1. 17 Aug, 2015 40 commits
    • Kinglong Mee's avatar
      nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem · c7e6f051
      Kinglong Mee authored
      commit c2227a39 upstream.
      
      On an absent filesystem (one served by another server), we need to be
      able to handle requests for certain attributest (like fs_locations, so
      the client can find out which server does have the filesystem), but
      others we can't.
      
      We forgot to take that into account when adding another attribute
      bitmask work for the SECURITY_LABEL attribute.
      
      There an export entry with the "refer" option can result in:
      
      [   88.414272] kernel BUG at fs/nfsd/nfs4xdr.c:2249!
      [   88.414828] invalid opcode: 0000 [#1] SMP
      [   88.415368] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nfsd xfs libcrc32c iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi iosf_mbi ppdev btrfs coretemp crct10dif_pclmul crc32_pclmul crc32c_intel xor ghash_clmulni_intel raid6_pq vmw_balloon parport_pc parport i2c_piix4 shpchp vmw_vmci acpi_cpufreq auth_rpcgss nfs_acl lockd grace sunrpc vmwgfx drm_kms_helper ttm drm mptspi mptscsih serio_raw mptbase e1000 scsi_transport_spi ata_generic pata_acpi [last unloaded: nfsd]
      [   88.417827] CPU: 0 PID: 2116 Comm: nfsd Not tainted 4.0.7-300.fc22.x86_64 #1
      [   88.418448] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
      [   88.419093] task: ffff880079146d50 ti: ffff8800785d8000 task.ti: ffff8800785d8000
      [   88.419729] RIP: 0010:[<ffffffffa04b3c10>]  [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
      [   88.420376] RSP: 0000:ffff8800785db998  EFLAGS: 00010206
      [   88.421027] RAX: 0000000000000001 RBX: 000000000018091a RCX: ffff88006668b980
      [   88.421676] RDX: 00000000fffef7fc RSI: 0000000000000000 RDI: ffff880078d05000
      [   88.422315] RBP: ffff8800785dbb58 R08: ffff880078d043f8 R09: ffff880078d4a000
      [   88.422968] R10: 0000000000010000 R11: 0000000000000002 R12: 0000000000b0a23a
      [   88.423612] R13: ffff880078d05000 R14: ffff880078683100 R15: ffff88006668b980
      [   88.424295] FS:  0000000000000000(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
      [   88.424944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   88.425597] CR2: 00007f40bc370f90 CR3: 0000000035af5000 CR4: 00000000001407f0
      [   88.426285] Stack:
      [   88.426921]  ffff8800785dbaa8 ffffffffa049e4af ffff8800785dba08 ffffffff813298f0
      [   88.427585]  ffff880078683300 ffff8800769b0de8 0000089d00000001 0000000087f805e0
      [   88.428228]  ffff880000000000 ffff880079434a00 0000000000000000 ffff88006668b980
      [   88.428877] Call Trace:
      [   88.429527]  [<ffffffffa049e4af>] ? exp_get_by_name+0x7f/0xb0 [nfsd]
      [   88.430168]  [<ffffffff813298f0>] ? inode_doinit_with_dentry+0x210/0x6a0
      [   88.430807]  [<ffffffff8123833e>] ? d_lookup+0x2e/0x60
      [   88.431449]  [<ffffffff81236133>] ? dput+0x33/0x230
      [   88.432097]  [<ffffffff8123f214>] ? mntput+0x24/0x40
      [   88.432719]  [<ffffffff812272b2>] ? path_put+0x22/0x30
      [   88.433340]  [<ffffffffa049ac87>] ? nfsd_cross_mnt+0xb7/0x1c0 [nfsd]
      [   88.433954]  [<ffffffffa04b54e0>] nfsd4_encode_dirent+0x1b0/0x3d0 [nfsd]
      [   88.434601]  [<ffffffffa04b5330>] ? nfsd4_encode_getattr+0x40/0x40 [nfsd]
      [   88.435172]  [<ffffffffa049c991>] nfsd_readdir+0x1c1/0x2a0 [nfsd]
      [   88.435710]  [<ffffffffa049a530>] ? nfsd_direct_splice_actor+0x20/0x20 [nfsd]
      [   88.436447]  [<ffffffffa04abf30>] nfsd4_encode_readdir+0x120/0x220 [nfsd]
      [   88.437011]  [<ffffffffa04b58cd>] nfsd4_encode_operation+0x7d/0x190 [nfsd]
      [   88.437566]  [<ffffffffa04aa6dd>] nfsd4_proc_compound+0x24d/0x6f0 [nfsd]
      [   88.438157]  [<ffffffffa0496103>] nfsd_dispatch+0xc3/0x220 [nfsd]
      [   88.438680]  [<ffffffffa006f0cb>] svc_process_common+0x43b/0x690 [sunrpc]
      [   88.439192]  [<ffffffffa0070493>] svc_process+0x103/0x1b0 [sunrpc]
      [   88.439694]  [<ffffffffa0495a57>] nfsd+0x117/0x190 [nfsd]
      [   88.440194]  [<ffffffffa0495940>] ? nfsd_destroy+0x90/0x90 [nfsd]
      [   88.440697]  [<ffffffff810bb728>] kthread+0xd8/0xf0
      [   88.441260]  [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
      [   88.441762]  [<ffffffff81789e58>] ret_from_fork+0x58/0x90
      [   88.442322]  [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
      [   88.442879] Code: 0f 84 93 05 00 00 83 f8 ea c7 85 a0 fe ff ff 00 00 27 30 0f 84 ba fe ff ff 85 c0 0f 85 a5 fe ff ff e9 e3 f9 ff ff 0f 1f 44 00 00 <0f> 0b 66 0f 1f 44 00 00 be 04 00 00 00 4c 89 ef 4c 89 8d 68 fe
      [   88.444052] RIP  [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
      [   88.444658]  RSP <ffff8800785db998>
      [   88.445232] ---[ end trace 6cb9d0487d94a29f ]---
      Signed-off-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7e6f051
    • Joseph Qi's avatar
      ocfs2: fix shift left overflow · 4b6bf170
      Joseph Qi authored
      commit 32e5a2a2 upstream.
      
      When using a large volume, for example 9T volume with 2T already used,
      frequent creation of small files with O_DIRECT when the IO is not
      cluster aligned may clear sectors in the wrong place.  This will cause
      filesystem corruption.
      
      This is because p_cpos is a u32.  When calculating the corresponding
      sector it should be converted to u64 first, otherwise it may overflow.
      Signed-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b6bf170
    • Joseph Qi's avatar
      ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() · c42af788
      Joseph Qi authored
      commit 209f7512 upstream.
      
