1. 17 Nov, 2014 40 commits
    • Oliver Neukum's avatar
      HID: usbhid: fix PIXART optical mouse · 647a9937
      Oliver Neukum authored
      commit 4980f957 upstream.
      
      This mouse keeps disconnecting in runlevel 3. It needs the ALWAYS_POLL quirk.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      647a9937
    • Johan Hovold's avatar
      HID: usbhid: enable always-poll quirk for Elan Touchscreen · 963dd1b9
      Johan Hovold authored
      commit bfe3c873 upstream.
      
      Enable the always-poll quirk for Elan Touchscreens found on some recent
      Samsung laptops.
      
      Without this quirk the device keeps disconnecting from the bus (and is
      re-enumerated) unless opened (and kept open, should an input event
      occur).
      
      Note that while the device can be run-time suspended, the autosuspend
      timeout must be high enough to allow the device to be polled at least
      once before being suspended. Specifically, using autosuspend_delay_ms=0
      will still cause the device to disconnect on input events.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      963dd1b9
    • Johan Hovold's avatar
      HID: usbhid: add always-poll quirk · 5fbff7ce
      Johan Hovold authored
      commit 0b750b3b upstream.
      
      Add quirk to make sure that a device is always polled for input events
      even if it hasn't been opened.
      
      This is needed for devices that disconnects from the bus unless the
      interrupt endpoint has been polled at least once or when not responding
      to an input event (e.g. after having shut down X).
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5fbff7ce
    • Jason Gerecke's avatar
      HID: input: Fix TransducerSerialNumber implementation · b0bb0aa3
      Jason Gerecke authored
      commit 5989a55a upstream.
      
      The commit which introduced TransducerSerialNumber (368c9664) is missing
      two crucial implementation details. Firstly, the commit does not set the
      type/code/bit/max fields as expected later down the code which can cause
      the driver to crash when a tablet with this usage is connected. Secondly,
      the call to 'set_bit' causes MSC_PULSELED to be sent instead of the
      expected MSC_SERIAL. This commit addreses both issues.
      Signed-off-by: default avatarJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Reviewed-by: default avatarPing Cheng <pingc@wacom.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b0bb0aa3
    • Eric Dumazet's avatar
      net: skb_fclone_busy() needs to detect orphaned skb · 1cf39b5f
      Eric Dumazet authored
      commit 39bb5e62 upstream.
      
      Some drivers are unable to perform TX completions in a bound time.
      They instead call skb_orphan()
      
      Problem is skb_fclone_busy() has to detect this case, otherwise
      we block TCP retransmits and can freeze unlucky tcp sessions on
      mostly idle hosts.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Fixes: 1f3279ae ("tcp: avoid retransmits of TCP packets hanging in host queues")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backport to 3.16 provided by Eric Dumzet ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1cf39b5f
    • Roger Pau Monné's avatar
      xen-blkback: fix leak on grant map error path · fea6ccb6
      Roger Pau Monné authored
      commit 61cecca8 upstream.
      
      Fix leaking a page when a grant mapping has failed.
      Signed-off-by: default avatarRoger Pau Monné <roger.pau@citrix.com>
      Reported-and-Tested-by: default avatarTao Chen <boby.chen@huawei.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fea6ccb6
    • Richard Genoud's avatar
      UBI: add missing kmem_cache_free() in process_pool_aeb error path · 8a2a4f71
      Richard Genoud authored
      commit 1bf1890e upstream.
      
      I ran into this error after a ubiupdatevol, because I forgot to backport
      e9110361 UBI: fix the volumes tree sorting criteria.
      
      UBI error: process_pool_aeb: orphaned volume in fastmap pool
      UBI error: ubi_scan_fastmap: Attach by fastmap failed, doing a full scan!
      kmem_cache_destroy ubi_ainf_peb_slab: Slab cache still has objects
      CPU: 0 PID: 1 Comm: swapper Not tainted 3.14.18-00053-gf05cac8dbf85 #1
      [<c000d298>] (unwind_backtrace) from [<c000baa8>] (show_stack+0x10/0x14)
      [<c000baa8>] (show_stack) from [<c01b7a68>] (destroy_ai+0x230/0x244)
      [<c01b7a68>] (destroy_ai) from [<c01b8fd4>] (ubi_attach+0x98/0x1ec)
      [<c01b8fd4>] (ubi_attach) from [<c01ade90>] (ubi_attach_mtd_dev+0x2b8/0x868)
      [<c01ade90>] (ubi_attach_mtd_dev) from [<c038b510>] (ubi_init+0x1dc/0x2ac)
      [<c038b510>] (ubi_init) from [<c0008860>] (do_one_initcall+0x94/0x140)
      [<c0008860>] (do_one_initcall) from [<c037aadc>] (kernel_init_freeable+0xe8/0x1b0)
      [<c037aadc>] (kernel_init_freeable) from [<c02730ac>] (kernel_init+0x8/0xe4)
      [<c02730ac>] (kernel_init) from [<c00093f0>] (ret_from_fork+0x14/0x24)
      UBI: scanning is finished
      
      Freeing the cache in the error path fixes the Slab error.
      
      Tested on at91sam9g35 (3.14.18+fastmap backports)
      Signed-off-by: default avatarRichard Genoud <richard.genoud@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8a2a4f71
    • Dan Streetman's avatar
      powerpc: use device_online/offline() instead of cpu_up/down() · c3e91822
      Dan Streetman authored
      commit 10ccaf17 upstream.
      
