1. 06 Jun, 2015 4 commits
  2. 17 May, 2015 18 commits
  3. 13 May, 2015 18 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.10.78 · c9cc129b
      Greg Kroah-Hartman authored
      c9cc129b
    • Vineet Gupta's avatar
      ARC: signal handling robustify · eb7b2163
      Vineet Gupta authored
      commit e4140819 upstream.
      
      A malicious signal handler / restorer can DOS the system by fudging the
      user regs saved on stack, causing weird things such as sigreturn returning
      to user mode PC but cpu state still being kernel mode....
      
      Ensure that in sigreturn path status32 always has U bit; any other bogosity
      (gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms.
      
      Reproducer signal handler:
      
          void handle_sig(int signo, siginfo_t *info, void *context)
          {
      	ucontext_t *uc = context;
      	struct user_regs_struct *regs = &(uc->uc_mcontext.regs);
      
      	regs->scratch.status32 = 0;
          }
      
      Before the fix, kernel would go off to weeds like below:
      
          --------->8-----------
          [ARCLinux]$ ./signal-test
          Path: /signal-test
          CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65
          task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000
      
          [ECR   ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698
          [EFA   ]: 0x00000010
          [BLINK ]: 0x2007c1ee
          [ERET  ]: 0x10698
          [STAT32]: 0x00000000 :                                   <--------
          BTA: 0x00010680	 SP: 0x5ffe7e48	 FP: 0x00000000
          LPS: 0x20003c6c	LPE: 0x20003c70	LPC: 0x00000000
          ...
          --------->8-----------
      Reported-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb7b2163
    • hujianyang's avatar
      UBI: fix soft lockup in ubi_check_volume() · ad233850
      hujianyang authored
      commit 9aa272b4 upstream.
      
      Running mtd-utils/tests/ubi-tests/io_basic.c could cause
      soft lockup or watchdog reset. It is because *updatevol*
      will perform ubi_check_volume() after updating finish
      and this function will full scan the updated lebs if the
      volume is initialized as STATIC_VOLUME.
      
      This patch adds *cond_resched()* in the loop of lebs scan
      to avoid soft lockup.
      
      Helped by Richard Weinberger <richard@nod.at>
      
      [ 2158.067096] INFO: rcu_sched self-detected stall on CPU { 1}  (t=2101 jiffies g=1606 c=1605 q=56)
      [ 2158.172867] CPU: 1 PID: 2073 Comm: io_basic Tainted: G           O 3.10.53 #21
      [ 2158.172898] [<c000f624>] (unwind_backtrace+0x0/0x120) from [<c000c294>] (show_stack+0x10/0x14)
      [ 2158.172918] [<c000c294>] (show_stack+0x10/0x14) from [<c008ac3c>] (rcu_check_callbacks+0x1c0/0x660)
      [ 2158.172936] [<c008ac3c>] (rcu_check_callbacks+0x1c0/0x660) from [<c002b480>] (update_process_times+0x38/0x64)
      [ 2158.172953] [<c002b480>] (update_process_times+0x38/0x64) from [<c005ff38>] (tick_sched_handle+0x54/0x60)
      [ 2158.172966] [<c005ff38>] (tick_sched_handle+0x54/0x60) from [<c00601ac>] (tick_sched_timer+0x44/0x74)
      [ 2158.172978] [<c00601ac>] (tick_sched_timer+0x44/0x74) from [<c003f348>] (__run_hrtimer+0xc8/0x1b8)
      [ 2158.172992] [<c003f348>] (__run_hrtimer+0xc8/0x1b8) from [<c003fd9c>] (hrtimer_interrupt+0x128/0x2a4)
      [ 2158.173007] [<c003fd9c>] (hrtimer_interrupt+0x128/0x2a4) from [<c0246f1c>] (arch_timer_handler_virt+0x28/0x30)
      [ 2158.173022] [<c0246f1c>] (arch_timer_handler_virt+0x28/0x30) from [<c0086214>] (handle_percpu_devid_irq+0x9c/0x124)
      [ 2158.173036] [<c0086214>] (handle_percpu_devid_irq+0x9c/0x124) from [<c0082bd8>] (generic_handle_irq+0x20/0x30)
      [ 2158.173049] [<c0082bd8>] (generic_handle_irq+0x20/0x30) from [<c000969c>] (handle_IRQ+0x64/0x8c)
      [ 2158.173060] [<c000969c>] (handle_IRQ+0x64/0x8c) from [<c0008544>] (gic_handle_irq+0x3c/0x60)
      [ 2158.173074] [<c0008544>] (gic_handle_irq+0x3c/0x60) from [<c02f0f80>] (__irq_svc+0x40/0x50)
      [ 2158.173083] Exception stack(0xc4043c98 to 0xc4043ce0)
      [ 2158.173092] 3c80:                                                       c4043ce4 00000019
      [ 2158.173102] 3ca0: 1f8a865f c050ad10 1f8a864c 00000031 c04b5970 0003ebce 00000000 f3550000
      [ 2158.173113] 3cc0: bf00bc68 00000800 0003ebce c4043ce0 c0186d14 c0186cb8 80000013 ffffffff
      [ 2158.173130] [<c02f0f80>] (__irq_svc+0x40/0x50) from [<c0186cb8>] (read_current_timer+0x4/0x38)
      [ 2158.173145] [<c0186cb8>] (read_current_timer+0x4/0x38) from [<1f8a865f>] (0x1f8a865f)
      [ 2183.927097] BUG: soft lockup - CPU#1 stuck for 22s! [io_basic:2073]
      [ 2184.002229] Modules linked in: nandflash(O) [last unloaded: nandflash]
      Signed-off-by: default avatarWang Kai <morgan.wang@huawei.com>
      Signed-off-by: default avatarhujianyang <hujianyang@huawei.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad233850
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Don't wait after requesting offers · b5837189
      K. Y. Srinivasan authored
      commit 73cffdb6 upstream.
      