      The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
      ocfs2_downconvert_thread_do_work can be triggered in the following case:
      
      ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
      processed, and then processes the dentry lockres.  During the dentry
      put, it calls iput and then deletes rw, inode and open lockres from
      blocked list in ocfs2_mark_lockres_freeing.  And this causes the
      variable `processed' to not reflect the number of blocked lockres to be
      processed, which triggers the BUG.
      Signed-off-by: default avatarJoseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c42af788
    • Marcus Gelderie's avatar
      ipc: modify message queue accounting to not take kernel data structures into account · dbbf0fec
      Marcus Gelderie authored
      commit de54b9ac upstream.
      
      A while back, the message queue implementation in the kernel was
      improved to use btrees to speed up retrieval of messages, in commit
      d6629859 ("ipc/mqueue: improve performance of send/recv").
      
      That patch introducing the improved kernel handling of message queues
      (using btrees) has, as a by-product, changed the meaning of the QSIZE
      field in the pseudo-file created for the queue.  Before, this field
      reflected the size of the user-data in the queue.  Since, it also takes
      kernel data structures into account.  For example, if 13 bytes of user
      data are in the queue, on my machine the file reports a size of 61
      bytes.
      
      There was some discussion on this topic before (for example
      https://lkml.org/lkml/2014/10/1/115).  Commenting on a th lkml, Michael
      Kerrisk gave the following background
      (https://lkml.org/lkml/2015/6/16/74):
      
          The pseudofiles in the mqueue filesystem (usually mounted at
          /dev/mqueue) expose fields with metadata describing a message
          queue. One of these fields, QSIZE, as originally implemented,
          showed the total number of bytes of user data in all messages in
          the message queue, and this feature was documented from the
          beginning in the mq_overview(7) page. In 3.5, some other (useful)
          work happened to break the user-space API in a couple of places,
          including the value exposed via QSIZE, which now includes a measure
          of kernel overhead bytes for the queue, a figure that renders QSIZE
          useless for its original purpose, since there's no way to deduce
          the number of overhead bytes consumed by the implementation.
          (The other user-space breakage was subsequently fixed.)
      
      This patch removes the accounting of kernel data structures in the
      queue.  Reporting the size of these data-structures in the QSIZE field
      was a breaking change (see Michael's comment above).  Without the QSIZE
      field reporting the total size of user-data in the queue, there is no
      way to deduce this number.
      
      It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
      against the worst-case size of the queue (in both the old and the new
      implementation).  Therefore, the kernel overhead accounting in QSIZE is
      not necessary to help the user understand the limitations RLIMIT imposes
      on the processes.
      Signed-off-by: default avatarMarcus Gelderie <redmnic@gmail.com>
      Acked-by: default avatarDoug Ledford <dledford@redhat.com>
      Acked-by: default avatarMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: John Duffy <jb_duffy@btinternet.com>
      Cc: Arto Bendiken <arto@bendiken.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dbbf0fec
    • Pali Rohár's avatar
      hwmon: (dell-smm) Blacklist Dell Studio XPS 8100 · 25ab1617
      Pali Rohár authored
      commit a4b45b25 upstream.
      
      CPU fan speed going up and down on Dell Studio XPS 8100 for
      unknown reasons. Without further debugging on the affected
      machine, it is not possible to find the problem.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=100121Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarJan C Peters <jcpeters89@gmail.com>
      [groeck: cleaned up description, comments]
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25ab1617
    • Javier Martinez Canillas's avatar
      hwmon: (nct7904) Export I2C module alias information · f03bde70
      Javier Martinez Canillas authored
      commit 1252be9c upstream.
      
      The I2C core always reports the MODALIAS uevent as "i2c:<client name"
      regardless if the driver was matched using the I2C id_table or the
      of_match_table. So the driver needs to export the I2C table and this
      be built into the module or udev won't have the necessary information
      to auto load the correct module when the device is added.
      Signed-off-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f03bde70
    • Takashi Sakamoto's avatar
      ALSA: fireworks/firewire-lib: add support for recent firmware quirk · 4a4a6ddb
      Takashi Sakamoto authored
      commit 18f5ed36 upstream.
      
      Fireworks uses TSB43CB43(IceLynx-Micro) as its IEC 61883-1/6 interface.
      This chip includes ARM7 core, and loads and runs program. The firmware
      is stored in on-board memory and loaded every powering-on from it.
      
      Echo Audio ships several versions of firmwares for each model. These
      firmwares have each quirk and the quirk changes a sequence of packets.
      
      As long as I investigated, AudioFire2/AudioFire4/AudioFirePre8 have a
      quirk to transfer a first packet with 0x02 in its dbc field. This causes
      ALSA Fireworks driver to detect discontinuity. In this case, firmware
      version 5.7.0, 5.7.3 and 5.8.0 are used.
      
      Payload  CIP      CIP
      quadlets header1  header2
      02       00050002 90ffffff <-
      42       0005000a 90013000
      42       00050012 90014400
      42       0005001a 90015800
      02       0005001a 90ffffff
      42       00050022 90019000
      42       0005002a 9001a400
      42       00050032 9001b800
      02       00050032 90ffffff
      42       0005003a 9001d000
      42       00050042 9001e400
      42       0005004a 9001f800
      02       0005004a 90ffffff
      (AudioFire2 with firmware version 5.7.)
      
      $ dmesg
      snd-fireworks fw1.0: Detect discontinuity of CIP: 00 02
      
      These models, AudioFire8 (since Jul 2009 ) and Gibson Robot Interface
      Pack series uses the same ARM binary as their firmware. Thus, this
      quirk may be observed among them.
      
      This commit adds a new member for AMDTP structure. This member represents
      the value of dbc field in a first AMDTP packet. Drivers can set it with
      a preferred value according to model's quirk.
      Tested-by: default avatarJohannes Oertei <johannes.oertel@uni-due.de>
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a4a6ddb
    • Hui Wang's avatar
      ALSA: hda - one Dell machine needs the headphone white noise fixup · 852fbebb
      Hui Wang authored
      commit 73851b36 upstream.
      
      The fixup ALC292_FIXUP_DISABLE_AAMIX can fix the white noise of
      the headphone on this Dell machine.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      852fbebb
    • Dan Carpenter's avatar
      ALSA: hda - fix cs4210_spdif_automute() · 66832d90
      Dan Carpenter authored
      commit 44008f08 upstream.
      
      Smatch complains that we have nested checks for "spdif_present".  It
      turns out the current behavior isn't correct, we should remove the first
      check and keep the second.
      
      Fixes: 1077a024 ('ALSA: hda - Use generic parser for Cirrus codec driver')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66832d90
    • Roger Quadros's avatar
      ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc · dcee5833
      Roger Quadros authored
      commit 9a258afa upstream.
      
      For hwmods without sysc, _init_mpu_rt_base(oh) won't be called and so
      _find_mpu_rt_port(oh) will return NULL thus preventing ready state check
      on those modules after the module is enabled.
      
      This can potentially cause a bus access error if the module is accessed
      before the module is ready.
      
