1. 14 Dec, 2014 40 commits
    • Yann Droneaud's avatar
      fanotify: enable close-on-exec on events' fd when requested in fanotify_init() · e160e937
      Yann Droneaud authored
      commit 0b37e097 upstream.
      
      According to commit 80af2588 ("fanotify: groups can specify their
      f_flags for new fd"), file descriptors created as part of file access
      notification events inherit flags from the event_f_flags argument passed
      to syscall fanotify_init(2)[1].
      
      Unfortunately O_CLOEXEC is currently silently ignored.
      
      Indeed, event_f_flags are only given to dentry_open(), which only seems to
      care about O_ACCMODE and O_PATH in do_dentry_open(), O_DIRECT in
      open_check_o_direct() and O_LARGEFILE in generic_file_open().
      
      It's a pity, since, according to some lookup on various search engines and
      http://codesearch.debian.net/, there's already some userspace code which
      use O_CLOEXEC:
      
      - in systemd's readahead[2]:
      
          fanotify_fd = fanotify_init(FAN_CLOEXEC|FAN_NONBLOCK, O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_NOATIME);
      
      - in clsync[3]:
      
          #define FANOTIFY_EVFLAGS (O_LARGEFILE|O_RDONLY|O_CLOEXEC)
      
          int fanotify_d = fanotify_init(FANOTIFY_FLAGS, FANOTIFY_EVFLAGS);
      
      - in examples [4] from "Filesystem monitoring in the Linux
        kernel" article[5] by Aleksander Morgado:
      
          if ((fanotify_fd = fanotify_init (FAN_CLOEXEC,
                                            O_RDONLY | O_CLOEXEC | O_LARGEFILE)) < 0)
      
      Additionally, since commit 48149e9d ("fanotify: check file flags
      passed in fanotify_init").  having O_CLOEXEC as part of fanotify_init()
      second argument is expressly allowed.
      
      So it seems expected to set close-on-exec flag on the file descriptors if
      userspace is allowed to request it with O_CLOEXEC.
      
      But Andrew Morton raised[6] the concern that enabling now close-on-exec
      might break existing applications which ask for O_CLOEXEC but expect the
      file descriptor to be inherited across exec().
      
      In the other hand, as reported by Mihai Dontu[7] close-on-exec on the file
      descriptor returned as part of file access notify can break applications
      due to deadlock.  So close-on-exec is needed for most applications.
      
      More, applications asking for close-on-exec are likely expecting it to be
      enabled, relying on O_CLOEXEC being effective.  If not, it might weaken
      their security, as noted by Jan Kara[8].
      
      So this patch replaces call to macro get_unused_fd() by a call to function
      get_unused_fd_flags() with event_f_flags value as argument.  This way
      O_CLOEXEC flag in the second argument of fanotify_init(2) syscall is
      interpreted and close-on-exec get enabled when requested.
      
      [1] http://man7.org/linux/man-pages/man2/fanotify_init.2.html
      [2] http://cgit.freedesktop.org/systemd/systemd/tree/src/readahead/readahead-collect.c?id=v208#n294
      [3] https://github.com/xaionaro/clsync/blob/v0.2.1/sync.c#L1631
          https://github.com/xaionaro/clsync/blob/v0.2.1/configuration.h#L38
      [4] http://www.lanedo.com/~aleksander/fanotify/fanotify-example.c
      [5] http://www.lanedo.com/2013/filesystem-monitoring-linux-kernel/
      [6] http://lkml.kernel.org/r/20141001153621.65e9258e65a6167bf2e4cb50@linux-foundation.org
      [7] http://lkml.kernel.org/r/20141002095046.3715eb69@mdontu-l
      [8] http://lkml.kernel.org/r/20141002104410.GB19748@quack.suse.cz
      
      Link: http://lkml.kernel.org/r/cover.1411562410.git.ydroneaud@opteya.comSigned-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Reviewed by: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Tested-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Cc: Mihai Don\u021bu <mihai.dontu@gmail.com>
      Cc: Pádraig Brady <P@draigBrady.com>
      Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
      Cc: Michael Kerrisk-manpages <mtk.manpages@gmail.com>
      Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Michael Kerrisk <mtk.manpages@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e160e937
    • Mike Snitzer's avatar
      block: fix alignment_offset math that assumes io_min is a power-of-2 · 5c250851
      Mike Snitzer authored
      commit b8839b8c upstream.
      
      The math in both blk_stack_limits() and queue_limit_alignment_offset()
      assume that a block device's io_min (aka minimum_io_size) is always a
      power-of-2.  Fix the math such that it works for non-power-of-2 io_min.
      
      This issue (of alignment_offset != 0) became apparent when testing
      dm-thinp with a thinp blocksize that matches a RAID6 stripesize of
      1280K.  Commit fdfb4c8c ("dm thin: set minimum_io_size to pool's data
      block size") unlocked the potential for alignment_offset != 0 due to
      the dm-thin-pool's io_min possibly being a non-power-of-2.
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Acked-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5c250851
    • Al Viro's avatar
      fix misuses of f_count() in ppp and netlink · a59a6d8a
      Al Viro authored
      commit 24dff96a upstream.
      
      we used to check for "nobody else could start doing anything with
      that opened file" by checking that refcount was 2 or less - one
      for descriptor table and one we'd acquired in fget() on the way to
      wherever we are.  That was race-prone (somebody else might have
      had a reference to descriptor table and do fget() just as we'd
      been checking) and it had become flat-out incorrect back when
      we switched to fget_light() on those codepaths - unlike fget(),
      it doesn't grab an extra reference unless the descriptor table
      is shared.  The same change allowed a race-free check, though -
      we are safe exactly when refcount is less than 2.
      
