22 Aug, 2016 (40 commits)
    • ACPI / sysfs: fix error code in get_status() · 37d5d109
      Dan Carpenter authored
      commit f18ebc21 upstream.
      
      The problem with ornamental, do-nothing gotos is that they lead to
      "forgot to set the error code" bugs.  We should be returning -EINVAL
      here but we don't.  It leads to an uninitialized variable in
      counter_show():
      
          drivers/acpi/sysfs.c:603 counter_show()
          error: uninitialized symbol 'status'.
      
      Fixes: 1c8fce27 (ACPI: introduce drivers/acpi/sysfs.c)
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • cpufreq: Fix GOV_LIMITS handling for the userspace governor · efabb408
      Sai Gurrappadi authored
      commit e43e94c1 upstream.
      
      Currently, the userspace governor only updates frequency on GOV_LIMITS
      if policy->cur falls outside policy->{min/max}. However, it is also
      necessary to update current frequency on GOV_LIMITS to match the user
      requested value if it can be achieved within the new policy->{max/min}.
      
      This was previously the behaviour in the governor until commit d1922f02
      ("cpufreq: Simplify userspace governor") which incorrectly assumed that
      policy->cur == user requested frequency via scaling_setspeed. This won't
      be true if the user requested frequency falls outside policy->{min/max}.
      Ex: a temporary thermal cap throttled the user requested frequency.
      
      Fix this by storing the user requested frequency in a separate variable.
      The governor will then try to achieve this request on every GOV_LIMITS
      change.
      
      Fixes: d1922f02 (cpufreq: Simplify userspace governor)
      Signed-off-by: Sai Gurrappadi <sgurrappadi@nvidia.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
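The GOV_LIMITS behaviour described in this commit, modelled in user space as an added example (not kernel code and not part of the commit): a policy struct with the min/max/cur fields the message names, the pre-fix handler that only touches cur when it falls outside the new window, and the fixed handler that keeps the scaling_setspeed request in its own variable and re-applies it on every limits change. The thermal-cap scenario and all frequencies are constructed.

```c
#include <stdio.h>

/* Constructed user-space model of the userspace governor's policy state.
 * Field names follow the commit message; this is not kernel code. */
struct policy {
	unsigned int min;  /* kHz */
	unsigned int max;  /* kHz */
	unsigned int cur;  /* frequency currently applied */
};

static unsigned int clamp_freq(unsigned int f, unsigned int lo, unsigned int hi)
{
	if (f < lo)
		return lo;
	if (f > hi)
		return hi;
	return f;
}

/* Pre-fix behaviour: on GOV_LIMITS, only move policy->cur if it has fallen
 * outside the new [min, max] window. Nothing remembers what the user asked for,
 * because the code assumed policy->cur == the requested frequency. */
static void gov_limits_old(struct policy *p, unsigned int new_min, unsigned int new_max)
{
	p->min = new_min;
	p->max = new_max;
	if (p->cur < p->min || p->cur > p->max)
		p->cur = clamp_freq(p->cur, p->min, p->max);
}

/* Fixed behaviour: the user's request lives in a separate variable and is
 * re-applied, clamped to the new window, on every GOV_LIMITS. */
static void gov_limits_fixed(struct policy *p, unsigned int requested,
			     unsigned int new_min, unsigned int new_max)
{
	p->min = new_min;
	p->max = new_max;
	p->cur = clamp_freq(requested, p->min, p->max);
}

/* Scenario from the commit: the user asks for 2000 kHz, a temporary thermal
 * cap lowers max to 1500 kHz, then the cap is lifted again. */
unsigned int final_freq_old(void)
{
	struct policy p = { .min = 1000, .max = 3000, .cur = 2000 };
	gov_limits_old(&p, 1000, 1500);   /* throttled: cur -> 1500 */
	gov_limits_old(&p, 1000, 3000);   /* cap lifted: cur is inside the window, stays 1500 */
	return p.cur;
}

unsigned int throttled_freq_fixed(void)
{
	struct policy p = { .min = 1000, .max = 3000, .cur = 2000 };
	unsigned int requested = 2000;    /* value written to scaling_setspeed */
	gov_limits_fixed(&p, requested, 1000, 1500);  /* request clamped to 1500 */
	return p.cur;
}

unsigned int final_freq_fixed(void)
{
	struct policy p = { .min = 1000, .max = 3000, .cur = 2000 };
	unsigned int requested = 2000;
	gov_limits_fixed(&p, requested, 1000, 1500);  /* throttled: cur -> 1500 */
	gov_limits_fixed(&p, requested, 1000, 3000);  /* cap lifted: cur -> 2000 again */
	return p.cur;
}

int main(void)
{
	printf("old governor after cap lifted:   %u kHz\n", final_freq_old());
	printf("fixed governor while throttled:  %u kHz\n", throttled_freq_fixed());
	printf("fixed governor after cap lifted: %u kHz\n", final_freq_fixed());
	return 0;
}
```

The old variant is stuck at the throttled value once the cap goes away, which is the symptom the commit fixes; the fixed variant returns to the requested 2000 kHz as soon as the window allows it.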
    • USB: serial: option: add even more ZTE device ids · dfba23e2
      Lei Liu authored
      commit 74d2a91a upstream.
      
      Add even more ZTE device ids.
      Signed-off-by: lei liu <liu.lei78@zte.com.cn>
      [johan: rebase and replace commit message]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • USB: serial: option: add more ZTE device ids · 9ec00b81
      lei liu authored
      commit f0d09463 upstream.
      
      More ZTE device ids.
      Signed-off-by: lei liu <liu.lei78@zte.com.cn>
      [properly sort them - gregkh]
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • tty: vt, return error when con_startup fails · 360b065e
      Jiri Slaby authored
      commit 6798df4c upstream.
      
      When csw->con_startup() fails in do_register_con_driver, we return no
      error (i.e. 0). This was changed back in 2006 by commit 3e795de7.
      Before that we used to return -ENODEV.
      
      So fix the return value to be -ENODEV in that case again.
      
      Fixes: 3e795de7 ("VT binding: Add binding/unbinding support for the VT console")
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Reported-by: "Dan Carpenter" <dan.carpenter@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mcb: Fixed bar number assignment for the gdd · 096eb844
      Andreas Werner authored
      commit f75564d3 upstream.
      
      The bar number is found in reg2 within the gdd. Therefore
      we need to change the assignment from reg1 to reg2 which
      is the correct location.
      Signed-off-by: Andreas Werner <andreas.werner@men.de>
      Fixes: 3764e82e ("drivers: Introduce MEN Chameleon Bus")
      Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • USB: serial: option: add support for Cinterion PH8 and AHxx · 249dc994
      Schemmel Hans-Christoph authored
      commit 444f94e9 upstream.
      
      Added support for Gemalto's Cinterion PH8 and AHxx products
      with 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.
      
      In addition some minor renaming and formatting.
      Signed-off-by: Hans-Christoph Schemmel <hans-christoph.schemmel@gemalto.com>
      [johan: sort current entries and trim trailing whitespace]
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • driver-core: use 'dev' argument in dev_dbg_ratelimited stub · 84fb87cb
      Arnd Bergmann authored
      commit 1f62ff34 upstream.
      
      dev_dbg_ratelimited() is a macro that ignores its first argument when DEBUG is
      not set, which can lead to unused variable warnings:
      
      ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_sdq_handle':
      ethernet/mellanox/mlxsw/pci.c:646:18: warning: unused variable 'pdev' [-Wunused-variable]
      ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_rdq_handle':
      ethernet/mellanox/mlxsw/pci.c:671:18: warning: unused variable 'pdev' [-Wunused-variable]
      
      The macro already ensures that all its other arguments are silently
      ignored by the compiler without triggering a warning, through the
      use of the no_printk() macro, but the dev argument is not passed into
      that.
      
      This changes the definition to use the same trick as no_printk() with
      an if(0) that leads the compiler to not evaluate the side-effects but
      still see that 'dev' might not be unused.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Suggested-by: Andrew Lunn <andrew@lunn.ch>
      Fixes: 6f586e66 ("driver-core: Shut up dev_dbg_reatelimited() without DEBUG")
      Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
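The `if (0)` trick this commit borrows from no_printk(), as an added user-space example (not the kernel's macros and not part of the commit). `no_printk_demo`, `dev_dbg_ratelimited_before` and `dev_dbg_ratelimited_after` are hypothetical stand-ins built on printf(); the before/after pair shows why dropping the `dev` argument makes a variable that is only used in the debug call look unused, while referencing it under `if (0)` keeps it "used" without evaluating it or any side effects.

```c
#include <stdio.h>

/* Constructed model of the kernel's no_printk() idiom: the call sits under
 * if (0), so the compiler still type-checks the format and "sees" every
 * argument (-Wunused-variable stays quiet, -Wformat still applies), but the
 * expressions are never evaluated at run time. Not kernel code. */
#define no_printk_demo(fmt, ...)			\
do {							\
	if (0)						\
		printf(fmt, ##__VA_ARGS__);		\
} while (0)

/* Hypothetical !DEBUG stub BEFORE the fix: dev is dropped on the floor, so a
 * local that is referenced only here triggers "unused variable" under -Wall,
 * which is exactly the mlxsw warning quoted in the commit. */
#define dev_dbg_ratelimited_before(dev, fmt, ...)	\
	no_printk_demo(fmt, ##__VA_ARGS__)

/* Hypothetical !DEBUG stub AFTER the fix: dev is referenced inside the same
 * if (0), so it counts as used but is never evaluated. */
#define dev_dbg_ratelimited_after(dev, fmt, ...)			\
do {									\
	if (0)								\
		printf("%p: " fmt, (void *)(dev), ##__VA_ARGS__);	\
} while (0)

static int side_effect_calls;

/* An argument with a visible side effect, to prove nothing runs. */
static const char *touch(void)
{
	side_effect_calls++;
	return "touched";
}

/* pdev is used only inside the fixed stub. This compiles cleanly under
 * -Wall -Wunused-variable, and touch() is never called. Returns 0. */
int dev_used_only_in_stub(void)
{
	int *pdev = &side_effect_calls;
	side_effect_calls = 0;
	dev_dbg_ratelimited_after(pdev, "%s\n", touch());
	return side_effect_calls;
}

/* The old stub also skips evaluation (returns 0), but had pdev been a local
 * passed only here, -Wall would have reported it as unused because the macro
 * never mentions its first argument. */
int dev_dropped_by_old_stub(void)
{
	side_effect_calls = 0;
	dev_dbg_ratelimited_before(&side_effect_calls, "%s\n", touch());
	return side_effect_calls;
}

int main(void)
{
	printf("side effects with fixed stub: %d\n", dev_used_only_in_stub());
	printf("side effects with old stub:   %d\n", dev_dropped_by_old_stub());
	return 0;
}
```

Both counters stay at zero, which is the point of the idiom: the debug call costs nothing in a non-DEBUG build, yet every argument, `dev` included, remains visible to the compiler's unused-variable and format checks.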
    • char: Drop bogus dependency of DEVPORT on !M68K · a3fc1dcf
      Geert Uytterhoeven authored
      commit 309124e2 upstream.
      
      According to full-history-linux commit d3794f4fa7c3edc3 ("[PATCH] M68k
      update (part 25)"), port operations are allowed on m68k if CONFIG_ISA is
      defined.
      
      However, commit 153dcc54 ("[PATCH] mem driver: fix conditional
      on isa i/o support") accidentally changed an "||" into an "&&",
      disabling it completely on m68k. This logic was retained when
      introducing the DEVPORT symbol in commit 4f911d64 ("Make
      /dev/port conditional on config symbol").
      
      Drop the bogus dependency on !M68K to fix this.
      
      Fixes: 153dcc54 ("[PATCH] mem driver: fix conditional on isa i/o support")
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Tested-by: Al Stone <ahs3@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Fix OpenSSH pty regression on close · 2554b504
      Brian Bloniarz authored
      commit 0f40fbbc upstream.
      
      OpenSSH expects the (non-blocking) read() of pty master to return
      EAGAIN only if it has received all of the slave-side output after
      it has received SIGCHLD. This used to work on pre-3.12 kernels.
      
      This fix effectively forces non-blocking read() and poll() to
      block for parallel i/o to complete for all ttys. It also unwinds
      these changes:
      
      1) f8747d4a
         tty: Fix pty master read() after slave closes
      
      2) 52bce7f8
         pty, n_tty: Simplify input processing on final close
      
      3) 1a48632f
         pty: Fix input race when closing
      
      Inspired by analysis and patch from Marc Aurele La France <tsi@tuyoix.net>
      Reported-by: Volth <openssh@volth.com>
      Reported-by: Marc Aurele La France <tsi@tuyoix.net>
      BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
      BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492
      Signed-off-by: Brian Bloniarz <brian.bloniarz@gmail.com>
      Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16:
       - No need to unwind commits 2 and 3
       - Keep using tty_flush_to_ldisc() rather than adding tty_buffer_flush_work()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Revert "tty: Fix pty master poll() after slave closes v2" · 402c9224
      Peter Hurley authored
      commit 2ce3c10c upstream.
      
      This reverts commit c4dc3046.
      This fix is superseded by commit 52bce7f8,
      'pty, n_tty: Simplify input processing on final close'.
      
      The final close now waits for input processing to complete before
      destroying the pty, so poll() does not need to special case this
      condition.
      
      Cc: Francesco Ruggeri <fruggeri@arista.com>
      Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • MIPS: ath79: make bootconsole wait for both THRE and TEMT · d443308d
      Matthias Schiffer authored
      commit f5b556c9 upstream.
      
      This makes the ath79 bootconsole behave the same way as the generic 8250
      bootconsole.
      
      Also waiting for TEMT (transmit buffer is empty) instead of just THRE
      (transmit buffer is not full) ensures that all characters have been
      transmitted before the real serial driver starts reconfiguring the serial
      controller (which would sometimes result in garbage being transmitted.)
      This change does not cause a visible performance loss.
      
      In addition, this seems to fix a hang observed in certain configurations on
      many AR7xxx/AR9xxx SoCs during autoconfig of the real serial driver.
      
      A more complete follow-up patch will disable 8250 autoconfig for ath79
      altogether (the serial controller is detected as a 16550A, which is not
      fully compatible with the ath79 serial, and the autoconfig may lead to
      undefined behavior on ath79.)
      Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: clean up error handling when orphan list is corrupted · 9de12e45
      Theodore Ts'o authored
      commit 7827a7f6 upstream.
      
      Instead of just printing warning messages, if the orphan list is
      corrupted, declare the file system is corrupted.  If there are any
      reserved inodes in the orphaned inode list, declare the file system
      corrupted and stop right away to avoid doing more potential damage to
      the file system.
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.16: leave error code as EIO]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: fix hang when processing corrupted orphaned inode list · 29cc7c13
      Theodore Ts'o authored
      commit c9eb13a9 upstream.
      
      If the orphaned inode list contains inode #5, ext4_iget() returns a
      bad inode (since the bootloader inode should never be referenced
      directly).  Because of the bad inode, we end up processing the inode
      repeatedly and this hangs the machine.
      
      This can be reproduced via:
      
         mke2fs -t ext4 /tmp/foo.img 100
         debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
         mount -o loop /tmp/foo.img /mnt
      
      (But don't do this if you are using an unpatched kernel if you care
      about the system staying functional.  :-)
      
      This bug was found by the port of American Fuzzy Lop into the kernel
      to find file system problems[1].  (Since it *only* happens if inode #5
      shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
      surprising that AFL needed two hours before it found it.)
      
      [1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
      
      Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • aacraid: Fix for aac_command_thread hang · 139b7913
      Raghava Aditya Renukunta authored
      commit fc4bf75e upstream.
      
      Typically under error conditions, it is possible for aac_command_thread()
      to miss the wakeup from kthread_stop() and go back to sleep, causing it
      to hang aac_shutdown.
      
      In the observed scenario, the adapter is not functioning correctly and so
      aac_fib_send() never completes (or times out, depending on how it was
      called). Shortly after aac_command_thread() starts it performs
      aac_fib_send(SendHostTime) which hangs. When aac_probe_one
      /aac_get_adapter_info send times out, kthread_stop is called which breaks
      the command thread out of its hang.
      
      The code will still go back to sleep in schedule_timeout() without
      checking kthread_should_stop() so it causes aac_probe_one to hang until
      the schedule_timeout() which is 30 minutes.
      
      Fixed by: Adding another kthread_should_stop() before schedule_timeout()
      Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • aacraid: Relinquish CPU during timeout wait · c43b7e9d
      Raghava Aditya Renukunta authored
      commit 07beca2b upstream.
      
      aac_fib_send has a special function case for initial commands during
      driver initialization using wait < 0 (pseudo sync mode). In this case,
      the command does not sleep but rather spins checking for timeout. This
      loop calls cpu_relax() in an attempt to allow other processes/threads
      to use the CPU, but this function does not relinquish the CPU and so the
      command will hog the processor. This was observed in a KDUMP
      "crashkernel" and that prevented the "command thread" (which is
      responsible for completing the command from being timed out) from
      starting because it could not get the CPU.
      
      Fixed by replacing "cpu_relax()" call with "schedule()"
      Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables · 18b12d81
      Marc Zyngier authored
      commit d4b9e079 upstream.
      
      The ARM architecture mandates that when changing a page table entry
      from a valid entry to another valid entry, an invalid entry is first
      written, TLB invalidated, and only then the new entry being written.
      
      The current code doesn't respect this, directly writing the new
      entry and only then invalidating TLBs. Let's fix it up.
      Reported-by: Christoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl · 85b0924b
      Luke Dashjr authored
      commit 4c63c245 upstream.
      
      32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
      be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
      fail.
      Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
      Reviewed-by: Josef Bacik <jbacik@fb.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • crypto: s5p-sss - fix incorrect usage of scatterlists api · 59ef2a4c
      Marek Szyprowski authored
      commit d1497977 upstream.
      
      sg_dma_len() macro can be used only on scatterlists which are mapped, so
      all calls to it before dma_map_sg() are invalid. Replace them by proper
      check for direct sg segment length read.
      
      Fixes: a49e490c ("crypto: s5p-sss - add S5PV210 advanced crypto engine support")
      Fixes: 9e4a1100 ("crypto: s5p-sss - Handle unaligned buffers")
      Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
      Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
      Acked-by: Vladimir Zapolskiy <vz@mleia.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.16: unaligned DMA is unsupported so there is a different
       set of calls to replace]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO · 8e1ec948
      Bjorn Helgaas authored
      commit c20e1280 upstream.
      
      The alpha pci_mmap_resource() is used for both IORESOURCE_MEM and
      IORESOURCE_IO resources, but iomem_is_exclusive() is only applicable for
      IORESOURCE_MEM.
      
      Call iomem_is_exclusive() only for IORESOURCE_MEM resources, and do it
      earlier to match the generic version of pci_mmap_resource().
      
      Fixes: 10a0ef39 ("PCI/alpha: pci sysfs resources")
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      CC: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() · 6eb6abdd
      Bjorn Helgaas authored
      commit ca620723 upstream.
      
      iomem_is_exclusive() requires a CPU physical address, but on some arches we
      supplied a PCI bus address instead.
      
      On most arches, pci_resource_to_user(res) returns "res->start", which is a
      CPU physical address.  But on microblaze, mips, powerpc, and sparc, it
      returns the PCI bus address corresponding to "res->start".
      
      The result is that pci_mmap_resource() may fail when it shouldn't (if the
      bus address happens to match an existing resource), or it may succeed when
      it should fail (if the resource is exclusive but the bus address doesn't
      match it).
      
      Call iomem_is_exclusive() with "res->start", which is always a CPU physical
      address, not the result of pci_resource_to_user().
      
      Fixes: e8de1481 ("resource: allow MMIO exclusivity for device drivers")
      Suggested-by: Yinghai Lu <yinghai@kernel.org>
      Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
      CC: Arjan van de Ven <arjan@linux.intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks · fd815747
      Krzysztof Kozlowski authored
      commit 79152e8d upstream.
      
      The tcrypt testing module on Exynos5422-based Odroid XU3/4 board failed on
      testing 8 kB size blocks:
      
      	$ sudo modprobe tcrypt sec=1 mode=500
      	testing speed of async ecb(aes) (ecb-aes-s5p) encryption
      	test 0 (128 bit key, 16 byte blocks): 21971 operations in 1 seconds (351536 bytes)
      	test 1 (128 bit key, 64 byte blocks): 21731 operations in 1 seconds (1390784 bytes)
      	test 2 (128 bit key, 256 byte blocks): 21932 operations in 1 seconds (5614592 bytes)
      	test 3 (128 bit key, 1024 byte blocks): 21685 operations in 1 seconds (22205440 bytes)
      	test 4 (128 bit key, 8192 byte blocks):
      
      This was caused by a race issue of missed BRDMA_DONE ("Block cipher
      Receiving DMA") interrupt. Device starts processing the data in DMA mode
      immediately after setting length of DMA block: receiving (FCBRDMAL) or
      transmitting (FCBTDMAL). The driver sets these lengths from interrupt
      handler through s5p_set_dma_indata() function (or xxx_setdata()).
      
      However the interrupt handler was first dealing with receive buffer
      (dma-unmap old, dma-map new, set receive block length which starts the
      operation), then with transmit buffer and finally was clearing pending
      interrupts (FCINTPEND). Because of the time window between setting
      receive buffer length and clearing pending interrupts, the operation on
      receive buffer could end already and driver would miss new interrupt.
      
      User manual for Exynos5422 confirms in example code that setting DMA
      block lengths should be the last operation.
      
      The tcrypt hang could be also observed in following blocked-task dmesg:
      
      INFO: task modprobe:258 blocked for more than 120 seconds.
            Not tainted 4.6.0-rc4-next-20160419-00005-g9eac8b7b7753-dirty #42
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      modprobe        D c06b09d8     0   258    256 0x00000000
      [<c06b09d8>] (__schedule) from [<c06b0f24>] (schedule+0x40/0xac)
      [<c06b0f24>] (schedule) from [<c06b49f8>] (schedule_timeout+0x124/0x178)
      [<c06b49f8>] (schedule_timeout) from [<c06b17fc>] (wait_for_common+0xb8/0x144)
      [<c06b17fc>] (wait_for_common) from [<bf0013b8>] (test_acipher_speed+0x49c/0x740 [tcrypt])
      [<bf0013b8>] (test_acipher_speed [tcrypt]) from [<bf003e8c>] (do_test+0x2240/0x30ec [tcrypt])
      [<bf003e8c>] (do_test [tcrypt]) from [<bf008048>] (tcrypt_mod_init+0x48/0xa4 [tcrypt])
      [<bf008048>] (tcrypt_mod_init [tcrypt]) from [<c010177c>] (do_one_initcall+0x3c/0x16c)
      [<c010177c>] (do_one_initcall) from [<c0191ff0>] (do_init_module+0x5c/0x1ac)
      [<c0191ff0>] (do_init_module) from [<c0185610>] (load_module+0x1a30/0x1d08)
      [<c0185610>] (load_module) from [<c0185ab0>] (SyS_finit_module+0x8c/0x98)
      [<c0185ab0>] (SyS_finit_module) from [<c01078c0>] (ret_fast_syscall+0x0/0x3c)
      
      Fixes: a49e490c ("crypto: s5p-sss - add S5PV210 advanced crypto engine support")
      Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
      Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: fix data exposure after a crash · b274508e
      Jan Kara authored
      commit 06bd3c36 upstream.
      
      Huang has reported that in his powerfail testing he is seeing stale
      block contents in some of recently allocated blocks although he mounts
      ext4 in data=ordered mode. After some investigation I have found out
      that indeed when delayed allocation is used, we don't add inode to
      transaction's list of inodes needing flushing before commit. Originally
      we were doing that but commit f3b59291 removed the logic with a
      flawed argument that it is not needed.
      
      The problem is that although for delayed allocated blocks we write their
      contents immediately after allocating them, there is no guarantee that
      the IO scheduler or device doesn't reorder things and thus transaction
      allocating blocks and attaching them to inode can reach stable storage
      before actual block contents. Actually whenever we attach freshly
      allocated blocks to inode using a written extent, we should add inode to
      transaction's ordered inode list to make sure we properly wait for block
      contents to be written before committing the transaction. So that is
      what we do in this patch. This also handles other cases where stale data
      exposure was possible - like filling hole via mmap in
      data=ordered,nodelalloc mode.
      
      The only exception to the above rule are extending direct IO writes where
      blkdev_direct_IO() waits for IO to complete before increasing i_size and
      thus stale data exposure is not possible. For now we don't complicate
      the code with optimizing this special case since the overhead is pretty
      low. In case this is observed to be a performance problem we can always
      handle it using a special flag to ext4_map_blocks().
      
      Fixes: f3b59291
      Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
      Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.16:
       - Drop check for EXT4_GET_BLOCKS_ZERO flag
       - Adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • EDAC: Increment correct counter in edac_inc_ue_error() · 9cbacbad
      Emmanouil Maroudas authored
      commit 993f88f1 upstream.
      
      Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of
      ce_noinfo_count.
      Signed-off-by: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Fixes: 4275be63 ("edac: Change internal representation to work with layers")
      Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • PM / Runtime: Fix error path in pm_runtime_force_resume() · e7a2c5bb
      Ulf Hansson authored
      commit 0ae3aeef upstream.
      
      As pm_runtime_set_active() may fail because the device's parent isn't
      active, we can end up executing the ->runtime_resume() callback for the
      device when it isn't allowed.
      
      Fix this by invoking pm_runtime_set_active() before running the callback
      and let's also deal with the error code.
      
      Fixes: 37f20416 (PM: Add pm_runtime_suspend|resume_force functions)
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel · d2666066
      Hari Bathini authored
      commit 8ed8ab40 upstream.
      
      Some of the interrupt vectors on 64-bit POWER server processors are only
      32 bytes long (8 instructions), which is not enough for the full
      first-level interrupt handler. For these we need to branch to an
      out-of-line (OOL) handler. But when we are running a relocatable kernel,
      interrupt vectors till __end_interrupts marker are copied down to real
      address 0x100. So, branching to labels (ie. OOL handlers) outside this
      section must be handled differently (see LOAD_HANDLER()), considering
      relocatable kernel, which would need at least 4 instructions.
      
      However, branching from interrupt vector means that we corrupt the
      CFAR (come-from address register) on POWER7 and later processors as
      mentioned in commit 1707dd16. So, EXCEPTION_PROLOG_0 (6 instructions)
      that contains the part up to the point where the CFAR is saved in the
      PACA should be part of the short interrupt vectors before we branch out
      to OOL handlers.
      
      But as mentioned already, there are interrupt vectors on 64-bit POWER
      server processors that are only 32 bytes long (like vectors 0x4f00,
      0x4f20, etc.), which cannot accommodate the above two cases at the same
      time owing to space constraint. Currently, in these interrupt vectors,
      we simply branch out to OOL handlers, without using LOAD_HANDLER(),
      which leaves us vulnerable when running a relocatable kernel (eg. kdump
      case). While this has been the case for some time now and kdump is used
      widely, we were fortunate not to see any problems so far, for three
      reasons:
      
        1. In almost all cases, production kernel (relocatable) is used for
           kdump as well, which would mean that crashed kernel's OOL handler
           would be at the same place where we end up branching to, from short
           interrupt vector of kdump kernel.
        2. Also, OOL handler was unlikely the reason for crash in almost all
           the kdump scenarios, which meant we had a sane OOL handler from
           crashed kernel that we branched to.
        3. On most 64-bit POWER server processors, page size is large enough
           that marking interrupt vector code as executable (see commit
           429d2e83) leads to marking OOL handler code from crashed kernel,
           that sits right below interrupt vector code from kdump kernel, as
           executable as well.
      
      Let us fix this by moving the __end_interrupts marker down past OOL
      handlers to make sure that we also copy OOL handlers to real address
      0x100 when running a relocatable kernel.
      
      This fix has been tested successfully in kdump scenario, on an LPAR with
      4K page size by using different default/production kernel and kdump
      kernel.
      
      Also tested by manually corrupting the OOL handlers in the first kernel
      and then kdump'ing, and then causing the OOL handlers to fire - mpe.
      
      Fixes: c1fb6816 ("powerpc: Add relocation on exception vector handlers")
      Signed-off-by: default avatarHari Bathini <hbathini@linux.vnet.ibm.com>
      Signed-off-by: default avatarMahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d2666066
    • Takashi Iwai's avatar
      Bluetooth: vhci: Fix race at creating hci device · 418429fd
      Takashi Iwai authored
      commit c7c999cb upstream.
      
      hci_vhci driver creates a hci device object dynamically upon each
      HCI_VENDOR_PKT write.  Although it checks the already created object
      and returns an error, it's still racy and may build multiple hci_dev
      objects concurrently when parallel writes are performed, as the device
      tracks only a single hci_dev object.
      
      This patch introduces a mutex to protect against the concurrent device
      creations.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      418429fd
    • Geert Uytterhoeven's avatar
      serial: doc: Re-add paragraph documenting uart_console_write() · 35d7cfb3
      Geert Uytterhoeven authored
      commit d124fd3b upstream.
      
      Commit 834392a7 ("serial: doc: Un-document non-existing
      uart_write_console()") removed a paragraph about a helper function that
      seemed to never exist.
      
      Peter Hurley pointed out that the function does exist, but is called
      differently. Re-add the paragraph, with the function name corrected.
      
      Fixes: 834392a7 ("serial: doc: Un-document non-existing uart_write_console()")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      35d7cfb3
    • Johannes Thumshirn's avatar
      Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" · 638c0993
      Johannes Thumshirn authored
      commit 305c2e71 upstream.
      
      Now that we've done a more comprehensive fix with the intermediate
      target state we can remove the previous hack introduced with commit
      90a88d6e ("scsi: fix soft lockup in scsi_remove_target() on module
      removal").
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      638c0993
    • Johannes Thumshirn's avatar
      scsi: Add intermediate STARGET_REMOVE state to scsi_target_state · 3473e5db
      Johannes Thumshirn authored
      commit f05795d3 upstream.
      
      Add intermediate STARGET_REMOVE state to scsi_target_state to avoid
      running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE
      state is only valid in the path from scsi_remove_target() to
      scsi_target_destroy() indicating this target is going to be removed.
      
      This re-fixes the problem introduced in commits bc3f02a7 ("[SCSI]
      scsi_remove_target: fix softlockup regression on hot remove") and
      40998193 ("scsi: restart list search after unlock in
      scsi_remove_target") in a more comprehensive way.
      
      [mkp: Included James' fix for scsi_target_destroy()]
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: 40998193
      Reported-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Tested-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Reviewed-by: default avatarEwan D. Milne <emilne@redhat.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarJames Bottomley <jejb@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3473e5db
    • Chris Wilson's avatar
      drm/i915: Prevent machine death on Ivybridge context switching · 72877948
      Chris Wilson authored
      commit e9135c4f upstream.
      
      Two concurrent writes into the same register cacheline has the chance of
      killing the machine on Ivybridge and other gen7. This includes LRI
      emitted from the command parser.  The MI_SET_CONTEXT itself serves as
      serialising barrier and prevents the pair of register writes in the first
      packet from triggering the fault.  However, if a second switch-context
      immediately occurs then we may have two adjacent blocks of LRI to the
      same registers which may then trigger the hang. To counteract this we
      need to insert a delay after the second register write using SRM.
      
      This is easiest to reproduce with something like
      igt/gem_ctx_switch/interruptible that triggers back-to-back context
      switches (with no operations in between them in the command stream,
      which requires the execbuf operation to be interrupted after the
      MI_SET_CONTEXT) but can be observed sporadically elsewhere when running
      interruptible igt. No reports from the wild though, so it must be of low
      enough frequency that no one has correlated the random machine freezes
      with i915.ko
      
      The issue was introduced with
      commit 2c550183 [v3.19]
      Author: Chris Wilson <chris@chris-wilson.co.uk>
      Date:   Tue Dec 16 10:02:27 2014 +0000
      
          drm/i915: Disable PSMI sleep messages on all rings around context switches
      
      Testcase: igt/gem_ctx_switch/render-interruptible #ivb
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1460565315-7748-11-git-send-email-chris@chris-wilson.co.uk
      [bwh: Backported to 3.16:
       - Pass ring, not engine, to intel_ring_emit()
       - Register type is u32 not i915_reg_t
       - MI_STORE_REGISTER_MEM is a function-macro]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      72877948
    • Daniel Borkmann's avatar
      ipv6, token: allow for clearing the current device token · 8ce5d622
      Daniel Borkmann authored
      commit 47e27d5e upstream.
      
      The original tokenized iid support implemented via f53adae4 ("net: ipv6:
      add tokenized interface identifier support") didn't allow for clearing a
      device token as it was intended that this addressing mode was the only one
      active for globally scoped IPv6 addresses. Later we relaxed that restriction
      via 617fe29d ("net: ipv6: only invalidate previously tokenized addresses"),
      and we should also allow for clearing tokens as there's no good reason why
      it shouldn't be allowed.
      
      Fixes: 617fe29d ("net: ipv6: only invalidate previously tokenized addresses")
      Reported-by: default avatarRobin H. Johnson <robbat2@gentoo.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8ce5d622
    • Dan Carpenter's avatar
      cx23885: uninitialized variable in cx23885_av_work_handler() · 300aecc0
      Dan Carpenter authored
      commit 60587bd0 upstream.
      
      The "handled" variable could be uninitialized if the
      interrupt_service_routine() callback hasn't been implemented or if it
      has been implemented but doesn't initialize "handled" to zero at the
      start.  For example, adv76xx_isr() only sets "handled" to true.
      
      Fixes: 44b153ca ('[media] m5mols: Add ISO sensitivity controls')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      300aecc0
    • Dan Carpenter's avatar
      mfd: lp8788-irq: Uninitialized variable in irq handler · 6d56be20
      Dan Carpenter authored
      commit 22aab38e upstream.
      
      Instead of being true/false, "handled" is true/uninitialized.
      Presumably this doesn't cause that many problems in real life because
      normally we handle the IRQ.
      
      Fixes: eea6b7cc ('mfd: Add lp8788 mfd driver')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarMilo Kim <milo.kim@ti.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6d56be20
    • Suman Anna's avatar
      ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence · 3de7eed0
      Suman Anna authored
      commit c20c8f75 upstream.
      
      The omap_hwmod _enable() function can return success without setting
      the hwmod state to _HWMOD_STATE_ENABLED for IPs with reset lines when
      all of the reset lines are asserted. The omap_hwmod _idle() function
      also performs a similar check, but after checking for the hwmod state
      first. This triggers the WARN when pm_runtime_get and pm_runtime_put
      are invoked on IPs with all reset lines asserted. Reverse the checks
      for hwmod state and reset lines status to fix this.
      
      Issue found during an unbind operation on a device with reset lines
      still asserted, example backtrace below
      
       ------------[ cut here ]------------
       WARNING: CPU: 1 PID: 879 at arch/arm/mach-omap2/omap_hwmod.c:2207 _idle+0x1e4/0x240()
       omap_hwmod: mmu_dsp: idle state can only be entered from enabled state
       Modules linked in:
       CPU: 1 PID: 879 Comm: sh Not tainted 4.4.0-00008-ga989d951331a #3
       Hardware name: Generic OMAP5 (Flattened Device Tree)
       [<c0018e60>] (unwind_backtrace) from [<c0014dc4>] (show_stack+0x10/0x14)
       [<c0014dc4>] (show_stack) from [<c037ac28>] (dump_stack+0x90/0xc0)
       [<c037ac28>] (dump_stack) from [<c003f420>] (warn_slowpath_common+0x78/0xb4)
       [<c003f420>] (warn_slowpath_common) from [<c003f48c>] (warn_slowpath_fmt+0x30/0x40)
       [<c003f48c>] (warn_slowpath_fmt) from [<c0028c20>] (_idle+0x1e4/0x240)
       [<c0028c20>] (_idle) from [<c0029080>] (omap_hwmod_idle+0x28/0x48)
       [<c0029080>] (omap_hwmod_idle) from [<c002a5a4>] (omap_device_idle+0x3c/0x90)
       [<c002a5a4>] (omap_device_idle) from [<c0427a90>] (__rpm_callback+0x2c/0x60)
       [<c0427a90>] (__rpm_callback) from [<c0427ae4>] (rpm_callback+0x20/0x80)
       [<c0427ae4>] (rpm_callback) from [<c0427f84>] (rpm_suspend+0x138/0x74c)
       [<c0427f84>] (rpm_suspend) from [<c0428b78>] (__pm_runtime_idle+0x78/0xa8)
       [<c0428b78>] (__pm_runtime_idle) from [<c041f514>] (__device_release_driver+0x64/0x100)
       [<c041f514>] (__device_release_driver) from [<c041f5d0>] (device_release_driver+0x20/0x2c)
       [<c041f5d0>] (device_release_driver) from [<c041d85c>] (unbind_store+0x78/0xf8)
       [<c041d85c>] (unbind_store) from [<c0206df8>] (kernfs_fop_write+0xc0/0x1c4)
       [<c0206df8>] (kernfs_fop_write) from [<c018a120>] (__vfs_write+0x20/0xdc)
       [<c018a120>] (__vfs_write) from [<c018a9cc>] (vfs_write+0x90/0x164)
       [<c018a9cc>] (vfs_write) from [<c018b1f0>] (SyS_write+0x44/0x9c)
       [<c018b1f0>] (SyS_write) from [<c0010420>] (ret_fast_syscall+0x0/0x1c)
       ---[ end trace a4182013c75a9f50 ]---
      
      While at this, fix the sequence in _shutdown() as well, though there
      is no easy reproducible scenario.
      
      Fixes: 747834ab ("ARM: OMAP2+: hwmod: revise hardreset behavior")
      Signed-off-by: default avatarSuman Anna <s-anna@ti.com>
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3de7eed0
    • Dave Gerlach's avatar
      cpuidle: Indicate when a device has been unregistered · f9f84817
      Dave Gerlach authored
      commit c998c078 upstream.
      
      Currently the 'registered' member of the cpuidle_device struct is set
      to 1 during cpuidle_register_device. In this same function there are
      checks to see if the device is already registered to prevent duplicate
      calls to register the device, but this value is never set to 0 even on
      unregister of the device. Because of this, any attempt to call
      cpuidle_register_device after a call to cpuidle_unregister_device will
      fail which shouldn't be the case.
      
      To prevent this, set registered to 0 when the device is unregistered.
      
      Fixes: c878a52d (cpuidle: Check if device is already registered)
      Signed-off-by: default avatarDave Gerlach <d-gerlach@ti.com>
      Acked-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9f84817
    • Jiri Slaby's avatar
      Bluetooth: vhci: purge unhandled skbs · 140d276c
      Jiri Slaby authored
      commit 13407376 upstream.
      
      The write handler allocates skbs and queues them into data->readq.
      Read side should read them, if there is any. If there is none, skbs
      should be dropped by hdev->flush. But this happens only if the device
      is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
      not, skbs stay allocated in the queue when /dev/vhci is closed. So
      purge the queue in ->release.
      
      Program to reproduce:
      	#include <err.h>
      	#include <fcntl.h>
      	#include <stdio.h>
      	#include <unistd.h>
      
      	#include <sys/stat.h>
      	#include <sys/types.h>
      	#include <sys/uio.h>
      
      	int main()
      	{
      		char buf[] = { 0xff, 0 };
      		struct iovec iov = {
      			.iov_base = buf,
      			.iov_len = sizeof(buf),
      		};
      		int fd;
      
      		while (1) {
      			fd = open("/dev/vhci", O_RDWR);
      			if (fd < 0)
      				err(1, "open");
      
      			usleep(50);
      
      			if (writev(fd, &iov, 1) < 0)
      				err(1, "writev");
      
      			usleep(50);
      
      			close(fd);
      		}
      
      		return 0;
      	}
      
      Result:
      kmemleak: 4609 new suspected memory leaks
      unreferenced object 0xffff88059f4d5440 (size 232):
        comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
        hex dump (first 32 bytes):
          20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
      ...
          [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
          [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
          [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]
      
      Fixes: 23424c0d (Bluetooth: Add support creating virtual AMP controllers)
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      140d276c
    • Jiri Slaby's avatar
      Bluetooth: vhci: fix open_timeout vs. hdev race · fe7ecd1a
      Jiri Slaby authored
      commit 373a32c8 upstream.
      
      Both vhci_get_user and vhci_release race with open_timeout work. They
      both contain cancel_delayed_work_sync, but do not test whether the
      work actually created hdev or not. Since the work can be in progress
      and _sync will wait for finishing it, we can have data->hdev allocated
      when cancel_delayed_work_sync returns. But the call sites do 'if
      (data->hdev)' *before* cancel_delayed_work_sync.
      
      As a result:
      * vhci_get_user allocates a second hdev and puts it into
        data->hdev. The former is leaked.
      * vhci_release does not release data->hdev properly as it thinks there
        is none.
      
      Fix both cases by moving the actual test *after* the call to
      cancel_delayed_work_sync.
      
      This can be hit by this program:
      	#include <err.h>
      	#include <fcntl.h>
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <time.h>
      	#include <unistd.h>
      
      	#include <sys/stat.h>
      	#include <sys/types.h>
      
      	int main(int argc, char **argv)
      	{
      		int fd;
      
      		srand(time(NULL));
      
      		while (1) {
      			const int delta = (rand() % 200 - 100) * 100;
      
      			fd = open("/dev/vhci", O_RDWR);
      			if (fd < 0)
      				err(1, "open");
      
      			usleep(1000000 + delta);
      
      			close(fd);
      		}
      
      		return 0;
      	}
      
      And the result is:
      BUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228
      Read of size 8 by task kworker/u13:1/32068
      =============================================================================
      BUG kmalloc-192 (Tainted: G            E     ): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040
      ...
      	kmem_cache_alloc_trace+0x150/0x190
      	vhci_open+0x50/0x330 [hci_vhci]
      	misc_open+0x35b/0x4e0
      	chrdev_open+0x23b/0x510
      ...
      INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040
      ...
      	__slab_free+0x204/0x310
      	vhci_release+0xa4/0xd0 [hci_vhci]
      ...
      INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080
      INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600
      Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00  ...k............
      Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff  ...k.......k....
      Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff  .F.k.....F.k....
      Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00  ................
      Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff  @..k....@..k....
      Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de  P.n.............
      Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00  .........b......
      Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff  ........8..k....
      Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00  .. .............
      Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff  ...........=....
      Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00  . ..............
      Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb                          ........
      Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00                          ........
      CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G    B       E      4.4.6-0-default #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
      Workqueue: hci0 hci_cmd_work [bluetooth]
       00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180
       ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320
       ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80
      Call Trace:
      ...
       [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150
       [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci]
       [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth]
       [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth]
       [<ffffffff811a1375>] ? process_one_work+0x815/0x1340
       [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0
       [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340
       [<ffffffff811b3c68>] ? kthread+0x1c8/0x230
      ...
      Memory state around the buggy address:
       ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
       ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 23424c0d (Bluetooth: Add support creating virtual AMP controllers)
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fe7ecd1a
    • Itai Handler's avatar
      drm/gma500: Fix possible out of bounds read · 37154c75
      Itai Handler authored
      commit 7ccca1d5 upstream.
      
      Fix possible out of bounds read, by adding missing comma.
      The code may read past the end of the dsi_errors array
      when the most significant bit (bit #31) in the intr_stat register
      is set.
      This bug has been detected using CppCheck (static analysis tool).
      Signed-off-by: default avatarItai Handler <itai_handler@hotmail.com>
      Signed-off-by: default avatarPatrik Jakobsson <patrik.r.jakobsson@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37154c75
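      Added example (not drm/gma500 code, and not the dsi_errors table from the driver): the C pitfall behind the fix above. A missing comma between two adjacent string literals in an array initializer makes the compiler concatenate them into one element, so a table meant to hold one name per status bit ends up one entry short, and a decoder that indexes it by bit number reads one element past the end when the top bit is set. The table contents, the NBITS size and the decoder below are hypothetical; the block shows the buggy table beside the fixed one, a compile-time size check, and a bounds-checked lookup.

```c
/*
 * Added example (not drm/gma500 code): a missing comma in a string-array
 * initializer silently merges two adjacent literals, so a per-bit name
 * table comes up one entry short and an unchecked lookup by bit number
 * reads past its end.  Table contents are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBITS 32
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Buggy table: no comma after "bit 5", so "bit 5" "bit 6" become the single
 * element "bit 5bit 6" and the array has 31 entries instead of 32. */
static const char *const names_buggy[] = {
	"bit 0",  "bit 1",  "bit 2",  "bit 3",  "bit 4",  "bit 5"
	"bit 6",  "bit 7",  "bit 8",  "bit 9",  "bit 10", "bit 11",
	"bit 12", "bit 13", "bit 14", "bit 15", "bit 16", "bit 17",
	"bit 18", "bit 19", "bit 20", "bit 21", "bit 22", "bit 23",
	"bit 24", "bit 25", "bit 26", "bit 27", "bit 28", "bit 29",
	"bit 30", "bit 31",
};

/* Fixed table, with a compile-time check that it really has NBITS entries. */
static const char *const names_fixed[] = {
	"bit 0",  "bit 1",  "bit 2",  "bit 3",  "bit 4",  "bit 5",
	"bit 6",  "bit 7",  "bit 8",  "bit 9",  "bit 10", "bit 11",
	"bit 12", "bit 13", "bit 14", "bit 15", "bit 16", "bit 17",
	"bit 18", "bit 19", "bit 20", "bit 21", "bit 22", "bit 23",
	"bit 24", "bit 25", "bit 26", "bit 27", "bit 28", "bit 29",
	"bit 30", "bit 31",
};
_Static_assert(ARRAY_SIZE(names_fixed) == NBITS, "one name per status bit");

size_t buggy_len(void) { return ARRAY_SIZE(names_buggy); }
size_t fixed_len(void) { return ARRAY_SIZE(names_fixed); }
const char *buggy_entry(size_t i) { return i < buggy_len() ? names_buggy[i] : NULL; }

/* Bounds-checked lookup: returns NULL instead of reading past the table. */
static const char *name_for_bit(const char *const *tbl, size_t n, unsigned bit)
{
	return bit < n ? tbl[bit] : NULL;
}

/* Decode a status word into space-separated names.  Returns how many set
 * bits had no table entry (each of those would have been an out-of-bounds
 * read without the check in name_for_bit). */
static int decode_status(uint32_t stat, const char *const *tbl, size_t n,
			 char *out, size_t outsz)
{
	int unknown = 0;
	size_t used = 0;

	out[0] = '\0';
	for (unsigned bit = 0; bit < NBITS; bit++) {
		const char *name;
		int w;

		if (!(stat & (UINT32_C(1) << bit)))
			continue;
		name = name_for_bit(tbl, n, bit);
		if (!name) {
			unknown++;
			continue;
		}
		w = snprintf(out + used, outsz - used, "%s%s", used ? " " : "", name);
		if (w < 0 || (size_t)w >= outsz - used)
			break;			/* output buffer full */
		used += (size_t)w;
	}
	return unknown;
}

/* Wrappers that decode into a static buffer, selecting either table. */
int unknown_bits(uint32_t stat, bool use_fixed)
{
	static char buf[512];
	return use_fixed ? decode_status(stat, names_fixed, fixed_len(), buf, sizeof buf)
			 : decode_status(stat, names_buggy, buggy_len(), buf, sizeof buf);
}

const char *decode_fixed(uint32_t stat)
{
	static char buf[512];
	decode_status(stat, names_fixed, fixed_len(), buf, sizeof buf);
	return buf;
}

int main(void)
{
	printf("buggy table: %zu entries, entry 5 = \"%s\"\n", buggy_len(), names_buggy[5]);
	printf("fixed table: %zu entries\n", fixed_len());
	printf("0x80000000 via buggy table: %d unnamed bit(s)\n", unknown_bits(0x80000000u, false));
	printf("0x80000021 via fixed table: \"%s\"\n", decode_fixed(0x80000021u));
	return 0;
}
```

      The _Static_assert is the cheap check: a table whose size is tied to a register width should assert that size, so a dropped comma fails the build rather than shipping as a latent read past the array. The bounds check in name_for_bit is the belt-and-braces layer for tables whose length is not known at compile time.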
    • Eric Sandeen's avatar
      xfs: disallow rw remount on fs with unknown ro-compat features · 1e31630b
      Eric Sandeen authored
      commit d0a58e83 upstream.
      
      Today, a kernel which refuses to mount a filesystem read-write
      due to unknown ro-compat features can still transition to read-write
      via the remount path.  The old kernel is most likely none the wiser,
      because it's unaware of the new feature, and isn't using it.  However,
      writing to the filesystem may well corrupt metadata related to that
      new feature, and moving to a newer kernel which understands the feature
      will have problems.
      
      Right now the only ro-compat feature we have is the free inode btree,
      which showed up in v3.16.  It would be good to push this back to
      all the active stable kernels, I think, so that if anyone is using
      newer mkfs (which enables the finobt feature) with older kernel
      releases, they'll be protected.
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarBill O'Donnell <billodo@redhat.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1e31630b
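      Added example, not XFS code: a model of the compat / ro-compat / incompat superblock feature-flag convention that the commit above relies on, with both the initial-mount check and the remount check the fix adds. Unknown incompat bits refuse any mount, unknown ro-compat bits refuse a read-write mount, and unknown compat bits are ignored; before the fix the ro-to-rw remount path skipped the ro-compat test that the initial mount performs. The struct, the KNOWN_* masks and the bit values are hypothetical and stand in for whatever a real superblock defines.

```c
/*
 * Added example (not XFS code): fail-closed feature-flag checks on mount
 * and on ro->rw remount.  Field names and bit values are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical superblock feature words, one bit per feature. */
struct sb_features {
	uint32_t compat;     /* unknown bits: safe to ignore, mount rw */
	uint32_t ro_compat;  /* unknown bits: safe to read, unsafe to write */
	uint32_t incompat;   /* unknown bits: do not mount at all */
};

/* Feature bits this (hypothetical) kernel understands. */
#define KNOWN_RO_COMPAT  0x00000001u   /* say, a free-inode btree */
#define KNOWN_INCOMPAT   0x00000003u

enum mount_result {
	MOUNT_OK,
	MOUNT_REFUSE_UNKNOWN_INCOMPAT,
	MOUNT_REFUSE_RW_UNKNOWN_RO_COMPAT,
};

static uint32_t unknown_incompat(const struct sb_features *f)
{
	return f->incompat & ~KNOWN_INCOMPAT;
}

static uint32_t unknown_ro_compat(const struct sb_features *f)
{
	return f->ro_compat & ~KNOWN_RO_COMPAT;
}

/* Initial mount: unknown incompat bits refuse any mount; unknown ro-compat
 * bits refuse only a read-write mount; unknown compat bits are ignored. */
enum mount_result check_mount(const struct sb_features *f, bool readonly)
{
	if (unknown_incompat(f))
		return MOUNT_REFUSE_UNKNOWN_INCOMPAT;
	if (!readonly && unknown_ro_compat(f))
		return MOUNT_REFUSE_RW_UNKNOWN_RO_COMPAT;
	return MOUNT_OK;
}

/* Remount before the fix: nothing re-examines ro-compat when a filesystem
 * mounted read-only is switched to read-write, so the mount-time refusal
 * can be bypassed with "mount -o remount,rw". */
enum mount_result remount_unfixed(const struct sb_features *f, bool was_ro, bool want_ro)
{
	(void)f; (void)was_ro; (void)want_ro;
	return MOUNT_OK;
}

/* Remount after the fix: the ro->rw transition repeats the ro-compat test. */
enum mount_result remount_fixed(const struct sb_features *f, bool was_ro, bool want_ro)
{
	if (was_ro && !want_ro && unknown_ro_compat(f))
		return MOUNT_REFUSE_RW_UNKNOWN_RO_COMPAT;
	return MOUNT_OK;
}

static const char *result_str(enum mount_result r)
{
	switch (r) {
	case MOUNT_OK:                          return "ok";
	case MOUNT_REFUSE_UNKNOWN_INCOMPAT:     return "refused: unknown incompat feature";
	case MOUNT_REFUSE_RW_UNKNOWN_RO_COMPAT: return "refused: unknown ro-compat feature, rw not allowed";
	}
	return "?";
}

int main(void)
{
	/* A filesystem from a newer mkfs that sets an ro-compat bit we do not know. */
	struct sb_features newer = { .compat = 0x10, .ro_compat = 0x2, .incompat = 0x1 };

	printf("mount ro:          %s\n", result_str(check_mount(&newer, true)));
	printf("mount rw:          %s\n", result_str(check_mount(&newer, false)));
	printf("remount rw (old):  %s\n", result_str(remount_unfixed(&newer, true, false)));
	printf("remount rw (fixed): %s\n", result_str(remount_fixed(&newer, true, false)));
	return 0;
}
```

      The general rule the example encodes is that any path which can widen the access mode must repeat the checks the narrower mode was allowed to skip; a mount-time gate that a later remount does not re-run is only a gate for the first transition.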