      Fix this by unconditionally calling _init_mpu_rt_base() during hwmod
      _init(). Do ioremap only if we need SYSC access.
      
      Eventhough _wait_target_ready() check doesn't really need MPU RT port but
      just the PRCM registers, we still mandate that the hwmod must have an
      MPU RT port if ready state check needs to be done. Else it would mean that
      the module is not accessible by MPU so there is no point in waiting
      for target to be ready.
      
      e.g. this fixes the below DCAN bus access error on AM437x-gp-evm.
      
      [   16.672978] ------------[ cut here ]------------
      [   16.677885] WARNING: CPU: 0 PID: 1580 at drivers/bus/omap_l3_noc.c:147 l3_interrupt_handler+0x234/0x35c()
      [   16.687946] 44000000.ocp:L3 Custom Error: MASTER M2 (64-bit) TARGET L4_PER_0 (Read): Data Access in User mode during Functional access
      [   16.700654] Modules linked in: xhci_hcd btwilink ti_vpfe dwc3 videobuf2_core ov2659 bluetooth v4l2_common videodev ti_am335x_adc kfifo_buf industrialio c_can_platform videobuf2_dma_contig media snd_soc_tlv320aic3x pixcir_i2c_ts c_can dc
      [   16.731144] CPU: 0 PID: 1580 Comm: rpc.statd Not tainted 3.14.26-02561-gf733aa036398 #180
      [   16.739747] Backtrace:
      [   16.742336] [<c0011108>] (dump_backtrace) from [<c00112a4>] (show_stack+0x18/0x1c)
      [   16.750285]  r6:00000093 r5:00000009 r4:eab5b8a8 r3:00000000
      [   16.756252] [<c001128c>] (show_stack) from [<c05a4418>] (dump_stack+0x20/0x28)
      [   16.763870] [<c05a43f8>] (dump_stack) from [<c0037120>] (warn_slowpath_common+0x6c/0x8c)
      [   16.772408] [<c00370b4>] (warn_slowpath_common) from [<c00371e4>] (warn_slowpath_fmt+0x38/0x40)
      [   16.781550]  r8:c05d1f90 r7:c0730844 r6:c0730448 r5:80080003 r4:ed0cd210
      [   16.788626] [<c00371b0>] (warn_slowpath_fmt) from [<c027fa94>] (l3_interrupt_handler+0x234/0x35c)
      [   16.797968]  r3:ed0cd480 r2:c0730508
      [   16.801747] [<c027f860>] (l3_interrupt_handler) from [<c0063758>] (handle_irq_event_percpu+0x54/0x1bc)
      [   16.811533]  r10:ed005600 r9:c084855b r8:0000002a r7:00000000 r6:00000000 r5:0000002a
      [   16.819780]  r4:ed0e6d80
      [   16.822453] [<c0063704>] (handle_irq_event_percpu) from [<c00638f0>] (handle_irq_event+0x30/0x40)
      [   16.831789]  r10:eb2b6938 r9:eb2b6960 r8:bf011420 r7:fa240100 r6:00000000 r5:0000002a
      [   16.840052]  r4:ed005600
      [   16.842744] [<c00638c0>] (handle_irq_event) from [<c00661d8>] (handle_fasteoi_irq+0x74/0x128)
      [   16.851702]  r4:ed005600 r3:00000000
      [   16.855479] [<c0066164>] (handle_fasteoi_irq) from [<c0063068>] (generic_handle_irq+0x28/0x38)
      [   16.864523]  r4:0000002a r3:c0066164
      [   16.868294] [<c0063040>] (generic_handle_irq) from [<c000ef60>] (handle_IRQ+0x38/0x8c)
      [   16.876612]  r4:c081c640 r3:00000202
      [   16.880380] [<c000ef28>] (handle_IRQ) from [<c00084f0>] (gic_handle_irq+0x30/0x5c)
      [   16.888328]  r6:eab5ba38 r5:c0804460 r4:fa24010c r3:00000100
      [   16.894303] [<c00084c0>] (gic_handle_irq) from [<c05a8d80>] (__irq_svc+0x40/0x50)
      [   16.902193] Exception stack(0xeab5ba38 to 0xeab5ba80)
      [   16.907499] ba20:                                                       00000000 00000006
      [   16.916108] ba40: fa1d0000 fa1d0008 ed3d3000 eab5bab4 ed3d3460 c0842af4 bf011420 eb2b6960
      [   16.924716] ba60: eb2b6938 eab5ba8c eab5ba90 eab5ba80 bf035220 bf07702c 600f0013 ffffffff
      [   16.933317]  r7:eab5ba6c r6:ffffffff r5:600f0013 r4:bf07702c
      [   16.939317] [<bf077000>] (c_can_plat_read_reg_aligned_to_16bit [c_can_platform]) from [<bf035220>] (c_can_get_berr_counter+0x38/0x64 [c_can])
      [   16.952696] [<bf0351e8>] (c_can_get_berr_counter [c_can]) from [<bf010294>] (can_fill_info+0x124/0x15c [can_dev])
      [   16.963480]  r5:ec8c9740 r4:ed3d3000
      [   16.967253] [<bf010170>] (can_fill_info [can_dev]) from [<c0502fa8>] (rtnl_fill_ifinfo+0x58c/0x8fc)
      [   16.976749]  r6:ec8c9740 r5:ed3d3000 r4:eb2b6780
      [   16.981613] [<c0502a1c>] (rtnl_fill_ifinfo) from [<c0503408>] (rtnl_dump_ifinfo+0xf0/0x1dc)
      [   16.990401]  r10:ec8c9740 r9:00000000 r8:00000000 r7:00000000 r6:ebd4d1b4 r5:ed3d3000
      [   16.998671]  r4:00000000
      [   17.001342] [<c0503318>] (rtnl_dump_ifinfo) from [<c050e6e4>] (netlink_dump+0xa8/0x1e0)
      [   17.009772]  r10:00000000 r9:00000000 r8:c0503318 r7:ebf3e6c0 r6:ebd4d1b4 r5:ec8c9740
      [   17.018050]  r4:ebd4d000
      [   17.020714] [<c050e63c>] (netlink_dump) from [<c050ec10>] (__netlink_dump_start+0x104/0x154)
      [   17.029591]  r6:eab5bd34 r5:ec8c9980 r4:ebd4d000
      [   17.034454] [<c050eb0c>] (__netlink_dump_start) from [<c0505604>] (rtnetlink_rcv_msg+0x110/0x1f4)
      [   17.043778]  r7:00000000 r6:ec8c9980 r5:00000f40 r4:ebf3e6c0
      [   17.049743] [<c05054f4>] (rtnetlink_rcv_msg) from [<c05108e8>] (netlink_rcv_skb+0xb4/0xc8)
      [   17.058449]  r8:eab5bdac r7:ec8c9980 r6:c05054f4 r5:ec8c9980 r4:ebf3e6c0
      [   17.065534] [<c0510834>] (netlink_rcv_skb) from [<c0504134>] (rtnetlink_rcv+0x24/0x2c)
      [   17.073854]  r6:ebd4d000 r5:00000014 r4:ec8c9980 r3:c0504110
      [   17.079846] [<c0504110>] (rtnetlink_rcv) from [<c05102ac>] (netlink_unicast+0x180/0x1ec)
      [   17.088363]  r4:ed0c6800 r3:c0504110
      [   17.092113] [<c051012c>] (netlink_unicast) from [<c0510670>] (netlink_sendmsg+0x2ac/0x380)
      [   17.100813]  r10:00000000 r8:00000008 r7:ec8c9980 r6:ebd4d000 r5:eab5be70 r4:eab5bee4
      [   17.109083] [<c05103c4>] (netlink_sendmsg) from [<c04dfdb4>] (sock_sendmsg+0x90/0xb0)
      [   17.117305]  r10:00000000 r9:eab5a000 r8:becdda3c r7:0000000c r6:ea978400 r5:eab5be70
      [   17.125563]  r4:c05103c4
      [   17.128225] [<c04dfd24>] (sock_sendmsg) from [<c04e1c28>] (SyS_sendto+0xb8/0xdc)
      [   17.136001]  r6:becdda5c r5:00000014 r4:ecd37040
      [   17.140876] [<c04e1b70>] (SyS_sendto) from [<c000e680>] (ret_fast_syscall+0x0/0x30)
      [   17.148923]  r10:00000000 r8:c000e804 r7:00000122 r6:becdda5c r5:0000000c r4:becdda5c
      [   17.157169] ---[ end trace 2b71e15b38f58bad ]---
      
