1. 06 Aug, 2015 40 commits
    • Filipe Manana's avatar
      Btrfs: fix list transaction->pending_ordered corruption · d2deaf0a
      Filipe Manana authored
      commit d3efe084 upstream.
      
      When we call btrfs_commit_transaction(), we splice the list "ordered"
      of our transaction handle into the transaction's "pending_ordered"
      list, but we don't re-initialize the "ordered" list of our transaction
      handle, this means it still points to the same elements it used to
      before the splice. Then we check if the current transaction's state is
      >= TRANS_STATE_COMMIT_START and if it is we end up calling
      btrfs_end_transaction() which simply splices again the "ordered" list
      of our handle into the transaction's "pending_ordered" list, leaving
      multiple pointers to the same ordered extents which results in list
      corruption when we are iterating, removing and freeing ordered extents
      at btrfs_wait_pending_ordered(), resulting in access to dangling
      pointers / use-after-free issues.
      Similarly, btrfs_end_transaction() can end up in some cases calling
      btrfs_commit_transaction(), and both did a list splice of the transaction
      handle's "ordered" list into the transaction's "pending_ordered" without
      re-initializing the handle's "ordered" list, resulting in exactly the
      same problem.
      
      This produces the following warning on a kernel with linked list
      debugging enabled:
      
      [109749.265416] ------------[ cut here ]------------
      [109749.266410] WARNING: CPU: 7 PID: 324 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98()
      [109749.267969] list_del corruption. prev->next should be ffff8800ba087e20, but was fffffff8c1f7c35d
      (...)
      [109749.287505] Call Trace:
      [109749.288135]  [<ffffffff8145f077>] dump_stack+0x4f/0x7b
      [109749.298080]  [<ffffffff81095de5>] ? console_unlock+0x356/0x3a2
      [109749.331605]  [<ffffffff8104b3b0>] warn_slowpath_common+0xa1/0xbb
      [109749.334849]  [<ffffffff81260642>] ? __list_del_entry+0x5a/0x98
      [109749.337093]  [<ffffffff8104b410>] warn_slowpath_fmt+0x46/0x48
      [109749.337847]  [<ffffffff81260642>] __list_del_entry+0x5a/0x98
      [109749.338678]  [<ffffffffa053e8bf>] btrfs_wait_pending_ordered+0x46/0xdb [btrfs]
      [109749.340145]  [<ffffffffa058a65f>] ? __btrfs_run_delayed_items+0x149/0x163 [btrfs]
      [109749.348313]  [<ffffffffa054077d>] btrfs_commit_transaction+0x36b/0xa10 [btrfs]
      [109749.349745]  [<ffffffff81087310>] ? trace_hardirqs_on+0xd/0xf
      [109749.350819]  [<ffffffffa055370d>] btrfs_sync_file+0x36f/0x3fc [btrfs]
      [109749.351976]  [<ffffffff8118ec98>] vfs_fsync_range+0x8f/0x9e
      [109749.360341]  [<ffffffff8118ecc3>] vfs_fsync+0x1c/0x1e
      [109749.368828]  [<ffffffff8118ee1d>] do_fsync+0x34/0x4e
      [109749.369790]  [<ffffffff8118f045>] SyS_fsync+0x10/0x14
      [109749.370925]  [<ffffffff81465197>] system_call_fastpath+0x12/0x6f
      [109749.382274] ---[ end trace 48e0d07f7c03d95a ]---
      
      On a non-debug kernel this leads to invalid memory accesses, causing a
      crash. Fix this by using list_splice_init() instead of list_splice() in
      btrfs_commit_transaction() and btrfs_end_transaction().
      
      Fixes: 50d9aa99 ("Btrfs: make sure logged extents complete in the current transaction V3"
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d2deaf0a
    • Filipe Manana's avatar
      Btrfs: fix memory leak in the extent_same ioctl · a97c8317
      Filipe Manana authored
      commit 497b4050 upstream.
      
      We were allocating memory with memdup_user() but we were never releasing
      that memory. This affected pretty much every call to the ioctl, whether
      it deduplicated extents or not.
      
      This issue was reported on IRC by Julian Taylor and on the mailing list
      by Marcel Ritter, credit goes to them for finding the issue.
      Reported-by: default avatarJulian Taylor <jtaylor.debian@googlemail.com>
      Reported-by: default avatarMarcel Ritter <ritter.marcel@gmail.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarMark Fasheh <mfasheh@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a97c8317
    • Radim Krčmář's avatar
      KVM: VMX: fix vmwrite to invalid VMCS · 7700e86e
      Radim Krčmář authored
      commit 370777da upstream.
      
      fpu_activate is called outside of vcpu_load(), which means it should not
      touch VMCS, but fpu_activate needs to.  Avoid the call by moving it to a
      point where we know that the guest needs eager FPU and VMCS is loaded.
      
      This will get rid of the following trace
      
       vmwrite error: reg 6800 value 0 (err 1)
        [<ffffffff8162035b>] dump_stack+0x19/0x1b
        [<ffffffffa046c701>] vmwrite_error+0x2c/0x2e [kvm_intel]
        [<ffffffffa045f26f>] vmcs_writel+0x1f/0x30 [kvm_intel]
        [<ffffffffa04617e5>] vmx_fpu_activate.part.61+0x45/0xb0 [kvm_intel]
        [<ffffffffa0461865>] vmx_fpu_activate+0x15/0x20 [kvm_intel]
        [<ffffffffa0560b91>] kvm_arch_vcpu_create+0x51/0x70 [kvm]
        [<ffffffffa0548011>] kvm_vm_ioctl+0x1c1/0x760 [kvm]
        [<ffffffff8118b55a>] ? handle_mm_fault+0x49a/0xec0
        [<ffffffff811e47d5>] do_vfs_ioctl+0x2e5/0x4c0
        [<ffffffff8127abbe>] ? file_has_perm+0xae/0xc0
        [<ffffffff811e4a51>] SyS_ioctl+0xa1/0xc0
        [<ffffffff81630949>] system_call_fastpath+0x16/0x1b
      
      (Note: we also unconditionally activate FPU in vmx_vcpu_reset(), so the
       removed code added nothing.)
      
