commit 7f30737678023b5becaf0e2e012665f71b886a7d Author: Sasha Levin Date: Thu Mar 17 14:11:03 2016 -0400 Linux 4.1.20 Signed-off-by: Sasha Levin commit b014bae072a1dad1767c5c6e7e7b480165685c3e Author: Hannes Frederic Sowa Date: Thu Oct 8 18:19:53 2015 +0200 ipv6: drop frames with attached skb->sk in forwarding [ Upstream commit 9ef2e965e55481a52d6d91ce61977a27836268d3 ] This is a clone of commit 2ab957492d13b ("ip_forward: Drop frames with attached skb->sk") for ipv6. This commit has exactly the same reasons as the above mentioned commit, namely to prevent panics during netfilter reload or a misconfigured stack. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b5c41530ef442dba667c4d964c722e8157f7da72 Author: Marcelo Tosatti Date: Fri Mar 11 16:53:11 2016 +0800 KVM: x86: move steal time initialization to vcpu entry time [ Upstream commit 7cae2bedcbd4680b155999655e49c27b9cf020fa ] As reported at https://bugs.launchpad.net/qemu/+bug/1494350, it is possible to have vcpu->arch.st.last_steal initialized from a thread other than vcpu thread, say the iothread, via KVM_SET_MSRS. Which can cause an overflow later (when subtracting from vcpu threads sched_info.run_delay). To avoid that, move steal time accumulation to vcpu entry time, before copying steal time data to guest. Signed-off-by: Marcelo Tosatti Reviewed-by: David Matlack Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 325940deb74b23351f507d5f1e1e01592c1efa1c Author: Richard Weinberger Date: Sun Feb 21 10:53:03 2016 +0100 ubi: Fix out of bounds write in volume update code [ Upstream commit e4f6daac20332448529b11f09388f1d55ef2084c ] ubi_start_leb_change() allocates too few bytes. ubi_more_leb_change_data() will write up to req->upd_bytes + ubi->min_io_size bytes. Cc: stable@vger.kernel.org Signed-off-by: Richard Weinberger Reviewed-by: Boris Brezillon Signed-off-by: Sasha Levin commit 5a4557b0eb8a2a0b3bccdcbc7a66b8b04262f878 Author: Maciej W. Rozycki Date: Fri Mar 4 01:42:49 2016 +0000 MIPS: traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp' [ Upstream commit e723e3f7f9591b79e8c56b3d7c5a204a9c571b55 ] Avoid sending a partially initialised `siginfo_t' structure along SIGFPE signals issued from `do_ov' and `do_trap_or_bp', leading to information leaking from the kernel stack. Signed-off-by: Maciej W. Rozycki Cc: stable@vger.kernel.org Signed-off-by: Ralf Baechle Signed-off-by: Sasha Levin commit f00b04c358d1583826a7340dc661eff6f8399898 Author: Simon South Date: Wed Mar 2 23:10:44 2016 -0500 ALSA: hda - Fix mic issues on Acer Aspire E1-472 [ Upstream commit 02322ac9dee9aff8d8862e8d6660ebe102f492ea ] This patch applies the microphone-related fix created for the Acer Aspire E1-572 to the E1-472 as well, as it uses the same Realtek ALC282 CODEC and demonstrates the same issues. This patch allows an external, headset microphone to be used and limits the gain on the (quite noisy) internal microphone. Signed-off-by: Simon South Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8ef267aabd98f9df0279b9bb4245a3b985ead692 Author: Todd E Brandt Date: Wed Mar 2 16:05:29 2016 -0800 PM / sleep / x86: Fix crash on graph trace through x86 suspend [ Upstream commit 92f9e179a702a6adbc11e2fedc76ecd6ffc9e3f7 ] Pause/unpause graph tracing around do_suspend_lowlevel as it has inconsistent call/return info after it jumps to the wakeup vector. The graph trace buffer will otherwise become misaligned and may eventually crash and hang on suspend. To reproduce the issue and test the fix: Run a function_graph trace over suspend/resume and set the graph function to suspend_devices_and_enter. This consistently hangs the system without this fix. Signed-off-by: Todd Brandt Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit b13b243e312d56d7ff491a553056454c2723b021 Author: Alex Deucher Date: Wed Feb 24 17:38:38 2016 -0500 drm/radeon/pm: update current crtc info after setting the powerstate [ Upstream commit 5e031d9fe8b0741f11d49667dfc3ebf5454121fd ] On CI, we need to see if the number of crtcs changes to determine whether or not we need to upload the mclk table again. In practice we don't currently upload the mclk table again after the initial load. The only reason you would would be to add new states, e.g., for arbitrary mclk setting which is not currently supported. Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 4765409e36975036eeb5a79ca58d0b3da6131101 Author: Bjørn Mork Date: Tue Mar 1 14:36:32 2016 +0100 USB: qcserial: add Sierra Wireless EM74xx device ID [ Upstream commit 04fdbc825ffc02fb098964b92de802fff44e73fd ] The MC74xx and EM74xx modules use different IDs by default, according to the Lenovo EM7455 driver for Windows. Cc: Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit f0adda6a9f5b1689cbf47dd56cf73da201c014d8 Author: Timothy Pearson Date: Fri Feb 26 15:29:32 2016 -0600 drm/ast: Fix incorrect register check for DRAM width [ Upstream commit 2d02b8bdba322b527c5f5168ce1ca10c2d982a78 ] During DRAM initialization on certain ASpeed devices, an incorrect bit (bit 10) was checked in the "SDRAM Bus Width Status" register to determine DRAM width. Query bit 6 instead in accordance with the Aspeed AST2050 datasheet v1.05. Signed-off-by: Timothy Pearson Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin commit b8ad68546922dd5acb6cd32628bc9ae69a4795f9 Author: Helge Deller Date: Tue Jan 19 16:08:49 2016 +0100 parisc: Fix ptrace syscall number and return value modification [ Upstream commit 98e8b6c9ac9d1b1e9d1122dfa6783d5d566bb8f7 ] Mike Frysinger reported that his ptrace testcase showed strange behaviour on parisc: It was not possible to avoid a syscall and the return value of a syscall couldn't be changed. To modify a syscall number, we were missing to save the new syscall number to gr20 which is then picked up later in assembly again. The effect that the return value couldn't be changed is a side-effect of another bug in the assembly code. When a process is ptraced, userspace expects each syscall to report entrance and exit of a syscall. If a syscall number was given which doesn't exist, we jumped to the normal syscall exit code instead of informing userspace that the (non-existant) syscall exits. This unexpected behaviour confuses userspace and thus the bug was misinterpreted as if we can't change the return value. This patch fixes both problems and was tested on 64bit kernel with 32bit userspace. Signed-off-by: Helge Deller Cc: Mike Frysinger Cc: stable@vger.kernel.org # v4.0+ Tested-by: Mike Frysinger Signed-off-by: Sasha Levin commit ebe15c00057a4efad2bae1a90b04a20766cefc8c Author: Takashi Iwai Date: Tue Mar 1 18:30:18 2016 +0100 ALSA: seq: oss: Don't drain at closing a client [ Upstream commit 197b958c1e76a575d77038cc98b4bebc2134279f ] The OSS sequencer client tries to drain the pending events at releasing. Unfortunately, as spotted by syzkaller fuzzer, this may lead to an unkillable process state when the event has been queued at the far future. Since the process being released can't be signaled any longer, it remains and waits for the echo-back event in that far future. Back to history, the draining feature was implemented at the time we misinterpreted POSIX definition for blocking file operation. Actually, such a behavior is superfluous at release, and we should just release the device as is instead of keeping it up forever. This patch just removes the draining call that may block the release for too long time unexpectedly. BugLink: http://lkml.kernel.org/r/CACT4Y+Y4kD-aBGj37rf-xBw9bH3GMU6P+MYg4W1e-s-paVD2pg@mail.gmail.com Reported-by: Dmitry Vyukov Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 74a8e4d036f86999d15a4f1c24fc6f33423eb338 Author: Dennis Kadioglu Date: Tue Mar 1 14:23:29 2016 +0100 ALSA: usb-audio: Add a quirk for Plantronics DA45 [ Upstream commit 17e2df4613be57d0fab68df749f6b8114e453152 ] Plantronics DA45 does not support reading the sample rate which leads to many lines of "cannot get freq at ep 0x4" and "cannot get freq at ep 0x84". This patch adds the USB ID of the DA45 to quirks.c and avoids those error messages. Signed-off-by: Dennis Kadioglu Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 63e289a204c69536706706e31a6805035029852d Author: Yegor Yefremov Date: Mon Feb 29 16:39:57 2016 +0100 USB: serial: option: add support for Quectel UC20 [ Upstream commit c0992d0f54847d0d1d85c60fcaa054f175ab1ccd ] Add support for Quectel UC20 and blacklist the QMI interface. Signed-off-by: Yegor Yefremov Cc: stable [johan: amend commit message ] Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 09757912c869346ec88920263aa37a3a854aa038 Author: Daniele Palmas Date: Mon Feb 29 