      In powerpc pseries platform dlpar operations, use device_online() and
      device_offline() instead of cpu_up() and cpu_down().
      
      Calling cpu_up/down() directly does not update the cpu device offline
      field, which is used to online/offline a cpu from sysfs. Calling
      device_online/offline() instead keeps the sysfs cpu online value
      correct. The hotplug lock, which is required to be held when calling
      device_online/offline(), is already held when dlpar_online/offline_cpu()
      are called, since they are called only from cpu_probe|release_store().
      
      This patch fixes errors on phyp (PowerVM) systems that have cpu(s)
      added/removed using dlpar operations; without this patch, the
      /sys/devices/system/cpu/cpuN/online nodes do not correctly show the
      online state of added/removed cpus.
      Signed-off-by: default avatarDan Streetman <ddstreet@ieee.org>
      Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
      Fixes: 0902a904 ("Driver core: Use generic offline/online for CPU offline/online")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c3e91822
    • Sinclair Yeh's avatar
      drm/vmwgfx: Filter out modes those cannot be supported by the current VRAM size. · 88d0cb9b
      Sinclair Yeh authored
      commit 9a72384d upstream.
      
      When screen objects are enabled, the bpp is assumed to be 32, otherwise
      it is set to 16.
      
      v2:
      * Use u32 instead of u64 for assumed_bpp.
      * Fixed mechanism to check for screen objects
      * Limit the back buffer size to VRAM.
      Signed-off-by: default avatarSinclair Yeh <syeh@vmware.com>
      Reviewed-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      88d0cb9b
    • Kirill Tkhai's avatar
      sched: Use rq->rd in sched_setaffinity() under RCU read lock · decad6eb
      Kirill Tkhai authored
      commit f1e3a093 upstream.
      
      Probability of use-after-free isn't zero in this place.
      Signed-off-by: default avatarKirill Tkhai <ktkhai@parallels.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20140922183636.11015.83611.stgit@localhostSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [ luis: backported to 3.16: used peterz's backport to 3.17 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      decad6eb
    • Stephen Boyd's avatar
      serial: msm_serial: Fix kgdb continue · 3fd48a66
      Stephen Boyd authored
      commit 8b374399 upstream.
      
      Frank reports that after continuing in kgdb the RX stale event
      doesn't occur until after the RX fifo is filled up with exactly
      the amount of characters programmed for the RX watermark (in this
      case it's 48). To read a single character from the uartdm
      hardware we force a stale event so that any characters in the RX
      packing buffer are flushed into the RX fifo immediately instead
      of waiting for a stale timeout or for the fifo to fill. Forcing
      that stale event asserts the stale interrupt but we never clear
      that interrupt via UART_CR_CMD_RESET_STALE_INT in the polling
      functions. So when kgdb continues the stale interrupt is left
      pending in the hardware and we don't timeout with a stale event,
      like we usually would if a user typed one character on the
      console, until the reset stale interrupt and stale event commands
      are sent. Frank could get things working again by running
      handle_rx_dm(). By putting enough characters into the fifo he
      could trigger a watermark interrupt, and thus cause
      handle_rx_dm() to run finally resetting the stale interrupt
      and enabling the stale event so that single characters would
      cause timeouts again.
      
      The fix is to just do what the interrupt routine was doing all
      along and clear the stale interrupt and enable the event again.
      Doing this also smooths over any differences in the fifo behavior
      between v1.3 and v1.4 hardware allowing us to skip forcing the
      uart into single character mode.
      Reviewed-by: default avatarFrank Rowand <frank.rowand@sonymobile.com>
      Tested-by: default avatarFrank Rowand <frank.rowand@sonymobile.com>
      Fixes: f7e54d7a "msm_serial: Add support for poll_{get,put}_char()"
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3fd48a66
    • Bryan O'Donoghue's avatar
      x86: Add cpu_detect_cache_sizes to init_intel() add Quark legacy_cache() · a51906f6
      Bryan O'Donoghue authored
      commit aece118e upstream.
      
      Intel processors which don't report cache information via cpuid(2)
      or cpuid(4) need quirk code in the legacy_cache_size callback to
      report this data. For Intel that callback is is intel_size_cache().
      
      This patch enables calling of cpu_detect_cache_sizes() inside of
      init_intel() and hence the calling of the legacy_cache callback in
      intel_size_cache(). Adding this call will ensure that PIII Tualatin
      currently in intel_size_cache() and Quark SoC X1000 being added to
      intel_size_cache() in this patch will report their respective cache
      sizes.
      
      This model of calling cpu_detect_cache_sizes() is consistent with
      AMD/Via/Cirix/Transmeta and Centaur.
      
      Also added is a string to idenitfy the Quark as Quark SoC X1000
      giving better and more descriptive output via /proc/cpuinfo
      
      Adding cpu_detect_cache_sizes to init_intel() will enable calling
      of intel_size_cache() on Intel processors which currently no code
      can reach. Therefore this patch will also re-enable reporting
      of PIII Tualatin cache size information as well as add
      Quark SoC X1000 support.
      
