1. 03 Oct, 2016 31 commits
  2. 02 Oct, 2016 9 commits
    • Mathias Nyman's avatar
      xhci: fix null pointer dereference in stop command timeout function · 631f0633
      Mathias Nyman authored
      [ Upstream commit bcf42aa6 ]
      
      The stop endpoint command has its own 5 second timeout timer.
      If the timeout function is triggered between USB3 and USB2 host
      removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
      
      the ->primary_hcd will be set to NULL at USB3 hcd removal.
      
      Fix this by first checking if the PCI host is being removed, and
      also by using only xhci_to_hcd() as it will always return the primary
      hcd.
      
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      631f0633
    • Paul Mackerras's avatar
      powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET · 7b6ea253
      Paul Mackerras authored
      [ Upstream commit f077aaf0 ]
      
      In commit c60ac569 ("powerpc: Update kernel VSID range", 2013-03-13)
      we lost a check on the region number (the top four bits of the effective
      address) for addresses below PAGE_OFFSET.  That commit replaced a check
      that the top 18 bits were all zero with a check that bits 46 - 59 were
      zero (performed for all addresses, not just user addresses).
      
      This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
      and we will insert a valid SLB entry for it.  The VSID used will be the
      same as if the top 4 bits were 0, but the page size will be some random
      value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
      array in the paca.  If that page size is the same as would be used for
      region 0, then userspace just has an alias of the region 0 space.  If the
      page size is different, then no HPTE will be found for the access, and
      the process will get a SIGSEGV (since hash_page_mm() will refuse to create
      a HPTE for the bogus address).
      
      The access beyond the end of the mm_ctx_high_slices_psize can be at most
      5.5MB past the array, and so will be in RAM somewhere.  Since the access
      is a load performed in real mode, it won't fault or crash the kernel.
      At most this bug could perhaps leak a little bit of information about
      blocks of 32 bytes of memory located at offsets of i * 512kB past the
      paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
      
      Fixes: c60ac569 ("powerpc: Update kernel VSID range")
      Cc: stable@vger.kernel.org # v3.9+
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      7b6ea253
    • Ard Biesheuvel's avatar
      crypto: cryptd - initialize child shash_desc on import · b8e51107
      Ard Biesheuvel authored
      [ Upstream commit 0bd22235 ]
      
      When calling .import() on a cryptd ahash_request, the structure members
      that describe the child transform in the shash_desc need to be initialized
      like they are when calling .init()
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      b8e51107
    • Wei Yongjun's avatar
      ipv6: addrconf: fix dev refcont leak when DAD failed · 81e6db1b
      Wei Yongjun authored
      [ Upstream commit 751eb6b6 ]
      
      In general, when DAD detected IPv6 duplicate address, ifp->state
      will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
      delayed work, the call tree should be like this:
      
      ndisc_recv_ns
        -> addrconf_dad_failure        <- missing ifp put
           -> addrconf_mod_dad_work
             -> schedule addrconf_dad_work()
               -> addrconf_dad_stop()  <- missing ifp hold before call it
      
      addrconf_dad_failure() called with ifp refcont holding but not put.
      addrconf_dad_work() call addrconf_dad_stop() without extra holding
      refcount. This will not cause any issue normally.
      
      But the race between addrconf_dad_failure() and addrconf_dad_work()
      may cause ifp refcount leak and netdevice can not be unregister,
      dmesg show the following messages:
      
      IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
      ...
      unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      
      Cc: stable@vger.kernel.org
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing
      to workqueue")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      81e6db1b
    • Chris Mason's avatar
      Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns · 12ebbc22
      Chris Mason authored
      [ Upstream commit cbd60aa7 ]
      
      We use a btrfs_log_ctx structure to pass information into the
      tree log commit, and get error values out.  It gets added to a per
      log-transaction list which we walk when things go bad.
      
      Commit d1433deb added an optimization to skip waiting for the log
      commit, but didn't take root_log_ctx out of the list.  This
      patch makes sure we remove things before exiting.
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Fixes: d1433deb
      cc: stable@vger.kernel.org # 3.15+
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      12ebbc22
    • Jan Leupold's avatar
      drm: atmel-hlcdc: Fix vertical scaling · c2aca6bb
      Jan Leupold authored
      [ Upstream commit d31ed3f0 ]
      
      The code is applying the same scaling for the X and Y components,
      thus making the scaling feature only functional when both components
      have the same scaling factor.
      
