1. 06 May, 2015 40 commits
    • Alexander Duyck's avatar
      jhash: Update jhash_[321]words functions to use correct initval · 6c380a76
      Alexander Duyck authored
      commit 2e7056c4 upstream.
      
      Looking over the implementation for jhash2 and comparing it to jhash_3words
      I realized that the two hashes were in fact very different.  Doing a bit of
      digging led me to "The new jhash implementation" in which lookup2 was
      supposed to have been replaced with lookup3.
      
      In reviewing the patch I noticed that jhash2 had originally initialized a
      and b to JHASH_GOLDENRATIO and c to initval, but after the patch a, b, and
      c were initialized to initval + (length << 2) + JHASH_INITVAL.  However the
      changes in jhash_3words simply replaced the initialization of a and b with
      JHASH_INITVAL.
      
      This change corrects what I believe was an oversight so that a, b, and c in
      jhash_3words all have the same value added consisting of initval + (length
      << 2) + JHASH_INITVAL so that jhash2 and jhash_3words will now produce the
      same hash result given the same inputs.
      
      Fixes: 60d509c8 ("The new jhash implementation")
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6c380a76
    • Russell King's avatar
      ARM: fix broken hibernation · 33c40643
      Russell King authored
      commit 767bf7e7 upstream.
      
      Normally, when a CPU wants to clear a cache line to zero in the external
      L2 cache, it would generate bus cycles to write each word as it would do
      with any other data access.
      
      However, a Cortex A9 connected to a L2C-310 has a specific feature where
      the CPU can detect this operation, and signal that it wants to zero an
      entire cache line.  This feature, known as Full Line of Zeros (FLZ),
      involves a non-standard AXI signalling mechanism which only the L2C-310
      can properly interpret.
      
      There are separate enable bits in both the L2C-310 and the Cortex A9 -
      the L2C-310 needs to be enabled and have the FLZ enable bit set in the
      auxiliary control register before the Cortex A9 has this feature
      enabled.
      
      Unfortunately, the suspend code was not respecting this - it's not
      obvious from the code:
      
      swsusp_arch_suspend()
       cpu_suspend() /* saves the Cortex A9 auxiliary control register */
        arch_save_image()
        soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */
         cpu_resume() /* restores the Cortex A9 registers, inc auxcr */
      
      At this point, we end up with the L2C disabled, but the Cortex A9 with
      FLZ enabled - which means any memset() or zeroing of a full cache line
      will fail to take effect.
      
      A similar issue exists in the resume path, but it's slightly more
      complex:
      
      swsusp_arch_suspend()
       cpu_suspend() /* saves the Cortex A9 auxiliary control register */
        arch_save_image() /* image with A9 auxcr saved */
      ...
      swsusp_arch_resume()
       call_with_stack()
        arch_restore_image() /* restores image with A9 auxcr saved above */
        soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */
         cpu_resume() /* restores the Cortex A9 registers, inc auxcr */
      
      Again, here we end up with the L2C disabled, but Cortex A9 FLZ enabled.
      
      There's no need to turn off the L2C in either of these two paths; there
      are benefits from not doing so - for example, the page copies will be
      faster with the L2C enabled.
      
      Hence, fix this by providing a variant of soft_restart() which can be
      used without turning the L2 cache controller off, and use it in both
      of these paths to keep the L2C enabled across the respective resume
      transitions.
      
      Fixes: 8ef418c7 ("ARM: l2c: trial at enabling some Cortex-A9 optimisations")
      Reported-by: default avatarSean Cross <xobs@kosagi.com>
      Tested-by: default avatarSean Cross <xobs@kosagi.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      33c40643
    • Vutla, Lokesh's avatar
      crypto: omap-aes - Fix support for unequal lengths · 49b416bb
      Vutla, Lokesh authored
      commit 6d7e7e02 upstream.
      
      For cases where total length of an input SGs is not same as
      length of the input data for encryption, omap-aes driver
      crashes. This happens in the case when IPsec is trying to use
      omap-aes driver.
      
      To avoid this, we copy all the pages from the input SG list
      into a contiguous buffer and prepare a single element SG list
      for this buffer with length as the total bytes to crypt, which is
      similar thing that is done in case of unaligned lengths.
      
      Fixes: 6242332f ("crypto: omap-aes - Add support for cases of unaligned lengths")
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      49b416bb
    • Chuck Lever's avatar
      xprtrdma: Prevent infinite loop in rpcrdma_ep_create() · 1658f40e
      Chuck Lever authored
      commit 41f97028 upstream.
      
      If a provider advertizes a zero max_fast_reg_page_list_len, FRWR
      depth detection loops forever. Instead of just failing the mount,
      try other memory registration modes.
      
      Fixes: 0fc6c4e7 ("xprtrdma: mind the device's max fast . . .")
      Reported-by: default avatarDevesh Sharma <Devesh.Sharma@Emulex.Com>
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Tested-by: default avatarDevesh Sharma <Devesh.Sharma@Emulex.Com>
      Tested-by: default avatarMeghana Cheripady <Meghana.Cheripady@Emulex.Com>
      Tested-by: default avatarVeeresh U. Kokatnur <veereshuk@chelsio.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      [ luis: backported to 3.16:
        - devattr struct isn't a pointer ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1658f40e
    • Nishanth Menon's avatar
      C6x: time: Ensure consistency in __init · 08ba9e1c
      Nishanth Menon authored
      commit f4831605 upstream.
      
      time_init invokes timer64_init (which is __init annotation)
      since all of these are invoked at init time, lets maintain
      consistency by ensuring time_init is marked appropriately
      as well.
      
      This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y
      
      WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init()
      The function time_init() references
      the function __init timer64_init().
      This is often because time_init lacks a __init
      annotation or the annotation of timer64_init is wrong.
      