      It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
      to ppp one) and 2.6.17 for sendmsg() (netlink one).  OTOH,
      netlink hadn't grown that check until 3.9 and ppp used to live
      in drivers/net, not drivers/net/ppp until 3.1.  The bug existed
      well before that, though, and the same fix used to apply in old
      location of file.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: drop changes to netlink_mmap_sendmsg()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a59a6d8a
    • Mikulas Patocka's avatar
      fs: make cont_expand_zero interruptible · 4a49ed83
      Mikulas Patocka authored
      commit c2ca0fcd upstream.
      
      This patch makes it possible to kill a process looping in
      cont_expand_zero. A process may spend a lot of time in this function, so
      it is desirable to be able to kill it.
      
      It happened to me that I wanted to copy a piece data from the disk to a
      file. By mistake, I used the "seek" parameter to dd instead of "skip". Due
      to the "seek" parameter, dd attempted to extend the file and became stuck
      doing so - the only possibility was to reset the machine or wait many
      hours until the filesystem runs out of space and cont_expand_zero fails.
      We need this patch to be able to terminate the process.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a49ed83
    • Tetsuo Handa's avatar
      fs: Fix theoretical division by 0 in super_cache_scan(). · 73a38fc3
      Tetsuo Handa authored
      commit 475d0db7 upstream.
      
      total_objects could be 0 and is used as a denom.
      
      While total_objects is a "long", total_objects == 0 unlikely happens for
      3.12 and later kernels because 32-bit architectures would not be able to
      hold (1 << 32) objects. However, total_objects == 0 may happen for kernels
      between 3.1 and 3.11 because total_objects in prune_super() was an "int"
      and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects.
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      73a38fc3
    • Scott Carter's avatar
      pata_serverworks: disable 64-KB DMA transfers on Broadcom OSB4 IDE Controller · 7927bb3c
      Scott Carter authored
      commit 37017ac6 upstream.
      
      The Broadcom OSB4 IDE Controller (vendor and device IDs: 1166:0211)
      does not support 64-KB DMA transfers.
      Whenever a 64-KB DMA transfer is attempted,
      the transfer fails and messages similar to the following
      are written to the console log:
      
         [ 2431.851125] sr 0:0:0:0: [sr0] Unhandled sense code
         [ 2431.851139] sr 0:0:0:0: [sr0]  Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
         [ 2431.851152] sr 0:0:0:0: [sr0]  Sense Key : Hardware Error [current]
         [ 2431.851166] sr 0:0:0:0: [sr0]  Add. Sense: Logical unit communication time-out
         [ 2431.851182] sr 0:0:0:0: [sr0] CDB: Read(10): 28 00 00 00 76 f4 00 00 40 00
         [ 2431.851210] end_request: I/O error, dev sr0, sector 121808
      
      When the libata and pata_serverworks modules
      are recompiled with ATA_DEBUG and ATA_VERBOSE_DEBUG defined in libata.h,
      the 64-KB transfer size in the scatter-gather list can be seen
      in the console log:
      
         [ 2664.897267] sr 9:0:0:0: [sr0] Send:
         [ 2664.897274] 0xf63d85e0
         [ 2664.897283] sr 9:0:0:0: [sr0] CDB:
         [ 2664.897288] Read(10): 28 00 00 00 7f b4 00 00 40 00
         [ 2664.897319] buffer = 0xf6d6fbc0, bufflen = 131072, queuecommand 0xf81b7700
         [ 2664.897331] ata_scsi_dump_cdb: CDB (1:0,0,0) 28 00 00 00 7f b4 00 00 40
         [ 2664.897338] ata_scsi_translate: ENTER
         [ 2664.897345] ata_sg_setup: ENTER, ata1
         [ 2664.897356] ata_sg_setup: 3 sg elements mapped
         [ 2664.897364] ata_bmdma_fill_sg: PRD[0] = (0x66FD2000, 0xE000)
         [ 2664.897371] ata_bmdma_fill_sg: PRD[1] = (0x65000000, 0x10000)
         ------------------------------------------------------> =======
         [ 2664.897378] ata_bmdma_fill_sg: PRD[2] = (0x66A10000, 0x2000)
         [ 2664.897386] ata1: ata_dev_select: ENTER, device 0, wait 1
         [ 2664.897422] ata_sff_tf_load: feat 0x1 nsect 0x0 lba 0x0 0x0 0xFC
         [ 2664.897428] ata_sff_tf_load: device 0xA0
         [ 2664.897448] ata_sff_exec_command: ata1: cmd 0xA0
         [ 2664.897457] ata_scsi_translate: EXIT
         [ 2664.897462] leaving scsi_dispatch_cmnd()
         [ 2664.897497] Doing sr request, dev = sr0, block = 0
         [ 2664.897507] sr0 : reading 64/256 512 byte blocks.
         [ 2664.897553] ata_sff_hsm_move: ata1: protocol 7 task_state 1 (dev_stat 0x58)
         [ 2664.897560] atapi_send_cdb: send cdb
         [ 2666.910058] ata_bmdma_port_intr: ata1: host_stat 0x64
         [ 2666.910079] __ata_sff_port_intr: ata1: protocol 7 task_state 3
         [ 2666.910093] ata_sff_hsm_move: ata1: protocol 7 task_state 3 (dev_stat 0x51)
         [ 2666.910101] ata_sff_hsm_move: ata1: protocol 7 task_state 4 (dev_stat 0x51)
         [ 2666.910129] sr 9:0:0:0: [sr0] Done:
         [ 2666.910136] 0xf63d85e0 TIMEOUT
      
      lspci shows that the driver used for the Broadcom OSB4 IDE Controller is
      pata_serverworks:
      