      Fixes: c447e76b ("kvm/fpu: Enable eager restore kvm FPU for MPX")
      Reported-by: default avatarVlastimil Holer <vlastimil.holer@gmail.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      7700e86e
    • Johannes Thumshirn's avatar
      USB: serial: Destroy serial_minors IDR on module exit · 6bd1290e
      Johannes Thumshirn authored
      commit d23f47d4 upstream.
      
      Destroy serial_minors IDR on module exit, reclaiming the allocated memory.
      
      This was detected by the following semantic patch (written by Luis
      Rodriguez <mcgrof@suse.com>)
      
      <SmPL>
      @ defines_module_init @
      declarer name module_init, module_exit;
      declarer name DEFINE_IDR;
      identifier init;
      @@
      
      module_init(init);
      
      @ defines_module_exit @
      identifier exit;
      @@
      
      module_exit(exit);
      
      @ declares_idr depends on defines_module_init && defines_module_exit @
      identifier idr;
      @@
      
      DEFINE_IDR(idr);
      
      @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
      identifier declares_idr.idr, defines_module_exit.exit;
      @@
      
      exit(void)
      {
       ...
       idr_destroy(&idr);
       ...
      }
      
      @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
      identifier declares_idr.idr, defines_module_exit.exit;
      @@
      
      exit(void)
      {
       ...
       +idr_destroy(&idr);
      }
      </SmPL>
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6bd1290e
    • Mugunthan V N's avatar
      drivers: net: cpsw: fix crash while accessing second slave ethernet interface · 6d3a9127
      Mugunthan V N authored
      commit 1973db0d upstream.
      
      When cpsw's number of slave is set to 1 in device tree and while
      accessing second slave ndev and priv in cpsw_tx_interrupt(),
      there is a kernel crash. This is due to cpsw_get_slave_priv()
      not verifying number of slaves while retriving netdev priv and
      returns a invalid memory region. Fixing the issue by introducing
      number of slave check in cpsw_get_slave_priv() and
      cpsw_get_slave_ndev().
      