      Fixes: 546a3954 ("C6X: time management")
      Signed-off-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarMark Salter <msalter@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      08ba9e1c
    • Junjie Mao's avatar
      driver core: bus: Goto appropriate labels on failure in bus_add_device · 2759fc53
      Junjie Mao authored
      commit 1c34203a upstream.
      
      It is not necessary to call device_remove_groups() when device_add_groups()
      fails.
      
      The group added by device_add_groups() should be removed if sysfs_create_link()
      fails.
      
      Fixes: fa6fdb33 ("driver core: bus_type: add dev_groups")
      Signed-off-by: default avatarJunjie Mao <junjie_mao@yeah.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2759fc53
    • Mark Rutland's avatar
      arm64: head.S: ensure visibility of page tables · 85e68cfc
      Mark Rutland authored
      commit 91d57155 upstream.
      
      After writing the page tables, we use __inval_cache_range to invalidate
      any stale cache entries. Strongly Ordered memory accesses are not
      ordered w.r.t. cache maintenance instructions, and hence explicit memory
      barriers are required to provide this ordering. However,
      __inval_cache_range was written to be used on Normal Cacheable memory
      once the MMU and caches are on, and does not have any barriers prior to
      the DC instructions.
      
      This patch adds a DMB between the page tables being written and the
      corresponding cachelines being invalidated, ensuring that the
      invalidation makes the new data visible to subsequent cacheable
      accesses. A barrier is not required before the prior invalidate as we do
      not access the page table memory area prior to this, and earlier
      barriers in preserve_boot_args and set_cpu_boot_mode_flag ensures
      ordering w.r.t. any stores performed prior to entering Linux.
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Fixes: c218bca7 ("arm64: Relax the kernel cache requirements for boot")
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      85e68cfc
    • Archit Taneja's avatar
      clk: qcom: fix RCG M/N counter configuration · 4138de54
      Archit Taneja authored
      commit 0b21503d upstream.
      
      Currently, a RCG's M/N counter (used for fraction division) is
      set to either 'bypass' (counter disabled) or 'dual edge' (counter
      enabled) based on whether the corresponding rcg struct has a mnd
      field specified and a non-zero N.
      
      In the case where M and N are the same value, the M/N counter is
      still enabled by code even though no division takes place.
      Leaving the RCG in such a state can result in improper behavior.
      This was observed with the DSI pixel clock RCG when M and N were
      both set to 1.
      
      Add an additional check (M != N) to enable the M/N counter only
      when it's needed for fraction division.
      Signed-off-by: default avatarArchit Taneja <architt@codeaurora.org>
      Fixes: bcd61c0f (clk: qcom: Add support for root clock
      generators (RCGs))
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4138de54
    • mancha security's avatar
      lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR · 6f613f37
      mancha security authored
      commit 0b053c95 upstream.
      
      OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
      ensure protection from dead store optimization.
      
      For the random driver and crypto drivers, calls are emitted ...
      
        $ gdb vmlinux
        (gdb) disassemble memzero_explicit
        Dump of assembler code for function memzero_explicit:
          0xffffffff813a18b0 <+0>:	push   %rbp
          0xffffffff813a18b1 <+1>:	mov    %rsi,%rdx
          0xffffffff813a18b4 <+4>:	xor    %esi,%esi
          0xffffffff813a18b6 <+6>:	mov    %rsp,%rbp
          0xffffffff813a18b9 <+9>:	callq  0xffffffff813a7120 <memset>
          0xffffffff813a18be <+14>:	pop    %rbp
          0xffffffff813a18bf <+15>:	retq
        End of assembler dump.
      
        (gdb) disassemble extract_entropy
        [...]
          0xffffffff814a5009 <+313>:	mov    %r12,%rdi
          0xffffffff814a500c <+316>:	mov    $0xa,%esi
          0xffffffff814a5011 <+321>:	callq  0xffffffff813a18b0 <memzero_explicit>
          0xffffffff814a5016 <+326>:	mov    -0x48(%rbp),%rax
        [...]
      
      ... but in case in future we might use facilities such as LTO, then
      OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
      eviction of the memset(). We have to use a compiler barrier instead.
      
      Minimal test example when we assume memzero_explicit() would *not* be
      a call, but would have been *inlined* instead:
      
        static inline void memzero_explicit(void *s, size_t count)
        {
          memset(s, 0, count);
          <foo>
        }
      
        int main(void)
        {
          char buff[20];
      
          snprintf(buff, sizeof(buff) - 1, "test");
          printf("%s", buff);
      
          memzero_explicit(buff, sizeof(buff));
          return 0;
        }
      
      With <foo> := OPTIMIZER_HIDE_VAR():
      
        (gdb) disassemble main
        Dump of assembler code for function main:
        [...]
         0x0000000000400464 <+36>:	callq  0x400410 <printf@plt>
         0x0000000000400469 <+41>:	xor    %eax,%eax
         0x000000000040046b <+43>:	add    $0x28,%rsp
         0x000000000040046f <+47>:	retq
        End of assembler dump.
      
      With <foo> := barrier():
      
        (gdb) disassemble main
        Dump of assembler code for function main:
        [...]
         0x0000000000400464 <+36>:	callq  0x400410 <printf@plt>
         0x0000000000400469 <+41>:	movq   $0x0,(%rsp)
         0x0000000000400471 <+49>:	movq   $0x0,0x8(%rsp)
         0x000000000040047a <+58>:	movl   $0x0,0x10(%rsp)
         0x0000000000400482 <+66>:	xor    %eax,%eax
         0x0000000000400484 <+68>:	add    $0x28,%rsp
         0x0000000000400488 <+72>:	retq
        End of assembler dump.
      
      As can be seen, movq, movq, movl are being emitted inlined
      via memset().
      
      Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
      Fixes: d4c5efdb ("random: add and use memzero_explicit() for clearing data")
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarmancha security <mancha1@zoho.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6f613f37
    • Bruno Prémont's avatar
      apple-gmux: lock iGP IO to protect from vgaarb changes · 126c7689
      Bruno Prémont authored
      commit 4eebd5a4 upstream.
      
      As GMUX depends on IO for iGP to be enabled and active, lock the IO at
      vgaarb level. This should prevent GPU driver for dGPU to disable IO for
      iGP while it tries to own legacy VGA IO.
      
      This fixes usage of backlight control combined with closed nvidia
      driver on some Apple dual-GPU (intel/nvidia) systems.
      
      On those systems loading nvidia driver disables intel IO decoding,
      disabling the gmux backlight controls as a side effect.
      Prior to commits moving boot_vga from (optional) efifb to less optional
      vgaarb this mis-behavior could be avoided by using right kernel config
      (efifb enabled but vgaarb disabled).
      
      This patch explicitly does not try to trigger vgaarb changes in order
      to avoid confusing already running graphics drivers. If IO has been
      mis-configured by vgaarb gmux will thus fail to probe.
      It is expected to load/probe gmux prior to graphics drivers.
      
      Fixes: ce027dac # nvidia interaction
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=86121Reported-by: default avatarPetri Hodju <petrihodju@yahoo.com>
      Tested-by: default avatarPetri Hodju <petrihodju@yahoo.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Matthew Garrett <matthew.garrett@nebula.com>
      Signed-off-by: default avatarBruno Prémont <bonbons@linux-vserver.org>
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      126c7689
    • Simon Horman's avatar
      ARM: shmobile: r8a7790: Correct SYSCIER value · 351c5434
      Simon Horman authored
      commit ee72f6ad upstream.
      
      Set the SYSCIER as per the values indicated in the documentation.
      The value previously used appears to been copied from the r8a7779
      implementation but on closer inspection is not correct for the r8a7790.
      
      Fixes: a48f1655 ("ARM: shmobile: r8a7790 SYSC setup code")
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      351c5434
    • Nicolas Iooss's avatar
      wl18xx: show rx_frames_per_rates as an array as it really is · fbe9ed3e
      Nicolas Iooss authored
      commit a3fa71c4 upstream.
      
      In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an
      array, not a number.  This means WL18XX_DEBUGFS_FWSTATS_FILE can't be
      used to display this field in debugfs (it would display a pointer, not
      the actual data).  Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead.
      
      This bug has been found by adding a __printf attribute to
      wl1271_format_buffer.  gcc complained about "format '%u' expects
      argument of type 'unsigned int', but argument 5 has type 'u32 *'".
      
      Fixes: c5d94169 ("wl18xx: use new fw stats structures")
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fbe9ed3e
    • Sabrina Dubroca's avatar
      e1000: add dummy allocator to fix race condition between mtu change and netpoll · d8f5d356
      Sabrina Dubroca authored
      commit 08e83316 upstream.
      
      There is a race condition between e1000_change_mtu's cleanups and
      netpoll, when we change the MTU across jumbo size:
      
      Changing MTU frees all the rx buffers:
          e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings ->
              e1000_clean_rx_ring
      
      Then, close to the end of e1000_change_mtu:
          pr_info -> ... -> netpoll_poll_dev -> e1000_clean ->
              e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag
      
      And when we come back to do the rest of the MTU change:
          e1000_up -> e1000_configure -> e1000_configure_rx ->
              e1000_alloc_jumbo_rx_buffers
      
      alloc_jumbo finds the buffers already != NULL, since data (shared with
      page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage,
      or at least not what is expected when in jumbo state.
      
      This results in an unusable adapter (packets don't get through), and a
      NULL pointer dereference on the next call to e1000_clean_rx_ring
      (other mtu change, link down, shutdown):
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff81194d6e>] put_compound_page+0x7e/0x330
      
          [...]
      
      Call Trace:
       [<ffffffff81195445>] put_page+0x55/0x60
       [<ffffffff815d9f44>] e1000_clean_rx_ring+0x134/0x200
       [<ffffffff815da055>] e1000_clean_all_rx_rings+0x45/0x60
       [<ffffffff815df5e0>] e1000_down+0x1c0/0x1d0
       [<ffffffff811e2260>] ? deactivate_slab+0x7f0/0x840
       [<ffffffff815e21bc>] e1000_change_mtu+0xdc/0x170
       [<ffffffff81647050>] dev_set_mtu+0xa0/0x140
       [<ffffffff81664218>] do_setlink+0x218/0xac0
       [<ffffffff814459e9>] ? nla_parse+0xb9/0x120
       [<ffffffff816652d0>] rtnl_newlink+0x6d0/0x890
       [<ffffffff8104f000>] ? kvm_clock_read+0x20/0x40
       [<ffffffff810a2068>] ? sched_clock_cpu+0xa8/0x100
       [<ffffffff81663802>] rtnetlink_rcv_msg+0x92/0x260
      
      By setting the allocator to a dummy version, netpoll can't mess up our
      rx buffers.  The allocator is set back to a sane value in
      e1000_configure_rx.
      
      Fixes: edbbb3ca ("e1000: implement jumbo receive with partial descriptors")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d8f5d356
    • Benjamin Herrenschmidt's avatar
      drivers/of: Add empty ranges quirk for PA-Semi · 2e3e9f18
      Benjamin Herrenschmidt authored
      commit a5ed1ad0 upstream.
      
      The "sdc" node is missing the ranges property, it needs to be treated
      as having an empty one otherwise translation fails for its children.
      
