1. 27 Apr, 2015 20 commits
  2. 24 Apr, 2015 20 commits
    • Igor Mammedov's avatar
      kvm: avoid page allocation failure in kvm_set_memory_region() · b94e91cc
      Igor Mammedov authored
      [ Upstream commit 74496134 ]
      
      KVM guest can fail to startup with following trace on host:
      
      qemu-system-x86: page allocation failure: order:4, mode:0x40d0
      Call Trace:
        dump_stack+0x47/0x67
        warn_alloc_failed+0xee/0x150
        __alloc_pages_direct_compact+0x14a/0x150
        __alloc_pages_nodemask+0x776/0xb80
        alloc_kmem_pages+0x3a/0x110
        kmalloc_order+0x13/0x50
        kmemdup+0x1b/0x40
        __kvm_set_memory_region+0x24a/0x9f0 [kvm]
        kvm_set_ioapic+0x130/0x130 [kvm]
        kvm_set_memory_region+0x21/0x40 [kvm]
        kvm_vm_ioctl+0x43f/0x750 [kvm]
      
      Failure happens when attempting to allocate pages for
      'struct kvm_memslots', however it doesn't have to be
      present in physically contiguous (kmalloc-ed) address
      space, change allocation to kvm_kvzalloc() so that
      it will be vmalloc-ed when its size is more then a page.
      Signed-off-by: default avatarIgor Mammedov <imammedo@redhat.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b94e91cc
    • Dave Chinner's avatar
      xfs: ensure truncate forces zeroed blocks to disk · 48ca7d78
      Dave Chinner authored
      [ Upstream commit 5885ebda ]
      
      A new fsync vs power fail test in xfstests indicated that XFS can
      have unreliable data consistency when doing extending truncates that
      require block zeroing. The blocks beyond EOF get zeroed in memory,
      but we never force those changes to disk before we run the
      transaction that extends the file size and exposes those blocks to
      userspace. This can result in the blocks not being correctly zeroed
      after a crash.
      
      Because in-memory behaviour is correct, tools like fsx don't pick up
      any coherency problems - it's not until the filesystem is shutdown
      or the system crashes after writing the truncate transaction to the
      journal but before the zeroed data in the page cache is flushed that
      the issue is exposed.
      
      Fix this by also flushing the dirty data in memory region between
      the old size and new size when we've found blocks that need zeroing
      in the truncate process.
      Reported-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      48ca7d78
    • Omar Sandoval's avatar
      ext4: fix indirect punch hole corruption · a6995736
      Omar Sandoval authored
      [ Upstream commit 6f30b7e3 ]
      
      Commit 4f579ae7 (ext4: fix punch hole on files with indirect
      mapping) rewrote FALLOC_FL_PUNCH_HOLE for ext4 files with indirect
      mapping. However, there are bugs in several corner cases. This fixes 5
      distinct bugs:
      
      1. When there is at least one entire level of indirection between the
      start and end of the punch range and the end of the punch range is the
      first block of its level, we can't return early; we have to free the
      intervening levels.
      
      2. When the end is at a higher level of indirection than the start and
      ext4_find_shared returns a top branch for the end, we still need to free
      the rest of the shared branch it returns; we can't decrement partial2.
      
      3. When a punch happens within one level of indirection, we need to
      converge on an indirect block that contains the start and end. However,
      because the branches returned from ext4_find_shared do not necessarily
      start at the same level (e.g., the partial2 chain will be shallower if
      the last block occurs at the beginning of an indirect group), the walk
      of the two chains can end up "missing" each other and freeing a bunch of
      extra blocks in the process. This mismatch can be handled by first
      making sure that the chains are at the same level, then walking them
      together until they converge.
      
      4. When the punch happens within one level of indirection and
      ext4_find_shared returns a top branch for the start, we must free it,
      but only if the end does not occur within that branch.
      
