1. 10 Nov, 2016 40 commits
    • Ewan D. Milne's avatar
      scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded · 2a1a0a6f
      Ewan D. Milne authored
      commit 4d2b496f upstream.
      
      map_storep was not being vfree()'d in the module_exit call.
      Signed-off-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarLaurence Oberman <loberman@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a1a0a6f
    • Marty Faltesek's avatar
      ath10k: cache calibration data when the core is stopped · 5bac4942
      Marty Faltesek authored
      commit f67b107d upstream.
      
      Commit 0b8e3c4c ("ath10k: move cal data len to hw_params") broke retrieving
      the calibration data from cal_data debugfs file. The length of file was always
      zero. The reason is:
      
          static ssize_t ath10k_debug_cal_data_read(struct file *file,
                                                char __user *user_buf,
                                                size_t count, loff_t *ppos)
          {
              struct ath10k *ar = file->private_data;
              void *buf = file->private_data;
      
      This is obviously bogus, private_data cannot contain both struct ath10k and the
      buffer. Fix it by caching calibration data to ar->debug.cal_data. This also
      allows it to be accessed when the device is not active (interface is down).
      
      The cal_data buffer is fixed size because during the first firmware probe we
      don't yet know what will be the lenght of the calibration data. It was simplest
      just to use a fixed length. There's a WARN_ON() in
      ath10k_debug_cal_data_fetch() if the buffer is too small.
      
      Tested with qca988x and firmware 10.2.4.70.56.
      Reported-by: default avatarNikolay Martynov <mar.kolya@gmail.com>
      Fixes: 0b8e3c4c ("ath10k: move cal data len to hw_params")
      Signed-off-by: default avatarMarty Faltesek <mfaltesek@google.com>
      [kvalo@qca.qualcomm.com: improve commit log and minor other changes]
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5bac4942
    • Felix Fietkau's avatar
      Revert "ath9k_hw: implement temperature compensation support for AR9003+" · a7d092e9
      Felix Fietkau authored
      commit 304e5ac1 upstream.
      
      This reverts commit 171f6402 ("ath9k_hw: implement temperature compensation
      support for AR9003+"). Some users report that this commit causes a regression
      in performance under some conditions.
      
      Fixes: 171f6402 ("ath9k_hw: implement temperature compensation support for AR9003+")
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      [kvalo@qca.qualcomm.com: improve commit log]
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7d092e9
    • Johannes Berg's avatar
      mac80211: discard multicast and 4-addr A-MSDUs · aea7cb3b
      Johannes Berg authored
      commit ea720935 upstream.
      
      In mac80211, multicast A-MSDUs are accepted in many cases that
      they shouldn't be accepted in:
       * drop A-MSDUs with a multicast A1 (RA), as required by the
         spec in 9.11 (802.11-2012 version)
       * drop A-MSDUs with a 4-addr header, since the fourth address
         can't actually be useful for them; unless 4-address frame
         format is actually requested, even though the fourth address
         is still not useful in this case, but ignored
      
      Accepting the first case, in particular, is very problematic
      since it allows anyone else with possession of a GTK to send
      unicast frames encapsulated in a multicast A-MSDU, even when
      the AP has client isolation enabled.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aea7cb3b
    • Stefan Richter's avatar
      firewire: net: fix fragmented datagram_size off-by-one · 27fa1e73
      Stefan Richter authored
      commit e9300a4b upstream.
      
      RFC 2734 defines the datagram_size field in fragment encapsulation
      headers thus:
      
          datagram_size:  The encoded size of the entire IP datagram.  The
          value of datagram_size [...] SHALL be one less than the value of
          Total Length in the datagram's IP header (see STD 5, RFC 791).
      
      Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
      this field with a -/+1 offset:
      
          ether1394_tx() /* transmit */
              ether1394_encapsulate_prep()
                  hdr->ff.dg_size = dg_size - 1;
      
          ether1394_data_handler() /* receive */
              if (hdr->common.lf == ETH1394_HDR_LF_FF)
                  dg_size = hdr->ff.dg_size + 1;
              else
                  dg_size = hdr->sf.dg_size + 1;
      
      Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
      byte sized datagrams in fragments with datagram_size=1499 if link
      fragmentation is required.
      
      Only firewire-net sets and gets datagram_size without this offset.  The
      result is lacking interoperability of firewire-net with OS X, Windows
      XP, and presumably Linux' eth1394.  (I did not test with the latter.)
      For example, FTP data transfers to a Linux firewire-net box with max_rec
      smaller than the 1500 bytes MTU
        - from OS X fail entirely,
        - from Win XP start out with a bunch of fragmented datagrams which
          time out, then continue with unfragmented datagrams because Win XP
          temporarily reduces the MTU to 576 bytes.
      