      Fixes: 6423d6df ("ARM: OMAP2+: hwmod: check for module address space during init")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcee5833
    • Denis Carikli's avatar
      ARM: dts: i.MX35: Fix can support. · d13a03e5
      Denis Carikli authored
      commit e053f96b upstream.
      
      Since commit 3d42a379
      ("can: flexcan: add 2nd clock to support imx53 and newer")
      the can driver requires a dt nodes to have a second clock.
      Add them to imx35 to fix probing the flex can driver on the
      respective platforms.
      Signed-off-by: default avatarDenis Carikli <denis@eukrea.com>
      Signed-off-by: default avatarShawn Guo <shawnguo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d13a03e5
    • Ilya Dryomov's avatar
      rbd: fix copyup completion race · 1fc5d707
      Ilya Dryomov authored
      commit 2761713d upstream.
      
      For write/discard obj_requests that involved a copyup method call, the
      opcode of the first op is CEPH_OSD_OP_CALL and the ->callback is
      rbd_img_obj_copyup_callback().  The latter frees copyup pages, sets
      ->xferred and delegates to rbd_img_obj_callback(), the "normal" image
      object callback, for reporting to block layer and putting refs.
      
      rbd_osd_req_callback() however treats CEPH_OSD_OP_CALL as a trivial op,
      which means obj_request is marked done in rbd_osd_trivial_callback(),
      *before* ->callback is invoked and rbd_img_obj_copyup_callback() has
      a chance to run.  Marking obj_request done essentially means giving
      rbd_img_obj_callback() a license to end it at any moment, so if another
      obj_request from the same img_request is being completed concurrently,
      rbd_img_obj_end_request() may very well be called on such prematurally
      marked done request:
      
      <obj_request-1/2 reply>
      handle_reply()
        rbd_osd_req_callback()
          rbd_osd_trivial_callback()
          rbd_obj_request_complete()
          rbd_img_obj_copyup_callback()
          rbd_img_obj_callback()
                                          <obj_request-2/2 reply>
                                          handle_reply()
                                            rbd_osd_req_callback()
                                              rbd_osd_trivial_callback()
            for_each_obj_request(obj_request->img_request) {
              rbd_img_obj_end_request(obj_request-1/2)
              rbd_img_obj_end_request(obj_request-2/2) <--
            }
      
      Calling rbd_img_obj_end_request() on such a request leads to trouble,
      in particular because its ->xfferred is 0.  We report 0 to the block
      layer with blk_update_request(), get back 1 for "this request has more
      data in flight" and then trip on
      
          rbd_assert(more ^ (which == img_request->obj_request_count));
      
      with rhs (which == ...) being 1 because rbd_img_obj_end_request() has
      been called for both requests and lhs (more) being 1 because we haven't
      got a chance to set ->xfferred in rbd_img_obj_copyup_callback() yet.
      
      To fix this, leverage that rbd wants to call class methods in only two
      cases: one is a generic method call wrapper (obj_request is standalone)
      and the other is a copyup (obj_request is part of an img_request).  So
      make a dedicated handler for CEPH_OSD_OP_CALL and directly invoke
      rbd_img_obj_copyup_callback() from it if obj_request is part of an
      img_request, similar to how CEPH_OSD_OP_READ handler invokes
      rbd_img_obj_request_read_callback().
      
      Since rbd_img_obj_copyup_callback() is now being called from the OSD
      request callback (only), it is renamed to rbd_osd_copyup_callback().
      
      Cc: Alex Elder <elder@linaro.org>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fc5d707
    • Herbert Xu's avatar
      crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer · 593b1559
      Herbert Xu authored
      commit f898c522 upstream.
      
      This patch removes a bogus BUG_ON in the ablkcipher path that
      triggers when the destination buffer is different from the source
      buffer and is scattered.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      593b1559
    • Tadeusz Struk's avatar
      crypto: qat - Fix invalid synchronization between register/unregister sym algs · 7047312d
      Tadeusz Struk authored
      commit 6f043b50 upstream.
      
      The synchronization method used atomic was bogus.
      Use a proper synchronization with mutex.
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7047312d
    • Martin Schwidefsky's avatar
      hwrng: core - correct error check of kthread_run call · 640e6017
      Martin Schwidefsky authored
      commit 17fb874d upstream.
      
      The kthread_run() function can return two different error values
      but the hwrng core only checks for -ENOMEM. If the other error
      value -EINTR is returned it is assigned to hwrng_fill and later
      used on a kthread_stop() call which naturally crashes.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      640e6017
    • Marek Marczykowski-Górecki's avatar
      xen/gntdevt: Fix race condition in gntdev_release() · f90781aa
      Marek Marczykowski-Górecki authored
      commit 30b03d05 upstream.
      
      While gntdev_release() is called the MMU notifier is still registered
      and can traverse priv->maps list even if no pages are mapped (which is
      the case -- gntdev_release() is called after all). But
      gntdev_release() will clear that list, so make sure that only one of
      those things happens at the same time.
      Signed-off-by: default avatarMarek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f90781aa
    • Andy Lutomirski's avatar
      x86/xen: Probe target addresses in set_aliased_prot() before the hypercall · d24944ad
      Andy Lutomirski authored
      commit aa1acff3 upstream.
      