15:36:11 2016 +0100 USB: serial: option: add support for Telit LE922 PID 0x1045 [ Upstream commit 5deef5551c77e488922cc4bf4bc76df63be650d0 ] This patch adds support for 0x1045 PID of Telit LE922. Signed-off-by: Daniele Palmas Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit fcc00f16ba5e947136d81d2c8efbccce1c564548 Author: Vittorio Alfieri Date: Sun Feb 28 14:40:24 2016 +0100 USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder [ Upstream commit 3c4c615d70c8cbdc8ba8c79ed702640930652a79 ] The Parrot NMEA GPS Flight Recorder is a USB composite device consisting of hub, flash storage, and cp210x usb to serial chip. It is an accessory to the mass-produced Parrot AR Drone 2. The device emits standard NMEA messages which make the it compatible with NMEA compatible software. It was tested using gpsd version 3.11-3 as an NMEA interpreter and using the official Parrot Flight Recorder. Signed-off-by: Vittorio Alfieri Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 369ac9cea85f7eea546ddea7e712672ffeabd5ce Author: Patrik Halfar Date: Sat Feb 20 18:49:56 2016 +0100 USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3) [ Upstream commit 013dd239d6220a4e0dfdf0d45a82c34f1fd73deb ] New revision of Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card has new idProduct. Bus 002 Device 006: ID 413c:81b3 Dell Computer Corp. Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x413c Dell Computer Corp. idProduct 0x81b3 bcdDevice 0.06 iManufacturer 1 Sierra Wireless, Incorporated iProduct 2 Dell Wireless 5809e Gobi™ 4G HSPA+ Mobile Broadband Card iSerial 3 bNumConfigurations 2 Signed-off-by: Patrik Halfar Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit c8ce76e3c6cd937e8b3fd8ae3573f23767b70eca Author: Al Viro Date: Mon Feb 29 12:12:46 2016 -0500 use ->d_seq to get coherency between ->d_inode and ->d_flags [ Upstream commit a528aca7f359f4b0b1d72ae406097e491a5ba9ea ] Games with ordering and barriers are way too brittle. Just bump ->d_seq before and after updating ->d_inode and ->d_flags type bits, so that verifying ->d_seq would guarantee they are coherent. Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 4950beba6231d72c54aa5f52d96487fdda8292ed Author: Peter Zijlstra Date: Thu Jun 11 14:46:46 2015 +0200 seqcount: Rename write_seqcount_barrier() [ Upstream commit a7c6f571ff51cc77d90dd54968f7c5c938c43998 ] I'll shortly be introducing another seqcount primitive that's useful to provide ordering semantics and would like to use the write_seqcount_barrier() name for that. Seeing how there's only one user of the current primitive, lets rename it to invalidate, as that appears what its doing. While there, employ lockdep_assert_held() instead of assert_spin_locked() to not generate debug code for regular kernels. Signed-off-by: Peter Zijlstra (Intel) Cc: ktkhai@parallels.com Cc: rostedt@goodmis.org Cc: juri.lelli@gmail.com Cc: pang.xunlei@linaro.org Cc: Oleg Nesterov Cc: wanpeng.li@linux.intel.com Cc: Paul McKenney Cc: Al Viro Cc: Linus Torvalds Cc: umgwanakikbuti@gmail.com Link: http://lkml.kernel.org/r/20150611124743.279926217@infradead.org Signed-off-by: Thomas Gleixner Signed-off-by: Sasha Levin commit 67d352da6e0e14bd5987661a2be95bbaaf4c3d53 Author: Takashi Iwai Date: Mon Feb 29 14:26:43 2016 +0100 ALSA: hdsp: Fix wrong boolean ctl value accesses [ Upstream commit eab3c4db193f5fcccf70e884de9a922ca2c63d80 ] snd-hdsp driver accesses enum item values (int) instead of boolean values (long) wrongly for some ctl elements. This patch fixes them. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6177e82a6b6586a057e2f00940e2e220b993547e Author: Takashi Iwai Date: Mon Feb 29 14:32:42 2016 +0100 ALSA: hdspm: Fix zero-division [ Upstream commit c1099c3294c2344110085a38c50e478a5992b368 ] HDSPM driver contains a code issuing zero-division potentially in system sample rate ctl code. This patch fixes it by not processing a zero or invalid rate value as a divisor, as well as excluding the invalid value to be passed via the given ctl element. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b9800dd1d9eeb4b5f81a485b270702a02b142b9b Author: Takashi Iwai Date: Mon Feb 29 14:25:16 2016 +0100 ALSA: hdspm: Fix wrong boolean ctl value accesses [ Upstream commit 537e48136295c5860a92138c5ea3959b9542868b ] snd-hdspm driver accesses enum item values (int) instead of boolean values (long) wrongly for some ctl elements. This patch fixes them. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d850c054f3aeedf5e18290d14b097b5ed67fa9fb Author: Michael S. Tsirkin Date: Sun Feb 28 17:35:59 2016 +0200 MIPS: kvm: Fix ioctl error handling. [ Upstream commit 887349f69f37e71e2a8bfbd743831625a0b2ff51 ] Calling return copy_to_user(...) or return copy_from_user in an ioctl will not do the right thing if there's a pagefault: copy_to_user/copy_from_user return the number of bytes not copied in this case. Fix up kvm on mips to do return copy_to_user(...)) ? -EFAULT : 0; and return copy_from_user(...)) ? -EFAULT : 0; everywhere. Signed-off-by: Michael S. Tsirkin Cc: Paolo Bonzini Cc: James Hogan Cc: linux-kernel@vger.kernel.org Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Cc: kvm@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/12709/ Signed-off-by: Ralf Baechle Signed-off-by: Sasha Levin commit 222b341c1063cb7aa497d7ed051ccb60349f54bb Author: Michael S. Tsirkin Date: Sun Feb 28 17:32:07 2016 +0200 arm/arm64: KVM: Fix ioctl error handling [ Upstream commit 4cad67fca3fc952d6f2ed9e799621f07666a560f ] Calling return copy_to_user(...) in an ioctl will not do the right thing if there's a pagefault: copy_to_user returns the number of bytes not copied in this case. Fix up kvm to do return copy_to_user(...)) ? -EFAULT : 0; everywhere. Cc: stable@vger.kernel.org Acked-by: Christoffer Dall Signed-off-by: Michael S. Tsirkin Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 092bb6bd432857cde601ab6f2716ef313f6f7023 Author: Yadan Fan Date: Mon Feb 29 14:44:57 2016 +0800 Fix cifs_uniqueid_to_ino_t() function for s390x [ Upstream commit 1ee9f4bd1a97026a7b2d7ae9f1f74b45680d0003 ] This issue is caused by commit 02323db17e3a7 ("cifs: fix cifs_uniqueid_to_ino_t not to ever return 0"), when BITS_PER_LONG is 64 on s390x, the corresponding cifs_uniqueid_to_ino_t() function will cast 64-bit fileid to 32-bit by using (ino_t)fileid, because ino_t (typdefed __kernel_ino_t) is int type. It's defined in arch/s390/include/uapi/asm/posix_types.h #ifndef __s390x__ typedef unsigned long __kernel_ino_t; ... #else /* __s390x__ */ typedef unsigned int __kernel_ino_t; So the #ifdef condition is wrong for s390x, we can just still use one cifs_uniqueid_to_ino_t() function with comparing sizeof(ino_t) and sizeof(u64) to choose the correct execution accordingly. Signed-off-by: Yadan Fan CC: stable Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 78b821d76e779822877604052f06219294e9e038 Author: Pavel Shilovsky Date: Sat Feb 27 11:58:18 2016 +0300 CIFS: Fix SMB2+ interim response processing for read requests [ Upstream commit 6cc3b24235929b54acd5ecc987ef11a425bd209e ] For interim responses we only need to parse a header and update a number credits. Now it is done for all SMB2+ command except SMB2_READ which is wrong. Fix this by adding such processing. Signed-off-by: Pavel Shilovsky Tested-by: Shirish Pargaonkar CC: Stable Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 94a7d752e43717119822fee8b04be903e694017e Author: Justin Maggard Date: Tue Feb 9 15:52:08 2016 -0800 cifs: fix out-of-bounds access in lease parsing [ Upstream commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d ] When opening a file, SMB2_open() attempts to parse the lease state from the SMB2 CREATE Response. However, the parsing code was not careful to ensure that the create contexts are not empty or invalid, which can lead to out- of-bounds memory access. This can be seen easily by trying to read a file from a OSX 10.11 SMB3 server. Here is sample crash output: BUG: unable to handle kernel paging request at ffff8800a1a77cc6 IP: [] SMB2_open+0x804/0x960 PGD 8f77067 PUD 0 Oops: 0000 [#1] SMP Modules linked in: CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14 Hardware name: NETGEAR ReadyNAS 314 /ReadyNAS 314 , BIOS 4.6.5 10/11/2012 task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000 RIP: 0010:[] [] SMB2_open+0x804/0x960 RSP: 0018:ffff88005b31fa08 EFLAGS: 00010282 RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0 RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866 R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800 R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0 FS: 