      5. When the punch happens within one level of indirection and
      ext4_find_shared returns a top branch for the end, then we shouldn't
      free the block referenced by the end of the returned chain (this mirrors
      the different levels case).
      Signed-off-by: default avatarOmar Sandoval <osandov@osandov.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a6995736
    • Preeti U Murthy's avatar
      timers/tick/broadcast-hrtimer: Fix suspicious RCU usage in idle loop · b27b4b79
      Preeti U Murthy authored
      [ Upstream commit a127d2bc ]
      
      The hrtimer mode of broadcast queues hrtimers in the idle entry
      path so as to wakeup cpus in deep idle states. The associated
      call graph is :
      
      	cpuidle_idle_call()
      	|____ clockevents_notify(CLOCK_EVT_NOTIFY_BROADCAST_ENTER, ....))
      	     |_____tick_broadcast_set_event()
      		   |____clockevents_program_event()
      			|____bc_set_next()
      
      The hrtimer_{start/cancel} functions call into tracing which uses RCU.
      But it is not legal to call into RCU in cpuidle because it is one of the
      quiescent states. Hence protect this region with RCU_NONIDLE which informs
      RCU that the cpu is momentarily non-idle.
      
      As an aside it is helpful to point out that the clock event device that is
      programmed here is not a per-cpu clock device; it is a
      pseudo clock device, used by the broadcast framework alone.
      The per-cpu clock device programming never goes through bc_set_next().
      Signed-off-by: default avatarPreeti U Murthy <preeti@linux.vnet.ibm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: linuxppc-dev@ozlabs.org
      Cc: mpe@ellerman.id.au
      Cc: tglx@linutronix.de
      Link: http://lkml.kernel.org/r/20150318104705.17763.56668.stgit@preeti.in.ibm.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b27b4b79
    • Majd Dibbiny's avatar
      IB/mlx4: Saturate RoCE port PMA counters in case of overflow · 02d51afc
      Majd Dibbiny authored
      [ Upstream commit 61a3855b ]
      
      For RoCE ports, we set the u32 PMA values based on u64 HCA counters. In case of
      overflow, according to the IB spec, we have to saturate a counter to its
      max value, do that.
      
      Fixes: c3779134 ('IB/mlx4: Support PMA counters for IBoE')
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarHadar Hen Zion <hadarh@mellanox.com>
      Signed-off-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      02d51afc
    • Uwe Kleine-König's avatar
      clk: divider: fix calculation of maximal parent rate for a given divider · aaa2bf75
      Uwe Kleine-König authored
      [ Upstream commit da321133 ]
      
      The rate provided at the output of a clk-divider is calculated as:
      
      	DIV_ROUND_UP(parent_rate, div)
      
      since commit b11d282d (clk: divider: fix rate calculation for
      fractional rates). So to yield a rate not bigger than r parent_rate
      must be <= r * div.
      
      The effect of choosing a parent rate that is too big as was done before
      this patch results in wrongly ruling out good dividers.
      
      Note that this is not a complete fix as __clk_round_rate might return a
      value >= its 2nd parameter. Also for dividers with
      CLK_DIVIDER_ROUND_CLOSEST set the calculation is not accurate. But this
      fixes the test case by Sascha Hauer that uses a chain of three dividers
      under a fixed clock.
      
      Fixes: b11d282d (clk: divider: fix rate calculation for fractional rates)
      Suggested-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Acked-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: default avatarMichael Turquette <mturquette@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aaa2bf75
    • Uwe Kleine-König's avatar
      clk: divider: fix selection of divider when rounding to closest · 5cd223ea
      Uwe Kleine-König authored
      [ Upstream commit 26bac95a ]
      
      It's an invalid approach to assume that among two divider values
      the one nearer the exact divider is the better one.
      
      Assume a parent rate of 1000 Hz, a divider with CLK_DIVIDER_POWER_OF_TWO
      and a target rate of 89 Hz. The exact divider is ~ 11.236 so 8 and 16
      are the candidates to choose from yielding rates 125 Hz and 62.5 Hz
      respectivly. While 8 is nearer to 11.236 than 16 is, the latter is still
      the better divider as 62.5 is nearer to 89 than 125 is.
      