      The update_va_mapping hypercall can fail if the VA isn't present
      in the guest's page tables.  Under certain loads, this can
      result in an OOPS when the target address is in unpopulated vmap
      space.
      
      While we're at it, add comments to help explain what's going on.
      
      This isn't a great long-term fix.  This code should probably be
      changed to use something like set_memory_ro.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Andrew Cooper <andrew.cooper3@citrix.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: David Vrabel <dvrabel@cantab.net>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: security@kernel.org <security@kernel.org>
      Cc: xen-devel <xen-devel@lists.xen.org>
      Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d24944ad
    • Lars-Peter Clausen's avatar
      ASoC: dapm: Don't add prefix to widget stream name · 07d74a4b
      Lars-Peter Clausen authored
      commit a798c24a upstream.
      
      Commit fdb6eb0a ("ASoC: dapm: Modify widget stream name according to
      prefix") fixed the case where a DAPM route between a DAI widget and a
      DAC/ADC/AIF widget with a matching stream name was not created when the
      DAPM context was using a prefix.
      
      Unfortunately the patch introduced a few issues on its own like leaking the
      dynamically allocated stream name memory and also not checking whether the
      allocation succeeded in the first place.
      
      It is also incomplete in that it still does not handle the case where
      stream name of the widget is a substring of the stream name of the DAI,
      which is explicitly allowed and works fine if no DAPM prefix is used.
      
      Revert the commit and take a slightly different approach to solving the
      issue. Instead of comparing the widget's stream name to the name of the DAI
      widget compare it to the stream name of the DAI widget. The stream name of
      the DAI widget is identical to the name of the DAI widget except that it
      wont have the DAPM prefix added. So this approach behaves identical
      regardless to whether the DAPM context uses a prefix or not.
      
      We don't have to worry about potentially matching with a widget with the
      same stream name, but from a different DAPM context with a different
      prefix, since the code already makes sure that both the DAI widget and the
      matched widget are from the same DAPM context.
      
      Fixes: fdb6eb0a ("ASoC: dapm: Modify widget stream name according to prefix")
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07d74a4b
    • Lars-Peter Clausen's avatar
      ASoC: dapm: Lock during userspace access · d90d0668
      Lars-Peter Clausen authored
      commit e50b1e06 upstream.
      
      The DAPM lock must be held when accessing the DAPM graph status through
      sysfs or debugfs, otherwise concurrent changes to the graph can result in
      undefined behaviour.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d90d0668
    • Axel Lin's avatar
      ASoC: pcm1681: Fix setting de-emphasis sampling rate selection · e52e67a7
      Axel Lin authored
      commit fa8173a3 upstream.
      
      The de-emphasis sampling rate selection is controlled by BIT[3:4] of
      PCM1681_DEEMPH_CONTROL register. Do proper left shift to set it.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Acked-by: default avatarMarek Belisko <marek.belisko@streamunlimited.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e52e67a7
    • Ben Zhang's avatar
      ASoC: ssm4567: Keep TDM_BCLKS in ssm4567_set_dai_fmt · b0e4d399
      Ben Zhang authored
      commit a6c2a32a upstream.
      
      The regmap_write in ssm4567_set_dai_fmt accidentally clears the
      TDM_BCLKS field which was set earlier by ssm4567_set_tdm_slot.
      
      This patch fixes it by using regmap_update_bits with proper mask.
      Signed-off-by: default avatarBen Zhang <benzh@chromium.org>
      Acked-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarAnatol Pomozov <anatol.pomozov@gmail.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0e4d399
    • Shilpa Sreeramalu's avatar
      ASoC: Intel: Get correct usage_count value to load firmware · ba8d2b48
      Shilpa Sreeramalu authored
      commit 412efa73 upstream.
      
      The usage_count variable was read before it was set to the correct
      value, due to which the firmware load was failing. Because of this
      IPC messages sent to the firmware were timing out causing a delay
      of about 1 second while playing audio from the internal speakers.
      
      With this patch the usage_count is read after the function call
      pm_runtime_get_sync which will increment the usage_count variable
      and the firmware load is successful and all the IPC messages are
      processed correctly.
      Signed-off-by: default avatarShilpa Sreeramalu <shilpa.sreeramalu@intel.com>
      Signed-off-by: default avatarFang, Yang A <yang.a.fang@intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba8d2b48
    • Murali Karicheri's avatar
      ARM: dts: keystone: fix dt bindings to use post div register for mainpll · 40114a3e
      Murali Karicheri authored
      commit c1bfa985 upstream.
      
      All of the keystone devices have a separate register to hold post
      divider value for main pll clock. Currently the fixed-postdiv
      value used for k2hk/l/e SoCs works by sheer luck as u-boot happens to
      use a value of 2 for this. Now that we have fixed this in the pll
      clock driver change the dt bindings for the same.
      Signed-off-by: default avatarMurali Karicheri <m-karicheri2@ti.com>
      Acked-by: default avatarSantosh Shilimkar <ssantosh@kernel.org>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40114a3e
    • Murali Karicheri's avatar
      clk: keystone: add support for post divider register for main pll · c6fdd1b5
      Murali Karicheri authored
      commit 02fdfd70 upstream.
      
      Main PLL controller has post divider bits in a separate register in
      pll controller. Use the value from this register instead of fixed
      divider when available.
      Signed-off-by: default avatarMurali Karicheri <m-karicheri2@ti.com>
      Signed-off-by: default avatarMichael Turquette <mturquette@baylibre.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6fdd1b5
    • David S. Miller's avatar
      sparc64: Fix userspace FPU register corruptions. · b75513b0
      David S. Miller authored
      [ Upstream commit 44922150 ]
      
      If we have a series of events from userpsace, with %fprs=FPRS_FEF,
      like follows:
      
      ETRAP
      	ETRAP
      		VIS_ENTRY(fprs=0x4)
      		VIS_EXIT
      		RTRAP (kernel FPU restore with fpu_saved=0x4)
      	RTRAP
      
      We will not restore the user registers that were clobbered by the FPU
      using kernel code in the inner-most trap.
      
      Traps allocate FPU save slots in the thread struct, and FPU using
      sequences save the "dirty" FPU registers only.
      
      This works at the initial trap level because all of the registers
      get recorded into the top-level FPU save area, and we'll return
      to userspace with the FPU disabled so that any FPU use by the user
      will take an FPU disabled trap wherein we'll load the registers
      back up properly.
      
      But this is not how trap returns from kernel to kernel operate.
      
      The simplest fix for this bug is to always save all FPU register state
      for anything other than the top-most FPU save area.
      
      Getting rid of the optimized inner-slot FPU saving code ends up
      making VISEntryHalf degenerate into plain VISEntry.
      