00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0 Stack: ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80 ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000 ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0 Call Trace: [] ? cifsConvertToUTF16+0x159/0x2d0 [] smb2_open_file+0x98/0x210 [] ? __kmalloc+0x1c/0xe0 [] cifs_open+0x2a4/0x720 [] do_dentry_open+0x1ff/0x310 [] ? cifsFileInfo_get+0x30/0x30 [] vfs_open+0x52/0x60 [] path_openat+0x170/0xf70 [] ? remove_wait_queue+0x48/0x50 [] do_filp_open+0x79/0xd0 [] ? __alloc_fd+0x3a/0x170 [] do_sys_open+0x114/0x1e0 [] SyS_open+0x19/0x20 [] entry_SYSCALL_64_fastpath+0x12/0x6a Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8 RIP [] SMB2_open+0x804/0x960 RSP CR2: ffff8800a1a77cc6 ---[ end trace d9f69ba64feee469 ]--- Signed-off-by: Justin Maggard Signed-off-by: Steve French CC: Stable Signed-off-by: Sasha Levin commit fb5b8ac0043cc2c0e8816341f8a875ab320563fe Author: Takashi Iwai Date: Sun Feb 28 11:41:47 2016 +0100 ALSA: timer: Fix ioctls for X32 ABI [ Upstream commit b24e7ad1fdc22177eb3e51584e1cfcb45d818488 ] X32 ABI takes the 64bit timespec, thus the timer user status ioctl becomes incompatible with IA32. This results in NOTTY error when the ioctl is issued. Meanwhile, this struct in X32 is essentially identical with the one in X86-64, so we can just bypassing to the existing code for this specific compat ioctl. Cc: # v3.4+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6dcecec27d0ec5869503ff31b0316c3956a3aa89 Author: Takashi Iwai Date: Sun Feb 28 11:36:14 2016 +0100 ALSA: timer: Fix broken compat timer user status ioctl [ Upstream commit 3a72494ac2a3bd229db941d51e7efe2f6ccd947b ] The timer user status compat ioctl returned the bogus struct used for 64bit architectures instead of the 32bit one. This patch addresses it to return the proper struct. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e59edea51ad3491f1c110acc1a3f2b0b6ee31f62 Author: Takashi Iwai Date: Sun Feb 28 11:28:08 2016 +0100 ALSA: rawmidi: Fix ioctls X32 ABI [ Upstream commit 2251fbbc1539f05b0b206b37a602d5776be37252 ] Like the previous fixes for ctl and PCM, we need a fix for incompatible X32 ABI regarding the rawmidi: namely, struct snd_rawmidi_status has the timespec, and the size and the alignment on X32 differ from IA32. This patch fixes the incompatible ioctl for X32. Cc: # v3.4+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit bffe692e21f78b45735efd8aa0dd17f7141888db Author: Takashi Iwai Date: Sun Feb 28 11:23:09 2016 +0100 ALSA: pcm: Fix ioctls for X32 ABI [ Upstream commit 513ace79b657e2022a592e77f24074e088681ecc ] X32 ABI uses the 64bit timespec in addition to 64bit alignment of 64bit values. This leads to incompatibilities in some PCM ioctls involved with snd_pcm_channel_info, snd_pcm_status and snd_pcm_sync_ptr structs. Fix the PCM compat ABI for these ioctls like the previous commit for ctl API. Reported-by: Steven Newbury Cc: # v3.4+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3aa7c24c31ee77017718dea1e4e43a2cbc969b53 Author: Takashi Iwai Date: Sat Feb 27 17:52:42 2016 +0100 ALSA: ctl: Fix ioctls for X32 ABI [ Upstream commit 6236d8bb2afcfe71b88ecea554e0dc638090a45f ] The X32 ABI takes the same alignment like x86-64, and this may result in the incompatible struct size from ia32. Unfortunately, we hit this in some control ABI: struct snd_ctl_elem_value differs between them due to the position of 64bit variable array. This ends up with the unknown ioctl (ENOTTY) error. The fix is to add the compat entries for the new aligned struct. Reported-and-tested-by: Steven Newbury Cc: # v3.4+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1590808b43559d8330599158453f28f1b16ffd54 Author: Michael S. Tsirkin Date: Sun Feb 28 16:31:39 2016 +0200 vfio: fix ioctl error handling [ Upstream commit 8160c4e455820d5008a1116d2dca35f0363bb062 ] Calling return copy_to_user(...) in an ioctl will not do the right thing if there's a pagefault: copy_to_user returns the number of bytes not copied in this case. Fix up vfio to do return copy_to_user(...)) ? -EFAULT : 0; everywhere. Cc: stable@vger.kernel.org Signed-off-by: Michael S. Tsirkin Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 9b77cd137fd841d7a14e1c9428cfc49f4df0306e Author: Al Viro Date: Sat Feb 27 19:23:16 2016 -0500 namei: ->d_inode of a pinned dentry is stable only for positives [ Upstream commit d4565649b6d6923369112758212b851adc407f0c ] both do_last() and walk_component() risk picking a NULL inode out of dentry about to become positive, *then* checking its flags and seeing that it's not negative anymore and using (already stale by then) value they'd fetched earlier. Usually ends up oopsing soon after that... Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 3960cde3e356057bd60adce1b625a7d178b9581c Author: Al Viro Date: Sat Feb 27 19:17:33 2016 -0500 do_last(): don't let a bogus return value from ->open() et.al. to confuse us [ Upstream commit c80567c82ae4814a41287618e315a60ecf513be6 ] ... into returning a positive to path_openat(), which would interpret that as "symlink had been encountered" and proceed to corrupt memory, etc. It can only happen due to a bug in some ->open() instance or in some LSM hook, etc., so we report any such event *and* make sure it doesn't trick us into further unpleasantness. Cc: stable@vger.kernel.org # v3.6+, at least Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 6cb69cb2840d3c18a469d6c42dbdb060bdf2bb04 Author: Mikulas Patocka Date: Thu Feb 25 18:17:38 2016 +0100 hpfs: don't truncate the file when delete fails [ Upstream commit b6853f78e763d42c7a158d8de3549c9827c604ab ] The delete opration can allocate additional space on the HPFS filesystem due to btree split. The HPFS driver checks in advance if there is available space, so that it won't corrupt the btree if we run out of space during splitting. If there is not enough available space, the HPFS driver attempted to truncate the file, but this results in a deadlock since the commit 7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex and lock it on every callback from VFS"). This patch removes the code that tries to truncate the file and -ENOSPC is returned instead. If the user hits -ENOSPC on delete, he should try to delete other files (that are stored in a leaf btree node), so that the delete operation will make some space for deleting the file stored in non-leaf btree node. Reported-by: Al Viro Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org # 2.6.39+ Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 419ddc3099727a291a67d41498c3d1caddb75392 Author: Mel Gorman Date: Fri Feb 26 15:19:31 2016 -0800 mm: numa: quickly fail allocations for NUMA balancing on full nodes [ Upstream commit 8479eba7781fa9ffb28268840de6facfc12c35a7 ] Commit 4167e9b2cf10 ("mm: remove GFP_THISNODE") removed the GFP_THISNODE flag combination due to confusing semantics. It noted that alloc_misplaced_dst_page() was one such user after changes made by commit e97ca8e5b864 ("mm: fix GFP_THISNODE callers and clarify"). Unfortunately when GFP_THISNODE was removed, users of alloc_misplaced_dst_page() started waking kswapd and entering direct reclaim because the wrong GFP flags are cleared. The consequence is that workloads that used to fit into memory now get reclaimed which is addressed by this patch. The problem can be demonstrated with "mutilate" that exercises memcached which is software dedicated to memory object caching. The configuration uses 80% of memory and is run 3 times for varying numbers of clients. The results on a 4-socket NUMA box are mutilate 4.4.0 4.4.0 vanilla numaswap-v1 Hmean 1 8394.71 ( 0.00%) 8395.32 ( 0.01%) Hmean 4 30024.62 ( 0.00%) 34513.54 ( 14.95%) Hmean 7 32821.08 ( 0.00%) 70542.96 (114.93%) Hmean 12 55229.67 ( 0.00%) 93866.34 ( 69.96%) Hmean 21 39438.96 ( 0.00%) 85749.21 (117.42%) Hmean 30 37796.10 ( 0.00%) 50231.49 ( 32.90%) Hmean 47 18070.91 ( 0.00%) 38530.13 (113.22%) The metric is queries/second with the more the better. The results are way outside of the noise and the reason for the improvement is obvious from some of the vmstats 4.4.0 4.4.0 vanillanumaswap-v1r1 Minor Faults 1929399272 2146148218 Major Faults 19746529 3567 Swap Ins 57307366 9913 Swap Outs 50623229 17094 Allocation stalls 35909 443 DMA allocs 0 0 DMA32 allocs 72976349 170567396 Normal allocs 5306640898 5310651252 Movable allocs 0 0 Direct pages scanned 404130893 799577 Kswapd pages scanned 160230174 0 Kswapd pages reclaimed 55928786 0 Direct pages reclaimed 1843936 41921 Page writes file 2391 0 Page writes anon 50623229 17094 The vanilla kernel is swapping like crazy with large amounts of direct