      Comment text and cache flow logic suggested by Thomas Gleixner
      Signed-off-by: default avatarBryan O'Donoghue <pure.logic@nexus-software.ie>
      Cc: davej@redhat.com
      Cc: hmh@hmh.eng.br
      Link: http://lkml.kernel.org/r/1412641189-12415-3-git-send-email-pure.logic@nexus-software.ieSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a51906f6
    • Axel Lin's avatar
      [media] tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register · 48c43d23
      Axel Lin authored
      commit 91ba0e59 upstream.
      
      Fix a copy-paste bug when converting to the control framework.
      
      Fixes: commit 5d478e0d ("[media] tda7432: convert to the control framework")
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      48c43d23
    • Antti Palosaari's avatar
      [media] m88ts2022: fix 32bit overflow on filter calc · e8df0d9f
      Antti Palosaari authored
      commit f538e085 upstream.
      
      Maximum satellite symbol rate used is 45000000Sps which overflows
      when multiplied by 135. As final calculation result is fraction,
      we could use mult_frac macro in order to keep calculation inside
      32 bit number limits and prevent overflow.
      
      Original bug and fix was provided by Nibble Max. I decided to
      implement it differently as it is now.
      Reported-by: default avatarNibble Max <nibble.max@gmail.com>
      Tested-by: default avatarNibble Max <nibble.max@gmail.com>
      Signed-off-by: default avatarAntti Palosaari <crope@iki.fi>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e8df0d9f
    • Mauro Carvalho Chehab's avatar
      [media] siano: add support for PCTV 77e · eb64a603
      Mauro Carvalho Chehab authored
      commit 29bbb7bd upstream.
      
      Add support for PCTV microStick (77e) device that uses a sms1140
      chipset.
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      eb64a603
    • Paul Fertser's avatar
      [media] media: usb: uvc: add a quirk for Dell XPS M1330 webcam · 962bfbf5
      Paul Fertser authored
      commit 62ea864f upstream.
      
      As reported on [1], this device needs this quirk to be able to
      reliably initialise the webcam.
      
      [1] http://ubuntuforums.org/showthread.php?t=2145996Signed-off-by: default avatarPaul Fertser <fercerpav@gmail.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      962bfbf5
    • Maciej Matraszek's avatar
      [media] v4l2-common: fix overflow in v4l_bound_align_image() · b0cf446b
      Maciej Matraszek authored
      commit 3bacc10c upstream.
      
      Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
      when passed large value like UINT32_MAX.
      
       In the current implementation:
          clamp_align(UINT32_MAX, 8, 8192, 3)
      
      returns 8, because in line:
      
          x = (x + (1 << (align - 1))) & mask;
      
      x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192.
      
      v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
      VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
      explicitly states that:
      
      "The modified format should be as close as possible to the original
      request."
        -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
      
      Thus one would expect, that passing UINT32_MAX as format width and
      height will result in setting maximum possible resolution for the
      device. Particularly, when the driver doesn't support
      VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
      
      Fixes changeset: b0d3159bSigned-off-by: default avatarMaciej Matraszek <m.matraszek@samsung.com>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b0cf446b
    • Josh Boyer's avatar
      drm/vmwgfx: Fix drm.h include · dace39ab
      Josh Boyer authored
      commit e351943b upstream.
      
      The userspace drm.h include doesn't prefix the drm directory.  This can lead
      to compile failures as /usr/include/drm/ isn't in the standard gcc include
      paths.  Fix it to be <drm/drm.h>, which matches the rest of the driver drm
      header files that get installed into /usr/include/drm.
      
      Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1138759
      
      Fixes: 1d7a5cbfReported-by: default avatarJeffrey Bastian <jbastian@redhat.com>
      Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dace39ab
    • Tvrtko Ursulin's avatar
      drm/i915: Do not leak pages when freeing userptr objects · 0f55506b
      Tvrtko Ursulin authored
      commit c479f438 upstream.
      
      sg_alloc_table_from_pages() can build us a table with coalesced ranges which
      means we need to iterate over pages and not sg table entries when releasing
      page references.
      Signed-off-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: "Barbalho, Rafael" <rafael.barbalho@intel.com>
      Tested-by: default avatarRafael Barbalho <rafael.barbalho@intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      [danvet: Remove unused local variable sg.]
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0f55506b
    • Emil Velikov's avatar
      drm/nouveau/gpio: rename g92 class to g94 · 3b9a8b7e
      Emil Velikov authored
      commit b485a700 upstream.
      
      nv92 hardware has only 16 interrupt lines, while nv94 and later
      has 32. Accessing 0xe0c{0,4} registers on nv92 can lead to incorrect
      PDISP setup. This is a regression introduced with
      
      commit 9d0f5ec9ee0fd5dc5fc1cc2cf559286431e406e3
      Author: Ben Skeggs <bskeggs@redhat.com>
      Date:   Mon May 12 15:22:42 2014 +1000
      
          gpio: split g92 class from nv50
      
      Reported-by: estece on #nouveau
      Signed-off-by: default avatarEmil Velikov <emil.l.velikov@gmail.com>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3b9a8b7e
    • Benjamin Herrenschmidt's avatar
      drm/ast: Fix HW cursor image · e58e777b
      Benjamin Herrenschmidt authored
      commit 1e99cfa8 upstream.
      
      The translation from the X driver to the KMS one typo'ed a couple
      of array indices, causing the HW cursor to look weird (blocky with
      leaking edge colors). This fixes it.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e58e777b
    • Hans de Goede's avatar
      Input: i8042 - add noloop quirk for Asus X750LN · e1c9aa44
      Hans de Goede authored
      commit 9ff84a17 upstream.
      