         00:0f.1 IDE interface: Broadcom OSB4 IDE Controller (prog-if 8e [Master SecP SecO PriP])
                 Flags: bus master, medium devsel, latency 64
                 [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8]
                 [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1]
                 I/O ports at 0170 [size=8]
                 I/O ports at 0374 [size=4]
                 I/O ports at 1440 [size=16]
                 Kernel driver in use: pata_serverworks
      
      The pata_serverworks driver supports five distinct device IDs,
      one being the OSB4 and the other four belonging to the CSB series.
      The CSB series appears to support 64-KB DMA transfers,
      as tests on a machine with an SAI2 motherboard
      containing a Broadcom CSB5 IDE Controller (vendor and device IDs: 1166:0212)
      showed no problems with 64-KB DMA transfers.
      
      This problem was first discovered when attempting to install openSUSE
      from a DVD on a machine with an STL2 motherboard.
      Using the pata_serverworks module,
      older releases of openSUSE will not install at all due to the timeouts.
      Releases of openSUSE prior to 11.3 can be installed by disabling
      the pata_serverworks module using the brokenmodules boot parameter,
      which causes the serverworks module to be used instead.
      Recent releases of openSUSE (12.2 and later) include better error recovery and
      will install, though very slowly.
      On all openSUSE releases, the problem can be recreated
      on a machine containing a Broadcom OSB4 IDE Controller
      by mounting an install DVD and running a command similar to the following:
      
         find /mnt -type f -print | xargs cat > /dev/null
      
      The patch below corrects the problem.
      Similar to the other ATA drivers that do not support 64-KB DMA transfers,
      the patch changes the ata_port_operations qc_prep vector to point to a routine
      that breaks any 64-KB segment into two 32-KB segments and
      changes the scsi_host_template sg_tablesize element to reduce by half
      the number of scatter/gather elements allowed.
      These two changes affect only the OSB4.
      Signed-off-by: default avatarScott Carter <ccscott@funsoft.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7927bb3c
    • Chao Yu's avatar
      ecryptfs: avoid to access NULL pointer when write metadata in xattr · a4f2b936
      Chao Yu authored
      commit 35425ea2 upstream.
      
      Christopher Head 2014-06-28 05:26:20 UTC described:
      "I tried to reproduce this on 3.12.21. Instead, when I do "echo hello > foo"
      in an ecryptfs mount with ecryptfs_xattr specified, I get a kernel crash:
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      PGD d7840067 PUD b2c3c067 PMD 0
      Oops: 0002 [#1] SMP
      Modules linked in: nvidia(PO)
      CPU: 3 PID: 3566 Comm: bash Tainted: P           O 3.12.21-gentoo-r1 #2
      Hardware name: ASUSTek Computer Inc. G60JX/G60JX, BIOS 206 03/15/2010
      task: ffff8801948944c0 ti: ffff8800bad70000 task.ti: ffff8800bad70000
      RIP: 0010:[<ffffffff8110eb39>]  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      RSP: 0018:ffff8800bad71c10  EFLAGS: 00010246
      RAX: 00000000000181a4 RBX: ffff880198648480 RCX: 0000000000000000
      RDX: 0000000000000004 RSI: ffff880172010450 RDI: 0000000000000000
      RBP: ffff880198490e40 R08: 0000000000000000 R09: 0000000000000000
      R10: ffff880172010450 R11: ffffea0002c51e80 R12: 0000000000002000
      R13: 000000000000001a R14: 0000000000000000 R15: ffff880198490e40
      FS:  00007ff224caa700(0000) GS:ffff88019fcc0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 00000000bb07f000 CR4: 00000000000007e0
      Stack:
      ffffffff811826e8 ffff8800a39d8000 0000000000000000 000000000000001a
      ffff8800a01d0000 ffff8800a39d8000 ffffffff81185fd5 ffffffff81082c2c
      00000001a39d8000 53d0abbc98490e40 0000000000000037 ffff8800a39d8220
      Call Trace:
      [<ffffffff811826e8>] ? ecryptfs_setxattr+0x40/0x52
      [<ffffffff81185fd5>] ? ecryptfs_write_metadata+0x1b3/0x223
      [<ffffffff81082c2c>] ? should_resched+0x5/0x23
      [<ffffffff8118322b>] ? ecryptfs_initialize_file+0xaf/0xd4
      [<ffffffff81183344>] ? ecryptfs_create+0xf4/0x142
      [<ffffffff810f8c0d>] ? vfs_create+0x48/0x71
      [<ffffffff810f9c86>] ? do_last.isra.68+0x559/0x952
      [<ffffffff810f7ce7>] ? link_path_walk+0xbd/0x458
      [<ffffffff810fa2a3>] ? path_openat+0x224/0x472
      [<ffffffff810fa7bd>] ? do_filp_open+0x2b/0x6f
      [<ffffffff81103606>] ? __alloc_fd+0xd6/0xe7
      [<ffffffff810ee6ab>] ? do_sys_open+0x65/0xe9
      [<ffffffff8157d022>] ? system_call_fastpath+0x16/0x1b
      RIP  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      RSP <ffff8800bad71c10>
      CR2: 0000000000000000
      ---[ end trace df9dba5f1ddb8565 ]---"
      
      If we create a file when we mount with ecryptfs_xattr_metadata option, we will
      encounter a crash in this path:
      ->ecryptfs_create
        ->ecryptfs_initialize_file
          ->ecryptfs_write_metadata
            ->ecryptfs_write_metadata_to_xattr
              ->ecryptfs_setxattr
                ->fsstack_copy_attr_all
      It's because our dentry->d_inode used in fsstack_copy_attr_all is NULL, and it
      will be initialized when ecryptfs_initialize_file finish.
      