      [   15.879589] Unable to handle kernel paging request at virtual address 0f0e142c
      [   15.888540] pgd = ed374000
      [   15.891359] [0f0e142c] *pgd=00000000
      [   15.895105] Internal error: Oops: 5 [#1] SMP ARM
      [   15.899936] Modules linked in:
      [   15.903139] CPU: 0 PID: 593 Comm: udhcpc Tainted: G        W       4.1.0-12205-gfda8b18c-dirty #10
      [   15.912386] Hardware name: Generic AM43 (Flattened Device Tree)
      [   15.918557] task: ed2a2e00 ti: ed3fe000 task.ti: ed3fe000
      [   15.924187] PC is at cpsw_tx_interrupt+0x30/0x44
      [   15.929008] LR is at _raw_spin_unlock_irqrestore+0x40/0x44
      [   15.934726] pc : [<c048b9cc>]    lr : [<c05ef4f4>]    psr: 20000193
      [   15.934726] sp : ed3ffc08  ip : ed2a2e40  fp : 00000000
      [   15.946685] r10: c0969ce8  r9 : c0969cfc  r8 : 00000000
      [   15.952129] r7 : 000000c6  r6 : ee54ab00  r5 : ee169c64  r4 : ee534e00
      [   15.958932] r3 : 0f0e0d0c  r2 : 00000000  r1 : ed3ffbc0  r0 : 00000001
      [   15.965735] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
      [   15.973261] Control: 10c5387d  Table: ad374059  DAC: 00000015
      [   15.979246] Process udhcpc (pid: 593, stack limit = 0xed3fe218)
      [   15.985414] Stack: (0xed3ffc08 to 0xed400000)
      [   15.989954] fc00:                   ee54ab00 c009928c c0a9e648 60000193 000032e4 ee169c00
      [   15.998478] fc20: ee169c64 ee169c00 ee169c64 ee54ab00 00000001 00000001 ee67e268 ee008800
      [   16.006995] fc40: ee534800 c009946c ee169c00 ee169c64 c08bd660 c009c370 c009c2a4 000000c6
      [   16.015513] fc60: c08b75c4 c08b0854 00000000 c0098b3c 000000c6 c0098c50 ed3ffcb0 0000003a
      [   16.024033] fc80: ed3ffcb0 fa24010c c08b7800 fa240100 ee7e9880 c00094c4 c05ef4e8 60000013
      [   16.032556] fca0: ffffffff ed3ffce4 ee7e9880 c05ef964 00000001 ed2a33d8 00000000 ed2a2e00
      [   16.041080] fcc0: 60000013 ee536bf8 60000013 ee51b800 ee7e9880 ee67e268 ee7e9880 ee534800
      [   16.049603] fce0: c0ad0768 ed3ffcf8 c008e910 c05ef4e8 60000013 ffffffff 00000001 00000001
      [   16.058121] fd00: ee536bf8 c0487a04 00000000 00000000 ee534800 00000000 00000156 c048c990
      [   16.066645] fd20: 00000000 00000000 c0969f40 00000000 00000000 c05000e8 00000001 00000000
      [   16.075167] fd40: 00000000 c051eefc 00000000 ee67e268 00000000 00000000 ee51b800 ed3ffd9c
      [   16.083690] fd60: 00000000 ee67e200 ee51b800 ee7e9880 ee67e268 00000000 00000000 ee67e200
      [   16.092211] fd80: ee51b800 ee7e9880 ee67e268 ee534800 ee67e200 c051eedc ee67e268 00000010
      [   16.100727] fda0: 00000000 00000000 ee7e9880 ee534800 00000000 ee67e268 ee51b800 c05006fc
      [   16.109247] fdc0: ee67e268 00000001 c0500488 00000156 ee7e9880 00000000 ed3fe000 fffffff4
      [   16.117771] fde0: ed3fff1c ee7e9880 ee534800 00000148 00000000 ed1f8340 00000000 00000000
      [   16.126289] fe00: 00000000 c05a9054 00000000 00000000 00000156 c0ab62a8 00000010 ed3e7000
      [   16.134812] fe20: 00000000 00000008 edcfb700 ed3fff1c c0fb5f94 ed2a2e00 c0fb5f64 000005d8
      [   16.143336] fe40: c0a9b3b8 00000000 ed3e7070 00000000 00000000 00000000 00009f40 00000000
      [   16.151858] fe60: 00000000 00020022 00110008 00000000 00000000 43004400 00000000 ffffffff
      [   16.160374] fe80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [   16.168898] fea0: edcfb700 bee5f380 00000014 00000000 ed3fe000 00000000 00004400 c04e2b64
      [   16.177415] fec0: 00000002 c04e3b00 ed3ffeec 00000001 0000011a 00000000 00000000 bee5f394
      [   16.185937] fee0: 00000148 ed3fff10 00000014 00000001 00000000 00000000 ed3ffee4 00000000
      [   16.194459] ff00: 00000000 00000000 00000000 c04e3664 00080011 00000002 06000000 ffffffff
      [   16.202980] ff20: 0000ffff ffffffff 0000ffff c008dd54 ee5a6f08 ee636e80 c096972d c0089c14
      [   16.211499] ff40: 00000000 60000013 ee5a6f40 60000013 00000000 ee5a6f40 00000002 00000006
      [   16.220023] ff60: 00000000 edcfb700 00000001 ed2a2e00 c000f60c 00000001 0000011a c008ea34
      [   16.228540] ff80: 00000006 00000000 bee5f380 00000014 bee5f380 00000014 bee5f380 00000122
      [   16.237059] ffa0: c000f7c4 c000f5e0 bee5f380 00000014 00000006 bee5f394 00000148 00000000
      [   16.245581] ffc0: bee5f380 00000014 bee5f380 00000122 fffffd6e 00004300 00004800 00004400
      [   16.254104] ffe0: bee5f378 bee5f36c 000307ec b6f39044 40000010 00000006 ed36fa40 00000000
      [   16.262642] [<c048b9cc>] (cpsw_tx_interrupt) from [<c009928c>] (handle_irq_event_percpu+0x64/0x204)
      [   16.272076] [<c009928c>] (handle_irq_event_percpu) from [<c009946c>] (handle_irq_event+0x40/0x64)
      [   16.281330] [<c009946c>] (handle_irq_event) from [<c009c370>] (handle_fasteoi_irq+0xcc/0x1a8)
      [   16.290220] [<c009c370>] (handle_fasteoi_irq) from [<c0098b3c>] (generic_handle_irq+0x20/0x30)
      [   16.299197] [<c0098b3c>] (generic_handle_irq) from [<c0098c50>] (__handle_domain_irq+0x64/0xdc)
      [   16.308273] [<c0098c50>] (__handle_domain_irq) from [<c00094c4>] (gic_handle_irq+0x20/0x60)
      [   16.316987] [<c00094c4>] (gic_handle_irq) from [<c05ef964>] (__irq_svc+0x44/0x5c)
      [   16.324779] Exception stack(0xed3ffcb0 to 0xed3ffcf8)
      [   16.330044] fca0:                                     00000001 ed2a33d8 00000000 ed2a2e00
      [   16.338567] fcc0: 60000013 ee536bf8 60000013 ee51b800 ee7e9880 ee67e268 ee7e9880 ee534800
      [   16.347090] fce0: c0ad0768 ed3ffcf8 c008e910 c05ef4e8 60000013 ffffffff
      [   16.353987] [<c05ef964>] (__irq_svc) from [<c05ef4e8>] (_raw_spin_unlock_irqrestore+0x34/0x44)
      [   16.362973] [<c05ef4e8>] (_raw_spin_unlock_irqrestore) from [<c0487a04>] (cpdma_check_free_tx_desc+0x60/0x6c)
      [   16.373311] [<c0487a04>] (cpdma_check_free_tx_desc) from [<c048c990>] (cpsw_ndo_start_xmit+0xb4/0x1ac)
      [   16.383017] [<c048c990>] (cpsw_ndo_start_xmit) from [<c05000e8>] (dev_hard_start_xmit+0x2a4/0x4c0)
      [   16.392364] [<c05000e8>] (dev_hard_start_xmit) from [<c051eedc>] (sch_direct_xmit+0xf4/0x210)
      [   16.401246] [<c051eedc>] (sch_direct_xmit) from [<c05006fc>] (__dev_queue_xmit+0x2ac/0x7bc)
      [   16.409960] [<c05006fc>] (__dev_queue_xmit) from [<c05a9054>] (packet_sendmsg+0xc68/0xeb4)
      [   16.418585] [<c05a9054>] (packet_sendmsg) from [<c04e2b64>] (sock_sendmsg+0x14/0x24)
      [   16.426663] [<c04e2b64>] (sock_sendmsg) from [<c04e3b00>] (SyS_sendto+0xb4/0xe0)
      [   16.434377] [<c04e3b00>] (SyS_sendto) from [<c000f5e0>] (ret_fast_syscall+0x0/0x54)
      [   16.442360] Code: e5943118 e593303c e3530000 0a000002 (e5930720)
      [   16.448716] ---[ end trace a68159f094d85ba6 ]---
      [   16.453526] Kernel panic - not syncing: Fatal exception in interrupt
      [   16.460149] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6d3a9127
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Have branch tracer use recursive field of task struct · 414240e9
      Steven Rostedt (Red Hat) authored
      commit 6224beb1 upstream.
      
      Fengguang Wu's tests triggered a bug in the branch tracer's start up
      test when CONFIG_DEBUG_PREEMPT set. This was because that config
      adds some debug logic in the per cpu field, which calls back into
      the branch tracer.
      
      The branch tracer has its own recursive checks, but uses a per cpu
      variable to implement it. If retrieving the per cpu variable calls
      back into the branch tracer, you can see how things will break.
      
      Instead of using a per cpu variable, use the trace_recursion field
      of the current task struct. Simply set a bit when entering the
      branch tracing and clear it when leaving. If the bit is set on
      entry, just don't do the tracing.
      
      There's also the case with lockdep, as the local_irq_save() called
      before the recursion can also trigger code that can call back into
      the function. Changing that to a raw_local_irq_save() will protect
      that as well.
      
      This prevents the recursion and the inevitable crash that follows.
      