      Don't wait after sending request for offers to the host. This wait is
      unnecessary and simply adds 5 seconds to the boot time.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b5837189
    • Sebastian Hesselbarth's avatar
      ARM: dts: dove: Fix uart[23] reg property · 0fe89264
      Sebastian Hesselbarth authored
      commit a74cd13b upstream.
      
      Fix Dove's register addresses of uart2 and uart3 nodes that seem to
      be broken since ages due to a copy-and-paste error.
      Signed-off-by: default avatarSebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Acked-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fe89264
    • Sudip Mukherjee's avatar
      staging: panel: fix lcd type · b68cec9d
      Sudip Mukherjee authored
      commit 2c20d92d upstream.
      
      the lcd type as defined in the Kconfig is not matching in the code.
      as a result the rs, rw and en pins were getting interchanged.
      Kconfig defines the value of PANEL_LCD to be 1 if we select custom
      configuration but in the code LCD_TYPE_CUSTOM is defined as 5.
      
      my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it
      as pins of LCD_TYPE_OLD, and it was not working.
      Now values are corrected with referenece to the values defined in
      Kconfig and it is working.
      checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration.
      Signed-off-by: default avatarSudip Mukherjee <sudip@vectorindia.org>
      Acked-by: default avatarWilly Tarreau <w@1wt.eu>
      [wt: backport to 3.10 and 3.14]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b68cec9d
    • Andrzej Pietrasiewicz's avatar
      usb: gadget: printer: enqueue printer's response for setup request · db834988
      Andrzej Pietrasiewicz authored
      commit eb132ccb upstream.
      
      Function-specific setup requests should be handled in such a way, that
      apart from filling in the data buffer, the requests are also actually
      enqueued: if function-specific setup is called from composte_setup(),
      the "usb_ep_queue()" block of code in composite_setup() is skipped.
      
      The printer function lacks this part and it results in e.g. get device id
      requests failing: the host expects some response, the device prepares it
      but does not equeue it for sending to the host, so the host finally asserts
      timeout.
      
      This patch adds enqueueing the prepared responses.
      
      Fixes: 2e87edf4: "usb: gadget: make g_printer use composite"
      Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [ported to stable 3.10 and 3.14]
      Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db834988
    • Felipe Balbi's avatar
      usb: host: oxu210hp: use new USB_RESUME_TIMEOUT · 228dae65
      Felipe Balbi authored
      commit 84c0d178 upstream.
      