      So we should skip copying attr from lower inode when the value of ->d_inode is
      invalid.
      Signed-off-by: default avatarChao Yu <chao2.yu@samsung.com>
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a4f2b936
    • Theodore Ts'o's avatar
      ext4: add ext4_iget_normal() which is to be used for dir tree lookups · cb3a8d20
      Theodore Ts'o authored
      commit f4bb2981 upstream.
      
      If there is a corrupted file system which has directory entries that
      point at reserved, metadata inodes, prohibit them from being used by
      treating them the same way we treat Boot Loader inodes --- that is,
      mark them to be bad inodes.  This prohibits them from being opened,
      deleted, or modified via chmod, chown, utimes, etc.
      
      In particular, this prevents a corrupted file system which has a
      directory entry which points at the journal inode from being deleted
      and its blocks released, after which point Much Hilarity Ensues.
      Reported-by: default avatarSami Liedes <sami.liedes@iki.fi>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb3a8d20
    • Theodore Ts'o's avatar
      ext4: don't orphan or truncate the boot loader inode · a9fa6b67
      Theodore Ts'o authored
      commit e2bfb088 upstream.
      
      The boot loader inode (inode #5) should never be visible in the
      directory hierarchy, but it's possible if the file system is corrupted
      that there will be a directory entry that points at inode #5.  In
      order to avoid accidentally trashing it, when such a directory inode
      is opened, the inode will be marked as a bad inode, so that it's not
      possible to modify (or read) the inode from userspace.
      
      Unfortunately, when we unlink this (invalid/illegal) directory entry,
      we will put the bad inode on the ophan list, and then when try to
      unlink the directory, we don't actually remove the bad inode from the
      orphan list before freeing in-memory inode structure.  This means the
      in-memory orphan list is corrupted, leading to a kernel oops.
      
      In addition, avoid truncating a bad inode in ext4_destroy_inode(),
      since truncating the boot loader inode is not a smart thing to do.
      Reported-by: default avatarSami Liedes <sami.liedes@iki.fi>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a9fa6b67
    • Alexey Khoroshilov's avatar
      dm log userspace: fix memory leak in dm_ulog_tfr_init failure path · 6df54425
      Alexey Khoroshilov authored
      commit 56ec16cb upstream.
      
      If cn_add_callback() fails in dm_ulog_tfr_init(), it does not
      deallocate prealloced memory but calls cn_del_callback().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Reviewed-by: default avatarJonathan Brassow <jbrassow@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6df54425
    • Joe Thornber's avatar
      dm bufio: update last_accessed when relinking a buffer · 801da9d2
      Joe Thornber authored
      commit eb76faf5 upstream.
      
      The 'last_accessed' member of the dm_buffer structure was only set when
      the the buffer was created.  This led to each buffer being discarded
      after dm_bufio_max_age time even if it was used recently.  In practice
      this resulted in all thinp metadata being evicted soon after being read
      -- this is particularly problematic for metadata intensive workloads
      like multithreaded small random IO.
      
      'last_accessed' is now updated each time the buffer is moved to the head
      of the LRU list, so the buffer is now properly discarded if it was not
      used in dm_bufio_max_age time.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      801da9d2
    • Geert Uytterhoeven's avatar
      m68k: Disable/restore interrupts in hwreg_present()/hwreg_write() · b60b67ea
      Geert Uytterhoeven authored
      commit e4dc601b upstream.
      
      hwreg_present() and hwreg_write() temporarily change the VBR register to
      another vector table. This table contains a valid bus error handler
      only, all other entries point to arbitrary addresses.
      
      If an interrupt comes in while the temporary table is active, the
      processor will start executing at such an arbitrary address, and the
      kernel will crash.
      
      While most callers run early, before interrupts are enabled, or
      explicitly disable interrupts, Finn Thain pointed out that macsonic has
      one callsite that doesn't, causing intermittent boot crashes.
      There's another unsafe callsite in hilkbd.
      
      Fix this for good by disabling and restoring interrupts inside
      hwreg_present() and hwreg_write().
      
      Explicitly disabling interrupts can be removed from the callsites later.
      Reported-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b60b67ea
    • Jan Kara's avatar
      vfs: fix data corruption when blocksize < pagesize for mmaped data · cf1e28c9
      Jan Kara authored
      commit 90a80202 upstream.
      
      ->page_mkwrite() is used by filesystems to allocate blocks under a page
      which is becoming writeably mmapped in some process' address space. This
      allows a filesystem to return a page fault if there is not enough space
      available, user exceeds quota or similar problem happens, rather than
      silently discarding data later when writepage is called.
      