reclaim and kswapd activity. The figures are aggregate but it's known that the bad activity is throughout the entire test. Note that simple streaming anon/file memory consumers also see this problem but it's not as obvious. In those cases, kswapd is awake when it should not be. As there are at least two reclaim-related bugs out there, it's worth spelling out the user-visible impact. This patch only addresses bugs related to excessive reclaim on NUMA hardware when the working set is larger than a NUMA node. There is a bug related to high kswapd CPU usage but the reports are against laptops and other UMA hardware and is not addressed by this patch. Signed-off-by: Mel Gorman Cc: Vlastimil Babka Cc: Johannes Weiner Cc: David Rientjes Cc: [4.1+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d347d0e9ae617bd44ca7679786ebf11a06d50372 Author: Andrea Arcangeli Date: Fri Feb 26 15:19:28 2016 -0800 mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED [ Upstream commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 ] pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were introduced to locklessy (but atomically) detect when a pmd is a regular (stable) pmd or when the pmd is unstable and can infinitely transition from pmd_none() and pmd_trans_huge() from under us, while only holding the mmap_sem for reading (for writing not). While holding the mmap_sem only for reading, MADV_DONTNEED can run from under us and so before we can assume the pmd to be a regular stable pmd we need to compare it against pmd_none() and pmd_trans_huge() in an atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a tiny window for a race. Useful applications are unlikely to notice the difference as doing MADV_DONTNEED concurrently with a page fault would lead to undefined behavior. [akpm@linux-foundation.org: tidy up comment grammar/layout] Signed-off-by: Andrea Arcangeli Reported-by: Kirill A. Shutemov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit bb2b7d4ee6fc2c2dea54c12df9c0aea15e1a019c Author: Colin Ian King Date: Fri Feb 26 18:55:31 2016 +0000 x86/mpx: Fix off-by-one comparison with nr_registers [ Upstream commit 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 ] In the unlikely event that regno == nr_registers then we get an array overrun on regoff because the invalid register check is currently off-by-one. Fix this with a check that regno is >= nr_registers instead. Detected with static analysis using CoverityScan. Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information" Signed-off-by: Colin Ian King Acked-by: Dave Hansen Cc: Borislav Petkov Cc: "Kirill A . Shutemov" Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com Signed-off-by: Thomas Gleixner Signed-off-by: Sasha Levin commit 18d609bb0b8c6823a750b32106be5685ca3daff7 Author: Paolo Bonzini Date: Fri Feb 26 12:28:40 2016 +0100 KVM: x86: fix root cause for missed hardware breakpoints [ Upstream commit 70e4da7a8ff62f2775337b705f45c804bb450454 ] Commit 172b2386ed16 ("KVM: x86: fix missed hardware breakpoints", 2016-02-10) worked around a case where the debug registers are not loaded correctly on preemption and on the first entry to KVM_RUN. However, Xiao Guangrong pointed out that the root cause must be that KVM_DEBUGREG_BP_ENABLED is not being set correctly. This can indeed happen due to the lazy debug exit mechanism, which does not call kvm_update_dr7. Fix it by replacing the existing loop (more or less equivalent to kvm_update_dr0123) with calls to all the kvm_update_dr* functions. Cc: stable@vger.kernel.org # 4.1+ Fixes: 172b2386ed16a9143d9a456aae5ec87275c61489 Reviewed-by: Xiao Guangrong Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit d017f850a3b6f84e6d847c6cbb01eaf6ce61f4f6 Author: Harvey Hunt Date: Wed Feb 24 15:16:43 2016 +0000 libata: Align ata_device's id on a cacheline [ Upstream commit 4ee34ea3a12396f35b26d90a094c75db95080baa ] The id buffer in ata_device is a DMA target, but it isn't explicitly cacheline aligned. Due to this, adjacent fields can be overwritten with stale data from memory on non coherent architectures. As a result, the kernel is sometimes unable to communicate with an ATA device. Fix this by ensuring that the id buffer is cacheline aligned. This issue is similar to that fixed by Commit 84bda12af31f ("libata: align ap->sector_buf"). Signed-off-by: Harvey Hunt Cc: linux-kernel@vger.kernel.org Cc: # 2.6.18 Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit 15115bf3b764c4f2b36ea202f45181fd18d4a574 Author: Jay Cornwall Date: Wed Feb 10 15:48:01 2016 -0600 iommu/amd: Apply workaround for ATS write permission check [ Upstream commit 358875fd52ab8f00f66328cbf1a1d2486f265829 ] The AMD Family 15h Models 30h-3Fh (Kaveri) BIOS and Kernel Developer's Guide omitted part of the BIOS IOMMU L2 register setup specification. Without this setup the IOMMU L2 does not fully respect write permissions when handling an ATS translation request. The IOMMU L2 will set PTE dirty bit when handling an ATS translation with write permission request, even when PTE RW bit is clear. This may occur by direct translation (which would cause a PPR) or by prefetch request from the ATC. This is observed in practice when the IOMMU L2 modifies a PTE which maps a pagecache page. The ext4 filesystem driver BUGs when asked to writeback these (non-modified) pages. Enable ATS write permission check in the Kaveri IOMMU L2 if BIOS has not. Signed-off-by: Jay Cornwall Cc: # v3.19+ Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 91d212c02743084892b687fb5cf166fffc01d0f9 Author: Suravee Suthikulpanit Date: Tue Feb 23 13:03:30 2016 +0100 iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered [ Upstream commit 38e45d02ea9f194b89d6bf41e52ccafc8e2c2b47 ] The setup code for the performance counters in the AMD IOMMU driver tests whether the counters can be written. It tests to setup a counter for device 00:00.0, which fails on systems where this particular device is not covered by the IOMMU. Fix this by not relying on device 00:00.0 but only on the IOMMU being present. Cc: stable@vger.kernel.org Signed-off-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 715b09c999aeb1c6e48a1d10b93443d4cdbab01b Author: Takashi Iwai Date: Thu Feb 25 14:31:59 2016 +0100 ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2 [ Upstream commit f883982dc1b117f04579f0896821cd9f2e397f94 ] HP EliteBook 755 G2 with ALC3228 (ALC280) codec [103c:221c] requires the known fixup (ALC269_FIXUP_HEADSET_MIC) for making the headset mic working. Also, it suffers from the loopback noise problem, so we should disable aamix path as well. Reported-by: Derick Eddington Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit fdd575639f6beb61e90be54fcdd14dd9f9b9627f Author: David Henningsson Date: Thu Feb 25 09:37:05 2016 +0100 ALSA: hda - Fixup speaker pass-through control for nid 0x14 on ALC225 [ Upstream commit 2ae955774f29bbd7d16149cb0ae8d0319bf2ecc4 ] On one of the machines we enable, we found that the actual speaker volume did not always correspond to the volume set in alsamixer. This patch fixes that problem. This patch was orginally written by Kailang @ Realtek, I've rebased it to fit sound git master. Cc: stable@vger.kernel.org BugLink: https://bugs.launchpad.net/bugs/1549660 Co-Authored-By: Kailang Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b3c3bdf0959ee2c27305d70bc737da8d5153cdfc Author: Kailang Yang Date: Wed Feb 3 15:20:39 2016 +0800 ALSA: hda/realtek - Support Dell headset mode for ALC225 [ Upstream commit cfc5a845e62853edd36e564c23c64588f4adcae6 ] Dell create new platform with ALC298 codec. This patch will enable headset mode for ALC225/ALC3253 platform. Signed-off-by: Kailang Yang Cc: # v4.4+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 49f76896f87b49592781f09d6e6c3f868051a6d7 Author: David Woodhouse Date: Mon Feb 1 14:04:46 2016 +0000 Fix directory hardlinks from deleted directories [ Upstream commit be629c62a603e5935f8177fd8a19e014100a259e ] When a directory is deleted, we don't take too much care about killing off all the dirents that belong to it — on the basis that on remount, the scan will conclude that the directory is dead anyway. This doesn't work though, when the deleted directory contained a child directory which was moved *out*. In the early stages of the fs build we can then end up with an apparent hard link, with the child directory appearing both in its true location, and as a child of the original directory which are this stage of the mount process we don't *yet* know is defunct. To resolve this, take out the early special-casing of the "directories shall not have hard links" rule in