      Do the s/_w/_h/ replacement where appropriate to fix vertical scaling.
      Signed-off-by: default avatarJan Leupold <leupold@rsi-elektrotechnik.de>
      Fixes: 1a396789 ("drm: add Atmel HLCDC Display Controller support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      c2aca6bb
    • Miklos Szeredi's avatar
      ovl: fix workdir creation · 12c68a9c
      Miklos Szeredi authored
      [ Upstream commit e1ff3dd1 ]
      
      Workdir creation fails in latest kernel.
      
      Fix by allowing EOPNOTSUPP as a valid return value from
      vfs_removexattr(XATTR_NAME_POSIX_ACL_*).  Upper filesystem may not support
      ACL and still be perfectly able to support overlayfs.
      Reported-by: default avatarMartin Ziegler <ziegler@uni-freiburg.de>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: c11b9fdd ("ovl: remove posix_acl_default from workdir")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      12c68a9c
    • Yoshihiro Shimoda's avatar
      usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition · 8af2ce07
      Yoshihiro Shimoda authored
      [ Upstream commit 519d8bd4 ]
      
      The previous driver is possible to stop the transfer wrongly.
      For example:
       1) An interrupt happens, but not BRDY interruption.
       2) Read INTSTS0. And than state->intsts0 is not set to BRDY.
       3) BRDY is set to 1 here.
       4) Read BRDYSTS.
       5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly.
      
      Remarks:
       - The INTSTS0.BRDY is read only.
        - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
        - If BRDYSTS is 0, the BRDY is set to 0.
      
      So, this patch adds condition to avoid such situation. (And about
      NRDYSTS, this is not used for now. But, avoiding any side effects,
      this patch doesn't touch it.)
      
      Fixes: d5c6a1e0 ("usb: renesas_usbhs: fixup interrupt status clear method")
      Cc: <stable@vger.kernel.org> # v3.8+
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      8af2ce07
    • Balbir Singh's avatar
      sched/core: Fix a race between try_to_wake_up() and a woken up task · 431d09f2
      Balbir Singh authored
      [ Upstream commit 135e8c92 ]
      
      The origin of the issue I've seen is related to
      a missing memory barrier between check for task->state and
      the check for task->on_rq.
      
      The task being woken up is already awake from a schedule()
      and is doing the following:
      
      	do {
      		schedule()
      		set_current_state(TASK_(UN)INTERRUPTIBLE);
      	} while (!cond);
      
      The waker, actually gets stuck doing the following in
      try_to_wake_up():
      
      	while (p->on_cpu)
      		cpu_relax();
      
      Analysis:
      
      The instance I've seen involves the following race:
      
       CPU1					CPU2
      
       while () {
         if (cond)
           break;
         do {
           schedule();
           set_current_state(TASK_UN..)
         } while (!cond);
      					wakeup_routine()
      					  spin_lock_irqsave(wait_lock)
         raw_spin_lock_irqsave(wait_lock)	  wake_up_process()
       }					  try_to_wake_up()
       set_current_state(TASK_RUNNING);	  ..
       list_del(&waiter.list);
      
      CPU2 wakes up CPU1, but before it can get the wait_lock and set
      current state to TASK_RUNNING the following occurs:
      
       CPU3
       wakeup_routine()
       raw_spin_lock_irqsave(wait_lock)
       if (!list_empty)
         wake_up_process()
         try_to_wake_up()
         raw_spin_lock_irqsave(p->pi_lock)
         ..
         if (p->on_rq && ttwu_wakeup())
         ..
         while (p->on_cpu)
           cpu_relax()
         ..
      
      CPU3 tries to wake up the task on CPU1 again since it finds
      it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
      after CPU2, CPU3 got it.
      
      CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
      the task is spinning on the wait_lock. Interestingly since p->on_rq
      is checked under pi_lock, I've noticed that try_to_wake_up() finds
      p->on_rq to be 0. This was the most confusing bit of the analysis,
      but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
      check is not reliable without this fix IMHO. The race is visible
      (based on the analysis) only when ttwu_queue() does a remote wakeup
      via ttwu_queue_remote. In which case the p->on_rq change is not
      done uder the pi_lock.
      
      The result is that after a while the entire system locks up on
      the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
      
      Reproduction of the issue:
      
      The issue can be reproduced after a long run on my system with 80
      threads and having to tweak available memory to very low and running
      memory stress-ng mmapfork test. It usually takes a long time to
      reproduce. I am trying to work on a test case that can reproduce
      the issue faster, but thats work in progress. I am still testing the
      changes on my still in a loop and the tests seem OK thus far.
      
      Big thanks to Benjamin and Nick for helping debug this as well.
      Ben helped catch the missing barrier, Nick caught every missing
      bit in my theory.
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      [ Updated comment to clarify matching barriers. Many
        architectures do not have a full barrier in switch_to()
        so that cannot be relied upon. ]
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      431d09f2