      Fixes 746c9e9f, "of/base: Fix PowerPC address parsing hack"
      Tested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGrant Likely <grant.likely@linaro.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2e3e9f18
    • Al Viro's avatar
      RCU pathwalk breakage when running into a symlink overmounting something · 4216710d
      Al Viro authored
      commit 3cab989a upstream.
      
      Calling unlazy_walk() in walk_component() and do_last() when we find
      a symlink that needs to be followed doesn't acquire a reference to vfsmount.
      That's fine when the symlink is on the same vfsmount as the parent directory
      (which is almost always the case), but it's not always true - one _can_
      manage to bind a symlink on top of something.  And in such cases we end up
      with excessive mntput().
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4216710d
    • Rafael J. Wysocki's avatar
      ACPI / scan: Annotate physical_node_lock in acpi_scan_is_offline() · 07e6af17
      Rafael J. Wysocki authored
      commit 4c533c80 upstream.
      
      acpi_scan_is_offline() may be called under the physical_node_lock
      lock of the given device object's parent, so prevent lockdep from
      complaining about that by annotating that instance with
      SINGLE_DEPTH_NESTING.
      
      Fixes: caa73ea1 (ACPI / hotplug / driver core: Handle containers in a special way)
      Reported-and-tested-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
      Reviewed-by: default avatarToshi Kani <toshi.kani@hp.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      07e6af17
    • Imre Deak's avatar
      drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg · 34d6f486
      Imre Deak authored
      commit b5f1c97f upstream.
      
      Due this typo we don't save/restore the GFX_MAX_REQ_COUNT register across
      suspend/resume, so fix this.
      
      This was introduced in
      
      commit ddeea5b0
      Author: Imre Deak <imre.deak@intel.com>
      Date:   Mon May 5 15:19:56 2014 +0300
      
          drm/i915: vlv: add runtime PM support
      
      I noticed this only by reading the code. To my knowledge it shouldn't
      cause any real problems at the moment, since the power well backing this
      register remains on across a runtime s/r. This may change once
      system-wide s0ix functionality is enabled in the kernel.
      
      v2:
      - resend after a missing git add -u :/
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Tested-By: PRC QA PRTS (Patch Regression Test System Contact: shuang.he@intel.com)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      34d6f486
    • Dmitry Torokhov's avatar
      drm/i915: cope with large i2c transfers · 46f080a6
      Dmitry Torokhov authored
      commit 9535c475 upstream.
      
      The hardware, according to the specs, is limited to 256 byte transfers,
      and current driver has no protections in case users attempt to do larger
      transfers. The code will just stomp over status register and mayhem
      ensues.
      
      Let's split larger transfers into digestable chunks. Doing this allows
      Atmel MXT driver on Pixel 1 function properly (it hasn't since commit
      9d8dc3e5 "Input: atmel_mxt_ts -
      implement T44 message handling" which tries to consume multiple
      touchscreen/touchpad reports in a single transaction).
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      46f080a6
    • Jeff Layton's avatar
      nfs: fix high load average due to callback thread sleeping · d9a3f2e5
      Jeff Layton authored
      commit 5d05e54a upstream.
      
      Chuck pointed out a problem that crept in with commit 6ffa30d3 (nfs:
      don't call blocking operations while !TASK_RUNNING). Linux counts tasks
      in uninterruptible sleep against the load average, so this caused the
      system's load average to be pinned at at least 1 when there was a
      NFSv4.1+ mount active.
      
      Not a huge problem, but it's probably worth fixing before we get too
      many complaints about it. This patch converts the code back to use
      TASK_INTERRUPTIBLE sleep, simply has it flush any signals on each loop
      iteration. In practice no one should really be signalling this thread at
      all, so I think this is reasonably safe.
      
      With this change, there's also no need to game the hung task watchdog so
      we can also convert the schedule_timeout call back to a normal schedule.
      Reported-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJeff Layton <jeff.layton@primarydata.com>
      Tested-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Fixes: commit 6ffa30d3 (“nfs: don't call blocking . . .”)
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d9a3f2e5
    • Charles Keepax's avatar
      i2c: Mark adapter devices with pm_runtime_no_callbacks · aba636b8
      Charles Keepax authored
      commit 6ada5c1e upstream.
      
      Commit 523c5b89 ("i2c: Remove support for legacy PM") removed the PM
      ops from the bus type, which causes the pm operations on the s3c2410
      adapter device to fail (-ENOSUPP in rpm_callback). The adapter device
      doesn't get bound to a driver and as such can't have its own pm_runtime
      callbacks. Previously this was fine as the bus callbacks would have been
      used, but now this can cause devices which use PM runtime and are
      attached over I2C to fail to resume.
      
      This commit fixes this issue by marking all adapter devices with
      pm_runtime_no_callbacks, since they can't have any.
      Signed-off-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Acked-by: default avatarBeata Michalska <b.michalska@samsung.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Fixes: 523c5b89Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      aba636b8
    • Dmitry Torokhov's avatar
      i2c: rk3x: report number of messages transmitted · a7c25c70
      Dmitry Torokhov authored
      commit c6cbfb91 upstream.
      
      master_xfer() method should return number of i2c messages transferred,
      but on Rockchip we were usually returning just 1, which caused trouble
      with users that actually check number of transferred messages vs.
      checking for negative error codes.
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a7c25c70
    • Giuseppe Cantavenera's avatar
      nfsd: fix nsfd startup race triggering BUG_ON · edd6f441
      Giuseppe Cantavenera authored
      commit bb7ffbf2 upstream.
      