jffs2_build_inode_pass1(), and let the normal nlink processing happen for directories as well as other inodes. Then later in the build process we can set ic->pino_nlink to the parent inode#, as is required for directories during normal operaton, instead of the nlink. And complain only *then* about hard links which are still in evidence even after killing off all the unreachable paths. Reported-by: Liu Song Signed-off-by: David Woodhouse Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit e0dae728bf0878ad831440ff5d2e90ec10b794a4 Author: David Woodhouse Date: Mon Feb 1 12:37:20 2016 +0000 jffs2: Fix page lock / f->sem deadlock [ Upstream commit 49e91e7079febe59a20ca885a87dd1c54240d0f1 ] With this fix, all code paths should now be obtaining the page lock before f->sem. Reported-by: Szabó Tamás Tested-by: Thomas Betker Signed-off-by: David Woodhouse Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 74d11976ff45dfe15b8a965d72237ac98533f788 Author: Thomas Betker Date: Tue Nov 10 22:18:15 2015 +0100 Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" [ Upstream commit 157078f64b8a9cd7011b6b900b2f2498df850748 ] This reverts commit 5ffd3412ae55 ("jffs2: Fix lock acquisition order bug in jffs2_write_begin"). The commit modified jffs2_write_begin() to remove a deadlock with jffs2_garbage_collect_live(), but this introduced new deadlocks found by multiple users. page_lock() actually has to be called before mutex_lock(&c->alloc_sem) or mutex_lock(&f->sem) because jffs2_write_end() and jffs2_readpage() are called with the page locked, and they acquire c->alloc_sem and f->sem, resp. In other words, the lock order in jffs2_write_begin() was correct, and it is the jffs2_garbage_collect_live() path that has to be changed. Revert the commit to get rid of the new deadlocks, and to clear the way for a better fix of the original deadlock. Reported-by: Deng Chao Reported-by: Ming Liu Reported-by: wangzaiwei Signed-off-by: Thomas Betker Signed-off-by: David Woodhouse Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 79e6eddd93bc3dfa020a57886d666dea9b9f452e Author: Mike Krinkin Date: Wed Feb 24 21:02:31 2016 +0300 KVM: x86: MMU: fix ubsan index-out-of-range warning [ Upstream commit 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 ] Ubsan reports the following warning due to a typo in update_accessed_dirty_bits template, the patch fixes the typo: [ 168.791851] ================================================================================ [ 168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15 [ 168.791866] index 4 is out of range for type 'u64 [4]' [ 168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G O L 4.5.0-rc5-next-20160222 #7 [ 168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013 [ 168.791876] 0000000000000000 ffff8801cfcaf208 ffffffff81c9f780 0000000041b58ab3 [ 168.791882] ffffffff82eb2cc1 ffffffff81c9f6b4 ffff8801cfcaf230 ffff8801cfcaf1e0 [ 168.791886] 0000000000000004 0000000000000001 0000000000000000 ffffffffa1981600 [ 168.791891] Call Trace: [ 168.791899] [] dump_stack+0xcc/0x12c [ 168.791904] [] ? _atomic_dec_and_lock+0xc4/0xc4 [ 168.791910] [] ubsan_epilogue+0xd/0x8a [ 168.791914] [] __ubsan_handle_out_of_bounds+0x15c/0x1a3 [ 168.791918] [] ? __ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd [ 168.791922] [] ? get_user_pages_fast+0x2bf/0x360 [ 168.791954] [] ? kvm_largepages_enabled+0x30/0x30 [kvm] [ 168.791958] [] ? __get_user_pages_fast+0x360/0x360 [ 168.791987] [] paging64_walk_addr_generic+0x1b28/0x2600 [kvm] [ 168.792014] [] ? init_kvm_mmu+0x1100/0x1100 [kvm] [ 168.792019] [] ? debug_check_no_locks_freed+0x350/0x350 [ 168.792044] [] ? init_kvm_mmu+0x1100/0x1100 [kvm] [ 168.792076] [] paging64_gva_to_gpa+0x7d/0x110 [kvm] [ 168.792121] [] ? paging64_walk_addr_generic+0x2600/0x2600 [kvm] [ 168.792130] [] ? debug_lockdep_rcu_enabled+0x7b/0x90 [ 168.792178] [] emulator_read_write_onepage+0x27a/0x1150 [kvm] [ 168.792208] [] ? __kvm_read_guest_page+0x54/0x70 [kvm] [ 168.792234] [] ? kvm_task_switch+0x160/0x160 [kvm] [ 168.792238] [] ? debug_lockdep_rcu_enabled+0x7b/0x90 [ 168.792263] [] emulator_read_write+0xe7/0x6d0 [kvm] [ 168.792290] [] ? em_cr_write+0x230/0x230 [kvm] [ 168.792314] [] emulator_write_emulated+0x15/0x20 [kvm] [ 168.792340] [] segmented_write+0xf8/0x130 [kvm] [ 168.792367] [] ? em_lgdt+0x20/0x20 [kvm] [ 168.792374] [] ? vmx_read_guest_seg_ar+0x42/0x1e0 [kvm_intel] [ 168.792400] [] writeback+0x3f2/0x700 [kvm] [ 168.792424] [] ? em_sidt+0xa0/0xa0 [kvm] [ 168.792449] [] ? x86_decode_insn+0x1b3d/0x4f70 [kvm] [ 168.792474] [] x86_emulate_insn+0x572/0x3010 [kvm] [ 168.792499] [] x86_emulate_instruction+0x3bd/0x2110 [kvm] [ 168.792524] [] ? reexecute_instruction.part.110+0x2e0/0x2e0 [kvm] [ 168.792532] [] handle_ept_misconfig+0x61/0x460 [kvm_intel] [ 168.792539] [] ? handle_pause+0x450/0x450 [kvm_intel] [ 168.792546] [] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel] [ 168.792572] [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm] [ 168.792597] [] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm] [ 168.792621] [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm] [ 168.792627] [] ? __ww_mutex_lock_interruptible+0x1630/0x1630 [ 168.792651] [] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm] [ 168.792656] [] ? preempt_notifier_unregister+0x190/0x190 [ 168.792681] [] ? kvm_arch_vcpu_load+0x127/0x650 [kvm] [ 168.792704] [] kvm_vcpu_ioctl+0x553/0xda0 [kvm] [ 168.792727] [] ? vcpu_put+0x40/0x40 [kvm] [ 168.792732] [] ? debug_check_no_locks_freed+0x350/0x350 [ 168.792735] [] ? _raw_spin_unlock+0x27/0x40 [ 168.792740] [] ? handle_mm_fault+0x1673/0x2e40 [ 168.792744] [] ? trace_hardirqs_on_caller+0x478/0x6c0 [ 168.792747] [] ? trace_hardirqs_on+0xd/0x10 [ 168.792751] [] ? debug_lockdep_rcu_enabled+0x7b/0x90 [ 168.792756] [] do_vfs_ioctl+0x1b0/0x12b0 [ 168.792759] [] ? ioctl_preallocate+0x210/0x210 [ 168.792763] [] ? __fget+0x273/0x4a0 [ 168.792766] [] ? __fget+0x50/0x4a0 [ 168.792770] [] ? __fget_light+0x96/0x2b0 [ 168.792773] [] SyS_ioctl+0x79/0x90 [ 168.792777] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 168.792780] ================================================================================ Signed-off-by: Mike Krinkin Reviewed-by: Xiao Guangrong Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4c3192278b461a23930dd39eaaa683898c1d0009 Author: Kai-Heng Feng Date: Thu Feb 25 15:19:38 2016 +0800 ALSA: hda - Fixing background noise on Dell Inspiron 3162 [ Upstream commit 7cb32ae09a6490c27bc3c110ee42d808a5670142 ] commit 3b43b71f05d3ecd01c4116254666d9492301697d upstream. After login to the desktop on Dell Inspiron 3162, there's a very loud background noise comes from the builtin speaker. The noise does not go away even if the speaker is muted. The noise disappears after using the aamix fixup. Codec: Realtek ALC3234 Address: 0 AFG Function Id: 0x1 (unsol 1) Vendor Id: 0x10ec0255 Subsystem Id: 0x10280725 Revision Id: 0x100002 No Modem Function Group found BugLink: http://bugs.launchpad.net/bugs/1549620 Signed-off-by: Kai-Heng Feng Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 42929fe6d85ae5a3916f79d5c70792fb35d48603 Author: Kailang Date: Mon Dec 28 11:35:24 2015 +0800 ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO [ Upstream commit 3694cb2947db50753caf432db067487eafae7b9b ] The Lenovo ThinkCenter AIO uses Line2 (NID 0x1b) to implement the micmute hotkey, here we register an input device and use Line2 unsol event to collect the hotkey pressing or releasing. In the meanwhile, the micmute led is controlled by GPIO2, so we use an existing function alc_fixup_gpio_mic_mute_hook() to control the led. [Hui: And there are two places to register the input device, to make the code simple and clean, move the two same code sections into a function.] Cc: Signed-off-by: Kailang Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 559e8bf80c9676b40f1ddcb7a90e1eaa2f3c6a2a Author: Hui Wang Date: Tue Dec 8 12:27:18 2015 +0800 ALSA: hda - Fixing speaker noise on the two latest thinkpad models [ Upstream commit 23adc192b862b69ad80a40bd5206e337f41264ac ] We have two latest thinkpad laptop models which are all based on the Intel skylake platforms, and all of them have the codec alc293 on them. When the machines boot to the desktop, an greeting dialogue shows up with the notification sound. But on these two models, there is noise with the notification sound. We have 3 SKUs for each of the models, all of them have this problem. So far, this problem is only specific to these two thinkpad models, we did not find this problem on the old thinkpad models with the codec alc293 or alc292. A