Collection (Logical),               */
      0x85, 0x01,         /*          Report ID (1),                  */
      ...
      Reported-by: default avatarSimon Wood <simon@mungewell.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ebbc3be9
    • Hugh Dickins's avatar
      mm: fix sleeping function warning from __put_anon_vma · 6e74114b
      Hugh Dickins authored
      commit 7f39dda9 upstream.
      
      Trinity reports BUG:
      
        sleeping function called from invalid context at kernel/locking/rwsem.c:47
        in_atomic(): 0, irqs_disabled(): 0, pid: 5787, name: trinity-c27
      
      __might_sleep < down_write < __put_anon_vma < page_get_anon_vma <
      migrate_pages < compact_zone < compact_zone_order < try_to_compact_pages ..
      
      Right, since conversion to mutex then rwsem, we should not put_anon_vma()
      from inside an rcu_read_lock()ed section: fix the two places that did so.
      And add might_sleep() to anon_vma_free(), as suggested by Peter Zijlstra.
      
      Fixes: 88c22088 ("mm: optimize page_lock_anon_vma() fast-path")
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6e74114b
    • Naoya Horiguchi's avatar
      mm/memory-failure.c: support use of a dedicated thread to handle SIGBUS(BUS_MCEERR_AO) · 79035696
      Naoya Horiguchi authored
      commit 3ba08129 upstream.
      
      Currently memory error handler handles action optional errors in the
      deferred manner by default.  And if a recovery aware application wants
      to handle it immediately, it can do it by setting PF_MCE_EARLY flag.
      However, such signal can be sent only to the main thread, so it's
      problematic if the application wants to have a dedicated thread to
      handler such signals.
      
      So this patch adds dedicated thread support to memory error handler.  We
      have PF_MCE_EARLY flags for each thread separately, so with this patch
      AO signal is sent to the thread with PF_MCE_EARLY flag set, not the main
      thread.  If you want to implement a dedicated thread, you call prctl()
      to set PF_MCE_EARLY on the thread.
      
      Memory error handler collects processes to be killed, so this patch lets
      it check PF_MCE_EARLY flag on each thread in the collecting routines.
      
      No behavioral change for all non-early kill cases.
      
      Tony said:
      
      : The old behavior was crazy - someone with a multithreaded process might
      : well expect that if they call prctl(PF_MCE_EARLY) in just one thread, then
      : that thread would see the SIGBUS with si_code = BUS_MCEERR_A0 - even if
      : that thread wasn't the main thread for the process.
      
      [akpm@linux-foundation.org: coding-style fixes]
      Signed-off-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Reviewed-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: Kamil Iskra <iskra@mcs.anl.gov>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Chen Gong <gong.chen@linux.jf.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      79035696