      So let's fix firewire-net's datagram_size accessors.
      
      Note that firewire-net thereby loses interoperability with unpatched
      firewire-net, but only if link fragmentation is employed.  (This happens
      with large broadcast datagrams, and with large datagrams on several
      FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
      and it can be worked around by setting a small enough MTU.)
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27fa1e73
    • Stefan Richter's avatar
      firewire: net: guard against rx buffer overflows · 032430fb
      Stefan Richter authored
      commit 667121ac upstream.
      
      The IP-over-1394 driver firewire-net lacked input validation when
      handling incoming fragmented datagrams.  A maliciously formed fragment
      with a respectively large datagram_offset would cause a memcpy past the
      datagram buffer.
      
      So, drop any packets carrying a fragment with offset + length larger
      than datagram_size.
      
      In addition, ensure that
        - GASP header, unfragmented encapsulation header, or fragment
          encapsulation header actually exists before we access it,
        - the encapsulated datagram or fragment is of nonzero size.
      Reported-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Reviewed-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
      Fixes: CVE 2016-8633
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      032430fb
    • Patrick Scheuring's avatar
      Input: i8042 - add XMG C504 to keyboard reset table · facb17b6
      Patrick Scheuring authored
      commit da25311c upstream.
      
      The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop.
      Therefore it also needs a keyboard reset to detect the Elantech touchpad.
      Otherwise the touchpad appears to be dead.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(i8042|Elantech|elantech)"
      
      [    2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      [    2.680372] i8042: Attempting to reset device connected to KBD port
      [    2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1
      [    2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12
      [    2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      [    3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e)
      [    3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f.
      [    3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74
      [    3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6
      Signed-off-by: default avatarPatrick Scheuring <patrick.scheuring.dev@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      facb17b6
    • Jes Sorensen's avatar
      rtl8xxxu: Fix rtl8723bu driver reload issue · 8b535f07
      Jes Sorensen authored
      commit ab05e5ec upstream.
      
      The generic disable_rf() function clears bits 22 and 23 in
      REG_RX_WAIT_CCA, however we did not re-enable them again in
      rtl8723b_enable_rf()
      
      This resolves the problem for me with 8723bu devices not working again
      after reloading the driver.
      Signed-off-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b535f07
    • Jes Sorensen's avatar
      rtl8xxxu: Fix big-endian problem reporting mactime · 1c9edb27
      Jes Sorensen authored
      commit 8a55698f upstream.
      
      The full RX descriptor is converted so converting tsfl again would
      return it to it's original endian value.
      Signed-off-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c9edb27
    • Jes Sorensen's avatar
      rtl8xxxu: Fix memory leak in handling rxdesc16 packets · ece1b51a
      Jes Sorensen authored
      commit 1e54134c upstream.
      
      A device running without RX package aggregation could return more data
      in the USB packet than the actual network packet. In this case we
      could would clone the skb but then determine that that there was no
      packet to handle and exit without freeing the cloned skb first.
      
      This has so far only been observed with 8188eu devices, but could
      affect others.
      Signed-off-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ece1b51a
    • Heinz Mauelshagen's avatar
      dm raid: fix activation of existing raid4/10 devices · 5a805cd2
      Heinz Mauelshagen authored
      commit b052b07c upstream.
      
      dm-raid 1.9.0 fails to activate existing RAID4/10 devices that have the
      old superblock format (which does not have takeover/reshaping support
      that was added via commit 33e53f06).
      
      Fix validation path for old superblocks by reverting to the old raid4
      layout and basing checks on mddev->new_{level,layout,...} members in
      super_init_validation().
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a805cd2
    • Andy Whitcroft's avatar
      dm raid: fix compat_features validation · 6e545676
      Andy Whitcroft authored
      commit 5c33677c upstream.
      
      In ecbfb9f1 ("dm raid: add raid level takeover support") a new
      compatible feature flag was added.  Validation for these compat_features
      was added but this only passes for new raid mappings with this feature
      flag.  This causes previously created raid mappings to be failed at
      import.
      
      Check compat_features for the only valid combination.
      
      Fixes: ecbfb9f1 ("dm raid: add raid level takeover support")
      Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e545676
    • Mike Snitzer's avatar
      dm rq: clear kworker_task if kthread_run() returned an error · 05629044
      Mike Snitzer authored
      commit 937fa62e upstream.
      
      cleanup_mapped_device() calls kthread_stop() if kworker_task is
      non-NULL.  Currently the assigned value could be a valid task struct or
      an error code (e.g -ENOMEM).  Reset md->kworker_task to NULL if
      kthread_run() returned an erorr.
      