      Fixes: 774b5143 (clk: divider: Add round to closest divider)
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Acked-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Acked-by: default avatarMaxime Coquelin <maxime.coquelin@st.com>
      Signed-off-by: default avatarMichael Turquette <mturquette@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5cd223ea
    • Hans Verkuil's avatar
      [media] vb2: fix 'UNBALANCED' warnings when calling vb2_thread_stop() · c6aa7146
      Hans Verkuil authored
      [ Upstream commit 0e661006 ]
      
      Stopping the vb2 thread (as used by several DVB devices) can result
      in an 'UNBALANCED' warning such as this:
      
      vb2: counters for queue ffff880407ee9828: UNBALANCED!
      vb2:     setup: 1 start_streaming: 1 stop_streaming: 1
      vb2:     wait_prepare: 249333 wait_finish: 249334
      
      This is due to a race condition between stopping the thread and
      calling vb2_internal_streamoff(). While I have not been able to deduce
      the exact mechanism how this race condition can produce this warning,
      I can see that the way the stream is stopped is likely to lead to a
      race somewhere.
      
      This patch simplifies how this is done by first ensuring that the
      thread is completely stopped before cleaning up the vb2 queue. It
      does that by setting threadio->stop to true, followed by a call to
      vb2_queue_error() which will wake up the thread. The thread sees that
      'stop' is true and it will exit.
      
      The call to kthread_stop() waits until the thread has exited, and only
      then is the queue cleaned up by calling __vb2_cleanup_fileio().
      
      This is a much cleaner sequence and the warning has now disappeared.
      Reported-by: default avatarJurgen Kramer <gtmkramer@xs4all.nl>
      Tested-by: default avatarJurgen Kramer <gtmkramer@xs4all.nl>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Cc: <stable@vger.kernel.org>      # for v3.18 and up
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c6aa7146
    • Geert Uytterhoeven's avatar
      [media] soc-camera: Fix devm_kfree() in soc_of_bind() · 71871e89
      Geert Uytterhoeven authored
      [ Upstream commit 8e48a2d5 ]
      
      Unlike scan_async_group(), soc_of_bind() doesn't allocate its
      soc_camera_async_client structure using devm_kzalloc(), but has it
      embedded inside the soc_of_info structure.  Hence on failure, it must
      free the whole soc_of_info structure, and not just the embedded
      soc_camera_async_client structure, as the latter causes a warning, and
      may cause slab corruption:
      