      Longer term we need to do something smarter to reinstate the partial
      save optimizations.  Perhaps the fundament error is having trap entry
      and exit allocate FPU save slots and restore register state.  Instead,
      the VISEntry et al. calls should be doing that work.
      
      This bug is about two decades old.
      Reported-by: default avatarJames Y Knight <jyknight@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b75513b0
    • Herbert Xu's avatar
      crypto: nx - Fix reentrancy bugs · 2d089963
      Herbert Xu authored
      commit 030f4e96 upstream.
      
      This patch fixes a host of reentrancy bugs in the nx driver.  The
      following algorithms are affected:
      
      * CCM
      * GCM
      * CTR
      * XCBC
      * SHA256
      * SHA512
      
      The crypto API allows a single transform to be used by multiple
      threads simultaneously.  For example, IPsec will use a single tfm
      to process packets for a given SA.  As packets may arrive on
      multiple CPUs that tfm must be reentrant.
      
      The nx driver does try to deal with this by using a spin lock.
      Unfortunately only the basic AES/CBC/ECB algorithms do this in
      the correct way.
      
      The symptom of these bugs may range from the generation of incorrect
      output to memory corruption.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d089963
    • Leonidas Da Silva Barbosa's avatar
      crypto: nx - Fixing SHA update bug · 71a0c1ec
      Leonidas Da Silva Barbosa authored
      commit 10d87b73 upstream.
      
      Bug happens when a data size less than SHA block size is passed.
      Since first attempt will be saved in buffer, second round attempt
      get into two step to calculate op.inlen and op.outlen. The issue
      resides in this step. A  wrong value of op.inlen and outlen was being
      calculated.
      
      This patch fix this eliminate the nx_sha_build_sg_list, that is
      useless in SHA's algorithm context. Instead we call nx_build_sg_list
      directly and pass a previous calculated max_sg_len to it.
      Signed-off-by: default avatarLeonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71a0c1ec
    • Leonidas Da Silva Barbosa's avatar
      crypto: nx - Fixing NX data alignment with nx_sg list · b2b6e166
      Leonidas Da Silva Barbosa authored
      commit c3365ce1 upstream.
      
      In NX we need to pass always a 16 multiple size nx_sg_list to
      co processor. Trim function handle with this assuring all nx_sg_lists
      are 16 multiple size, although data was not being considerated when
      crop was done. It was causing an unalignment between size of the list
      and data, corrupting csbcpb fields returning a -23 H_ST_PARM error, or
      invalid operation.
      
      This patch fix this recalculating how much data should be put back
      in to_process variable what assures the size of sg_list will be
      correct with size of the data.
      Signed-off-by: default avatarLeonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b2b6e166
    • Cyrille Pitchen's avatar
      dmaengine: at_xdmac: fix transfer data width in at_xdmac_prep_slave_sg() · c0e0ec97
      Cyrille Pitchen authored
      commit 1c8a38b1 upstream.
      
      This patch adds the missing update of the transfer data width in
      at_xdmac_prep_slave_sg().
      
      Indeed, for each item in the scatter-gather list, we check whether the
      transfer length is aligned with the data width provided by
      dmaengine_slave_config(). If so, we directly use this data width for the
      current part of the transfer we are preparing. Otherwise, the data width
      is reduced to 8 bits (1 byte). Of course, the actual number of register
      accesses must also be updated to match the new data width.
      
      So one chunk was missing in the original patch (see Fixes tag below): the
      number of register accesses was correctly set to (len >> fixed_dwidth) in
      mbr_ubc but the real data width was not updated in mbr_cfg. Since mbr_cfg
      may change for each part of the scatter-gather transfer this also explains
      why the original patch used the Descriptor View 2 instead of the
      Descriptor View 1.
      
      Let's take the example of a DMA transfer to write 8bit data into an Atmel
      USART with FIFOs. When FIFOs are enabled in the USART, its Transmit
      Holding Register (THR) works in multidata mode, that is to say that up to
      4 8bit data can be written into the THR in a single 32bit access and it is
      still possible to write only one data with a 8bit access. To take
      advantage of this new feature, the DMA driver was modified to allow
      multiple dwidths when doing slave transfers.
      For instance, when the total length is 22 bytes, the USART driver splits
      the transfer into 2 parts:
      
      First part: 20 bytes transferred through 5 32bit writes into THR
      Second part: 2 bytes transferred though 2 8bit writes into THR
      
      For the second part, the data width was first set to 4_BYTES by the USART
      driver thanks to dmaengine_slave_config() then at_xdmac_prep_slave_sg()
      reduces this data width to 1_BYTE because the 2 byte length is not aligned
      with the original 4_BYTES data width. Since the data width is modified,
      the actual number of writes into THR must be set accordingly.
      Signed-off-by: default avatarCyrille Pitchen <cyrille.pitchen@atmel.com>
      Fixes: 6d3a7d9e ("dmaengine: at_xdmac: allow muliple dwidths when doing slave transfers")
      Cc: stable@vger.kernel.org #4.0 and later
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Acked-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0e0ec97
    • Andy Lutomirski's avatar
      x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection · 37df1cab
      Andy Lutomirski authored
      commit 810bc075 upstream.
      
      We have a tricky bug in the nested NMI code: if we see RSP
      pointing to the NMI stack on NMI entry from kernel mode, we
      assume that we are executing a nested NMI.
      
      This isn't quite true.  A malicious userspace program can point
      RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
      happen while RSP is still pointing at the NMI stack.
      
      Fix it with a sneaky trick.  Set DF in the region of code that
      the RSP check is intended to detect.  IRET will clear DF
      atomically.
      
      ( Note: other than paravirt, there's little need for all this
        complexity. We could check RIP instead of RSP. )
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37df1cab
    • Andy Lutomirski's avatar
      x86/nmi/64: Reorder nested NMI checks · d8246ca4
      Andy Lutomirski authored
      commit a27507ca upstream.
      
      Check the repeat_nmi .. end_repeat_nmi special case first.  The
      next patch will rework the RSP check and, as a side effect, the
      RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
      we'll need this ordering of the checks.
      
      Note: this is more subtle than it appears.  The check for
      repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
      instead of adjusting the "iret" frame to force a repeat.  This
      is necessary, because the code between repeat_nmi and
      end_repeat_nmi sets "NMI executing" and then writes to the
      "iret" frame itself.  If a nested NMI comes in and modifies the
      "iret" frame while repeat_nmi is also modifying it, we'll end up
      with garbage.  The old code got this right, as does the new
      code, but the new code is a bit more explicit.
      
      If we were to move the check right after the "NMI executing"
      check, then we'd get it wrong and have random crashes.
      
      ( Because the "NMI executing" check would jump to the code that would
        modify the "iret" frame without checking if the interrupted NMI was
        currently modifying it. )
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d8246ca4
    • Andy Lutomirski's avatar
      x86/nmi/64: Improve nested NMI comments · 1dd191d7
      Andy Lutomirski authored
      commit 0b22930e upstream.
      