      Fixes: 7193a9de ("dm rq: check kthread_run return for .request_fn request-based DM")
      Reported-by: default avatarTahsin Erdogan <tahsin@google.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05629044
    • tang.junhui's avatar
      dm table: fix missing dm_put_target_type() in dm_table_add_target() · 13a59a86
      tang.junhui authored
      commit dafa724b upstream.
      
      dm_get_target_type() was previously called so any error returned from
      dm_table_add_target() must first call dm_put_target_type().  Otherwise
      the DM target module's reference count will leak and the associated
      kernel module will be unable to be removed.
      
      Also, leverage the fact that r is already -EINVAL and remove an extra
      newline.
      
      Fixes: 36a0456f ("dm table: add immutable feature")
      Fixes: cc6cbe14 ("dm table: add always writeable feature")
      Fixes: 3791e2fc ("dm table: add singleton feature")
      Signed-off-by: default avatartang.junhui <tang.junhui@zte.com.cn>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13a59a86
    • Heinz Mauelshagen's avatar
      dm mirror: fix read error on recovery after default leg failure · 159a17e8
      Heinz Mauelshagen authored
      commit dcb2ff56 upstream.
      
      If a default leg has failed, any read will cause a new operational
      default leg to be selected and the read is resubmitted.  But until now
      the read will return failure even though it was successful due to
      resubmission.  The reason for this is bio->bi_error was not being
      cleared before resubmitting the bio.
      
      Fix by clearing bio->bi_error before resubmission.
      
      Fixes: 4246a0b6 ("block: add a bi_error field to struct bio")
      Signed-off-by: default avatarHeinz Mauelshagen <heinzm@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      159a17e8
    • Matt Redfearn's avatar
      virtio: console: Unlock vqs while freeing buffers · d8db5234
      Matt Redfearn authored
      commit 34563769 upstream.
      
      Commit c6017e79 ("virtio: console: add locks around buffer removal
      in port unplug path") added locking around the freeing of buffers in the
      vq. However, when free_buf() is called with can_sleep = true and rproc
      is enabled, it calls dma_free_coherent() directly, requiring interrupts
      to be enabled. Currently a WARNING is triggered due to the spin locking
      around free_buf, with a call stack like this:
      
      WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433
      free_buf+0x1a8/0x288
      Call Trace:
      [<8040c538>] show_stack+0x74/0xc0
      [<80757240>] dump_stack+0xd0/0x110
      [<80430d98>] __warn+0xfc/0x130
      [<80430ee0>] warn_slowpath_null+0x2c/0x3c
      [<807e7c6c>] free_buf+0x1a8/0x288
      [<807ea590>] remove_port_data+0x50/0xac
      [<807ea6a0>] unplug_port+0xb4/0x1bc
      [<807ea858>] virtcons_remove+0xb0/0xfc
      [<807b6734>] virtio_dev_remove+0x58/0xc0
      [<807f918c>] __device_release_driver+0xac/0x134
      [<807f924c>] device_release_driver+0x38/0x50
      [<807f7edc>] bus_remove_device+0xfc/0x130
      [<807f4b74>] device_del+0x17c/0x21c
      [<807f4c38>] device_unregister+0x24/0x38
      [<807b6b50>] unregister_virtio_device+0x28/0x44
      
      Fix this by restructuring the loops to allow the locks to only be taken
      where it is necessary to protect the vqs, and release it while the
      buffer is being freed.
      
      Fixes: c6017e79 ("virtio: console: add locks around buffer removal in port unplug path")
      Signed-off-by: default avatarMatt Redfearn <matt.redfearn@imgtec.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d8db5234
    • Will Deacon's avatar
      virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices · 7569d22a
      Will Deacon authored
      commit a0be1db4 upstream.
      
      Legacy virtio defines the virtqueue base using a 32-bit PFN field, with
      a read-only register indicating a fixed page size of 4k.
      
      This can cause problems for DMA allocators that allocate top down from
      the DMA mask, which is set to 64 bits. In this case, the addresses are
      silently truncated to 44-bit, leading to IOMMU faults, failure to read
      from the queue or data corruption.
      
      This patch restricts the coherent DMA mask for legacy PCI virtio devices
      to 44 bits, which matches the specification.
      
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Benjamin Serebrin <serebrin@google.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7569d22a
    • Ladi Prosek's avatar
      virtio_ring: Make interrupt suppression spec compliant · 0c2f67a6
      Ladi Prosek authored
      commit 0ea1e4a6 upstream.
      