      However VFS fails to call ->page_mkwrite() in all the cases where
      filesystems need it when blocksize < pagesize. For example when
      blocksize = 1024, pagesize = 4096 the following is problematic:
        ftruncate(fd, 0);
        pwrite(fd, buf, 1024, 0);
        map = mmap(NULL, 1024, PROT_WRITE, MAP_SHARED, fd, 0);
        map[0] = 'a';       ----> page_mkwrite() for index 0 is called
        ftruncate(fd, 10000); /* or even pwrite(fd, buf, 1, 10000) */
        mremap(map, 1024, 10000, 0);
        map[4095] = 'a';    ----> no page_mkwrite() called
      
      At the moment ->page_mkwrite() is called, filesystem can allocate only
      one block for the page because i_size == 1024. Otherwise it would create
      blocks beyond i_size which is generally undesirable. But later at
      ->writepage() time, we also need to store data at offset 4095 but we
      don't have block allocated for it.
      
      This patch introduces a helper function filesystems can use to have
      ->page_mkwrite() called at all the necessary moments.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2:
       - Adjust context
       - truncate_setsize() already has an oldsize variable]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cf1e28c9
    • Quinn Tran's avatar
      target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE · 87718988
      Quinn Tran authored
      commit 082f58ac upstream.
      
      During temporary resource starvation at lower transport layer, command
      is placed on queue full retry path, which expose this problem.  The TCM
      queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
      cmd twice to lower layer.  The 1st time led to cmd normal free path.
      The 2nd time cause Null pointer access.
      
      This regression bug was originally introduced v3.1-rc code in the
      following commit:
      
      commit e057f533
      Author: Christoph Hellwig <hch@infradead.org>
      Date:   Mon Oct 17 13:56:41 2011 -0400
      
          target: remove the transport_qf_callback se_cmd callback
      Signed-off-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarSaurav Kashyap <saurav.kashyap@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      87718988
    • Andy Adamson's avatar
      NFSv4.1: Fix an NFSv4.1 state renewal regression · f615f664
      Andy Adamson authored
      commit d1f456b0 upstream.
      
      Commit 2f60ea6b ("NFSv4: The NFSv4.0 client must send RENEW calls if it holds a delegation") set the NFS4_RENEW_TIMEOUT flag in nfs4_renew_state, and does
      not put an nfs41_proc_async_sequence call, the NFSv4.1 lease renewal heartbeat
      call, on the wire to renew the NFSv4.1 state if the flag was not set.
      
      The NFS4_RENEW_TIMEOUT flag is set when "now" is after the last renewal
      (cl_last_renewal) plus the lease time divided by 3. This is arbitrary and
      sometimes does the following:
      
      In normal operation, the only way a future state renewal call is put on the
      wire is via a call to nfs4_schedule_state_renewal, which schedules a
      nfs4_renew_state workqueue task. nfs4_renew_state determines if the
      NFS4_RENEW_TIMEOUT should be set, and the calls nfs41_proc_async_sequence,
      which only gets sent if the NFS4_RENEW_TIMEOUT flag is set.
      Then the nfs41_proc_async_sequence rpc_release function schedules
      another state remewal via nfs4_schedule_state_renewal.
      
      Without this change we can get into a state where an application stops
      accessing the NFSv4.1 share, state renewal calls stop due to the
      NFS4_RENEW_TIMEOUT flag _not_ being set. The only way to recover
      from this situation is with a clientid re-establishment, once the application
      resumes and the server has timed out the lease and so returns
      NFS4ERR_BAD_SESSION on the subsequent SEQUENCE operation.
      
      An example application:
      open, lock, write a file.
      
      sleep for 6 * lease (could be less)
      
      ulock, close.
      
      In the above example with NFSv4.1 delegations enabled, without this change,
      there are no OP_SEQUENCE state renewal calls during the sleep, and the
      clientid is recovered due to lease expiration on the close.
      
      This issue does not occur with NFSv4.1 delegations disabled, nor with
      NFSv4.0, with or without delegations enabled.
      Signed-off-by: default avatarAndy Adamson <andros@netapp.com>
      Link: http://lkml.kernel.org/r/1411486536-23401-1-git-send-email-andros@netapp.com
      Fixes: 2f60ea6b (NFSv4: The NFSv4.0 client must send RENEW calls...)
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f615f664
    • Mikulas Patocka's avatar
      framebuffer: fix screen corruption when copying · 6bbdc38d
      Mikulas Patocka authored
      commit 5b789da8 upstream.
      
      The function bitcpy_rev has a bug that may result in screen corruption.
      The bug happens under these conditions:
      * the end of the destination area of a copy operation is aligned on a long
        word boundary
      * the end of the source area is not aligned on a long word boundary
      * we are copying more than one long word
      
      In this case, the variable shift is non-zero and the variable first is
      zero. The statements FB_WRITEL(comp(d0, FB_READL(dst), first), dst) reads
      the last long word of the destination and writes it back unchanged
      (because first is zero). Correctly, we should write the variable d0 to the
      last word of the destination in this case.
      
      This patch fixes the bug by introducing and extra test if first is zero.
      
      The patch also removes the references to fb_memmove in the code that is
      commented out because fb_memmove was removed from framebuffer subsystem.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6bbdc38d
    • Mikulas Patocka's avatar
      framebuffer: fix border color · d15f4650
      Mikulas Patocka authored
      commit f74a289b upstream.
      
      The framebuffer code uses the current background color to fill the border
      when switching consoles, however, this results in inconsistent behavior.
      For example:
      - start Midnigh Commander
      - the border is black
      - switch to another console and switch back
      - the border is cyan
      - type something into the command line in mc
      - the border is cyan
      - switch to another console and switch back
      - the border is black
      - press F9 to go to menu
      - the border is black
      - switch to another console and switch back
      - the border is dark blue
      
      When switching to a console with Midnight Commander, the border is random
      color that was left selected by the slang subsystem.
      