      nfsd triggered a BUG_ON in net_generic(...) when rpc_pipefs_event(...)
      in fs/nfsd/nfs4recover.c was called before assigning ntfsd_net_id.
      The following was observed on a MIPS 32-core processor:
      kernel: Call Trace:
      kernel: [<ffffffffc00bc5e4>] rpc_pipefs_event+0x7c/0x158 [nfsd]
      kernel: [<ffffffff8017a2a0>] notifier_call_chain+0x70/0xb8
      kernel: [<ffffffff8017a4e4>] __blocking_notifier_call_chain+0x4c/0x70
      kernel: [<ffffffff8053aff8>] rpc_fill_super+0xf8/0x1a0
      kernel: [<ffffffff8022204c>] mount_ns+0xb4/0xf0
      kernel: [<ffffffff80222b48>] mount_fs+0x50/0x1f8
      kernel: [<ffffffff8023dc00>] vfs_kern_mount+0x58/0xf0
      kernel: [<ffffffff802404ac>] do_mount+0x27c/0xa28
      kernel: [<ffffffff80240cf0>] SyS_mount+0x98/0xe8
      kernel: [<ffffffff80135d24>] handle_sys64+0x44/0x68
      kernel:
      kernel:
              Code: 0040f809  00000000  2e020001 <00020336> 3c12c00d
                      3c02801a  de100000 6442eb98  0040f809
      kernel: ---[ end trace 7471374335809536 ]---
      
      Fixed this behaviour by calling register_pernet_subsys(&nfsd_net_ops) before
      registering rpc_pipefs_event(...) with the notifier chain.
      Signed-off-by: default avatarGiuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
      Signed-off-by: default avatarLorenzo Restelli <lorenzo.restelli.ext@nokia.com>
      Reviewed-by: default avatarKinlong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      edd6f441
    • James Bottomley's avatar
      mvsas: fix panic on expander attached SATA devices · b0cc9113
      James Bottomley authored
      commit 56cbd0cc upstream.
      
      mvsas is giving a General protection fault when it encounters an expander
      attached ATA device.  Analysis of mvs_task_prep_ata() shows that the driver is
      assuming all ATA devices are locally attached and obtaining the phy mask by
      indexing the local phy table (in the HBA structure) with the phy id.  Since
      expanders have many more phys than the HBA, this is causing the index into the
      HBA phy table to overflow and returning rubbish as the pointer.
      
      mvs_task_prep_ssp() instead does the phy mask using the port properties.
      Mirror this in mvs_task_prep_ata() to fix the panic.
      Reported-by: default avatarAdam Talbot <ajtalbot1@gmail.com>
      Tested-by: default avatarAdam Talbot <ajtalbot1@gmail.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b0cc9113
    • Oleg Nesterov's avatar
      ptrace: fix race between ptrace_resume() and wait_task_stopped() · c50f1502
      Oleg Nesterov authored
      commit b72c1869 upstream.
      
      ptrace_resume() is called when the tracee is still __TASK_TRACED.  We set
      tracee->exit_code and then wake_up_state() changes tracee->state.  If the
      tracer's sub-thread does wait() in between, task_stopped_code(ptrace => T)
      wrongly looks like another report from tracee.
      
      This confuses debugger, and since wait_task_stopped() clears ->exit_code
      the tracee can miss a signal.
      
      Test-case:
      
      	#include <stdio.h>
      	#include <unistd.h>
      	#include <sys/wait.h>
      	#include <sys/ptrace.h>
      	#include <pthread.h>
      	#include <assert.h>
      
      	int pid;
      
      	void *waiter(void *arg)
      	{
      		int stat;
      
      		for (;;) {
      			assert(pid == wait(&stat));
      			assert(WIFSTOPPED(stat));
      			if (WSTOPSIG(stat) == SIGHUP)
      				continue;
      
      			assert(WSTOPSIG(stat) == SIGCONT);
      			printf("ERR! extra/wrong report:%x\n", stat);
      		}
      	}
      
      	int main(void)
      	{
      		pthread_t thread;
      
      		pid = fork();
      		if (!pid) {
      			assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
      			for (;;)
      				kill(getpid(), SIGHUP);
      		}
      
      		assert(pthread_create(&thread, NULL, waiter, NULL) == 0);
      
      		for (;;)
      			ptrace(PTRACE_CONT, pid, 0, SIGCONT);
      
      		return 0;
      	}
      
      Note for stable: the bug is very old, but without 9899d11f "ptrace:
      ensure arch_ptrace/ptrace_request can never race with SIGKILL" the fix
      should use lock_task_sighand(child).
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Reported-by: default avatarPavel Labath <labath@google.com>
      Tested-by: default avatarPavel Labath <labath@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c50f1502
    • Akinobu Mita's avatar
      target/file: Fix UNMAP with DIF protection support · f415f5c3
      Akinobu Mita authored
      commit 64d240b7 upstream.
      
      When UNMAP command is issued with DIF protection support enabled,
      the protection info for the unmapped region is remain unchanged.
      So READ command for the region causes data integrity failure.
      
      This fixes it by invalidating protection info for the unmapped region
      by filling with 0xff pattern.  This change also adds helper function
      fd_do_prot_fill() in order to reduce code duplication with existing
      fd_format_prot().
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Reviewed-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Reviewed-by: default avatar"Martin K. Petersen" <martin.petersen@oracle.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f415f5c3
    • Akinobu Mita's avatar
      target/file: Fix SG table for prot_buf initialization · cb5fc0f9
      Akinobu Mita authored
      commit c8367778 upstream.
      
      In fd_do_prot_rw(), it allocates prot_buf which is used to copy from
      se_cmd->t_prot_sg by sbc_dif_copy_prot().  The SG table for prot_buf
      is also initialized by allocating 'se_cmd->t_prot_nents' entries of
      scatterlist and setting the data length of each entry to PAGE_SIZE
      at most.
      