      Without this the aux port does not get detected, and consequently the
      touchpad will not work.
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1110011Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e1c9aa44
    • Dmitry Torokhov's avatar
      Input: synaptics - gate forcepad support by DMI check · 332221c6
      Dmitry Torokhov authored
      commit aa972409 upstream.
      
      Unfortunately, ForcePad capability is not actually exported over PS/2, so
      we have to resort to DMI checks.
      Reported-by: default avatarNicole Faerber <nicole.faerber@kernelconcepts.de>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      332221c6
    • Mikulas Patocka's avatar
      framebuffer: fix border color · 4187f126
      Mikulas Patocka authored
      commit f74a289b upstream.
      
      The framebuffer code uses the current background color to fill the border
      when switching consoles, however, this results in inconsistent behavior.
      For example:
      - start Midnigh Commander
      - the border is black
      - switch to another console and switch back
      - the border is cyan
      - type something into the command line in mc
      - the border is cyan
      - switch to another console and switch back
      - the border is black
      - press F9 to go to menu
      - the border is black
      - switch to another console and switch back
      - the border is dark blue
      
      When switching to a console with Midnight Commander, the border is random
      color that was left selected by the slang subsystem.
      
      This patch fixes this inconsistency by always using black as the
      background color when switching consoles.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4187f126
    • Mikulas Patocka's avatar
      framebuffer: fix screen corruption when copying · 450c8ecd
      Mikulas Patocka authored
      commit 5b789da8 upstream.
      
      The function bitcpy_rev has a bug that may result in screen corruption.
      The bug happens under these conditions:
      * the end of the destination area of a copy operation is aligned on a long
        word boundary
      * the end of the source area is not aligned on a long word boundary
      * we are copying more than one long word
      
      In this case, the variable shift is non-zero and the variable first is
      zero. The statements FB_WRITEL(comp(d0, FB_READL(dst), first), dst) reads
      the last long word of the destination and writes it back unchanged
      (because first is zero). Correctly, we should write the variable d0 to the
      last word of the destination in this case.
      
      This patch fixes the bug by introducing and extra test if first is zero.
      
      The patch also removes the references to fb_memmove in the code that is
      commented out because fb_memmove was removed from framebuffer subsystem.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      450c8ecd
    • Prarit Bhargava's avatar
      modules, lock around setting of MODULE_STATE_UNFORMED · c5029ed4
      Prarit Bhargava authored
      commit d3051b48 upstream.
      
      A panic was seen in the following sitation.
      
      There are two threads running on the system. The first thread is a system
      monitoring thread that is reading /proc/modules. The second thread is
      loading and unloading a module (in this example I'm using my simple
      dummy-module.ko).  Note, in the "real world" this occurred with the qlogic
      driver module.
      
      When doing this, the following panic occurred:
      
       ------------[ cut here ]------------
       kernel BUG at kernel/module.c:3739!
       invalid opcode: 0000 [#1] SMP
       Modules linked in: binfmt_misc sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw igb gf128mul glue_helper iTCO_wdt iTCO_vendor_support ablk_helper ptp sb_edac cryptd pps_core edac_core shpchp i2c_i801 pcspkr wmi lpc_ich ioatdma mfd_core dca ipmi_si nfsd ipmi_msghandler auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm isci drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: dummy_module]
       CPU: 37 PID: 186343 Comm: cat Tainted: GF          O--------------   3.10.0+ #7
       Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013
       task: ffff8807fd2d8000 ti: ffff88080fa7c000 task.ti: ffff88080fa7c000
       RIP: 0010:[<ffffffff810d64c5>]  [<ffffffff810d64c5>] module_flags+0xb5/0xc0
       RSP: 0018:ffff88080fa7fe18  EFLAGS: 00010246
       RAX: 0000000000000003 RBX: ffffffffa03b5200 RCX: 0000000000000000
       RDX: 0000000000001000 RSI: ffff88080fa7fe38 RDI: ffffffffa03b5000
       RBP: ffff88080fa7fe28 R08: 0000000000000010 R09: 0000000000000000
       R10: 0000000000000000 R11: 000000000000000f R12: ffffffffa03b5000
       R13: ffffffffa03b5008 R14: ffffffffa03b5200 R15: ffffffffa03b5000
       FS:  00007f6ae57ef740(0000) GS:ffff88101e7a0000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000404f70 CR3: 0000000ffed48000 CR4: 00000000001407e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
       Stack:
        ffffffffa03b5200 ffff8810101e4800 ffff88080fa7fe70 ffffffff810d666c
        ffff88081e807300 000000002e0f2fbf 0000000000000000 ffff88100f257b00
        ffffffffa03b5008 ffff88080fa7ff48 ffff8810101e4800 ffff88080fa7fee0
       Call Trace:
        [<ffffffff810d666c>] m_show+0x19c/0x1e0
        [<ffffffff811e4d7e>] seq_read+0x16e/0x3b0
        [<ffffffff812281ed>] proc_reg_read+0x3d/0x80
        [<ffffffff811c0f2c>] vfs_read+0x9c/0x170
        [<ffffffff811c1a58>] SyS_read+0x58/0xb0
        [<ffffffff81605829>] system_call_fastpath+0x16/0x1b
       Code: 48 63 c2 83 c2 01 c6 04 03 29 48 63 d2 eb d9 0f 1f 80 00 00 00 00 48 63 d2 c6 04 13 2d 41 8b 0c 24 8d 50 02 83 f9 01 75 b2 eb cb <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
       RIP  [<ffffffff810d64c5>] module_flags+0xb5/0xc0
        RSP <ffff88080fa7fe18>
      
          Consider the two processes running on the system.
      