workaround for this problem is disabling the aamix. Cc: stable@vger.kernel.org BugLink: https://bugs.launchpad.net/bugs/1523517 Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 4c440d72709998411c30c9bf6e503980bd655dc3 Author: Hui Wang Date: Tue Nov 24 11:08:18 2015 +0800 ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3 [ Upstream commit 8c69729b4439bbda88c3073df7243f755cc418ed ] We have a machine Dell XPS 13 with the codec alc256, after resume back from S3, the headphone has noise when play sound. Through comparing with the coeff vaule before and after S3, we found restoring a coeff register will help remove noise. BugLink: https://bugs.launchpad.net/bugs/1519168 Cc: Kailang Yang Cc: Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5352c4b683d846849860a8235ee0a2eaf34147d6 Author: Kailang Yang Date: Mon Oct 26 15:37:39 2015 +0800 ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after resume back [ Upstream commit 6ed1131fe196ad7ffc13acc1a1eadc08a1db0303 ] This machine had I2S codec for speaker output. It need to refill the I2S codec initial verb after resume back. Signed-off-by: Kailang Yang Reported-and-tested-by: George Gugulea Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0f1b871592766fbadf7074a414d602fd7be5570a Author: Kailang Yang Date: Mon May 18 15:31:20 2015 +0800 ALSA: hda/realtek - Support Dell headset mode for ALC298 [ Upstream commit 977e627684df0f60bdf2a768ec4772f42fe843fc ] Dell create new platform with ALC298 codec. This patch will enable headset mode for ALC298/ALC3266 platform. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 49670184289e48451171179470a7dbbdb63f9549 Author: Peter Chen Date: Wed Feb 24 11:05:25 2016 +0800 usb: chipidea: otg: change workqueue ci_otg as freezable [ Upstream commit d144dfea8af7108f613139623e63952ed7e69c0c ] If we use USB ID pin as wakeup source, and there is a USB block device on this USB OTG (ID) cable, the system will be deadlock after system resume. The root cause for this problem is: the workqueue ci_otg may try to remove hcd before the driver resume has finished, and hcd will disconnect the device on it, then, it will call device_release_driver, and holds the device lock "dev->mutex", but it is never unlocked since it waits workqueue writeback to run to flush the block information, but the workqueue writeback is freezable, it is not thawed before driver resume has finished. When the driver (device: sd 0:0:0:0:) resume goes to dpm_complete, it tries to get its device lock "dev->mutex", but it can't get it forever, then the deadlock occurs. Below call stacks show the situation. So, in order to fix this problem, we need to change workqueue ci_otg as freezable, then the work item in this workqueue will be run after driver's resume, this workqueue will not be blocked forever like above case since the workqueue writeback has been thawed too. Tested at: i.mx6qdl-sabresd and i.mx6sx-sdb. [ 555.178869] kworker/u2:13 D c07de74c 0 826 2 0x00000000 [ 555.185310] Workqueue: ci_otg ci_otg_work [ 555.189353] Backtrace: [ 555.191849] [] (__schedule) from [] (schedule+0x48/0xa0) [ 555.198912] r10:ee471ba0 r9:00000000 r8:00000000 r7:00000002 r6:ee470000 r5:ee471ba4 [ 555.206867] r4:ee470000 [ 555.209453] [] (schedule) from [] (schedule_timeout+0x15c/0x1e0) [ 555.217212] r4:7fffffff r3:edc2b000 [ 555.220862] [] (schedule_timeout) from [] (wait_for_common+0x94/0x144) [ 555.229140] r8:00000000 r7:00000002 r6:ee470000 r5:ee471ba4 r4:7fffffff [ 555.235980] [] (wait_for_common) from [] (wait_for_completion+0x18/0x1c) [ 555.244430] r10:00000001 r9:c0b5563c r8:c0042e48 r7:ef086000 r6:eea4372c r5:ef131b00 [ 555.252383] r4:00000000 [ 555.254970] [] (wait_for_completion) from [] (flush_work+0x19c/0x234) [ 555.263177] [] (flush_work) from [] (flush_delayed_work+0x48/0x4c) [ 555.271106] r8:ed5b5000 r7:c0b38a3c r6:eea439cc r5:eea4372c r4:eea4372c [ 555.277958] [] (flush_delayed_work) from [] (bdi_unregister+0x84/0xec) [ 555.286236] r4:eea43520 r3:20000153 [ 555.289885] [] (bdi_unregister) from [] (blk_cleanup_queue+0x180/0x29c) [ 555.298250] r5:eea43808 r4:eea43400 [ 555.301909] [] (blk_cleanup_queue) from [] (__scsi_remove_device+0x48/0xb8) [ 555.310623] r7:00000000 r6:20000153 r5:ededa950 r4:ededa800 [ 555.316403] [] (__scsi_remove_device) from [] (scsi_forget_host+0x64/0x68) [ 555.325028] r5:ededa800 r4:ed5b5000 [ 555.328689] [] (scsi_forget_host) from [] (scsi_remove_host+0x78/0x104) [ 555.337054] r5:ed5b5068 r4:ed5b5000 [ 555.340709] [] (scsi_remove_host) from [] (usb_stor_disconnect+0x50/0xb4) [ 555.349247] r6:ed5b56e4 r5:ed5b5818 r4:ed5b5690 r3:00000008 [ 555.355025] [] (usb_stor_disconnect) from [] (usb_unbind_interface+0x78/0x25c) [ 555.363997] r8:c13919b4 r7:edd3c000 r6:edd3c020 r5:ee551c68 r4:ee551c00 r3:c04cdf7c [ 555.371892] [] (usb_unbind_interface) from [] (__device_release_driver+0x8c/0x118) [ 555.381213] r10:00000001 r9:edd90c00 r8:c13919b4 r7:ee551c68 r6:c0b546e0 r5:c0b5563c [ 555.389167] r4:edd3c020 [ 555.391752] [] (__device_release_driver) from [] (device_release_driver+0x28/0x34) [ 555.401071] r5:edd3c020 r4:edd3c054 [ 555.404721] [] (device_release_driver) from [] (bus_remove_device+0xe0/0x110) [ 555.413607] r5:edd3c020 r4:ef17f04c [ 555.417253] [] (bus_remove_device) from [] (device_del+0x114/0x21c) [ 555.425270] r6:edd3c028 r5:edd3c020 r4:ee551c00 r3:00000000 [ 555.431045] [] (device_del) from [] (usb_disable_device+0xa4/0x1e8) [ 555.439061] r8:edd3c000 r7:eded8000 r6:00000000 r5:00000001 r4:ee551c00 [ 555.445906] [] (usb_disable_device) from [] (usb_disconnect+0x74/0x224) [ 555.454271] r9:edd90c00 r8:ee551000 r7:ee551c68 r6:ee551c9c r5:ee551c00 r4:00000001 [ 555.462156] [] (usb_disconnect) from [] (usb_disconnect+0x1d8/0x224) [ 555.470259] r10:00000001 r9:edd90000 r8:ee471e2c r7:ee551468 r6:ee55149c r5:ee551400 [ 555.478213] r4:00000001 [ 555.480797] [] (usb_disconnect) from [] (usb_remove_hcd+0xa0/0x1ac) [ 555.488813] r10:00000001 r9:ee471eb0 r8:00000000 r7:ef3d9500 r6:eded810c r5:eded80b0 [ 555.496765] r4:eded8000 [ 555.499351] [] (usb_remove_hcd) from [] (host_stop+0x28/0x64) [ 555.506847] r6:eeb50010 r5:eded8000 r4:eeb51010 [ 555.511563] [] (host_stop) from [] (ci_otg_work+0xc4/0x124) [ 555.518885] r6:00000001 r5:eeb50010 r4:eeb502a0 r3:c04d4130 [ 555.524665] [] (ci_otg_work) from [] (process_one_work+0x194/0x420) [ 555.532682] r6:ef086000 r5:eeb502a0 r4:edc44480 [ 555.537393] [] (process_one_work) from [] (worker_thread+0x34/0x514) [ 555.545496] r10:edc44480 r9:ef086000 r8:c0b1a100 r7:ef086034 r6:00000088 r5:edc44498 [ 555.553450] r4:ef086000 [ 555.556032] [] (worker_thread) from [] (kthread+0xdc/0xf8) [ 555.563268] r10:00000000 r9:00000000 r8:00000000 r7:c004577c r6:edc44480 r5:eddc15c0 [ 555.571221] r4:00000000 [ 555.573804] [] (kthread) from [] (ret_from_fork+0x14/0x24) [ 555.581040] r7:00000000 r6:00000000 r5:c004b9d8 r4:eddc15c0 [ 553.429383] sh D c07de74c 0 694 691 0x00000000 [ 553.435801] Backtrace: [ 553.438295] [] (__schedule) from [] (schedule+0x48/0xa0) [ 553.445358] r10:edd3c054 r9:edd3c078 r8:edddbd50 r7:edcbbc00 r6:c1377c34 r5:60000153 [ 553.453313] r4:eddda000 [ 553.455896] [] (schedule) from [] (schedule_preempt_disabled+0x10/0x14) [ 553.464261] r4:edd3c058 r3:0000000a [ 553.467910] [] (schedule_preempt_disabled) from [] (mutex_lock_nested+0x1a0/0x3e8) [ 553.477254] [] (mutex_lock_nested) from [] (dpm_complete+0xc0/0x1b0) [ 553.485358] r10:00561408 r9:edd3c054 r8:c0b4863c r7:edddbd90 r6:c0b485d8 r5:edd3c020 [ 553.493313] r4:edd3c0d0 [ 553.495896] [] (dpm_complete) from [] (dpm_resume_end+0x1c/0x20) [ 553.503652] r9:00000000 r8:c0b1a9d0 r7:c1334ec0 r6:c1334edc r5:00000003 r4:00000010 [ 553.511544] [] (dpm_resume_end) from [] (suspend_devices_and_enter+0x158/0x504) [ 553.520604] r4:00000000 r3:c1334efc [ 553.524250] [] (suspend_devices_and_enter) from [] (pm_suspend+0x234/0x2cc) [ 553.532961] r10:00561408 r9:ed6b7300 r8:00000004 r7:c1334eec r6:00000000 r5:c1334ee8 [ 553.540914] r4:00000003 [ 553.543493] [] (pm_suspend) from [] (state_store+0x6c/0xc0) [ 555.703684] 7 locks held by kworker/u2:13/826: [ 555.708140] #0: ("%s""ci_otg"){++++.+}, at: [] process_one_work+0x128/0x420 [ 555.716277] #1: ((&ci->work)){+.+.+.}, at: [] process_one_work+0x128/0x420 [ 555.724317] #2: (usb_bus_list_lock){+.+.+.}, at: [] usb_remove_hcd+0x98/0x1ac [ 555.732626] #3: (&dev->mutex){......}, at: [] usb_disconnect+0x48/0x224 [ 555.740403] #4: (&dev->mutex){......}, at: [] usb_disconnect+0x48/0x224 [ 555.748179] #5: (&dev->mutex){......}, at: [] device_release_driver+0x20/0x34 [ 555.756487] #6: (&shost->scan_mutex){+.+.+.