      This patch fixes this inconsistency by always using black as the
      background color when switching consoles.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d15f4650
    • Trond Myklebust's avatar
      NFSv4: fix open/lock state recovery error handling · 9fda051c
      Trond Myklebust authored
      commit df817ba3 upstream.
      
      The current open/lock state recovery unfortunately does not handle errors
      such as NFS4ERR_CONN_NOT_BOUND_TO_SESSION correctly. Instead of looping,
      just proceeds as if the state manager is finished recovering.
      This patch ensures that we loop back, handle higher priority errors
      and complete the open/lock state recovery.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9fda051c
    • Ondrej Zary's avatar
      libata-sff: Fix controllers with no ctl port · 69e46f0d
      Ondrej Zary authored
      commit 6d8ca28f upstream.
      
      Currently, ata_sff_softreset is skipped for controllers with no ctl port.
      But that also skips ata_sff_dev_classify required for device detection.
      This means that libata is currently broken on controllers with no ctl port.
      
      No device connected:
      [    1.872480] pata_isapnp 01:01.02: activated
      [    1.889823] scsi2 : pata_isapnp
      [    1.890109] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11
      [    6.888110] ata3.01: qc timeout (cmd 0xec)
      [    6.888179] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   16.888085] ata3.01: qc timeout (cmd 0xec)
      [   16.888147] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   46.888086] ata3.01: qc timeout (cmd 0xec)
      [   46.888148] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   51.888100] ata3.00: qc timeout (cmd 0xec)
      [   51.888160] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   61.888079] ata3.00: qc timeout (cmd 0xec)
      [   61.888141] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   91.888089] ata3.00: qc timeout (cmd 0xec)
      [   91.888152] ata3.00: failed to IDENTIFY (I/O error, err_mask=0x5)
      
      ATAPI device connected:
      [    1.882061] pata_isapnp 01:01.02: activated
      [    1.893430] scsi2 : pata_isapnp
      [    1.893719] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11
      [    6.892107] ata3.01: qc timeout (cmd 0xec)
      [    6.892171] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   16.892079] ata3.01: qc timeout (cmd 0xec)
      [   16.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   46.892079] ata3.01: qc timeout (cmd 0xec)
      [   46.892138] ata3.01: failed to IDENTIFY (I/O error, err_mask=0x5)
      [   46.908586] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr
      [   46.924570] ata3.00: configured for PIO0 (device error ignored)
      [   46.926295] scsi 2:0:0:0: CD-ROM            ACER     CD-767E/O        1.5X PQ: 0 ANSI: 5
      [   46.984519] sr0: scsi3-mmc drive: 6x/6x xa/form2 tray
      [   46.984592] cdrom: Uniform CD-ROM driver Revision: 3.20
      
      So don't skip ata_sff_softreset, just skip the reset part of ata_bus_softreset
      if the ctl port is not available.
      
      This makes IDE port on ES968 behave correctly:
      
      No device connected:
      [    4.670888] pata_isapnp 01:01.02: activated
      [    4.673207] scsi host2: pata_isapnp
      [    4.673675] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11
      [    7.081840] Adding 2541652k swap on /dev/sda2.  Priority:-1 extents:1 across:2541652k
      
      ATAPI device connected:
      [    4.704362] pata_isapnp 01:01.02: activated
      [    4.706620] scsi host2: pata_isapnp
      [    4.706877] ata3: PATA max PIO0 cmd 0x1e8 ctl 0x0 irq 11
      [    4.872782] ata3.00: ATAPI: ACER CD-767E/O, V1.5X, max PIO2, CDB intr
      [    4.888673] ata3.00: configured for PIO0 (device error ignored)
      [    4.893984] scsi 2:0:0:0: CD-ROM            ACER     CD-767E/O        1.5X PQ: 0 ANSI: 5
      [    7.015578] Adding 2541652k swap on /dev/sda2.  Priority:-1 extents:1 across:2541652k
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69e46f0d
    • Willy Tarreau's avatar
      lzo: check for length overrun in variable length encoding. · 69d33070
      Willy Tarreau authored
      commit 72cf9012 upstream.
      
      This fix ensures that we never meet an integer overflow while adding
      255 while parsing a variable length encoding. It works differently from
      commit 206a81c1 ("lzo: properly check for overruns") because instead of
      ensuring that we don't overrun the input, which is tricky to guarantee
      due to many assumptions in the code, it simply checks that the cumulated
      number of 255 read cannot overflow by bounding this number.
      
      The MAX_255_COUNT is the maximum number of times we can add 255 to a base
      count without overflowing an integer. The multiply will overflow when
      multiplying 255 by more than MAXINT/255. The sum will overflow earlier
      depending on the base count. Since the base count is taken from a u8
      and a few bits, it is safe to assume that it will always be lower than
      or equal to 2*255, thus we can always prevent any overflow by accepting
      two less 255 steps.
      
      This patch also reduces the CPU overhead and actually increases performance
      by 1.1% compared to the initial code, while the previous fix costs 3.1%
      (measured on x86_64).
      
      The fix needs to be backported to all currently supported stable kernels.
      Reported-by: default avatarWillem Pinckaers <willem@lekkertech.net>
      Cc: "Don A. Bailey" <donb@securitymouse.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69d33070
    • Willy Tarreau's avatar
      Revert "lzo: properly check for overruns" · 6656d18e
      Willy Tarreau authored
      commit af958a38 upstream.
      