          CPU 0 (/proc/modules reader)
          CPU 1 (loading/unloading module)
      
          CPU 0 opens /proc/modules, and starts displaying data for each module by
          traversing the modules list via fs/seq_file.c:seq_open() and
          fs/seq_file.c:seq_read().  For each module in the modules list, seq_read
          does
      
                  op->start()  <-- this is a pointer to m_start()
                  op->show()   <- this is a pointer to m_show()
                  op->stop()   <-- this is a pointer to m_stop()
      
          The m_start(), m_show(), and m_stop() module functions are defined in
          kernel/module.c. The m_start() and m_stop() functions acquire and release
          the module_mutex respectively.
      
          ie) When reading /proc/modules, the module_mutex is acquired and released
          for each module.
      
          m_show() is called with the module_mutex held.  It accesses the module
          struct data and attempts to write out module data.  It is in this code
          path that the above BUG_ON() warning is encountered, specifically m_show()
          calls
      
          static char *module_flags(struct module *mod, char *buf)
          {
                  int bx = 0;
      
                  BUG_ON(mod->state == MODULE_STATE_UNFORMED);
          ...
      
          The other thread, CPU 1, in unloading the module calls the syscall
          delete_module() defined in kernel/module.c.  The module_mutex is acquired
          for a short time, and then released.  free_module() is called without the
          module_mutex.  free_module() then sets mod->state = MODULE_STATE_UNFORMED,
          also without the module_mutex.  Some additional code is called and then the
          module_mutex is reacquired to remove the module from the modules list:
      
              /* Now we can delete it from the lists */
              mutex_lock(&module_mutex);
              stop_machine(__unlink_module, mod, NULL);
              mutex_unlock(&module_mutex);
      
      This is the sequence of events that leads to the panic.
      
      CPU 1 is removing dummy_module via delete_module().  It acquires the
      module_mutex, and then releases it.  CPU 1 has NOT set dummy_module->state to
      MODULE_STATE_UNFORMED yet.
      
      CPU 0, which is reading the /proc/modules, acquires the module_mutex and
      acquires a pointer to the dummy_module which is still in the modules list.
      CPU 0 calls m_show for dummy_module.  The check in m_show() for
      MODULE_STATE_UNFORMED passed for dummy_module even though it is being
      torn down.
      
      Meanwhile CPU 1, which has been continuing to remove dummy_module without
      holding the module_mutex, now calls free_module() and sets
      dummy_module->state to MODULE_STATE_UNFORMED.
      
      CPU 0 now calls module_flags() with dummy_module and ...
      
      static char *module_flags(struct module *mod, char *buf)
      {
              int bx = 0;
      
              BUG_ON(mod->state == MODULE_STATE_UNFORMED);
      
      and BOOM.
      
      Acquire and release the module_mutex lock around the setting of
      MODULE_STATE_UNFORMED in the teardown path, which should resolve the
      problem.
      
      Testing: In the unpatched kernel I can panic the system within 1 minute by
      doing
      
      while (true) do insmod dummy_module.ko; rmmod dummy_module.ko; done
      
      and
      
      while (true) do cat /proc/modules; done
      
      in separate terminals.
      
      In the patched kernel I was able to run just over one hour without seeing
      any issues.  I also verified the output of panic via sysrq-c and the output
      of /proc/modules looks correct for all three states for the dummy_module.
      
              dummy_module 12661 0 - Unloading 0xffffffffa03a5000 (OE-)
              dummy_module 12661 0 - Live 0xffffffffa03bb000 (OE)
              dummy_module 14015 1 - Loading 0xffffffffa03a5000 (OE+)
      Signed-off-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Reviewed-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c5029ed4
    • Alexey Khoroshilov's avatar
      dm log userspace: fix memory leak in dm_ulog_tfr_init failure path · 04b2550a
      Alexey Khoroshilov authored
      commit 56ec16cb upstream.
      
      If cn_add_callback() fails in dm_ulog_tfr_init(), it does not
      deallocate prealloced memory but calls cn_del_callback().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Reviewed-by: default avatarJonathan Brassow <jbrassow@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      04b2550a
    • Mike Snitzer's avatar
      block: fix alignment_offset math that assumes io_min is a power-of-2 · 4296b616
      Mike Snitzer authored
      commit b8839b8c upstream.
      
      The math in both blk_stack_limits() and queue_limit_alignment_offset()
      assume that a block device's io_min (aka minimum_io_size) is always a
      power-of-2.  Fix the math such that it works for non-power-of-2 io_min.
      
      This issue (of alignment_offset != 0) became apparent when testing
      dm-thinp with a thinp blocksize that matches a RAID6 stripesize of
      1280K.  Commit fdfb4c8c ("dm thin: set minimum_io_size to pool's data
      block size") unlocked the potential for alignment_offset != 0 due to
      the dm-thin-pool's io_min possibly being a non-power-of-2.
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Acked-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4296b616
    • Lai Jiangshan's avatar
      drbd: compute the end before rb_insert_augmented() · 51edc20f
      Lai Jiangshan authored
      commit 82cfb90b upstream.
      