      According to the spec, if the VIRTIO_RING_F_EVENT_IDX feature bit is
      negotiated the driver MUST set flags to 0. Not dirtying the available
      ring in virtqueue_disable_cb also has a minor positive performance
      impact, improving L1 dcache load missed by ~0.5% in vring_bench.
      
      Writes to the used event field (vring_used_event) are still unconditional.
      
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarLadi Prosek <lprosek@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0c2f67a6
    • John David Anglin's avatar
      parisc: Ensure consistent state when switching to kernel stack at syscall entry · c528df92
      John David Anglin authored
      commit 6ed51832 upstream.
      
      We have one critical section in the syscall entry path in which we switch from
      the userspace stack to kernel stack. In the event of an external interrupt, the
      interrupt code distinguishes between those two states by analyzing the value of
      sr7. If sr7 is zero, it uses the kernel stack. Therefore it's important, that
      the value of sr7 is in sync with the currently enabled stack.
      
      This patch now disables interrupts while executing the critical section.  This
      prevents the interrupt handler to possibly see an inconsistent state which in
      the worst case can lead to crashes.
      
      Interestingly, in the syscall exit path interrupts were already disabled in the
      critical section which switches back to the userspace stack.
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c528df92
    • Miklos Szeredi's avatar
      ovl: fsync after copy-up · 592de100
      Miklos Szeredi authored
      commit 641089c1 upstream.
      
      Make sure the copied up file hits the disk before renaming to the final
      destination.  If this is not done then the copy-up may corrupt the data in
      the file in case of a crash.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      592de100
    • Miklos Szeredi's avatar
      ovl: update S_ISGID when setting posix ACLs · 3ad464da
      Miklos Szeredi authored
      commit fd3220d3 upstream.
      
      This change fixes xfstest generic/375, which failed to clear the
      setgid bit in the following test case on overlayfs:
      
        touch $testfile
        chown 100:100 $testfile
        chmod 2755 $testfile
        _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
      Reported-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Tested-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Fixes: d837a49b ("ovl: fix POSIX ACL setting")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ad464da
    • Miklos Szeredi's avatar
      ovl: fix get_acl() on tmpfs · be901546
      Miklos Szeredi authored
      commit b93d4a0e upstream.
      
      tmpfs doesn't have ->get_acl() because it only uses cached acls.
      
      This fixes the acl tests in pjdfstest when tmpfs is used as the upper layer
      of the overlay.
      Reported-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 39a25b2b ("ovl: define ->get_acl() for overlay inodes")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be901546
    • Matt Redfearn's avatar
      MIPS: KASLR: Fix handling of NULL FDT · 2b632307
      Matt Redfearn authored
      commit 47366979 upstream.
      
      If platform code returns a NULL pointer to the FDT, initial_boot_params
      will not get set to a valid pointer and attempting to find the /chosen
      node in it will cause a NULL pointer dereference and the kernel to crash
      immediately on startup - with no output to the console.
      
      Fix this by checking that initial_boot_params is valid before using it.
      
      Fixes: 405bc8fd ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
      Signed-off-by: default avatarMatt Redfearn <matt.redfearn@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/14414/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b632307
    • Chuck Lever's avatar
      nfsd: Fix general protection fault in release_lock_stateid() · 1734afcc
      Chuck Lever authored
      commit f46c445b upstream.
      
      When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example),
      I get this crash on the server:
      