          soc-camera-pdrv soc-camera-pdrv.0: Probing soc-camera-pdrv.0
          ------------[ cut here ]------------
          WARNING: CPU: 0 PID: 1 at drivers/base/devres.c:887 devm_kfree+0x30/0x40()
          CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.19.0-shmobile-08386-g37feb0d093cb2d8e #128
          Hardware name: Generic R8A7791 (Flattened Device Tree)
          Backtrace:
          [<c0011e7c>] (dump_backtrace) from [<c0012024>] (show_stack+0x18/0x1c)
           r6:c05a923b r5:00000009 r4:00000000 r3:00204140
          [<c001200c>] (show_stack) from [<c048ed30>] (dump_stack+0x78/0x94)
          [<c048ecb8>] (dump_stack) from [<c002687c>] (warn_slowpath_common+0x8c/0xb8)
           r4:00000000 r3:00000000
          [<c00267f0>] (warn_slowpath_common) from [<c0026980>] (warn_slowpath_null+0x24/0x2c)
           r8:ee7d8214 r7:ed83b810 r6:ed83bc20 r5:fffffffa r4:ed83e510
          [<c002695c>] (warn_slowpath_null) from [<c025e0cc>] (devm_kfree+0x30/0x40)
          [<c025e09c>] (devm_kfree) from [<c032bbf4>] (soc_of_bind.isra.14+0x194/0x1d4)
          [<c032ba60>] (soc_of_bind.isra.14) from [<c032c6b8>] (soc_camera_host_register+0x208/0x31c)
           r9:00000070 r8:ee7e05d0 r7:ee153210 r6:00000000 r5:ee7e0218 r4:ed83bc20
          [<c032c4b0>] (soc_camera_host_register) from [<c032e80c>] (rcar_vin_probe+0x1f4/0x238)
           r8:ee153200 r7:00000008 r6:ee153210 r5:ed83bc10 r4:c066319c r3:000000c0
          [<c032e618>] (rcar_vin_probe) from [<c025c334>] (platform_drv_probe+0x50/0xa0)
           r10:00000000 r9:c0662fa8 r8:00000000 r7:c06a3700 r6:c0662fa8 r5:ee153210
           r4:00000000
          [<c025c2e4>] (platform_drv_probe) from [<c025af08>] (driver_probe_device+0xc4/0x208)
           r6:c06a36f4 r5:00000000 r4:ee153210 r3:c025c2e4
          [<c025ae44>] (driver_probe_device) from [<c025b108>] (__driver_attach+0x70/0x94)
           r9:c066f9c0 r8:c0624a98 r7:c065b790 r6:c0662fa8 r5:ee153244 r4:ee153210
          [<c025b098>] (__driver_attach) from [<c025984c>] (bus_for_each_dev+0x74/0x98)
           r6:c025b098 r5:c0662fa8 r4:00000000 r3:00000001
          [<c02597d8>] (bus_for_each_dev) from [<c025b1dc>] (driver_attach+0x20/0x28)
           r6:ed83c200 r5:00000000 r4:c0662fa8
          [<c025b1bc>] (driver_attach) from [<c025a00c>] (bus_add_driver+0xdc/0x1c4)
          [<c0259f30>] (bus_add_driver) from [<c025b8f4>] (driver_register+0xa4/0xe8)
           r7:c0624a98 r6:00000000 r5:c060b010 r4:c0662fa8
          [<c025b850>] (driver_register) from [<c025ccd0>] (__platform_driver_register+0x50/0x64)
           r5:c060b010 r4:ed8394c0
          [<c025cc80>] (__platform_driver_register) from [<c060b028>] (rcar_vin_driver_init+0x18/0x20)
          [<c060b010>] (rcar_vin_driver_init) from [<c05edde8>] (do_one_initcall+0x108/0x1b8)
          [<c05edce0>] (do_one_initcall) from [<c05edfb4>] (kernel_init_freeable+0x11c/0x1e4)
           r9:c066f9c0 r8:c066f9c0 r7:c062eab0 r6:c06252c4 r5:000000ad r4:00000006
          [<c05ede98>] (kernel_init_freeable) from [<c048c3d0>] (kernel_init+0x10/0xec)
           r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c048c3c0 r4:00000000
          [<c048c3c0>] (kernel_init) from [<c000eba0>] (ret_from_fork+0x14/0x34)
           r4:00000000 r3:ee04e000
          ---[ end trace e3a984cc0335c8a0 ]---
          rcar_vin e6ef1000.video: group probe failed: -6
      
      Fixes: 1ddc6a6c ("[media] soc_camera: add support for dt binding soc_camera drivers")
      
      Cc: <stable@vger.kernel.org> # 3.17+
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarGuennadi Liakhovetski <g.liakhovetski@gmx.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      71871e89
    • Marek Szyprowski's avatar
      [media] media: s5p-mfc: fix mmap support for 64bit arch · 9785703f
      Marek Szyprowski authored
      [ Upstream commit 05b676ab ]
      
      TASK_SIZE is depends on the systems architecture (32 or 64 bits) and it
      should not be used for defining offset boundary for mmaping buffers for
      CAPTURE and OUTPUT queues. This patch fixes support for MMAP calls on
      the CAPTURE queue on 64bit architectures (like ARM64).
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarKamil Debski <k.debski@samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9785703f
    • Hans Verkuil's avatar
      [media] sh_veu: v4l2_dev wasn't set · 632f8dff
      Hans Verkuil authored
      [ Upstream commit ab312030 ]
      