      However if se_cmd->t_prot_sg contains a clustered entry (i.e.
      sg->length > PAGE_SIZE), the SG table for prot_buf can't be
      initialized correctly and sbc_dif_copy_prot() can't copy to prot_buf.
      (This actually happened with TCM loopback fabric module)
      
      As prot_buf is allocated by kzalloc() and it's physically contiguous,
      we only need a single scatterlist entry.
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cb5fc0f9
    • Akinobu Mita's avatar
      target/file: Fix BUG() when CONFIG_DEBUG_SG=y and DIF protection enabled · e5cbd8f7
      Akinobu Mita authored
      commit 38da0f49 upstream.
      
      When CONFIG_DEBUG_SG=y and DIF protection support enabled, kernel
      BUG()s are triggered due to the following two issues:
      
      1) prot_sg is not initialized by sg_init_table().
      
      When CONFIG_DEBUG_SG=y, scatterlist helpers check sg entry has a
      correct magic value.
      
      2) vmalloc'ed buffer is passed to sg_set_buf().
      
      sg_set_buf() uses virt_to_page() to convert virtual address to struct
      page, but it doesn't work with vmalloc address.  vmalloc_to_page()
      should be used instead.  As prot_buf isn't usually too large, so
      fix it by allocating prot_buf by kmalloc instead of vmalloc.
      Signed-off-by: default avatarAkinobu Mita <akinobu.mita@gmail.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e5cbd8f7
    • Yann Droneaud's avatar
      IB/core: don't disallow registering region starting at 0x0 · a77695d7
      Yann Droneaud authored
      commit 66578b0b upstream.
      
      In a call to ib_umem_get(), if address is 0x0 and size is
      already page aligned, check added in commit 8494057a
      ("IB/uverbs: Prevent integer overflow in ib_umem_get address
      arithmetic") will refuse to register a memory region that
      could otherwise be valid (provided vm.mmap_min_addr sysctl
      and mmap_low_allowed SELinux knobs allow userspace to map
      something at address 0x0).
      
      This patch allows back such registration: ib_umem_get()
      should probably don't care of the base address provided it
      can be pinned with get_user_pages().
      
      There's two possible overflows, in (addr + size) and in
      PAGE_ALIGN(addr + size), this patch keep ensuring none
      of them happen while allowing to pin memory at address
      0x0. Anyway, the case of size equal 0 is no more (partially)
      handled as 0-length memory region are disallowed by an
      earlier check.
      
      Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
      Cc: Shachar Raindel <raindel@mellanox.com>
      Cc: Jack Morgenstein <jackm@mellanox.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Reviewed-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Reviewed-by: default avatarHaggai Eran <haggaie@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a77695d7
    • Yann Droneaud's avatar
      IB/core: disallow registering 0-sized memory region · 4aa6e6a0
      Yann Droneaud authored
      commit 8abaae62 upstream.
      
      If ib_umem_get() is called with a size equal to 0 and an
      non-page aligned address, one page will be pinned and a
      0-sized umem will be returned to the caller.
      
      This should not be allowed: it's not expected for a memory
      region to have a size equal to 0.
      
      This patch adds a check to explicitly refuse to register
      a 0-sized region.
      
      Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
      Cc: Shachar Raindel <raindel@mellanox.com>
      Cc: Jack Morgenstein <jackm@mellanox.com>
      Cc: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4aa6e6a0
    • Michael Davidson's avatar
      fs/binfmt_elf.c: fix bug in loading of PIE binaries · ea08dc51
      Michael Davidson authored
      commit a87938b2 upstream.
      
      With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down
      address allocation strategy, load_elf_binary() will attempt to map a PIE
      binary into an address range immediately below mm->mmap_base.
      
      Unfortunately, load_elf_ binary() does not take account of the need to
      allocate sufficient space for the entire binary which means that, while
      the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent
      PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are
      that is supposed to be the "gap" between the stack and the binary.
      
      Since the size of the "gap" on x86_64 is only guaranteed to be 128MB this
      means that binaries with large data segments > 128MB can end up mapping
      part of their data segment over their stack resulting in corruption of the
      stack (and the data segment once the binary starts to run).
      
      Any PIE binary with a data segment > 128MB is vulnerable to this although
      address randomization means that the actual gap between the stack and the
      end of the binary is normally greater than 128MB.  The larger the data
      segment of the binary the higher the probability of failure.
      
      Fix this by calculating the total size of the binary in the same way as
      load_elf_interp().
      Signed-off-by: default avatarMichael Davidson <md@google.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ea08dc51
    • Gerald Schaefer's avatar
      mm/hugetlb: use pmd_page() in follow_huge_pmd() · 65342eab
      Gerald Schaefer authored
      commit 97534127 upstream.
      
      Commit 61f77eda ("mm/hugetlb: reduce arch dependent code around
      follow_huge_*") broke follow_huge_pmd() on s390, where pmd and pte
      layout differ and using pte_page() on a huge pmd will return wrong
      results.  Using pmd_page() instead fixes this.
      
      All architectures that were touched by that commit have pmd_page()
      defined, so this should not break anything on other architectures.
      
      Fixes: 61f77eda "mm/hugetlb: reduce arch dependent code around follow_huge_*"
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Acked-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Michal Hocko <mhocko@suse.cz>, Andrea Arcangeli <aarcange@redhat.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Acked-by: default avatarDavid Rientjes <rientjes@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      65342eab
    • Nicholas Bellinger's avatar
      target: Fix COMPARE_AND_WRITE with SG_TO_MEM_NOALLOC handling · 8c493843
      Nicholas Bellinger authored
      commit c8e63985 upstream.
      
      This patch fixes a bug for COMPARE_AND_WRITE handling with
      fabrics using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC.
      
      It adds the missing allocation for cmd->t_bidi_data_sg within
      transport_generic_new_cmd() that is used by COMPARE_AND_WRITE
      for the initial READ payload, even if the fabric is already
      providing a pre-allocated buffer for cmd->t_data_sg.
      