      Link: http://lkml.kernel.org/r/20150630141803.GA28071@wfg-t540p.sh.intel.comReported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Tested-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      414240e9
    • Stefan Wahren's avatar
      ARM: dts: mx23: fix iio-hwmon support · 16825e96
      Stefan Wahren authored
      commit e8e94ed6 upstream.
      
      In order to get iio-hwmon support, the lradc must be declared as an
      iio provider. So fix this issue by adding the #io-channel-cells property.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: bd798f9c ("ARM: dts: mxs: Add iio-hwmon to mx23 soc")
      Reviewed-by: default avatarMarek Vasut <marex@denx.de>
      Reviewed-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      16825e96
    • Mike Snitzer's avatar
      bio integrity: do not assume bio_integrity_pool exists if bioset exists · 61b80f9d
      Mike Snitzer authored
      commit bb8bd38b upstream.
      
      bio_integrity_alloc() and bio_integrity_free() assume that if a bio was
      allocated from a bioset that that bioset also had its bio_integrity_pool
      allocated using bioset_integrity_create().  This is a very bad
      assumption given that bioset_create() and bioset_integrity_create() are
      completely disjoint.  Not all callers of bioset_create() have been
      trained to also call bioset_integrity_create() -- and they may not care
      to be.
      
      Fix this by falling back to kmalloc'ing 'struct bio_integrity_payload'
      rather than force all bioset consumers to (wastefully) preallocate a
      bio_integrity_pool that they very likely won't actually need (given the
      niche nature of the current block integrity support).
      
      Otherwise, a NULL pointer "Kernel BUG" with a trace like the following
      will be observed (as seen on s390x using zfcp storage) because dm-io
      doesn't use bioset_integrity_create() when creating its bioset:
      
          [  791.643338] Call Trace:
          [  791.643339] ([<00000003df98b848>] 0x3df98b848)
          [  791.643341]  [<00000000002c5de8>] bio_integrity_alloc+0x48/0xf8
          [  791.643348]  [<00000000002c6486>] bio_integrity_prep+0xae/0x2f0
          [  791.643349]  [<0000000000371e38>] blk_queue_bio+0x1c8/0x3d8
          [  791.643355]  [<000000000036f8d0>] generic_make_request+0xc0/0x100
          [  791.643357]  [<000000000036f9b2>] submit_bio+0xa2/0x198
          [  791.643406]  [<000003ff801f9774>] dispatch_io+0x15c/0x3b0 [dm_mod]
          [  791.643419]  [<000003ff801f9b3e>] dm_io+0x176/0x2f0 [dm_mod]
          [  791.643423]  [<000003ff8074b28a>] do_reads+0x13a/0x1a8 [dm_mirror]
          [  791.643425]  [<000003ff8074b43a>] do_mirror+0x142/0x298 [dm_mirror]
          [  791.643428]  [<0000000000154fca>] process_one_work+0x18a/0x3f8
          [  791.643432]  [<000000000015598a>] worker_thread+0x132/0x3b0
          [  791.643435]  [<000000000015d49a>] kthread+0xd2/0xd8
          [  791.643438]  [<00000000005bc0ca>] kernel_thread_starter+0x6/0xc
          [  791.643446]  [<00000000005bc0c4>] kernel_thread_starter+0x0/0xc
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      61b80f9d
    • Zhao Junwang's avatar
      drm: add a check for x/y in drm_mode_setcrtc · bcfd1bcf
      Zhao Junwang authored
      commit 01447e9f upstream.
      
      legacy setcrtc ioctl does take a 32 bit value which might indeed
      overflow
      
      the checks of crtc_req->x > INT_MAX and crtc_req->y > INT_MAX aren't
      needed any more with this
      
      v2: -polish the annotation according to Daniel's comment
      
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarZhao Junwang <zhjwpku@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      bcfd1bcf
    • Daniel Kurtz's avatar
      drm/rockchip: use drm_gem_mmap helpers · 4be221ff
      Daniel Kurtz authored
      commit 41315b79 upstream.
      
      Rather than (incompletely [0]) re-implementing drm_gem_mmap() and
      drm_gem_mmap_obj() helpers, call them directly from the rockchip mmap
      routines.
      
      Once the core functions return successfully, the rockchip mmap routines
      can still use dma_mmap_attrs() to simply mmap the entire buffer.
      
      [0] Previously, we were performing the mmap() without first taking a
      reference on the underlying gem buffer.  This could leak ptes if the gem
      object is destroyed while userspace is still holding the mapping.
      Signed-off-by: default avatarDaniel Kurtz <djkurtz@chromium.org>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4be221ff
    • Martin Schwidefsky's avatar
      s390/sclp: clear upper register halves in _sclp_print_early · 88967e41
      Martin Schwidefsky authored
      commit f9c87a6f upstream.
      
      If the kernel is compiled with gcc 5.1 and the XZ compression option
      the decompress_kernel function calls _sclp_print_early in 64-bit mode
      while the content of the upper register half of %r6 is non-zero.
      This causes a specification exception on the servc instruction in
      _sclp_servc.
      
      The _sclp_print_early function saves and restores the upper registers
      halves but it fails to clear them for the 31-bit code of the mini sclp
      driver.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      88967e41
    • Michal Nazarewicz's avatar
      usb: f_mass_storage: limit number of reported LUNs · 2902a2f3
      Michal Nazarewicz authored
      commit 8515bac0 upstream.
      
      Mass storage function created via configfs always reports eight LUNs
      to the hosts even if only one LUN has been configured.  Adjust the
      number when the USB function is allocated based on LUNs that user
      has created.
      Tested-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2902a2f3
    • Felipe Balbi's avatar
      usb: musb: host: rely on port_mode to call musb_start() · 575ddb59
      Felipe Balbi authored
      commit be9d3988 upstream.
      
      Currently, we're calling musb_start() twice for DRD ports
      in some situations. This has been observed to cause enumeration
      issues after suspend/resume cycles with AM335x.
      
      In order to fix the problem, we just have to fix the check
      on musb_has_gadget() so that it only returns true if
      current mode is Host and ignore the fact that we have or
      not a gadget driver loaded.
      
      Fixes: ae44df2e (usb: musb: call musb_start() only once in OTG mode)
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: default avatarSekhar Nori <nsekhar@ti.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      575ddb59
    • Joe Thornber's avatar
      dm btree: silence lockdep lock inversion in dm_btree_del() · a394a9cc
      Joe Thornber authored
      commit 1c751879 upstream.
      