      Commit 98683650 "Merge branch 'drbd-8.4_ed6' into
      for-3.8-drivers-drbd-8.4_ed6" switches to the new augment API, but the
      new API requires that the tree is augmented before rb_insert_augmented()
      is called, which is missing.
      
      So we add the augment-code to drbd_insert_interval() when it travels the
      tree up to down before rb_insert_augmented().  See the example in
      include/linux/interval_tree_generic.h or Documentation/rbtree.txt.
      
      drbd_insert_interval() may cancel the insertion when traveling, in this
      case, the just added augment-code does nothing before cancel since the
      @this node is already in the subtrees in this case.
      
      CC: Michel Lespinasse <walken@google.com>
      Signed-off-by: default avatarLai Jiangshan <laijs@cn.fujitsu.com>
      Signed-off-by: default avatarAndreas Gruenbacher <agruen@linbit.com>
      Signed-off-by: default avatarPhilipp Reisner <philipp.reisner@linbit.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      51edc20f
    • Mikulas Patocka's avatar
      dm bufio: when done scanning return from __scan immediately · 397c6bba
      Mikulas Patocka authored
      commit 0e825862 upstream.
      
      When __scan frees the required number of buffer entries that the
      shrinker requested (nr_to_scan becomes zero) it must return.  Before
      this fix the __scan code exited only the inner loop and continued in the
      outer loop -- which could result in reduced performance due to extra
      buffers being freed (e.g. unnecessarily evicted thinp metadata needing
      to be synchronously re-read into bufio's cache).
      
      Also, move dm_bufio_cond_resched to __scan's inner loop, so that
      iterating the bufio client's lru lists doesn't result in scheduling
      latency.
      Reported-by: default avatarJoe Thornber <thornber@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      397c6bba
    • Joe Thornber's avatar
      dm bufio: update last_accessed when relinking a buffer · fd5d12b9
      Joe Thornber authored
      commit eb76faf5 upstream.
      
      The 'last_accessed' member of the dm_buffer structure was only set when
      the the buffer was created.  This led to each buffer being discarded
      after dm_bufio_max_age time even if it was used recently.  In practice
      this resulted in all thinp metadata being evicted soon after being read
      -- this is particularly problematic for metadata intensive workloads
      like multithreaded small random IO.
      
      'last_accessed' is now updated each time the buffer is moved to the head
      of the LRU list, so the buffer is now properly discarded if it was not
      used in dm_bufio_max_age time.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fd5d12b9
    • Jens Axboe's avatar
      blk-mq: fix potential hang if rolling wakeup depth is too high · 36df0107
      Jens Axboe authored
      commit abab13b5 upstream.
      
      We currently divide the queue depth by 4 as our batch wakeup
      count, but we split the wakeups over BT_WAIT_QUEUES number of
      wait queues. This defaults to 8. If the product of the resulting
      batch wake count and BT_WAIT_QUEUES is higher than the device
      queue depth, we can get into a situation where a task goes to
      sleep waiting for a request, but never gets woken up.
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Fixes: 4bb659b1Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      36df0107
    • Vitaly Kuznetsov's avatar
      xen/blkback: unmap all persistent grants when frontend gets disconnected · c4221e3f
      Vitaly Kuznetsov authored
      commit 12ea7296 upstream.
      
      blkback does not unmap persistent grants when frontend goes to Closed
      state (e.g. when blkfront module is being removed). This leads to the
      following in guest's dmesg:
      
      [  343.243825] xen:grant_table: WARNING: g.e. 0x445 still in use!
      [  343.243825] xen:grant_table: WARNING: g.e. 0x42a still in use!
      ...
      
      When load module -> use device -> unload module sequence is performed multiple times
      it is possible to hit BUG() condition in blkfront module:
      
      [  343.243825] kernel BUG at drivers/block/xen-blkfront.c:954!
      [  343.243825] invalid opcode: 0000 [#1] SMP
      [  343.243825] Modules linked in: xen_blkfront(-) ata_generic pata_acpi [last unloaded: xen_blkfront]
      ...
      [  343.243825] Call Trace:
      [  343.243825]  [<ffffffff814111ef>] ? unregister_xenbus_watch+0x16f/0x1e0
      [  343.243825]  [<ffffffffa0016fbf>] blkfront_remove+0x3f/0x140 [xen_blkfront]
      ...
      [  343.243825] RIP  [<ffffffffa0016aae>] blkif_free+0x34e/0x360 [xen_blkfront]
      [  343.243825]  RSP <ffff88001eb8fdc0>
      
      We don't need to keep these grants if we're disconnecting as frontend might already
      forgot about them. Solve the issue by moving xen_blkbk_free_caches() call from
      xen_blkif_free() to xen_blkif_disconnect().
      
      Now we can see the following:
      [  928.590893] xen:grant_table: WARNING: g.e. 0x587 still in use!
      [  928.591861] xen:grant_table: WARNING: g.e. 0x372 still in use!
      ...
      [  929.592146] xen:grant_table: freeing g.e. 0x587
      [  929.597174] xen:grant_table: freeing g.e. 0x372
      ...
      