      Also, fix zero-length COMPARE_AND_WRITE handling within the
      compare_and_write_callback() and target_complete_ok_work()
      to queue the response, skipping the initial READ.
      
      This fixes COMPARE_AND_WRITE emulation with loopback, vhost,
      and xen-backend fabric drivers using SG_TO_MEM_NOALLOC.
      Reported-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8c493843
    • Nadav Amit's avatar
      KVM: x86: Fix MSR_IA32_BNDCFGS in msrs_to_save · 3642850a
      Nadav Amit authored
      commit 9e9c3fe4 upstream.
      
      kvm_init_msr_list is currently called before hardware_setup. As a result,
      vmx_mpx_supported always returns false when kvm_init_msr_list checks whether to
      save MSR_IA32_BNDCFGS.
      
      Move kvm_init_msr_list after vmx_hardware_setup is called to fix this issue.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      
      Message-Id: <1428864435-4732-1-git-send-email-namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3642850a
    • Daniel Vetter's avatar
      drm/i915: Dont enable CS_PARSER_ERROR interrupts at all · f2871754
      Daniel Vetter authored
      commit 37ef01ab upstream.
      
      We stopped handling them in
      
      commit aaecdf61
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Tue Nov 4 15:52:22 2014 +0100
      
          drm/i915: Stop gathering error states for CS error interrupts
      
      but just clearing is apparently not enough: A sufficiently dead gpu
      left behind by firmware (*cough* coreboot *cough*) can keep the gpu in
      an endless loop of such interrupts, eventually leading to the nmi
      firing. And definitely to what looks like a machine hang.
      
      Since we don't even enable these interrupts on gen5+ let's do the same
      on earlier platforms.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=93171Tested-by: default avatarMono <mono-for-kernel-org@donderklumpen.de>
      Tested-by: info@gluglug.org.uk
      Reviewed-by: default avatarMika Kuoppala <mika.kuoppala@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f2871754
    • Octavian Purdila's avatar
      ACPICA: Tables: Don't release ACPI_MTX_TABLES in acpi_tb_install_standard_table(). · 0db97c6b
      Octavian Purdila authored
      commit 77ddc2fe upstream.
      
      ACPICA commit c70434d4da13e65b6163c79a5aa16b40193631c7
      
      ACPI_MTX_TABLES is acquired and released by the callers of
      acpi_tb_install_standard_table() so releasing it in the function itself is
      causing the following error in Linux kernel if the table is reloaded:
      
      ACPI Error: Mutex [0x2] is not acquired, cannot release (20141107/utmutex-321)
      Call Trace:
        [<ffffffff81b0bd48>] dump_stack+0x4f/0x7b
        [<ffffffff81546bf5>] acpi_ut_release_mutex+0x47/0x67
        [<ffffffff81544357>] acpi_load_table+0x73/0xcb
      
      Link: https://github.com/acpica/acpica/commit/c70434d4Signed-off-by: default avatarOctavian Purdila <octavian.purdila@intel.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0db97c6b
    • Anton Blanchard's avatar
      powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH · 1564ecf1
      Anton Blanchard authored
      commit 9a5cbce4 upstream.
      
      We cap 32bit userspace backtraces to PERF_MAX_STACK_DEPTH
      (currently 127), but we forgot to do the same for 64bit backtraces.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1564ecf1
    • Filipe Manana's avatar
      Btrfs: fix inode eviction infinite loop after cloning into it · fea3314d
      Filipe Manana authored
      commit ccccf3d6 upstream.
      
      If we attempt to clone a 0 length region into a file we can end up
      inserting a range in the inode's extent_io tree with a start offset
      that is greater then the end offset, which triggers immediately the
      following warning:
      
      [ 3914.619057] WARNING: CPU: 17 PID: 4199 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
      [ 3914.620886] BTRFS: end < start 4095 4096
      (...)
      [ 3914.638093] Call Trace:
      [ 3914.638636]  [<ffffffff81425fd9>] dump_stack+0x4c/0x65
      [ 3914.639620]  [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
      [ 3914.640789]  [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
      [ 3914.642041]  [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
      [ 3914.643236]  [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
      [ 3914.644441]  [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
      [ 3914.645711]  [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
      [ 3914.646914]  [<ffffffff8142b2fb>] ? _raw_spin_unlock+0x28/0x33
      [ 3914.648058]  [<ffffffffa03cbac4>] ? test_range_bit+0xcc/0xde [btrfs]
      [ 3914.650105]  [<ffffffffa03cb3c3>] lock_extent+0x13/0x15 [btrfs]
      [ 3914.651361]  [<ffffffffa03db39e>] lock_extent_range+0x3d/0xcd [btrfs]
      [ 3914.652761]  [<ffffffffa03de1fe>] btrfs_ioctl_clone+0x278/0x388 [btrfs]
      [ 3914.654128]  [<ffffffff811226dd>] ? might_fault+0x58/0xb5
      [ 3914.655320]  [<ffffffffa03e0909>] btrfs_ioctl+0xb51/0x2195 [btrfs]
      (...)
      [ 3914.669271] ---[ end trace 14843d3e2e622fc1 ]---
      
      This later makes the inode eviction handler enter an infinite loop that
      keeps dumping the following warning over and over:
      