      Allocate memory using GFP_NOIO when deleting a btree.  dm_btree_del()
      can be called via an ioctl and we don't want to recurse into the FS or
      block layer.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a394a9cc
    • Peter Sanford's avatar
      USB: cp210x: add ID for Aruba Networks controllers · 8a403517
      Peter Sanford authored
      commit f98a7aa8 upstream.
      
      Add the USB serial console device ID for Aruba Networks 7xxx series
      controllers which have a USB port for their serial console.
      Signed-off-by: default avatarPeter Sanford <peter@sanford.io>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8a403517
    • Claudio Cappelli's avatar
      USB: option: add 2020:4000 ID · 35fd2f99
      Claudio Cappelli authored
      commit f6d7fb37 upstream.
      
      Add device Olivetti Olicard 300 (Network Connect: MT6225) - IDs 2020:4000.
      
      T:  Bus=01 Lev=02 Prnt=04 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=2020 ProdID=4000 Rev=03.00
      S:  Manufacturer=Network Connect
      S:  Product=MT6225
      C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Signed-off-by: default avatarClaudio Cappelli <claudio.cappelli.linux@gmail.com>
      Suggested-by: default avatarLars Melin <larsm17@gmail.com>
      [johan: amend commit message with devices info ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      35fd2f99
    • Vutla, Lokesh's avatar
      crypto: omap-des - Fix unmapping of dma channels · a7312563
      Vutla, Lokesh authored
      commit acb33cc5 upstream.
      
      dma_unmap_sg() is being called twice after completing the
      task. Looks like this is a copy paste error when creating
      des driver.
      With this the following warn appears during boot:
      
      [    4.210457] ------------[ cut here ]------------
      [    4.215114] WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:1080 check_unmap+0x710/0x9a0()
      [    4.222899] omap-des 480a5000.des: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x00000000ab2ce000] [size=8 bytes]
      [    4.236785] Modules linked in:
      [    4.239860] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.14.39-02999-g1bc045a-dirty #182
      [    4.247918] [<c001678c>] (unwind_backtrace) from [<c0012574>] (show_stack+0x10/0x14)
      [    4.255710] [<c0012574>] (show_stack) from [<c05a37e8>] (dump_stack+0x84/0xb8)
      [    4.262977] [<c05a37e8>] (dump_stack) from [<c0046464>] (warn_slowpath_common+0x68/0x8c)
      [    4.271107] [<c0046464>] (warn_slowpath_common) from [<c004651c>] (warn_slowpath_fmt+0x30/0x40)
      [    4.279854] [<c004651c>] (warn_slowpath_fmt) from [<c02d50a4>] (check_unmap+0x710/0x9a0)
      [    4.287991] [<c02d50a4>] (check_unmap) from [<c02d5478>] (debug_dma_unmap_sg+0x90/0x19c)
      [    4.296128] [<c02d5478>] (debug_dma_unmap_sg) from [<c04a77d8>] (omap_des_done_task+0x1cc/0x3e4)
      [    4.304963] [<c04a77d8>] (omap_des_done_task) from [<c004a090>] (tasklet_action+0x84/0x124)
      [    4.313370] [<c004a090>] (tasklet_action) from [<c004a4ac>] (__do_softirq+0xf0/0x20c)
      [    4.321235] [<c004a4ac>] (__do_softirq) from [<c004a840>] (irq_exit+0x98/0xec)
      [    4.328500] [<c004a840>] (irq_exit) from [<c000f9ac>] (handle_IRQ+0x50/0xb0)
      [    4.335589] [<c000f9ac>] (handle_IRQ) from [<c0008688>] (gic_handle_irq+0x28/0x5c)
      
      Removing the duplicate call to dma_unmap_sg().
      Reported-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a7312563
    • Vineet Gupta's avatar
      ARC: Override toplevel default -O2 with -O3 · 4fe8d21a
      Vineet Gupta authored
      commit 97709069 upstream.
      
      ARC kernels have historically been built with -O3, despite top level
      Makefile defaulting to -O2. This was facilitated by implicitly ordering
      of arch makefile include AFTER top level assigned -O2.
      
      An upstream fix to top level a1c48bb1 ("Makefile: Fix unrecognized
      cross-compiler command line options") changed the ordering, making ARC
      -O3 defunct.
      
      Fix that by NOT relying on any ordering whatsoever and use the proper
      arch override facility now present in kbuild (ARCH_*FLAGS)
      
      Depends-on: ("kbuild: Allow arch Makefiles to override {cpp,ld,c}flags")
      Suggested-by: default avatarMichal Marek <mmarek@suse.cz>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4fe8d21a
    • Michal Marek's avatar
      kbuild: Allow arch Makefiles to override {cpp,ld,c}flags · 61d79891
      Michal Marek authored
      commit 61754c18 upstream.
      
      Since commit a1c48bb1 (Makefile: Fix unrecognized cross-compiler command
      line options), the arch Makefile is included earlier by the main
      Makefile, preventing the arc architecture to set its -O3 compiler
      option. Since there might be more use cases for an arch Makefile to
      fine-tune the options, add support for ARCH_CPPFLAGS, ARCH_AFLAGS and
      ARCH_CFLAGS variables that are appended to the respective kbuild
      variables. The user still has the final say via the KCPPFLAGS, KAFLAGS
      and KCFLAGS variables.
      Reported-by: default avatarVineet Gupta <Vineet.Gupta1@synopsys.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      61d79891
    • Joe Thornber's avatar
      dm thin: allocate the cell_sort_array dynamically · fd5544f0
      Joe Thornber authored
      commit a822c83e upstream.
      
      Given the pool's cell_sort_array holds 8192 pointers it triggers an
      order 5 allocation via kmalloc.  This order 5 allocation is prone to
      failure as system memory gets more fragmented over time.
      
      Fix this by allocating the cell_sort_array using vmalloc.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      fd5544f0
    • Dennis Yang's avatar
      dm btree remove: fix bug in redistribute3 · 4d703b88
      Dennis Yang authored
      commit 4c7e3093 upstream.
      
      redistribute3() shares entries out across 3 nodes.  Some entries were
      being moved the wrong way, breaking the ordering.  This manifested as a
      BUG() in dm-btree-remove.c:shift() when entries were removed from the
      btree.
      