      Oct 28 22:04:30 klimt kernel: general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
      Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
      Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 4.9.0-rc2-00005-g82cd754 #8
      Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
      Oct 28 22:04:30 klimt kernel: task: ffff880835c3a100 task.stack: ffff8808420d8000
      Oct 28 22:04:30 klimt kernel: RIP: 0010:[<ffffffffa05a759f>]  [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
      Oct 28 22:04:30 klimt kernel: RSP: 0018:ffff8808420dbce0  EFLAGS: 00010246
      Oct 28 22:04:30 klimt kernel: RAX: ffff88084e6660f0 RBX: ffff88084e667020 RCX: 0000000000000000
      Oct 28 22:04:30 klimt kernel: RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88084e667020
      Oct 28 22:04:30 klimt kernel: RBP: ffff8808420dbcf8 R08: 0000000000000001 R09: 0000000000000000
      Oct 28 22:04:30 klimt kernel: R10: ffff880835c3a100 R11: ffff880835c3aca8 R12: 6b6b6b6b6b6b6b6b
      Oct 28 22:04:30 klimt kernel: R13: ffff88084e6670d8 R14: ffff880835f546f0 R15: ffff880835f1c548
      Oct 28 22:04:30 klimt kernel: FS:  0000000000000000(0000) GS:ffff88087bdc0000(0000) knlGS:0000000000000000
      Oct 28 22:04:30 klimt kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      Oct 28 22:04:30 klimt kernel: CR2: 00007ff020389000 CR3: 0000000001c06000 CR4: 00000000001406e0
      Oct 28 22:04:30 klimt kernel: Stack:
      Oct 28 22:04:30 klimt kernel: ffff88084e667020 0000000000000000 ffff88084e6670d8 ffff8808420dbd20
      Oct 28 22:04:30 klimt kernel: ffffffffa05ac80d ffff880835f54548 ffff88084e640008 ffff880835f545b0
      Oct 28 22:04:30 klimt kernel: ffff8808420dbd70 ffffffffa059803d ffff880835f1c768 0000000000000870
      Oct 28 22:04:30 klimt kernel: Call Trace:
      Oct 28 22:04:30 klimt kernel: [<ffffffffa05ac80d>] nfsd4_free_stateid+0xfd/0x1b0 [nfsd]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa059803d>] nfsd4_proc_compound+0x40d/0x690 [nfsd]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa0583114>] nfsd_dispatch+0xd4/0x1d0 [nfsd]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa047bbf9>] svc_process_common+0x3d9/0x700 [sunrpc]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa047ca64>] svc_process+0xf4/0x330 [sunrpc]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa05827ca>] nfsd+0xfa/0x160 [nfsd]
      Oct 28 22:04:30 klimt kernel: [<ffffffffa05826d0>] ? nfsd_destroy+0x170/0x170 [nfsd]
      Oct 28 22:04:30 klimt kernel: [<ffffffff810b367b>] kthread+0x10b/0x120
      Oct 28 22:04:30 klimt kernel: [<ffffffff810b3570>] ? kthread_stop+0x280/0x280
      Oct 28 22:04:30 klimt kernel: [<ffffffff8174e8ba>] ret_from_fork+0x2a/0x40
      Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8
      Oct 28 22:04:30 klimt kernel: RIP  [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
      Oct 28 22:04:30 klimt kernel: RSP <ffff8808420dbce0>
      Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]---
      
      Jeff Layton says:
      > Hm...now that I look though, this is a little suspicious:
      >
      >    struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
      >
      > I wonder if it's possible for the openstateid to have already been
      > destroyed at this point.
      >
      > We might be better off doing something like this to get the client pointer:
      >
      >    stp->st_stid.sc_client;
      >
      > ...which should be more direct and less dependent on other stateids
      > staying valid.
      
      With the suggested change, I am no longer able to reproduce the above oops.
      
      v2: Fix unhash_lock_stateid() as well
      Fix-suggested-by: default avatarJeff Layton <jlayton@redhat.com>
      Fixes: 42691398 ('nfsd: Fix race between FREE_STATEID and LOCK')
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1734afcc
    • Linus Walleij's avatar
      ARM: dts: fix the SD card on the Snowball · 202c6676
      Linus Walleij authored
      commit 1b283eea upstream.
      
      This fixes a very annoying regression on the Snowball SD card
      that has been around for a while. It turns out that the device
      tree does not configure the direction pins properly, nor sets
      up the pins for the voltage converter properly at boot. Unless
      all things are correctly set up, the feedback clock will not
      work, and makes the driver spew messages in the console (but
      it works, very slowly):
      
      root@Ux500:/ mount /dev/mmcblk0p2 /mnt/
      [    9.953460] mmci-pl18x 80126000.sdi0_per1: error during DMA transfer!
      [    9.960296] mmcblk0: error -110 sending status command, retrying
      [    9.966461] mmcblk0: error -110 sending status command, retrying
      [    9.972534] mmcblk0: error -110 sending status command, aborting
      
      Fix this by rectifying the device tree to correspond to that of
      the Ux500 HREF boards plus the DAT31DIR setting that is unique for
      the Snowball, and things start working smoothly. Add in the SDR12
      and SDR25 modes which this host can do without any problems.
      
      I don't know if this has ever been correct, sadly. It works after
      this patch.
      Reported-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      202c6676
    • Gregory CLEMENT's avatar
      ARM: mvebu: Select corediv clk for all mvebu v7 SoC · db20b510
      Gregory CLEMENT authored
      commit 33c45ef8 upstream.
      
      Since the commit bd3677ff ("clk: mvebu: Remove corediv clock from
      Armada XP"), the corediv clk is no more selected for Armada XP, however
      this clock is used for Armada XP using the compatible
      armada-370-corediv-clock.
      
      While since commit 1594d568 ("clk: mvebu: Move corediv config to
      mvebu config") Armada 38x and Armada 375 got corediv support again, not
      only Armada XP was missed but also Armada 39x.
      