      Backend does not keep persistent grants any more, reconnect works fine.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c4221e3f
    • Michael S. Tsirkin's avatar
      virtio_pci: fix virtio spec compliance on restore · 9dd5d30b
      Michael S. Tsirkin authored
      commit 6fbc198c upstream.
      
      On restore, virtio pci does the following:
      + set features
      + init vqs etc - device can be used at this point!
      + set ACKNOWLEDGE,DRIVER and DRIVER_OK status bits
      
      This is in violation of the virtio spec, which
      requires the following order:
      - ACKNOWLEDGE
      - DRIVER
      - init vqs
      - DRIVER_OK
      
      This behaviour will break with hypervisors that assume spec compliant
      behaviour.  It seems like a good idea to have this patch applied to
      stable branches to reduce the support butden for the hypervisors.
      
      Cc: Amit Shah <amit.shah@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9dd5d30b
    • Krzysztof Kozlowski's avatar
      power: charger-manager: Fix NULL pointer exception with missing cm-fuel-gauge · d0e18713
      Krzysztof Kozlowski authored
      commit 661a8886 upstream.
      
      NULL pointer exception happens during charger-manager probe if
      'cm-fuel-gauge' property is not present.
      
      [    2.448536] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [    2.456572] pgd = c0004000
      [    2.459217] [00000000] *pgd=00000000
      [    2.462759] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      [    2.468047] Modules linked in:
      [    2.471089] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc6-00251-ge44cf96cd525-dirty #969
      [    2.479765] task: ea890000 ti: ea87a000 task.ti: ea87a000
      [    2.485161] PC is at strcmp+0x4/0x30
      [    2.488719] LR is at power_supply_match_device_by_name+0x10/0x1c
      [    2.494695] pc : [<c01f4220>]    lr : [<c030fe38>]    psr: a0000113
      [    2.494695] sp : ea87bde0  ip : 00000000  fp : eaa97010
      [    2.506150] r10: 00000004  r9 : ea97269c  r8 : ea3bbfd0
      [    2.511360] r7 : eaa97000  r6 : c030fe28  r5 : 00000000  r4 : ea3b0000
      [    2.517869] r3 : 0000006d  r2 : 00000000  r1 : 00000000  r0 : c057c195
      [    2.524381] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      [    2.531671] Control: 10c5387d  Table: 4000404a  DAC: 00000015
      [    2.537399] Process swapper/0 (pid: 1, stack limit = 0xea87a240)
      [    2.543388] Stack: (0xea87bde0 to 0xea87c000)
      [    2.547733] bde0: ea3b0210 c026b1c8 eaa97010 eaa97000 eaa97010 eabb60a8 ea3b0210 00000000
      [    2.555891] be00: 00000008 ea2db210 ea1a3410 c030fee0 ea3bbf90 c03138fc c068969c c013526c
      [    2.564050] be20: eaa040c0 00000000 c068969c 00000000 eaa040c0 ea2da300 00000002 00000000
      [    2.572208] be40: 00000001 ea2da3c0 00000000 00000001 00000000 eaa97010 c068969c 00000000
      [    2.580367] be60: 00000000 c068969c 00000000 00000002 00000000 c026b71c c026b6f0 eaa97010
      [    2.588527] be80: c0e82530 c026a330 00000000 eaa97010 c068969c eaa97044 00000000 c061df50
      [    2.596686] bea0: ea87a000 c026a4dc 00000000 c068969c c026a448 c0268b5c ea8054a8 eaa8fd50
      [    2.604845] bec0: c068969c ea2db180 c06801f8 c0269b18 c0590f68 c068969c c0656c98 c068969c
      [    2.613004] bee0: c0656c98 ea3bbe40 c06988c0 c026aaf0 00000000 c0656c98 c0656c98 c00088a4
      [    2.621163] bf00: 00000000 c0055f48 00000000 00000004 00000000 ea890000 c05dbc54 c062c178
      [    2.629323] bf20: c0603518 c005f674 00000001 ea87a000 eb7ff83b c0476440 00000091 c003d41c
      [    2.637482] bf40: c05db344 00000007 eb7ff858 00000007 c065a76c c0647d24 00000007 c062c170
      [    2.645642] bf60: c06988c0 00000091 c062c178 c0603518 00000000 c0603cc4 00000007 00000007
      [    2.653801] bf80: c0603518 c0c0c0c0 00000000 c0453948 00000000 00000000 00000000 00000000
      [    2.661959] bfa0: 00000000 c0453950 00000000 c000e728 00000000 00000000 00000000 00000000
      [    2.670118] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    2.678277] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0
      [    2.686454] [<c01f4220>] (strcmp) from [<c030fe38>] (power_supply_match_device_by_name+0x10/0x1c)
      [    2.695303] [<c030fe38>] (power_supply_match_device_by_name) from [<c026b1c8>] (class_find_device+0x54/0xac)
      [    2.705106] [<c026b1c8>] (class_find_device) from [<c030fee0>] (power_supply_get_by_name+0x1c/0x30)
      [    2.714137] [<c030fee0>] (power_supply_get_by_name) from [<c03138fc>] (charger_manager_probe+0x3d8/0xe58)
      [    2.723683] [<c03138fc>] (charger_manager_probe) from [<c026b71c>] (platform_drv_probe+0x2c/0x5c)
      [    2.732532] [<c026b71c>] (platform_drv_probe) from [<c026a330>] (driver_probe_device+0x10c/0x224)
      [    2.741384] [<c026a330>] (driver_probe_device) from [<c026a4dc>] (__driver_attach+0x94/0x98)
      [    2.749813] [<c026a4dc>] (__driver_attach) from [<c0268b5c>] (bus_for_each_dev+0x54/0x88)
      [    2.757969] [<c0268b5c>] (bus_for_each_dev) from [<c0269b18>] (bus_add_driver+0xd4/0x1d0)
      [    2.766123] [<c0269b18>] (bus_add_driver) from [<c026aaf0>] (driver_register+0x78/0xf4)
      [    2.774110] [<c026aaf0>] (driver_register) from [<c00088a4>] (do_one_initcall+0x80/0x1bc)
      [    2.782276] [<c00088a4>] (do_one_initcall) from [<c0603cc4>] (kernel_init_freeable+0x100/0x1cc)
      [    2.790952] [<c0603cc4>] (kernel_init_freeable) from [<c0453950>] (kernel_init+0x8/0xec)
      [    2.799029] [<c0453950>] (kernel_init) from [<c000e728>] (ret_from_fork+0x14/0x2c)
      [    2.806572] Code: e12fff1e e1a03000 eafffff7 e4d03001 (e4d12001)
      [    2.812832] ---[ end trace 7f12556111b9e7ef ]---
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Fixes: 856ee611 ("charger-manager: Support deivce tree in charger manager driver")
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d0e18713
    • Stephen Smalley's avatar
      selinux: fix inode security list corruption · bb62683e
      Stephen Smalley authored
      commit 923190d3 upstream.
      