      For additional context see:
      https://www.redhat.com/archives/dm-devel/2015-May/msg00113.htmlSigned-off-by: default avatarDennis Yang <shinrairis@gmail.com>
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4d703b88
    • Peter Meerwald's avatar
      iio: tmp006: Check channel info on write · b92aa9bf
      Peter Meerwald authored
      commit 8d05abfa upstream.
      
      only SAMP_FREQ is writable
      
      Will lead to SAMP_FREQ being written by any attempt to write
      to the other exported attributes and hence a rather unexpected
      result!
      Signed-off-by: default avatarPeter Meerwald <pmeerw@pmeerw.net>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b92aa9bf
    • Dominic Sacré's avatar
      ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4 · 65037c17
      Dominic Sacré authored
      commit 0689a86a upstream.
      
      The Steinberg MI2 and MI4 interfaces are compatible with the USB class
      audio spec, but the MIDI part of the devices is reported as a vendor
      specific interface.
      
      This patch adds entries to quirks-table.h to recognize the MIDI
      endpoints. Audio functionality was already working and is unaffected by
      this change.
      Signed-off-by: default avatarDominic Sacré <dominic.sacre@gmx.de>
      Signed-off-by: default avatarAlbert Huitsing <albert@huitsing.nl>
      Acked-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      65037c17
    • Peter Meerwald's avatar
      iio: light: tcs3414: Fix bug preventing to set integration time · ca54c928
      Peter Meerwald authored
      commit 33361e56 upstream.
      
      the millisecond values in tcs3414_times should be checked against
      val2, not val, which is always zero.
      Signed-off-by: default avatarPeter Meerwald <pmeerw@pmeerw.net>
      Reported-by: default avatarStephan Kleisinger <stephan.kleisinger@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ca54c928
    • Jan Leupold's avatar
      iio: adc: at91_adc: allow to use full range of startup time · d1ccf1c4
      Jan Leupold authored
      commit 2ab5f39b upstream.
      
      The DT-Property "atmel,adc-startup-time" is stored in an u8 for a microsecond
      value. When trying to increase the value of STARTUP in Register AT91_ADC_MR
      some higher values can't be reached.
      
      Change the type in function parameter and private structure field from u8 to
      u32.
      Signed-off-by: default avatarJan Leupold <leupold@rsi-elektrotechnik.de>
      [nicolas.ferre@atmel.com: change commit message, increase u16 to u32 for startup time]
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Acked-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d1ccf1c4
    • JM Friedt's avatar
      iio: DAC: ad5624r_spi: fix bit shift of output data value · c0dc841d
      JM Friedt authored
      commit adfa9698 upstream.
      
      The value sent on the SPI bus is shifted by an erroneous number of bits.
      The shift value was already computed in the iio_chan_spec structure and
      hence subtracting this argument to 16 yields an erroneous data position
      in the SPI stream.
      Signed-off-by: default avatarJM Friedt <jmfriedt@femto-st.fr>
      Acked-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c0dc841d
    • Adriana Reus's avatar
      iio: inv-mpu: Specify the expected format/precision for write channels · 9c86e9b9
      Adriana Reus authored
      commit 6a3c45bb upstream.
      
      The gyroscope needs IIO_VAL_INT_PLUS_NANO for the scale channel and
      unless specified write returns MICRO by default.
      This needs to be properly specified so that write operations into scale
      have the expected behaviour.
      Signed-off-by: default avatarAdriana Reus <adriana.reus@intel.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9c86e9b9
    • Fabio Estevam's avatar
      iio: twl4030-madc: Pass the IRQF_ONESHOT flag · 3466a6bb
      Fabio Estevam authored
      commit 6c0d48cb upstream.
      
      Since commit 1c6c6952 ("genirq: Reject bogus threaded irq requests")
      threaded IRQs without a primary handler need to be requested with
      IRQF_ONESHOT, otherwise the request will fail.
      
      So pass the IRQF_ONESHOT flag in this case.
      
      The semantic patch that makes this change is available
      in scripts/coccinelle/misc/irqf_oneshot.cocci.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3466a6bb
    • Heiko Stuebner's avatar
      iio: adc: rockchip_saradc: add missing MODULE_* data · 8b4fcae6
      Heiko Stuebner authored
      commit dc7b8d98 upstream.
      
      The module-data is currently missing. This includes the license-information
      which makes the driver taint the kernel and miss symbols when compiled as
      module.
      
      Fixes: 44d6f2ef ("iio: adc: add driver for Rockchip saradc")
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8b4fcae6
    • Giuseppe Cavallaro's avatar
      drivers: clk: st: Fix flexgen lock init · 2f502e43
      Giuseppe Cavallaro authored
      commit 0f4f2afd upstream.
      
      While proving lock, the following warning happens
      and it is fixed after initializing lock in the setup
      function
      