      Actually all the SoC selecting MVEBU_V7 config need this clock:
      git grep "\-corediv-clock" arch/arm/boot/dts
      arch/arm/boot/dts/armada-370-xp.dtsi: compatible = "marvell,armada-370-corediv-clock";
      arch/arm/boot/dts/armada-375.dtsi:    compatible = "marvell,armada-375-corediv-clock";
      arch/arm/boot/dts/armada-38x.dtsi:    compatible = "marvell,armada-380-corediv-clock";
      arch/arm/boot/dts/armada-39x.dtsi:    compatible = "marvell,armada-390-corediv-clock"
      
      This commit now fixes this behavior by letting MVEBU_V7 select
      MVEBU_CLK_COREDIV.
      
      Fixes: bd3677ff ("clk: mvebu: Remove corediv clock from Armada XP")
      Reported-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Acked-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db20b510
    • James Hogan's avatar
      KVM: MIPS: Precalculate MMIO load resume PC · c627b2e7
      James Hogan authored
      commit e1e575f6 upstream.
      
      The advancing of the PC when completing an MMIO load is done before
      re-entering the guest, i.e. before restoring the guest ASID. However if
      the load is in a branch delay slot it may need to access guest code to
      read the prior branch instruction. This isn't safe in TLB mapped code at
      the moment, nor in the future when we'll access unmapped guest segments
      using direct user accessors too, as it could read the branch from host
      user memory instead.
      
      Therefore calculate the resume PC in advance while we're still in the
      right context and save it in the new vcpu->arch.io_pc (replacing the no
      longer needed vcpu->arch.pending_load_cause), and restore it on MMIO
      completion.
      
      Fixes: e685c689 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c627b2e7
    • James Hogan's avatar
      KVM: MIPS: Make ERET handle ERL before EXL · f3a0c969
      James Hogan authored
      commit ede5f3e7 upstream.
      
      The ERET instruction to return from exception is used for returning from
      exception level (Status.EXL) and error level (Status.ERL). If both bits
      are set however we should be returning from ERL first, as ERL can
      interrupt EXL, for example when an NMI is taken. KVM however checks EXL
      first.
      
      Fix the order of the checks to match the pseudocode in the instruction
      set manual.
      
      Fixes: e685c689 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3a0c969
    • Janosch Frank's avatar
      KVM: s390: Fix STHYI buffer alignment for diag224 · 961cf133
      Janosch Frank authored
      commit 45c7ee43 upstream.
      
      Diag224 requires a page-aligned 4k buffer to store the name table
      into. kmalloc does not guarantee page alignment, hence we replace it
      with __get_free_page for the buffer allocation.
      Reported-by: default avatarMichael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Reviewed-by: default avatarCornelia Huck <cornelia.huck@de.ibm.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      961cf133
    • Ido Yariv's avatar
      KVM: x86: fix wbinvd_dirty_mask use-after-free · 88aca01f
      Ido Yariv authored
      commit bd768e14 upstream.
      
      vcpu->arch.wbinvd_dirty_mask may still be used after freeing it,
      corrupting memory. For example, the following call trace may set a bit
      in an already freed cpu mask:
          kvm_arch_vcpu_load
          vcpu_load
          vmx_free_vcpu_nested
          vmx_free_vcpu
          kvm_arch_vcpu_free
      
      Fix this by deferring freeing of wbinvd_dirty_mask.
      Signed-off-by: default avatarIdo Yariv <ido@wizery.com>
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88aca01f
    • Tahsin Erdogan's avatar
      dm: free io_barrier after blk_cleanup_queue call · ea261d17
      Tahsin Erdogan authored
      commit d09960b0 upstream.
      
      dm_old_request_fn() has paths that access md->io_barrier.  The party
      destroying io_barrier should ensure that no future execution of
      dm_old_request_fn() is possible.  Move io_barrier destruction to below
      blk_cleanup_queue() to ensure this and avoid a NULL pointer crash during
      request-based DM device shutdown.
      Signed-off-by: default avatarTahsin Erdogan <tahsin@google.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea261d17
    • Aditya Shankar's avatar
      Staging: wilc1000: Fix kernel Oops on opening the device · 377a2a27
      Aditya Shankar authored
      commit 1d4f1d53 upstream.
      