      sb_finish_set_opts() can race with inode_free_security()
      when initializing inode security structures for inodes
      created prior to initial policy load or by the filesystem
      during ->mount().   This appears to have always been
      a possible race, but commit 3dc91d43 ("SELinux:  Fix possible
      NULL pointer dereference in selinux_inode_permission()")
      made it more evident by immediately reusing the unioned
      list/rcu element  of the inode security structure for call_rcu()
      upon an inode_free_security().  But the underlying issue
      was already present before that commit as a possible use-after-free
      of isec.
      
      Shivnandan Kumar reported the list corruption and proposed
      a patch to split the list and rcu elements out of the union
      as separate fields of the inode_security_struct so that setting
      the rcu element would not affect the list element.  However,
      this would merely hide the issue and not truly fix the code.
      
      This patch instead moves up the deletion of the list entry
      prior to dropping the sbsec->isec_lock initially.  Then,
      if the inode is dropped subsequently, there will be no further
      references to the isec.
      Reported-by: default avatarShivnandan Kumar <shivnandan.k@samsung.com>
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      bb62683e
    • Chris Ball's avatar
      mfd: rtsx_pcr: Fix MSI enable error handling · 2192ea7d
      Chris Ball authored
      commit 51529705 upstream.
      
      pci_enable_msi() can return failure with both positive and negative
      integers -- it returns 0 for success -- but is only tested here for
      "if (ret < 0)".  This causes us to try to use MSI on the RTS5249 SD
      reader in the Dell XPS 11 when enabling MSI failed, causing:
      
      [    1.737110] rtsx_pci: probe of 0000:05:00.0 failed with error -110
      Reported-by: default avatarD. Jared Dominguez <Jared_Dominguez@Dell.com>
      Tested-by: default avatarD. Jared Dominguez <Jared_Dominguez@Dell.com>
      Signed-off-by: default avatarChris Ball <chris@printf.net>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2192ea7d
    • Sebastian Andrzej Siewior's avatar
      mfd: ti_am335x_tscadc: Fix TSC resume · c5a2357f
      Sebastian Andrzej Siewior authored
      commit 6a71f38d upstream.
      
      In the resume path, the ADC invokes am335x_tsc_se_set_cache() with 0 as
      the steps argument if continous mode is not in use. This in turn disables
      all steps and so the TSC is not working until one ADC sampling is
      performed.
      
      This patch fixes it by writing the current cached mask instead of the
      passed steps.
      
      Fixes: 7ca6740c ("mfd: input: iio: ti_amm335x: Rework TSC/ADCA
      synchronization")
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c5a2357f
    • Vignesh R's avatar
      mfd: ti_am335x_tscadc: Fix TSC operation after ADC continouous mode · 4cc4c1f4
      Vignesh R authored
      commit 6ac734d2 upstream.
      
      After enabling and disabling ADC continuous mode via sysfs, ts_print_raw
      fails to return any data. This is because when ADC is configured for
      continuous mode, it disables touch screen steps.These steps are not
      re-enabled when ADC continuous mode is disabled. Therefore existing values
      of REG_SE needs to be cached before enabling continuous mode and
      disabling touch screen steps and enabling ADC steps. The cached value
      are to be restored to REG_SE once ADC is disabled.
      
      Fixes: 7ca6740c ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4cc4c1f4
    • Martin Schwidefsky's avatar
      s390/topology: call set_sched_topology early · 8d765b88
      Martin Schwidefsky authored
      commit 48e9a6c1 upstream.
      
      The call to topology_init is too late for the set_sched_topology call.
      The initial scheduling domain structure has already been established
      with default topology array. Use the smp_cpus_done() call to get the
      s390 specific topology array registered early enough.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8d765b88