}, at: [] scsi_remove_host+0x20/0x104 Cc: #v3.14+ Cc: Jun Li Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit 66333f910d64623fa9cc886c259d57e6d24863cd Author: Ilya Dryomov Date: Fri Feb 19 11:38:57 2016 +0100 libceph: use the right footer size when skipping a message [ Upstream commit dbc0d3caff5b7591e0cf8e34ca686ca6f4479ee1 ] ceph_msg_footer is 21 bytes long, while ceph_msg_footer_old is only 13. Don't skip too much when CEPH_FEATURE_MSG_AUTH isn't negotiated. Cc: stable@vger.kernel.org # 3.19+ Signed-off-by: Ilya Dryomov Reviewed-by: Alex Elder Signed-off-by: Sasha Levin commit 265570c9977908479db74fd07b710ec5d5c96e12 Author: Ilya Dryomov Date: Wed Feb 17 20:04:08 2016 +0100 libceph: don't bail early from try_read() when skipping a message [ Upstream commit e7a88e82fe380459b864e05b372638aeacb0f52d ] The contract between try_read() and try_write() is that when called each processes as much data as possible. When instructed by osd_client to skip a message, try_read() is violating this contract by returning after receiving and discarding a single message instead of checking for more. try_write() then gets a chance to write out more requests, generating more replies/skips for try_read() to handle, forcing the messenger into a starvation loop. Cc: stable@vger.kernel.org # 3.10+ Reported-by: Varada Kari Signed-off-by: Ilya Dryomov Tested-by: Varada Kari Reviewed-by: Alex Elder Signed-off-by: Sasha Levin commit 621a963c422618d1793d9245302766e87cdabb83 Author: Steven Rostedt (Red Hat) Date: Wed Feb 24 09:04:24 2016 -0500 tracing: Fix showing function event in available_events [ Upstream commit d045437a169f899dfb0f6f7ede24cc042543ced9 ] The ftrace:function event is only displayed for parsing the function tracer data. It is not used to enable function tracing, and does not include an "enable" file in its event directory. Originally, this event was kept separate from other events because it did not have a ->reg parameter. But perf added a "reg" parameter for its use which caused issues, because it made the event available to functions where it was not compatible for. Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable" added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event from being enabled by normal trace events. But this commit missed keeping the function event from being displayed by the "available_events" directory, which is used to show what events can be enabled by set_event. One documented way to enable all events is to: cat available_events > set_event But because the function event is displayed in the available_events, this now causes an INVALID error: cat: write error: Invalid argument Reported-by: Chunyu Hu Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable" Cc: stable@vger.kernel.org # 3.4+ Signed-off-by: Steven Rostedt Signed-off-by: Sasha Levin commit 56029ce94469d7e183e8241e214837ac92c8520b Author: Christian Borntraeger Date: Fri Feb 19 13:11:46 2016 +0100 KVM: async_pf: do not warn on page allocation failures [ Upstream commit d7444794a02ff655eda87e3cc54e86b940e7736f ] In async_pf we try to allocate with NOWAIT to get an element quickly or fail. This code also handle failures gracefully. Lets silence potential page allocation failures under load. qemu-system-s39: page allocation failure: order:0,mode:0x2200000 [...] Call Trace: ([<00000000001146b8>] show_trace+0xf8/0x148) [<000000000011476a>] show_stack+0x62/0xe8 [<00000000004a36b8>] dump_stack+0x70/0x98 [<0000000000272c3a>] warn_alloc_failed+0xd2/0x148 [<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38 [<00000000002cd36a>] new_slab+0x382/0x400 [<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378 [<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0 [<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198 [<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58 [<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690 [<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510 [<00000000002f68ec>] SyS_ioctl+0xa4/0xb8 [<0000000000781c5e>] system_call+0xd6/0x264 [<000003ffa24fa06a>] 0x3ffa24fa06a Cc: stable@vger.kernel.org Signed-off-by: Christian Borntraeger Reviewed-by: Dominik Dingel Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 0ccb848f62b5c9077cdeb903e324ca635806f804 Author: Paolo Bonzini Date: Wed Feb 10 17:50:23 2016 +0100 KVM: x86: fix missed hardware breakpoints [ Upstream commit 172b2386ed16a9143d9a456aae5ec87275c61489 ] Sometimes when setting a breakpoint a process doesn't stop on it. This is because the debug registers are not loaded correctly on VCPU load. The following simple reproducer from Oleg Nesterov tries using debug registers in two threads. To see the bug, run a 2-VCPU guest with "taskset -c 0" and run "./bp 0 1" inside the guest. #include #include #include #include #include #include #include #include #include #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER) unsigned long encode_dr7(int drnum, int enable, unsigned int type, unsigned int len) { unsigned long dr7; dr7 = ((len | type) & 0xf) << (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE); if (enable) dr7 |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE)); return dr7; } int write_dr(int pid, int dr, unsigned long val) { return ptrace(PTRACE_POKEUSER, pid, offsetof (struct user, u_debugreg[dr]), val); } void set_bp(pid_t pid, void *addr) { unsigned long dr7; assert(write_dr(pid, 0, (long)addr) == 0); dr7 = encode_dr7(0, 1, DR_RW_EXECUTE, DR_LEN_1); assert(write_dr(pid, 7, dr7) == 0); } void *get_rip(int pid) { return (void*)ptrace(PTRACE_PEEKUSER, pid, offsetof(struct user, regs.rip), 0); } void test(int nr) { void *bp_addr = &&label + nr, *bp_hit; int pid; printf("test bp %d\n", nr); assert(nr < 16); // see 16 asm nops below pid = fork(); if (!pid) { assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0); kill(getpid(), SIGSTOP); for (;;) { label: asm ( "nop; nop; nop; nop;" "nop; nop; nop; nop;" "nop; nop; nop; nop;" "nop; nop; nop; nop;" ); } } assert(pid == wait(NULL)); set_bp(pid, bp_addr); for (;;) { assert(ptrace(PTRACE_CONT, pid, 0, 0) == 0); assert(pid == wait(NULL)); bp_hit = get_rip(pid); if (bp_hit != bp_addr) fprintf(stderr, "ERR!! hit wrong bp %ld != %d\n", bp_hit - &&label, nr); } } int main(int argc, const char *argv[]) { while (--argc) { int nr = atoi(*++argv); if (!fork()) test(nr); } while (wait(NULL) > 0) ; return 0; } Cc: stable@vger.kernel.org Suggested-by: Nadav Amit Reported-by: Andrey Wagin Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit b29de09dab6c486a7cecdf4741632fa48d903428 Author: Mark Rutland Date: Tue Feb 16 14:47:31 2016 +0000 KVM: arm/arm64: vgic: Ensure bitmaps are long enough [ Upstream commit 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 ] When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of bits we need by 8 to figure out how many bytes to allocate. However, bitmap elements are always accessed as unsigned longs, and if we didn't happen to allocate a size such that size % sizeof(unsigned long) == 0, bitmap accesses may go past the end of the allocation. When using KASAN (which does byte-granular access checks), this results in a continuous stream of BUGs whenever these bitmaps are accessed: ============================================================================= BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730 INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080 INFO: Object 0xffffffc935769500 @offset=1280 fp=0x (null) Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G B 4.4.0+ #17 Hardware name: ARM Juno development board (r1) (DT) Call trace: [] dump_backtrace+0x0/0x280 [] show_stack+0x14/0x20 [] dump_stack+0x100/0x188 [] print_trailer+0xfc/0x168 [] object_err+0x3c/0x50 [] kasan_report_error+0x244/0x558 [] __asan_report_load8_noabort+0x48/0x50 [] __bitmap_or+0xc0/0xc8 [] kvm_vgic_flush_hwstate+0x1bc/0x650 [] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60 [] kvm_vcpu_ioctl+0x474/0xa68 [] do_vfs_ioctl+0x5b8/0xcb0 [] SyS_ioctl+0x8c/0xa0 [] el0_svc_naked+0x24/0x28 Memory state around the buggy address: ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Fix the issue by always allocating a multiple of sizeof(unsigned long), as we do elsewhere in the vgic code. Fixes: c1bfb577a ("arm/arm64: KVM: vgic: switch to dynamic allocation") Cc: stable@vger.kernel.org Acked-by: Marc Zyngier Acked-by: Christoffer Dall Signed-off-by: Mark Rutland Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 4ba9f8051f7fc263cc5915fd6c2ac6d9195418b4 Author: Stefan Hajnoczi Date: Thu Feb 18 18:55:54 2016 +0000 sunrpc/cache: fix off-by-one in qword_get() [ Upstream commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 ] The qword_get() function