      I found the nested NMI documentation to be difficult to follow.
      Improve the comments.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1dd191d7
    • Andy Lutomirski's avatar
      x86/nmi/64: Switch stacks on userspace NMI entry · 60e6cbaf
      Andy Lutomirski authored
      commit 9b6e6a83 upstream.
      
      Returning to userspace is tricky: IRET can fail, and ESPFIX can
      rearrange the stack prior to IRET.
      
      The NMI nesting fixup relies on a precise stack layout and
      atomic IRET.  Rather than trying to teach the NMI nesting fixup
      to handle ESPFIX and failed IRET, punt: run NMIs that came from
      user mode on the normal kernel stack.
      
      This will make some nested NMIs visible to C code, but the C
      code is okay with that.
      
      As a side effect, this should speed up perf: it eliminates an
      RDMSR when NMIs come from user mode.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      60e6cbaf
    • Andy Lutomirski's avatar
      x86/nmi/64: Remove asm code that saves CR2 · f163d838
      Andy Lutomirski authored
      commit 0e181bb5 upstream.
      
      Now that do_nmi saves CR2, we don't need to save it in asm.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f163d838
    • Andy Lutomirski's avatar
      x86/nmi: Enable nested do_nmi() handling for 64-bit kernels · e0146756
      Andy Lutomirski authored
      commit 9d050416 upstream.
      
      32-bit kernels handle nested NMIs in C.  Enable the exact same
      handling on 64-bit kernels as well.  This isn't currently
      necessary, but it will become necessary once the asm code starts
      allowing limited nesting.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0146756
    • Andy Lutomirski's avatar
      x86/asm/entry/64: Remove pointless jump to irq_return · 4e1fb62b
      Andy Lutomirski authored
      commit 5ca6f70f upstream.
      
      INTERRUPT_RETURN turns into a jmp instruction.  There's no need
      for extra indirection.
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: <linux-kernel@vger.kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/2f2318653dbad284a59311f13f08cea71298fd7c.1433449436.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e1fb62b
    • Michal Kazior's avatar
      ath10k: fix qca61x4 hw2.1 support · b235edce
      Michal Kazior authored
      commit 11a002ef upstream.
      
      During initialization firmware does some sort of
      memory switch between DRAM and IRAM. If
      configuration value for bank switching isn't
      correct device crashes during init.
      
      The new value prevents firmware 11.0.0.302 (and
      possibly others) for qca61x4 hw2.1 from crashing
      during init.
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b235edce
    • Benjamin Randazzo's avatar
      md: use kzalloc() when bitmap is disabled · 33afeac2
      Benjamin Randazzo authored
      commit b6878d9e upstream.
      
      In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
      mdu_bitmap_file_t called "file".
      
      5769         file = kmalloc(sizeof(*file), GFP_NOIO);
      5770         if (!file)
      5771                 return -ENOMEM;
      
      This structure is copied to user space at the end of the function.
      
      5786         if (err == 0 &&
      5787             copy_to_user(arg, file, sizeof(*file)))
      5788                 err = -EFAULT
      
      But if bitmap is disabled only the first byte of "file" is initialized
      with zero, so it's possible to read some bytes (up to 4095) of kernel
      space memory from user space. This is an information leak.
      
      5775         /* bitmap disabled, zero the first byte and copy out */
      5776         if (!mddev->bitmap_info.file)
      5777                 file->pathname[0] = '\0';
      Signed-off-by: default avatarBenjamin Randazzo <benjamin@randazzo.fr>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33afeac2
    • NeilBrown's avatar
      phy: twl4030-usb: make runtime pm more reliable. · 73f7d1ff
      NeilBrown authored
      commit 56301df6 upstream.
      
      A construct like:
      
              if (pm_runtime_suspended(twl->dev))
                     pm_runtime_get_sync(twl->dev);
      
      is against the spirit of the runtime_pm interface as it
      makes the internal refcounting useless.
      
      In this case it is also racy, particularly as 'put_autosuspend'
      is used to drop a reference.
      When that happens a timer is started and the device is
      runtime-suspended after the timeout.
      If the above code runs in this window, the device will not be
      found to be suspended so no pm_runtime reference is taken.
      When the timer expires the device will be suspended, which is
      against the intention of the code.
      
      So be more direct is taking and dropping references.
      If twl->linkstat is VBUS_VALID or ID_GROUND, then hold a
      pm_runtime reference, otherwise don't.
      Define "cable_present()" to test for this condition.
      Tested-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Cc: Alexander Holler <holler@ahsoftware.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73f7d1ff
    • Peter Chen's avatar
      usb: chipidea: ehci_init_driver is intended to call one time · 87a73d80
      Peter Chen authored
      commit 2f01a33b upstream.
      
      The ehci_init_driver is used to initialize hcd APIs for each
      ehci controller driver, it is designed to be called only one time
      and before driver register is called. The current design will
      cause ehci_init_driver is called multiple times at probe process,
      it will cause hc_driver's initialization affect current running hcd.
      
      We run out NULL pointer dereference problem when one hcd is started
      by module_init, and the other is started by otg thread at SMP platform.
      The reason for this problem is ehci_init_driver will do memory copy
      for current uniform hc_driver, and this memory copy will do memset (as 0)
      first, so when the first hcd is running usb_add_hcd, and the second
      hcd may clear the uniform hc_driver's space (at ehci_init_driver),
      then the first hcd will meet NULL pointer at the same time.
      
      See below two logs:
      