      The v4l2_dev field of struct video_device must be set correctly.
      This was never done for this driver, so no video nodes were created
      anymore.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Cc: <stable@vger.kernel.org>      # for v3.11 and up
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      632f8dff
    • Mike Christie's avatar
      iscsi target: fix oops when adding reject pdu · a7c01414
      Mike Christie authored
      [ Upstream commit b815fc12 ]
      
      This fixes a oops due to a double list add when adding a reject PDU for
      iscsit_allocate_iovecs allocation failures. The cmd has already been
      added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call
      iscsit_reject_cmd.
      
      Note that for ERL0 the reject PDU is not actually sent, so this patch
      is not completely tested. Just verified we do not oops. The problem is the
      add reject functions return -1 which is returned all the way up to
      iscsi_target_rx_thread which for ERL0 will drop the connection.
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Cc: <stable@vger.kernel.org> # v3.10+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a7c01414
    • Al Viro's avatar
      ioctx_alloc(): fix vma (and file) leak on failure · fe4a6fce
      Al Viro authored
      [ Upstream commit deeb8525 ]
      
      If we fail past the aio_setup_ring(), we need to destroy the
      mapping.  We don't need to care about anybody having found ctx,
      or added requests to it, since the last failure exit is exactly
      the failure to make ctx visible to lookups.
      
      Reproducer (based on one by Joe Mario <jmario@redhat.com>):
      
      void count(char *p)
      {
      	char s[80];
      	printf("%s: ", p);
      	fflush(stdout);
      	sprintf(s, "/bin/cat /proc/%d/maps|/bin/fgrep -c '/[aio] (deleted)'", getpid());
      	system(s);
      }
      
      int main()
      {
      	io_context_t *ctx;
      	int created, limit, i, destroyed;
      	FILE *f;
      
      	count("before");
      	if ((f = fopen("/proc/sys/fs/aio-max-nr", "r")) == NULL)
      		perror("opening aio-max-nr");
      	else if (fscanf(f, "%d", &limit) != 1)
      		fprintf(stderr, "can't parse aio-max-nr\n");
      	else if ((ctx = calloc(limit, sizeof(io_context_t))) == NULL)
      		perror("allocating aio_context_t array");
      	else {
      		for (i = 0, created = 0; i < limit; i++) {
      			if (io_setup(1000, ctx + created) == 0)
      				created++;
      		}
      		for (i = 0, destroyed = 0; i < created; i++)
      			if (io_destroy(ctx[i]) == 0)
      				destroyed++;
      		printf("created %d, failed %d, destroyed %d\n",
      			created, limit - created, destroyed);
      		count("after");
      	}
      }
      Found-by: default avatarJoe Mario <jmario@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fe4a6fce
    • Al Viro's avatar
      ocfs2: _really_ sync the right range · 67041680
      Al Viro authored
      [ Upstream commit 64b4e252 ]
      
      "ocfs2 syncs the wrong range" had been broken; prior to it the
      code was doing the wrong thing in case of O_APPEND, all right,
      but _after_ it we were syncing the wrong range in 100% cases.
      *ppos, aka iocb->ki_pos is incremented prior to that point,
      so we are always doing sync on the area _after_ the one we'd
      written to.
      
      Spotted by Joseph Qi <joseph.qi@huawei.com> back in January;
      unfortunately, I'd missed his mail back then ;-/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      67041680
    • John Soni Jose's avatar
      be2iscsi: Fix kernel panic when device initialization fails · a260abd1
      John Soni Jose authored
      [ Upstream commit 2e7cee02 ]
      
      Kernel panic was happening as iscsi_host_remove() was called on
      a host which was not yet added.
      Signed-off-by: default avatarJohn Soni Jose <sony.john-n@emulex.com>
      Reviewed-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a260abd1
    • Rafael J. Wysocki's avatar
      Revert "PM / hibernate: avoid unsafe pages in e820 reserved regions" · 862158f2
      Rafael J. Wysocki authored
      [ Upstream commit f82daee4 ]
      
      Commit 84c91b7a (PM / hibernate: avoid unsafe pages in e820 reserved
      regions) is reported to make resume from hibernation on Lenovo x230
      unreliable, so revert it.
      