      Make sure we're using the new macro, so our
      resume signaling will always pass certification.
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      228dae65
    • Christoph Hellwig's avatar
      3w-sas: fix command completion race · 7332f321
      Christoph Hellwig authored
      commit 579d69bc upstream.
      
      The 3w-sas driver needs to tear down the dma mappings before returning
      the command to the midlayer, as there is no guarantee the sglist and
      count are valid after that point.  Also remove the dma mapping helpers
      which have another inherent race due to the request_id index.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarTorsten Luettgert <ml-lkml@enda.eu>
      Tested-by: default avatarBernd Kardatzki <Bernd.Kardatzki@med.uni-tuebingen.de>
      Acked-by: default avatarAdam Radford <aradford@gmail.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7332f321
    • Christoph Hellwig's avatar
      3w-9xxx: fix command completion race · ea5f56ae
      Christoph Hellwig authored
      commit 118c855b upstream.
      
      The 3w-9xxx driver needs to tear down the dma mappings before returning
      the command to the midlayer, as there is no guarantee the sglist and
      count are valid after that point.  Also remove the dma mapping helpers
      which have another inherent race due to the request_id index.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Acked-by: default avatarAdam Radford <aradford@gmail.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea5f56ae
    • Christoph Hellwig's avatar
      3w-xxxx: fix command completion race · 1dff8de4
      Christoph Hellwig authored
      commit 9cd95546 upstream.
      
      The 3w-xxxx driver needs to tear down the dma mappings before returning
      the command to the midlayer, as there is no guarantee the sglist and
      count are valid after that point.  Also remove the dma mapping helpers
      which have another inherent race due to the request_id index.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Acked-by: default avatarAdam Radford <aradford@gmail.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1dff8de4
    • Lukas Czerner's avatar
      ext4: fix data corruption caused by unwritten and delayed extents · 5a7d1e16
      Lukas Czerner authored
      commit d2dc317d upstream.
      
      Currently it is possible to lose whole file system block worth of data
      when we hit the specific interaction with unwritten and delayed extents
      in status extent tree.
      
      The problem is that when we insert delayed extent into extent status
      tree the only way to get rid of it is when we write out delayed buffer.
      However there is a limitation in the extent status tree implementation
      so that when inserting unwritten extent should there be even a single
      delayed block the whole unwritten extent would be marked as delayed.
      
      At this point, there is no way to get rid of the delayed extents,
      because there are no delayed buffers to write out. So when a we write
      into said unwritten extent we will convert it to written, but it still
      remains delayed.
      
      When we try to write into that block later ext4_da_map_blocks() will set
      the buffer new and delayed and map it to invalid block which causes
      the rest of the block to be zeroed loosing already written data.
      
      For now we can fix this by simply not allowing to set delayed status on
      written extent in the extent status tree. Also add WARN_ON() to make
      sure that we notice if this happens in the future.
      
      This problem can be easily reproduced by running the following xfs_io.
      
      xfs_io -f -c "pwrite -S 0xaa 4096 2048" \
                -c "falloc 0 131072" \
                -c "pwrite -S 0xbb 65536 2048" \
                -c "fsync" /mnt/test/fff
      
      echo 3 > /proc/sys/vm/drop_caches
      xfs_io -c "pwrite -S 0xdd 67584 2048" /mnt/test/fff
      
      This can be theoretically also reproduced by at random by running fsx,
      but it's not very reliable, though on machines with bigger page size
      (like ppc) this can be seen more often (especially xfstest generic/127)
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a7d1e16
    • Ilya Dryomov's avatar
      rbd: end I/O the entire obj_request on error · be13cfbd
      Ilya Dryomov authored
      commit 082a75da upstream.
      
      When we end I/O struct request with error, we need to pass
      obj_request->length as @nr_bytes so that the entire obj_request worth
      of bytes is completed.  Otherwise block layer ends up confused and we
      trip on
      
          rbd_assert(more ^ (which == img_request->obj_request_count));
      
      in rbd_img_obj_callback() due to more being true no matter what.  We
      already do it in most cases but we are missing some, in particular
      those where we don't even get a chance to submit any obj_requests, due
      to an early -ENOMEM for example.
      