      LOG_1:
      ci_hdrc ci_hdrc.0: EHCI Host Controller
      ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
      ci_hdrc ci_hdrc.1: doesn't support gadget
      Unable to handle kernel NULL pointer dereference at virtual address 00000014
      pgd = 80004000
      [00000014] *pgd=00000000
      Internal error: Oops: 805 [#1] PREEMPT SMP ARM
      Modules linked in:
      CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-222193-g24b2734-dirty #25
      Workqueue: ci_otg ci_otg_work
      task: d839ec00 ti: d8400000 task.ti: d8400000
      PC is at ehci_run+0x4c/0x284
      LR is at _raw_spin_unlock_irqrestore+0x28/0x54
      pc : [<8041f9a0>]    lr : [<8070ea84>]    psr: 60000113
      sp : d8401e30  ip : 00000000  fp : d8004400
      r10: 00000001  r9 : 00000001  r8 : 00000000
      r7 : 00000000  r6 : d8419940  r5 : 80dd24c0  r4 : d8419800
      r3 : 8001d060  r2 : 00000000  r1 : 00000001  r0 : 00000000
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c53c7d  Table: 1000404a  DAC: 00000015
      Process kworker/u8:2 (pid: 108, stack limit = 0xd8400238)
      Stack: (0xd8401e30 to 0xd8402000)
      1e20:                                     d87523c0 d8401e48 66667562 d8419800
      1e40: 00000000 00000000 d8419800 00000000 00000000 00000000 d84198b0 8040fcdc
      1e60: 00000000 80dd320c d8477610 d8419c00 d803d010 d8419800 00000000 00000000
      1e80: d8004400 00000000 d8400008 80431494 80431374 d803d100 d803d010 d803d1ac
      1ea0: 00000000 80432428 804323d4 d803d100 00000001 80435eb8 80e0d0bc d803d100
      1ec0: 00000006 80436458 00000000 d803d100 80e92ec8 80436f44 d803d010 d803d100
      1ee0: d83fde00 8043292c d8752710 d803d1f4 d803d010 8042ddfc 8042ddb8 d83f3b00
      1f00: d803d1f4 80042b60 00000000 00000003 00000001 00000001 80054598 d83f3b00
      1f20: d8004400 d83f3b18 d8004414 d8400000 80e3957b 00000089 d8004400 80043814
      1f40: d839ec00 00000000 d83fcd80 d83f3b00 800436e4 00000000 00000000 00000000
      1f60: 00000000 80048f34 00000000 00000000 00000000 d83f3b00 00000000 00000000
      1f80: d8401f80 d8401f80 00000000 00000000 d8401f90 d8401f90 d8401fac d83fcd80
      1fa0: 80048e68 00000000 00000000 8000e538 00000000 00000000 00000000 00000000
      1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [<8041f9a0>] (ehci_run) from [<8040fcdc>] (usb_add_hcd+0x248/0x6e8)
      [<8040fcdc>] (usb_add_hcd) from [<80431494>] (host_start+0x120/0x2e4)
      [<80431494>] (host_start) from [<80432428>] (ci_otg_start_host+0x54/0xbc)
      [<80432428>] (ci_otg_start_host) from [<80435eb8>] (otg_set_protocol+0xa4/0xd0)
      [<80435eb8>] (otg_set_protocol) from [<80436458>] (otg_set_state+0x574/0xc58)
      [<80436458>] (otg_set_state) from [<80436f44>] (otg_statemachine+0x408/0x46c)
      [<80436f44>] (otg_statemachine) from [<8043292c>] (ci_otg_fsm_work+0x3c/0x190)
      [<8043292c>] (ci_otg_fsm_work) from [<8042ddfc>] (ci_otg_work+0x44/0x1c4)
      [<8042ddfc>] (ci_otg_work) from [<80042b60>] (process_one_work+0xf4/0x35c)
      [<80042b60>] (process_one_work) from [<80043814>] (worker_thread+0x130/0x3bc)
      [<80043814>] (worker_thread) from [<80048f34>] (kthread+0xcc/0xe4)
      [<80048f34>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c)
      Code: e5953018 e3530000 0a000000 e12fff33 (e5878014)
      
      LOG_2:
      ci_hdrc ci_hdrc.0: EHCI Host Controller
      ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
      ci_hdrc ci_hdrc.1: doesn't support gadget
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = 80004000
      [00000000] *pgd=00000000
      In Online 00:00ternal e      Offline rror: Oops: 80000005 [#1] PREEMPT SMP ARM
      Modules linked in:
      CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-02007-g24b2734-dirty #127
      Workque Online 00:00ue: ci_o      Offline tg ci_otg_work
      Online 00:00task: d8      Offline 39ec00 ti: d83ea000 task.ti: d83ea000
      PC is at 0x0
      LR is at usb_add_hcd+0x248/0x6e8
      pc : [<00000000>]    lr : [<8040f644>]    psr: 60000113
      sp : d83ebe60  ip : 00000000  fp : d8004400
      r10: 00000001  r9 : 00000001  r8 : d85fd4b0
      r7 : 00000000  r6 : 00000000  r5 : 00000000  r4 : d85fd400
      r3 : 00000000  r2 : d85fd4f4  r1 : 80410178  r0 : d85fd400
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c53c7d  Table: 1000404a  DAC: 00000015
      Process kworker/u8:2 (pid: 108, stack limit = 0xd83ea238)
      Stack: (0xd83ebe60 to 0xd83ec000)
      be60: 00000000 80dd920c d8654e10 d85fd800 d803e010 d85fd400 00000000 00000000
      be80: d8004400 00000000 d83ea008 80430e34 80430d14 d803e100 d803e010 d803e1ac
      bea0: 00000000 80431dc8 80431d74 d803e100 00000001 80435858 80e130bc d803e100
      bec0: 00000006 80435df8 00000000 d803e100 80e98ec8 804368e4 d803e010 d803e100
      bee0: d86e8100 804322cc d86cf050 d803e1f4 d803e010 8042d79c 8042d758 d83cf900
      bf00: d803e1f4 80042b78 00000000 00000003 00000001 00000001 800545e8 d83cf900
      bf20: d8004400 d83cf918 d8004414 d83ea000 80e3f57b 00000089 d8004400 8004382c
      bf40: d839ec00 00000000 d8393780 d83cf900 800436fc 00000000 00000000 00000000
      bf60: 00000000 80048f50 80e019f4 00000000 0000264c d83cf900 00000000 00000000
      bf80: d83ebf80 d83ebf80 00000000 00000000 d83ebf90 d83ebf90 d83ebfac d8393780
      bfa0: 80048e84 00000000 00000000 8000e538 00000000 00000000 00000000 00000000
      bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 ee66e85d 133ebd03
      [<804 Online 00:000f644>]       Offline (usb_add_hcd) from [<80430e34>] (host_start+0x120/0x2e4)
      [<80430e34>] (host_start) from [<80431dc8>] (ci_otg_start_host+0x54/0xbc)
      [<80431dc8>] (ci_otg_start_host) from [<80435858>] (otg_set_protocol+0xa4/0xd0)
      [<80435858>] (otg_set_protocol) from [<80435df8>] (otg_set_state+0x574/0xc58)
      [<80435df8>] (otg_set_state) from [<804368e4>] (otg_statemachine+0x408/0x46c)
      [<804368e4>] (otg_statemachine) from [<804322cc>] (ci_otg_fsm_work+0x3c/0x190)
      [<804322cc>] (ci_otg_fsm_work) from [<8042d79c>] (ci_otg_work+0x44/0x1c4)
      [<8042d79c>] (ci_otg_work) from [<80042b78>] (process_one_work+0xf4/0x35c)
      [<80042b78>] (process_one_work) from [<8004382c>] (worker_thread+0x130/0x3bc)
      [<8004382c>] (worker_thread) from [<80048f50>] (kthread+0xcc/0xe4)
      [<80048f50>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c)
      Code: bad PC value
      
      Cc: Jun Li <jun.li@freescale.com>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarPeter Chen <peter.chen@freescale.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87a73d80