      This reverts commit 206a81c1 ("lzo: properly check for overruns").
      
      As analysed by Willem Pinckaers, this fix is still incomplete on
      certain rare corner cases, and it is easier to restart from the
      original code.
      Reported-by: default avatarWillem Pinckaers <willem@lekkertech.net>
      Cc: "Don A. Bailey" <donb@securitymouse.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6656d18e
    • Willy Tarreau's avatar
      Documentation: lzo: document part of the encoding · fbfb4b2d
      Willy Tarreau authored
      commit d98a0526 upstream.
      
      Add a complete description of the LZO format as processed by the
      decompressor. I have not found a public specification of this format
      hence this analysis, which will be used to better understand the code.
      
      Cc: Willem Pinckaers <willem@lekkertech.net>
      Cc: "Don A. Bailey" <donb@securitymouse.com>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fbfb4b2d
    • Lars-Peter Clausen's avatar
      staging:iio:ad5933: Drop "raw" from channel names · 4a8117fa
      Lars-Peter Clausen authored
      commit 6822ee34 upstream.
      
      "raw" is the name of a channel property, but should not be part of the
      channel name itself.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.2: using IIO_CHAN() macro to initialise the structures]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a8117fa
    • Stanislaw Gruszka's avatar
      rt2800: correct BBP1_TX_POWER_CTRL mask · 7d78f4e6
      Stanislaw Gruszka authored
      commit 01f7feea upstream.
      
      Two bits control TX power on BBP_R1 register. Correct the mask,
      otherwise we clear additional bit on BBP_R1 register, what can have
      unknown, possible negative effect.
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7d78f4e6
    • Benjamin Coddington's avatar
      lockd: Try to reconnect if statd has moved · 3aabe891
      Benjamin Coddington authored
      commit 173b3afc upstream.
      
      If rpc.statd is restarted, upcalls to monitor hosts can fail with
      ECONNREFUSED.  In that case force a lookup of statd's new port and retry the
      upcall.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      [bwh: Backported to 3.2: not using RPC_TASK_SOFTCONN]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3aabe891
    • Bryan O'Donoghue's avatar
      x86/intel/quark: Switch off CR4.PGE so TLB flush uses CR3 instead · 9c838750
      Bryan O'Donoghue authored
      commit ee1b5b16 upstream.
      
      Quark x1000 advertises PGE via the standard CPUID method
      PGE bits exist in Quark X1000's PTEs. In order to flush
      an individual PTE it is necessary to reload CR3 irrespective
      of the PTE.PGE bit.
      
      See Quark Core_DevMan_001.pdf section 6.4.11
      
      This bug was fixed in Galileo kernels, unfixed vanilla kernels are expected to
      crash and burn on this platform.
      Signed-off-by: default avatarBryan O'Donoghue <pure.logic@nexus-software.ie>
      Cc: Borislav Petkov <bp@alien8.de>
      Link: http://lkml.kernel.org/r/1411514784-14885-1-git-send-email-pure.logic@nexus-software.ieSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9c838750
    • David Matlack's avatar
      kvm: don't take vcpu mutex for obviously invalid vcpu ioctls · f9b5299d
      David Matlack authored
      commit 2ea75be3 upstream.
      
      vcpu ioctls can hang the calling thread if issued while a vcpu is running.
      However, invalid ioctls can happen when userspace tries to probe the kind
      of file descriptors (e.g. isatty() calls ioctl(TCGETS)); in that case,
      we know the ioctl is going to be rejected as invalid anyway and we can
      fail before trying to take the vcpu mutex.
      
      This patch does not change functionality, it just makes invalid ioctls
      fail faster.
      Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9b5299d
    • Andy Shevchenko's avatar
      spi: dw-mid: terminate ongoing transfers at exit · 0e251ad9
      Andy Shevchenko authored
      commit 8e45ef68 upstream.
      
      Do full clean up at exit, means terminate all ongoing DMA transfers.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0e251ad9
    • Andy Shevchenko's avatar
      spi: dw-mid: check that DMA was inited before exit · 186b5538
      Andy Shevchenko authored
      commit 63d84b1a upstream.
      
      commit fb57862e upstream.
      
      If the driver was compiled with DMA support, but DMA channels weren't acquired
      by some reason, mid_spi_dma_exit() will crash the kernel.
      
      Fixes: 7063c0d9 (spi/dw_spi: add DMA support)
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      186b5538
    • Andy Shevchenko's avatar
      spi: dw-mid: respect 8 bit mode · 55bddf3a
      Andy Shevchenko authored
      commit b41583e7 upstream.
      
      In case of 8 bit mode and DMA usage we end up with every second byte written as
      0. We have to respect bits_per_word settings what this patch actually does.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      55bddf3a
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Cleanup hv_post_message() · f9149ce3
      K. Y. Srinivasan authored
      commit b29ef354 upstream.
      
      Minimize failures in this function by pre-allocating the buffer
      for posting messages. The hypercall for posting the message can fail
      for a number of reasons:
      
              1. Transient resource related issues
              2. Buffer alignment
              3. Buffer cannot span a page boundry
      
      We address issues 2 and 3 by preallocating a per-cpu page for the buffer.
      Transient resource related failures are handled by retrying by the callers
      of this function.
      
      This patch is based on the investigation
      done by Dexuan Cui <decui@microsoft.com>.
      