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.27-02861-g39df285-dirty #33
      [<c00154ac>] (unwind_backtrace+0x0/0xf4) from [<c0011b50>] (show_stack+0x10/0x14)
      [<c0011b50>] (show_stack+0x10/0x14) from [<c00689ac>] (__lock_acquire+0x900/0xb14)
      [<c00689ac>] (__lock_acquire+0x900/0xb14) from [<c0069394>] (lock_acquire+0x68/0x7c)
      [<c0069394>] (lock_acquire+0x68/0x7c) from [<c04958f8>] (_raw_spin_lock_irqsave+0x48/0x5c)
      [<c04958f8>] (_raw_spin_lock_irqsave+0x48/0x5c) from [<c0381e6c>] (clk_gate_endisable+0x28/0x88)
      [<c0381e6c>] (clk_gate_endisable+0x28/0x88) from [<c0381ee0>] (clk_gate_enable+0xc/0x14)
      [<c0381ee0>] (clk_gate_enable+0xc/0x14) from [<c0386c68>] (flexgen_enable+0x28/0x40)
      [<c0386c68>] (flexgen_enable+0x28/0x40) from [<c037f260>] (__clk_enable+0x5c/0x9c)
      [<c037f260>] (__clk_enable+0x5c/0x9c) from [<c037f558>] (clk_enable+0x18/0x2c)
      [<c037f558>] (clk_enable+0x18/0x2c) from [<c064a1dc>] (st_lpc_of_register+0xc0/0x248)
      [<c064a1dc>] (st_lpc_of_register+0xc0/0x248) from [<c0649e44>] (clocksource_of_init+0x34/0x58)
      [<c0649e44>] (clocksource_of_init+0x34/0x58) from [<c0637ddc>] (sti_timer_init+0x10/0x18)
      [<c0637ddc>] (sti_timer_init+0x10/0x18) from [<c06343f8>] (time_init+0x20/0x30)
      [<c06343f8>] (time_init+0x20/0x30) from [<c0632984>] (start_kernel+0x20c/0x2e8)
      [<c0632984>] (start_kernel+0x20c/0x2e8) from [<40008074>] (0x40008074)
      Signed-off-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: default avatarGabriel Fernandez <gabriel.fernandez@linaro.org>
      Fixes: b1165170 ("clk: st: STiH407: Support for Flexgen Clocks")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2f502e43
    • Stephen Boyd's avatar
      ARM: 8393/1: smp: Fix suspicious RCU usage with ipi tracepoints · e266acbc
      Stephen Boyd authored
      commit 398f7456 upstream.
      
      John Stultz reports an RCU splat on boot with ARM ipi trace
      events enabled.
      
      ===============================
      [ INFO: suspicious RCU usage. ]
      4.1.0-rc7-00033-gb5bed2f #153 Not tainted
      -------------------------------
      include/trace/events/ipi.h:68 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      RCU used illegally from idle CPU!
      rcu_scheduler_active = 1, debug_locks = 0
      RCU used illegally from extended quiescent state!
      no locks held by swapper/0/0.
      
      stack backtrace:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.1.0-rc7-00033-gb5bed2f #153
      Hardware name: Qualcomm (Flattened Device Tree)
      [<c0216b08>] (unwind_backtrace) from [<c02136e8>] (show_stack+0x10/0x14)
      [<c02136e8>] (show_stack) from [<c075e678>] (dump_stack+0x70/0xbc)
      [<c075e678>] (dump_stack) from [<c0215a80>] (handle_IPI+0x428/0x604)
      [<c0215a80>] (handle_IPI) from [<c020942c>] (gic_handle_irq+0x54/0x5c)
      [<c020942c>] (gic_handle_irq) from [<c0766604>] (__irq_svc+0x44/0x7c)
      Exception stack(0xc09f3f48 to 0xc09f3f90)
      3f40:                   00000001 00000001 00000000 c09f73b8 c09f4528 c0a5de9c
      3f60: c076b4f0 00000000 00000000 c09ef108 c0a5cec1 00000001 00000000 c09f3f90
      3f80: c026bf60 c0210ab8 20000113 ffffffff
      [<c0766604>] (__irq_svc) from [<c0210ab8>] (arch_cpu_idle+0x20/0x3c)
      [<c0210ab8>] (arch_cpu_idle) from [<c02647f0>] (cpu_startup_entry+0x2c0/0x5dc)
      [<c02647f0>] (cpu_startup_entry) from [<c099bc1c>] (start_kernel+0x358/0x3c4)
      [<c099bc1c>] (start_kernel) from [<8020807c>] (0x8020807c)
      
      At this point in the IPI handling path we haven't called
      irq_enter() yet, so RCU doesn't know that we're about to exit
      idle and properly warns that we're using RCU from an idle CPU.
      Use trace_ipi_entry_rcuidle() instead of trace_ipi_entry() so
      that RCU is informed about our exit from idle.
      
      Fixes: 365ec7b1 ("ARM: add IPI tracepoints")
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e266acbc
    • Gabriel Fernandez's avatar
      drivers: clk: st: Fix mux bit-setting for Cortex A9 clocks · 8a92e0c5
      Gabriel Fernandez authored
      commit 3be6d8ce upstream.
      
      This patch fixes the mux bit-setting for ClockgenA9.
      Signed-off-by: default avatarGabriel Fernandez <gabriel.fernandez@linaro.org>
      Fixes: 13e6f2da ("clk: st: STiH407: Support for A9 MUX Clocks")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8a92e0c5
    • Pankaj Dev's avatar
      drivers: clk: st: Incorrect register offset used for lock_status · ddac306d
      Pankaj Dev authored
      commit 56551da9 upstream.
      
      Incorrect register offset used for sthi407 clockgenC
      Signed-off-by: default avatarPankaj Dev <pankaj.dev@st.com>
      Signed-off-by: default avatarGabriel Fernandez <gabriel.fernandez@linaro.org>
      Fixes: 51306d56 ("clk: st: STiH407: Support for clockgenC0")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ddac306d
    • Hai Li's avatar
      clk: qcom: Use parent rate when set rate to pixel RCG clock · 547dca92
      Hai Li authored
      commit 6d451367 upstream.
      
      Since the parent rate has been recalculated, pixel RCG clock
      should rely on it to find the correct M/N values during set_rate,
      instead of calling __clk_round_rate() to its parent again.
      Signed-off-by: default avatarHai Li <hali@codeaurora.org>
      Tested-by: default avatarArchit Taneja <architt@codeaurora.org>
      Fixes: 99cbd064 ("clk: qcom: Support display RCG clocks")
      [sboyd@codeaurora.org: Silenced unused parent variable warning]
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      [ kamal: backport to 3.19-stable: context ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      547dca92
    • Al Viro's avatar
      freeing unlinked file indefinitely delayed · f644ddac
      Al Viro authored
      commit 75a6f82a upstream.
      
      	Normally opening a file, unlinking it and then closing will have
      the inode freed upon close() (provided that it's not otherwise busy and
      has no remaining links, of course).  However, there's one case where that
      does *not* happen.  Namely, if you open it by fhandle with cold dcache,
      then unlink() and close().
      