      A number of obj_request->xferred assignments seem to be redundant but
      I haven't touched any of obj_request->xferred stuff to keep this small
      and isolated.
      
      Cc: Alex Elder <elder@linaro.org>
      Reported-by: default avatarShawn Edwards <lesser.evil@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be13cfbd
    • Michal Simek's avatar
      serial: of-serial: Remove device_type = "serial" registration · 31608b7e
      Michal Simek authored
      commit 6befa9d8 upstream.
      
      Do not probe all serial drivers by of_serial.c which are using
      device_type = "serial"; property. Only drivers which have valid
      compatible strings listed in the driver should be probed.
      
      When PORT_UNKNOWN is setup probe will fail anyway.
      
      Arnd quotation about driver historical background:
      "when I wrote that driver initially, the idea was that it would
      get used as a stub to hook up all other serial drivers but after
      that, the common code learned to create platform devices from DT"
      
      This patch fix the problem with on the system with xilinx_uartps and
      16550a where of_serial failed to register for xilinx_uartps and because
      of irq_dispose_mapping() removed irq_desc. Then when xilinx_uartps was asking
      for irq with request_irq() EINVAL is returned.
      Signed-off-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31608b7e
    • Takashi Iwai's avatar
      ALSA: hda - Fix mute-LED fixed mode · 4453c82b
      Takashi Iwai authored
      commit ee52e56e upstream.
      
      The mute-LED mode control has the fixed on/off states that are
      supposed to remain on/off regardless of the master switch.  However,
      this doesn't work actually because the vmaster hook is called in the
      vmaster code itself.
      
      This patch fixes it by calling the hook indirectly after checking the
      mute LED mode.
      Reported-and-tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4453c82b
    • Peter Zubaj's avatar
      ALSA: emu10k1: Emu10k2 32 bit DMA mode · b68ed131
      Peter Zubaj authored
      commit 7241ea55 upstream.
      
      Looks like audigy emu10k2 (probably emu10k1 - sb live too) support two
      modes for DMA. Second mode is useful for 64 bit os with more then 2 GB
      of ram (fixes problems with big soundfont loading)
      
      1) 32MB from 2 GB address space using 8192 pages (used now as default)
      2) 16MB from 4 GB address space using 4096 pages
      
      Mode is set using HCFG_EXPANDED_MEM flag in HCFG register.
      Also format of emu10k2 page table is then different.
      Signed-off-by: default avatarPeter Zubaj <pzubaj@marticonet.sk>
      Tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b68ed131
    • Takashi Iwai's avatar
      ALSA: emu10k1: Fix card shortname string buffer overflow · 0da12e28
      Takashi Iwai authored
      commit d0226082 upstream.
      
      Some models provide too long string for the shortname that has 32bytes
      including the terminator, and it results in a non-terminated string
      exposed to the user-space.  This isn't too critical, though, as the
      string is stopped at the succeeding longname string.
      
      This patch fixes such entries by dropping "SB" prefix (it's enough to
      fit within 32 bytes, so far).  Meanwhile, it also changes strcpy()
      with strlcpy() to make sure that this kind of problem won't happen in
      future, too.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0da12e28
    • Takashi Iwai's avatar
      ALSA: emux: Fix mutex deadlock in OSS emulation · c542e915
      Takashi Iwai authored
      commit 1c94e65c upstream.
      
      The OSS emulation in synth-emux helper has a potential AB/BA deadlock
      at the simultaneous closing and opening:
      
        close ->
          snd_seq_release() ->
            sne_seq_free_client() ->
              snd_seq_delete_all_ports(): takes client->ports_mutex ->
      	  port_delete() ->
      	    snd_emux_unuse(): takes emux->register_mutex
      
        open ->
          snd_seq_oss_open() ->
            snd_emux_open_seq_oss(): takes emux->register_mutex ->
              snd_seq_event_port_attach() ->
      	  snd_seq_create_port(): takes client->ports_mutex
      
      This patch addresses the deadlock by reducing the rance taking
      emux->register_mutex in snd_emux_open_seq_oss().  The lock is needed
      for the refcount handling, so move it locally.  The calls in
      emux_seq.c are already with the mutex, thus they are replaced with the
      version without mutex lock/unlock.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c542e915