      Commit 2518ac59 ("staging: wilc1000: Replace kthread with workqueue
      for host interface") adds an unconditional destroy_workqueue() on the
      wilc's "hif_workqueue" soon after its creation thereby rendering
      it unusable. It then further attempts to queue work onto this
      non-existing hif_worqueue and results in:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000010
      pgd = de478000
      [00000010] *pgd=3eec0831, *pte=00000000, *ppte=00000000
      Internal error: Oops: 17 [#1] ARM
      Modules linked in: wilc1000_sdio(C) wilc1000(C)
      CPU: 0 PID: 825 Comm: ifconfig Tainted: G         C      4.8.0-rc8+ #37
      Hardware name: Atmel SAMA5
      task: df56f800 task.stack: deeb0000
      PC is at __queue_work+0x90/0x284
      LR is at __queue_work+0x58/0x284
      pc : [<c0126bb0>]    lr : [<c0126b78>]    psr: 600f0093
      sp : deeb1aa0  ip : def22d78  fp : deea6000
      r10: 00000000  r9 : c0a08150  r8 : c0a2f058
      r7 : 00000001  r6 : dee9b600  r5 : def22d74  r4 : 00000000
      r3 : 00000000  r2 : def22d74  r1 : 07ffffff  r0 : 00000000
      Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
      ...
      [<c0127060>] (__queue_work) from [<c0127298>] (queue_work_on+0x34/0x40)
      [<c0127298>] (queue_work_on) from [<bf0076b4>] (wilc_enqueue_cmd+0x54/0x64 [wilc1000])
      [<bf0076b4>] (wilc_enqueue_cmd [wilc1000]) from [<bf0082b4>] (wilc_set_wfi_drv_handler+0x48/0x70 [wilc1000])
      [<bf0082b4>] (wilc_set_wfi_drv_handler [wilc1000]) from [<bf00509c>] (wilc_mac_open+0x214/0x250 [wilc1000])
      [<bf00509c>] (wilc_mac_open [wilc1000]) from [<c04fde98>] (__dev_open+0xb8/0x11c)
      [<c04fde98>] (__dev_open) from [<c04fe128>] (__dev_change_flags+0x94/0x158)
      [<c04fe128>] (__dev_change_flags) from [<c04fe204>] (dev_change_flags+0x18/0x48)
      [<c04fe204>] (dev_change_flags) from [<c0557d5c>] (devinet_ioctl+0x6b4/0x788)
      [<c0557d5c>] (devinet_ioctl) from [<c04e40a0>] (sock_ioctl+0x154/0x2cc)
      [<c04e40a0>] (sock_ioctl) from [<c01b16e0>] (do_vfs_ioctl+0x9c/0x878)
      [<c01b16e0>] (do_vfs_ioctl) from [<c01b1ef0>] (SyS_ioctl+0x34/0x5c)
      [<c01b1ef0>] (SyS_ioctl) from [<c0107520>] (ret_fast_syscall+0x0/0x3c)
      Code: e5932004 e1520006 01a04003 0affffff (e5943010)
      ---[ end trace b612328adaa6bf20 ]---
      
      This fix removes the unnecessary call to destroy_workqueue() while opening
      the device to avoid the above kernel panic. The deinit routine already
      does a good job of terminating the workqueue when no longer needed.
      Reported-by: default avatarNicolas Ferre <Nicolas.Ferre@microchip.com>
      Fixes: 2518ac59 ("staging: wilc1000: Replace kthread with workqueue for host interface")
      Signed-off-by: default avatarAditya Shankar <Aditya.Shankar@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      377a2a27
    • Sandhya Bankar's avatar
      iio:chemical:atlas-ph-sensor: Fix use of 32 bit int to hold 16 bit big endian value · 0c4ffbf9
      Sandhya Bankar authored
      commit d1fe85ec upstream.
      
      This will result in a random value being reported on big endian architectures.
      (thanks to Lars-Peter Clausen for pointing out the effects of this bug)
      
      Only effects a value printed to the log, but as this reports the settings of
      the probe in question it may be of direct interest to users.
      
      Also, fixes the following sparse endianness warnings:
      
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      drivers/iio/chemical/atlas-ph-sensor.c:215:9: warning: cast to restricted __be16
      Signed-off-by: default avatarSandhya Bankar <bankarsandhya512@gmail.com>
      Fixes: e8dd92bf ("iio: chemical: atlas-ph-sensor: add EC feature")
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0c4ffbf9
    • Marcin Wojtas's avatar
      arm64: dts: marvell: fix clocksource for CP110 master SPI0 · 52a1e76f
      Marcin Wojtas authored
      commit 51227bf5 upstream.
      
      I2C and SPI interfaces share common clock trees within the CP110 HW block.
      It occurred that SPI0 interface has wrong clock assignment in the device
      tree, which is fixed in this commit to a proper value.
      