      	In normal case you get d_delete() in unlink(2) notice that dentry
      is busy and unhash it; on the final dput() it will be forcibly evicted from
      dcache, triggering iput() and inode removal.  In this case, though, we end
      up with *two* dentries - disconnected (created by open-by-fhandle) and
      regular one (used by unlink()).  The latter will have its reference to inode
      dropped just fine, but the former will not - it's considered hashed (it
      is on the ->s_anon list), so it will stay around until the memory pressure
      will finally do it in.  As the result, we have the final iput() delayed
      indefinitely.  It's trivial to reproduce -
      
      void flush_dcache(void)
      {
              system("mount -o remount,rw /");
      }
      
      static char buf[20 * 1024 * 1024];
      
      main()
      {
              int fd;
              union {
                      struct file_handle f;
                      char buf[MAX_HANDLE_SZ];
              } x;
              int m;
      
              x.f.handle_bytes = sizeof(x);
              chdir("/root");
              mkdir("foo", 0700);
              fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
              close(fd);
              name_to_handle_at(AT_FDCWD, "foo/bar", &x.f, &m, 0);
              flush_dcache();
              fd = open_by_handle_at(AT_FDCWD, &x.f, O_RDWR);
              unlink("foo/bar");
              write(fd, buf, sizeof(buf));
              system("df .");			/* 20Mb eaten */
              close(fd);
              system("df .");			/* should've freed those 20Mb */
              flush_dcache();
              system("df .");			/* should be the same as #2 */
      }
      
      will spit out something like
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 283282     21692  93% /
      - inode gets freed only when dentry is finally evicted (here we trigger
      than by remount; normally it would've happened in response to memory
      pressure hell knows when).
      Acked-by: default avatarJ. Bruce Fields <bfields@fieldses.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [ kamal: backport to 3.19-stable: no fast_dput() ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f644ddac
    • Al Viro's avatar
      9p: don't leave a half-initialized inode sitting around · 43af4b20
      Al Viro authored
      commit 0a73d0a2 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      43af4b20
    • John David Anglin's avatar
      parisc: Fix some PTE/TLB race conditions and optimize __flush_tlb_range based on timing results · fbe677d6
      John David Anglin authored
      commit 01ab6057 upstream.
      
      The increased use of pdtlb/pitlb instructions seemed to increase the
      frequency of random segmentation faults building packages. Further, we
      had a number of cases where TLB inserts would repeatedly fail and all
      forward progress would stop. The Haskell ghc package caused a lot of
      trouble in this area. The final indication of a race in pte handling was
      this syslog entry on sibaris (C8000):
      
       swap_free: Unused swap offset entry 00000004
       BUG: Bad page map in process mysqld  pte:00000100 pmd:019bbec5
       addr:00000000ec464000 vm_flags:00100073 anon_vma:0000000221023828 mapping: (null) index:ec464
       CPU: 1 PID: 9176 Comm: mysqld Not tainted 4.0.0-2-parisc64-smp #1 Debian 4.0.5-1
       Backtrace:
        [<0000000040173eb0>] show_stack+0x20/0x38
        [<0000000040444424>] dump_stack+0x9c/0x110
        [<00000000402a0d38>] print_bad_pte+0x1a8/0x278
        [<00000000402a28b8>] unmap_single_vma+0x3d8/0x770
        [<00000000402a4090>] zap_page_range+0xf0/0x198
        [<00000000402ba2a4>] SyS_madvise+0x404/0x8c0
      
      Note that the pte value is 0 except for the accessed bit 0x100. This bit
      shouldn't be set without the present bit.
      
      It should be noted that the madvise system call is probably a trigger for many
      of the random segmentation faults.
      
      In looking at the kernel code, I found the following problems:
      
      1) The pte_clear define didn't take TLB lock when clearing a pte.
      2) We didn't test pte present bit inside lock in exception support.
      3) The pte and tlb locks needed to merged in order to ensure consistency
      between page table and TLB. This also has the effect of serializing TLB
      broadcasts on SMP systems.
      
      The attached change implements the above and a few other tweaks to try
      to improve performance. Based on the timing code, TLB purges are very
      slow (e.g., ~ 209 cycles per page on rp3440). Thus, I think it
      beneficial to test the split_tlb variable to avoid duplicate purges.
      Probably, all PA 2.0 machines have combined TLBs.
      
      I dropped using __flush_tlb_range in flush_tlb_mm as I realized all
      applications and most threads have a stack size that is too large to
      make this useful. I added some comments to this effect.
      
      Since implementing 1 through 3, I haven't had any random segmentation
      faults on mx3210 (rp3440) in about one week of building code and running
      as a Debian buildd.
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      fbe677d6
    • Daniel Axtens's avatar
      cxl: Check if afu is not null in cxl_slbia · 6005d1af
      Daniel Axtens authored
      commit 2c069a11 upstream.
      
      The pointer to an AFU in the adapter's list of AFUs can be null
      if we're in the process of removing AFUs. The afu_list_lock
      doesn't guard against this.
      
      Say we have 2 slices, and we're in the process of removing cxl.
       - We remove the AFUs in order (see cxl_remove). In cxl_remove_afu
         for AFU 0, we take the lock, set adapter->afu[0] = NULL, and
         release the lock.
       - Then we get an slbia. In cxl_slbia we take the lock, and set
         afu = adapter->afu[0], which is NULL.
       - Therefore our attempt to check afu->enabled will blow up.
      
      Therefore, check if afu is a null pointer before dereferencing it.
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Acked-by: default avatarMichael Neuling <mikey@neuling.org>
      Acked-by: default avatarIan Munsie <imunsie@au1.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6005d1af
    • Joe Perches's avatar
      hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead · bb7728b8
      Joe Perches authored
      commit a28e4b2b upstream.
      
      Removing unnecessary static buffers is good.
      Use the vsprintf %pV extension instead.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarMikulas Patocka <mikulas@twibright.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      bb7728b8
    • Sanidhya Kashyap's avatar
      hpfs: kstrdup() out of memory handling · 2fab688e
      Sanidhya Kashyap authored
      commit ce657611 upstream.
      
      There is a possibility of nothing being allocated to the new_opts in
      case of memory pressure, therefore return ENOMEM for such case.
      Signed-off-by: default avatarSanidhya Kashyap <sanidhya.gatech@gmail.com>
      Signed-off-by: default avatarMikulas Patocka <mikulas@twibright.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2fab688e