      I would like to thank Sitsofe Wheeler <sitsofe@yahoo.com>
      for reporting the issue and helping in debuggging.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reported-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - s/NR_CPUS/MAX_NUM_CPUS/
       - Adjust context, indentation
       - Also free the page in hv_synic_init() error path]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9149ce3
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Cleanup vmbus_close_internal() · 65a50c65
      K. Y. Srinivasan authored
      commit 98d731bb upstream.
      
      Eliminate calls to BUG_ON() in vmbus_close_internal().
      We have chosen to potentially leak memory, than crash the guest
      in case of failures.
      
      In this version of the patch I have addressed comments from
      Dan Carpenter (dan.carpenter@oracle.com).
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: function is extern; don't change the return
       type to int as callers will ignore the value]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      65a50c65
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Fix a bug in vmbus_open() · 2e4bf9fd
      K. Y. Srinivasan authored
      commit 45d727ce upstream.
      
      Fix a bug in vmbus_open() and properly propagate the error. I would
      like to thank Dexuan Cui <decui@microsoft.com> for identifying the
      issue.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2e4bf9fd
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl() · bb076b38
      K. Y. Srinivasan authored
      commit 72c6b71c upstream.
      
      Eliminate the call to BUG_ON() by waiting for the host to respond. We are
      trying to reclaim the ownership of memory that was given to the host and so
      we will have to wait until the host responds.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bb076b38
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl() · 9e16dbba
      K. Y. Srinivasan authored
      commit 66be6530 upstream.
      
      Eliminate calls to BUG_ON() by properly handling errors. In cases where
      rollback is possible, we will return the appropriate error to have the
      calling code decide how to rollback state. In the case where we are
      transferring ownership of the guest physical pages to the host,
      we will wait for the host to respond.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9e16dbba
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Cleanup vmbus_post_msg() · b8097f90
      K. Y. Srinivasan authored
      commit fdeebcc6 upstream.
      
      Posting messages to the host can fail because of transient resource
      related failures. Correctly deal with these failures and increase the
      number of attempts to post the message before giving up.
      
      In this version of the patch, I have normalized the error code to
      Linux error code.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Tested-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b8097f90
    • Kees Cook's avatar
      firmware_class: make sure fw requests contain a name · 21636a4d
      Kees Cook authored
      commit 471b095d upstream.
      
      An empty firmware request name will trigger warnings when building
      device names. Make sure this is caught earlier and rejected.
      
      The warning was visible via the test_firmware.ko module interface:
      
      echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request
      Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      21636a4d
    • Lu Baolu's avatar
      USB: Add device quirk for ASUS T100 Base Station keyboard · 43e986b5
      Lu Baolu authored
      commit ddbe1fca upstream.
      
      This full-speed USB device generates spurious remote wakeup event
      as soon as USB_DEVICE_REMOTE_WAKEUP feature is set. As the result,
      Linux can't enter system suspend and S0ix power saving modes once
      this keyboard is used.
      
      This patch tries to introduce USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk.
      With this quirk set, wakeup capability will be ignored during
      device configure.
      
      This patch could be back-ported to kernels as old as 2.6.39.
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      43e986b5
    • Joonyoung Shim's avatar
      USB: add reset resume quirk for usb3503 · 5bcaa5fb
      Joonyoung Shim authored
      commit 526a4045 upstream.
      
      The usb device will autoresume from choose_wakeup() if it is
      autosuspended with the wrong wakeup setting, but below errors occur
      because usb3503 misc driver will switch to standby mode when suspended.
      
      As add USB_QUIRK_RESET_RESUME, it can stop setting wrong wakeup from
      autosuspend_check().
      
      [    7.734717] usb 1-3: reset high-speed USB device number 3 using exynos-ehci
      [    7.854658] usb 1-3: device descriptor read/64, error -71
      [    8.079657] usb 1-3: device descriptor read/64, error -71
      [    8.294664] usb 1-3: reset high-speed USB device number 3 using exynos-ehci
      [    8.414658] usb 1-3: device descriptor read/64, error -71
      [    8.639657] usb 1-3: device descriptor read/64, error -71
      [    8.854667] usb 1-3: reset high-speed USB device number 3 using exynos-ehci
      [    9.264598] usb 1-3: device not accepting address 3, error -71
      [    9.374655] usb 1-3: reset high-speed USB device number 3 using exynos-ehci
      [    9.784601] usb 1-3: device not accepting address 3, error -71
      [    9.784838] usb usb1-port3: device 1-3 not suspended yet
      Signed-off-by: default avatarJoonyoung Shim <jy0922.shim@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5bcaa5fb
    • Maciej Matraszek's avatar
      v4l2-common: fix overflow in v4l_bound_align_image() · 557e62e8
      Maciej Matraszek authored
      commit 3bacc10c upstream.
      
      Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
      when passed large value like UINT32_MAX.
      
       In the current implementation:
          clamp_align(UINT32_MAX, 8, 8192, 3)
      
      returns 8, because in line:
      
          x = (x + (1 << (align - 1))) & mask;
      
      x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192.
      
      v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
      VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
      explicitly states that:
      
      "The modified format should be as close as possible to the original
      request."
        -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
      
      Thus one would expect, that passing UINT32_MAX as format width and
      height will result in setting maximum possible resolution for the
      device. Particularly, when the driver doesn't support
      VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
      
      Fixes changeset: b0d3159bSigned-off-by: default avatarMaciej Matraszek <m.matraszek@samsung.com>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      557e62e8