      Fixes: 728dacc7 ("arm64: dts: marvell: initial DT description of ...")
      Signed-off-by: default avatarMarcin Wojtas <mw@semihalf.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52a1e76f
    • Dmitry Vyukov's avatar
      tty: limit terminal size to 4M chars · 0dff3c63
      Dmitry Vyukov authored
      commit 32b2921e upstream.
      
      Size of kmalloc() in vc_do_resize() is controlled by user.
      Too large kmalloc() size triggers WARNING message on console.
      Put a reasonable upper bound on terminal size to prevent WARNINGs.
      Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
      CC: David Rientjes <rientjes@google.com>
      Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Jiri Slaby <jslaby@suse.com>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: linux-kernel@vger.kernel.org
      Cc: syzkaller@googlegroups.com
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dff3c63
    • Mathias Nyman's avatar
      xhci: workaround for hosts missing CAS bit · 44f0722d
      Mathias Nyman authored
      commit 346e9973 upstream.
      
      If a device is unplugged and replugged during Sx system suspend
      some  Intel xHC hosts will overwrite the CAS (Cold attach status) flag
      and no device connection is noticed in resume.
      
      A device in this state can be identified in resume if its link state
      is in polling or compliance mode, and the current connect status is 0.
      A device in this state needs to be warm reset.
      
      Intel 100/c230 series PCH specification update Doc #332692-006 Errata #8
      
      Observed on Cherryview and Apollolake as they go into compliance mode
      if LFPS times out during polling, and re-plugged devices are not
      discovered at resume.
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44f0722d
    • Mathias Nyman's avatar
      xhci: add restart quirk for Intel Wildcatpoint PCH · 0894224a
      Mathias Nyman authored
      commit 4c39135a upstream.
      
      xHC in Wildcatpoint-LP PCH is similar to LynxPoint-LP and need the
      same quirks to prevent machines from spurious restart while
      shutting them down.
      Reported-by: default avatarHasan Mahmood <hasan.mahm@gmail.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0894224a
    • Long Li's avatar
      hv: do not lose pending heartbeat vmbus packets · b2d28d93
      Long Li authored
      commit 407a3aee upstream.
      
      The host keeps sending heartbeat packets independent of the
      guest responding to them.  Even though we respond to the heartbeat messages at
      interrupt level, we can have situations where there maybe multiple heartbeat
      messages pending that have not been responded to. For instance this occurs when the
      VM is paused and the host continues to send the heartbeat messages.
      Address this issue by draining and responding to all
      the heartbeat messages that maybe pending.
      Signed-off-by: default avatarLong Li <longli@microsoft.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2d28d93
    • Scot Doyle's avatar
      vt: clear selection before resizing · eeae0a12
      Scot Doyle authored
      commit 009e39ae upstream.
      
      When resizing a vt its selection may exceed the new size, resulting in
      an invalid memory access [1]. Clear the selection before resizing.
      
      [1] http://lkml.kernel.org/r/CACT4Y+acDTwy4umEvf5ROBGiRJNrxHN4Cn5szCXE5Jw-d1B=Xw@mail.gmail.comReported-and-tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarScot Doyle <lkml14@scotdoyle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eeae0a12
    • Thomas Gleixner's avatar
      x86/smpboot: Init apic mapping before usage · 9710f5b1
      Thomas Gleixner authored
      commit 1e90a13d upstream.
      
      The recent changes, which forced the registration of the boot cpu on UP
      systems, which do not have ACPI tables, have been fixed for systems w/o
      local APIC, but left a wreckage for systems which have neither ACPI nor
      mptables, but the CPU has an APIC, e.g. virtualbox.
      
      The boot process crashes in prefill_possible_map() as it wants to register
      the boot cpu, which needs to access the local apic, but the local APIC is
      not yet mapped.
      
      There is no reason why init_apic_mapping() can't be invoked before
      prefill_possible_map(). So instead of playing another silly early mapping
      game, as the ACPI/mptables code does, we just move init_apic_mapping()
      before the call to prefill_possible_map().
      
      In hindsight, I should have noticed that combination earlier.
      
      Sorry for the churn (also in stable)!
      
      Fixes: ff856051 ("x86/boot/smp: Don't try to poke disabled/non-existent APIC")
      Reported-and-debugged-by: default avatarMichal Necasek <michal.necasek@oracle.com>
      Reported-and-tested-by: default avatarWolfgang Bauer <wbauer@tmo.at>
      Cc: prarit@redhat.com
      Cc: ville.syrjala@linux.intel.com
      Cc: michael.thayer@oracle.com
      Cc: knut.osmundsen@oracle.com
      Cc: frank.mehnert@oracle.com
      Cc: Borislav Petkov <bp@alien8.de>
      Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1610282114380.5053@nanosSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9710f5b1