      [ 3915.117629] WARNING: CPU: 22 PID: 4228 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
      [ 3915.119913] BTRFS: end < start 4095 4096
      (...)
      [ 3915.137394] Call Trace:
      [ 3915.137913]  [<ffffffff81425fd9>] dump_stack+0x4c/0x65
      [ 3915.139154]  [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
      [ 3915.140316]  [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
      [ 3915.141505]  [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
      [ 3915.142709]  [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
      [ 3915.143849]  [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
      [ 3915.145120]  [<ffffffffa038c1e3>] ? btrfs_kill_super+0x17/0x23 [btrfs]
      [ 3915.146352]  [<ffffffff811548f6>] ? deactivate_locked_super+0x3b/0x50
      [ 3915.147565]  [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
      [ 3915.148785]  [<ffffffff8142b7e2>] ? _raw_write_unlock+0x28/0x33
      [ 3915.149931]  [<ffffffffa03bc325>] btrfs_evict_inode+0x196/0x482 [btrfs]
      [ 3915.151154]  [<ffffffff81168904>] evict+0xa0/0x148
      [ 3915.152094]  [<ffffffff811689e5>] dispose_list+0x39/0x43
      [ 3915.153081]  [<ffffffff81169564>] evict_inodes+0xdc/0xeb
      [ 3915.154062]  [<ffffffff81154418>] generic_shutdown_super+0x49/0xef
      [ 3915.155193]  [<ffffffff811546d1>] kill_anon_super+0x13/0x1e
      [ 3915.156274]  [<ffffffffa038c1e3>] btrfs_kill_super+0x17/0x23 [btrfs]
      (...)
      [ 3915.167404] ---[ end trace 14843d3e2e622fc2 ]---
      
      So just bail out of the clone ioctl if the length of the region to clone
      is zero, without locking any extent range, in order to prevent this issue
      (same behaviour as a pwrite with a 0 length for example).
      
      This is trivial to reproduce. For example, the steps for the test I just
      made for fstests:
      
        mkfs.btrfs -f SCRATCH_DEV
        mount SCRATCH_DEV $SCRATCH_MNT
      
        touch $SCRATCH_MNT/foo
        touch $SCRATCH_MNT/bar
      
        $CLONER_PROG -s 0 -d 4096 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
        umount $SCRATCH_MNT
      
      A test case for fstests follows soon.
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarOmar Sandoval <osandov@osandov.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fea3314d
    • Filipe Manana's avatar
      Btrfs: fix inode eviction infinite loop after extent_same ioctl · ac52f6f5
      Filipe Manana authored
      commit 113e8283 upstream.
      
      If we pass a length of 0 to the extent_same ioctl, we end up locking an
      extent range with a start offset greater then its end offset (if the
      destination file's offset is greater than zero). This results in a warning
      from extent_io.c:insert_state through the following call chain:
      
        btrfs_extent_same()
          btrfs_double_lock()
            lock_extent_range()
              lock_extent(inode->io_tree, offset, offset + len - 1)
                lock_extent_bits()
                  __set_extent_bit()
                    insert_state()
                      --> WARN_ON(end < start)
      
      This leads to an infinite loop when evicting the inode. This is the same
      problem that my previous patch titled
      "Btrfs: fix inode eviction infinite loop after cloning into it" addressed
      but for the extent_same ioctl instead of the clone ioctl.
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarOmar Sandoval <osandov@osandov.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ac52f6f5
    • Jo-Philipp Wich's avatar
      ALSA: hda/realtek - Enable the ALC292 dock fixup on the Thinkpad T450 · 9ee588e8
      Jo-Philipp Wich authored
      commit f2aa1110 upstream.
      
      The Lenovo Thinkpad T450 requires the ALC292_FIXUP_TPT440_DOCK as well in
      order to get working sound output on the docking stations headphone jack.
      
      Patch tested on a Thinkpad T450 (20BVCTO1WW) using kernel 4.0-rc7 in
      conjunction with a ThinkPad Ultradock.
      Signed-off-by: default avatarJo-Philipp Wich <jow@openwrt.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9ee588e8
    • Heiko Carstens's avatar
      s390/hibernate: fix save and restore of kernel text section · 5d32cdce
      Heiko Carstens authored
      commit d7441949 upstream.
      
      Sebastian reported a crash caused by a jump label mismatch after resume.
      This happens because we do not save the kernel text section during suspend
      and therefore also do not restore it during resume, but use the kernel image
      that restores the old system.
      
      This means that after a suspend/resume cycle we lost all modifications done
      to the kernel text section.
      The reason for this is the pfn_is_nosave() function, which incorrectly
      returns that read-only pages don't need to be saved. This is incorrect since
      we mark the kernel text section read-only.
      We still need to make sure to not save and restore pages contained within
      NSS and DCSS segment.
      To fix this add an extra case for the kernel text section and only save
      those pages if they are not contained within an NSS segment.
      
      Fixes the following crash (and the above bugs as well):
      
      Jump label code mismatch at netif_receive_skb_internal+0x28/0xd0
      Found:    c0 04 00 00 00 00
      Expected: c0 f4 00 00 00 11
      New:      c0 04 00 00 00 00
      Kernel panic - not syncing: Corrupted kernel text
      CPU: 0 PID: 9 Comm: migration/0 Not tainted 3.19.0-01975-gb1b096e70f23 #4
      Call Trace:
        [<0000000000113972>] show_stack+0x72/0xf0
        [<000000000081f15e>] dump_stack+0x6e/0x90
        [<000000000081c4e8>] panic+0x108/0x2b0
        [<000000000081be64>] jump_label_bug.isra.2+0x104/0x108
        [<0000000000112176>] __jump_label_transform+0x9e/0xd0
        [<00000000001121e6>] __sm_arch_jump_label_transform+0x3e/0x50
        [<00000000001d1136>] multi_cpu_stop+0x12e/0x170
        [<00000000001d1472>] cpu_stopper_thread+0xb2/0x168
        [<000000000015d2ac>] smpboot_thread_fn+0x134/0x1b0
        [<0000000000158baa>] kthread+0x10a/0x110
        [<0000000000824a86>] kernel_thread_starter+0x6/0xc
      Reported-and-tested-by: default avatarSebastian Ott <sebott@linux.vnet.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5d32cdce