      We will revisit the issue the commit in question was supposed to fix
      in the future.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=96111Reported-by: default avatarrhn <kebuac.rhn@porcupinefactory.org>
      Cc: 3.17+ <stable@vger.kernel.org> # 3.17+
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      862158f2
    • Benjamin Herrenschmidt's avatar
      drivers/of: Add empty ranges quirk for PA-Semi · 0bc444b1
      Benjamin Herrenschmidt authored
      [ Upstream commit 41d94893 ]
      
      The "sdc" node is missing the ranges property, it needs to be treated
      as having an empty one otherwise translation fails for its children.
      
      Fixes 746c9e9f, "of/base: Fix PowerPC address parsing hack"
      Tested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGrant Likely <grant.likely@linaro.org>
      Cc: Stable <stable@vger.kernel.org> # v3.18+
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0bc444b1
    • Larry Finger's avatar
      rtlwifi: Fix IOMMU mapping leak in AP mode · 19d240f7
      Larry Finger authored
      [ Upstream commit be0b5e63 ]
      
      Transmission of an AP beacon does not call the TX interrupt service routine,
      which usually does the cleanup. Instead, cleanup is handled in a tasklet
      completion routine. Unfortunately, this routine has a serious bug in that it does
      not release the DMA mapping before it frees the skb, thus one IOMMU mapping is
      leaked for each beacon. The test system failed with no free IOMMU mapping slots
      approximately one hour after hostapd was used to start an AP.
      
      This issue was reported and tested at https://github.com/lwfinger/rtlwifi_new/issues/30.
      Reported-and-tested-by: default avatarKevin Mullican <kevin@mullican.com>
      Cc: Kevin Mullican <kevin@mullican.com>
      Signed-off-by: default avatarShao Fu <shaofu@realtek.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@vger.kernel.org>  [3.18+]
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      19d240f7
    • Alex Williamson's avatar
      iommu/vt-d: Detach domain *only* from attached iommus · d2942566
      Alex Williamson authored
      [ Upstream commit 71684406 ]
      
      Device domains never span IOMMU hardware units, which allows the
      domain ID space for each IOMMU to be an independent address space.
      Therefore we can have multiple, independent domains, each with the
      same domain->id, but attached to different hardware units.  This is
      also why we need to do a heavy-weight search for VM domains since
      they can span multiple IOMMUs hardware units and we don't require a
      single global ID to use for all hardware units.
      
      Therefore, if we call iommu_detach_domain() across all active IOMMU
      hardware units for a non-VM domain, the result is that we clear domain
      IDs that are not associated with our domain, allowing them to be
      re-allocated and causing apparent coherency issues when the device
      cannot access IOVAs for the intended domain.
      
      This bug was introduced in commit fb170fb4 ("iommu/vt-d: Introduce
      helper functions to make code symmetric for readability"), but is
      significantly exacerbated by the more recent commit 62c22167
      ("iommu/vt-d: Fix dmar_domain leak in iommu_attach_device") which calls
      domain_exit() more frequently to resolve a domain leak.
      
      Fixes: fb170fb4 ("iommu/vt-d: Introduce helper functions to make code symmetric for readability")
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Cc: Jiang Liu <jiang.liu@linux.intel.com>
      Cc: stable@vger.kernel.org # v3.17+
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d2942566
    • David Disseldorp's avatar
      cifs: fix use-after-free bug in find_writable_file · e9c75e69
      David Disseldorp authored
      [ Upstream commit e1e9bda2 ]
      
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a user-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Reviewed-by: default avatarJeff Layton <jlayton@samba.org>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e9c75e69