NUL-terminates its output buffer. If the input string is in hex format \xXXXX... and the same length as the output buffer, there is an off-by-one: int qword_get(char **bpp, char *dest, int bufsize) { ... while (len < bufsize) { ... *dest++ = (h << 4) | l; len++; } ... *dest = '\0'; return len; } This patch ensures the NUL terminator doesn't fall outside the output buffer. Signed-off-by: Stefan Hajnoczi Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit a7927a04ac273abc6e15ffe31120f95d1f49b023 Author: Alex Deucher Date: Fri Feb 19 18:05:10 2016 -0500 drm/radeon/pm: adjust display configuration after powerstate [ Upstream commit 39d4275058baf53e89203407bf3841ff2c74fa32 ] set_power_state defaults to no displays, so we need to update the display configuration after setting up the powerstate on the first call. In most cases this is not an issue since ends up getting called multiple times at any given modeset and the proper order is achieved in the display changed handling at the top of the function. Reviewed-by: Christian König Acked-by: Jordan Lazare Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 907c39407e1407d50768943367852c5abd5cde14 Author: Martin Schwidefsky Date: Fri Feb 19 14:44:14 2016 +0100 s390/compat: correct restore of high gprs on signal return [ Upstream commit 342300cc9cd3428bc6bfe5809bfcc1b9a0f06702 ] git commit 8070361799ae1e3f4ef347bd10f0a508ac10acfb "s390: add support for vector extension" broke 31-bit compat processes in regard to signal handling. The restore_sigregs_ext32() function is used to restore the additional elements from the user space signal frame. Among the additional elements are the upper registers halves for 64-bit register support for 31-bit processes. The copy_from_user that is used to retrieve the high-gprs array from the user stack uses an incorrect length, 8 bytes instead of 64 bytes. This causes incorrect upper register halves to get loaded. Cc: stable@vger.kernel.org # 3.8+ Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 82f8c49d31dc618d1508a2870595eab2f7d5cbbd Author: Mike Snitzer Date: Sun Feb 21 19:09:22 2016 -0500 dm: fix dm_rq_target_io leak on faults with .request_fn DM w/ blk-mq paths [ Upstream commit 4328daa2e79ed904a42ce00a9f38b9c36b44b21a ] Using request-based DM mpath configured with the following stacking (.request_fn DM mpath ontop of scsi-mq paths): echo Y > /sys/module/scsi_mod/parameters/use_blk_mq echo N > /sys/module/dm_mod/parameters/use_blk_mq 'struct dm_rq_target_io' would leak if a request is requeued before a blk-mq clone is allocated (or fails to allocate). free_rq_tio() wasn't being called. kmemleak reported: unreferenced object 0xffff8800b90b98c0 (size 112): comm "kworker/7:1H", pid 5692, jiffies 4295056109 (age 78.589s) hex dump (first 32 bytes): 00 d0 5c 2c 03 88 ff ff 40 00 bf 01 00 c9 ff ff ..\,....@....... e0 d9 b1 34 00 88 ff ff 00 00 00 00 00 00 00 00 ...4............ backtrace: [] kmemleak_alloc+0x4e/0xb0 [] kmem_cache_alloc+0xc3/0x1e0 [] mempool_alloc_slab+0x15/0x20 [] mempool_alloc+0x6e/0x170 [] dm_old_prep_fn+0x3c/0x180 [dm_mod] [] blk_peek_request+0x168/0x290 [] dm_request_fn+0xb2/0x1b0 [dm_mod] [] __blk_run_queue+0x33/0x40 [] blk_delay_work+0x25/0x40 [] process_one_work+0x14f/0x3d0 [] worker_thread+0x125/0x4b0 [] kthread+0xd8/0xf0 [] ret_from_fork+0x3f/0x70 [] 0xffffffffffffffff crash> struct -o dm_rq_target_io struct dm_rq_target_io { ... } SIZE: 112 Fixes: e5863d9ad7 ("dm: allocate requests in target when stacking on blk-mq devices") Cc: stable@vger.kernel.org # 4.0+ Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 0861e96600db2ecbd9659b3eafc292641e3ec69c Author: Gerhard Uttenthaler Date: Tue Dec 22 17:29:16 2015 +0100 can: ems_usb: Fix possible tx overflow [ Upstream commit 90cfde46586d2286488d8ed636929e936c0c9ab2 ] This patch fixes the problem that more CAN messages could be sent to the interface as could be send on the CAN bus. This was more likely for slow baud rates. The sleeping _start_xmit was woken up in the _write_bulk_callback. Under heavy TX load this produced another bulk transfer without checking the free_slots variable and hence caused the overflow in the interface. Signed-off-by: Gerhard Uttenthaler Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit cbd382759e953e56701202591e765e7e17957eef Author: Lisa Du Date: Wed Feb 17 09:32:52 2016 +0800 drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE [ Upstream commit 7a64cd887fdb97f074c3fda03bee0bfb9faceac3 ] There's one point was missed in the patch commit da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes."). When configure BINDER_IPC_32BIT, the size of binder_uintptr_t was 32bits, but size of void * is 64bit on 64bit system. Correct it here. Signed-off-by: Lisa Du Signed-off-by: Nicolas Boichat Fixes: da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes.") Cc: Acked-by: Olof Johansson Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e0a8bcb7cd5e71dfb3d8d5ed3e2db6d9a7c2b0df Author: Nishanth Menon Date: Fri Feb 19 18:09:51 2016 -0600 hwmon: (gpio-fan) Remove un-necessary speed_index lookup for thermal hook [ Upstream commit 000e0949148382c4962489593a2f05504c2a6771 ] Thermal hook gpio_fan_get_cur_state is only interested in knowing the current speed index that was setup in the system, this is already available as part of fan_data->speed_index which is always set by set_fan_speed. Using get_fan_speed_index is useful when we have no idea about the fan speed configuration (for example during fan_ctrl_init). When thermal framework invokes gpio_fan_get_cur_state=>get_fan_speed_index via gpio_fan_get_cur_state especially in a polled configuration for thermal governor, we basically hog the i2c interface to the extent that other functions fail to get any traffic out :(. Instead, just provide the last state set in the driver - since the gpio fan driver is responsible for the fan state immaterial of override, the fan_data->speed_index should accurately reflect the state. Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks") Reported-by: Tony Lindgren Cc: Guenter Roeck Cc: Eduardo Valentin Signed-off-by: Nishanth Menon Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 9077dc77a92526b028111db2943a26ff8e475d03 Author: Peter Rosin Date: Thu Feb 18 14:07:52 2016 +0100 hwmon: (ads1015) Handle negative conversion values correctly [ Upstream commit acc146943957d7418a6846f06e029b2c5e87e0d5 ] Make the divisor signed as DIV_ROUND_CLOSEST is undefined for negative dividends when the divisor is unsigned. Signed-off-by: Peter Rosin Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 5294fcf306de471172dd4a1ed7b35592fea858cd Author: Alexandra Yates Date: Wed Feb 17 19:36:20 2016 -0800 Adding Intel Lewisburg device IDs for SATA [ Upstream commit f5bdd66c705484b4bc77eb914be15c1b7881fae7 ] This patch complements the list of device IDs previously added for lewisburg sata. Signed-off-by: Alexandra Yates Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 2340493041d9a65fd16a3f356f0a0fda4e48934b Author: Alexandra Yates Date: Tue Nov 3 14:14:18 2015 -0800 ahci: add new Intel device IDs [ Upstream commit 56e74338a535cbcc2f2da08b1ea1a92920194364 ] Adding Intel codename Lewisburg platform device IDs for SATA. Signed-off-by: Alexandra Yates Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit 79151933d58376c5d7429047b397c6d59fad8968 Author: Alexandra Yates Date: Mon Nov 16 11:22:16 2015 -0500 ahci: Order SATA device IDs for codename Lewisburg [ Upstream commit 4d92f0099a06ef0e36c7673f7c090f1a448b2d1b ] This change was to preserve the ascending order of device IDs. There was an exception with the first two Lewisburg device IDs to keep all device IDs of the same kind grouped by code name. Signed-off-by: Alexandra Yates signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit 664a608ef37cf8f8bf155d865876314618686756 Author: Bjørn Mork Date: Fri Feb 12 16:40:00 2016 +0100 USB: option: add "4G LTE usb-modem U901" [ Upstream commit d061c1caa31d4d9792cfe48a2c6b309a0e01ef46 ] Thomas reports: T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=05c6 ProdID=6001 Rev=00.00 S: Manufacturer=USB Modem S: Product=USB Modem S: SerialNumber=1234567890ABCDEF C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage Cc: Reported-by: Thomas Schäfer Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit d15706c9c9d206bb2ad9c8a589da380daf1356aa Author: Ken Lin Date: Mon Feb 1 14:57:25 2016 -0500 USB: cp210x: add IDs for GE B650V3 and B850V3 boards [ Upstream commit 6627ae19385283b89356a199d7f03c75ba35fb29 ] Add USB ID for cp2104/5 devices on GE B650v3 and B850v3 boards. Signed-off-by: Ken Lin Signed-off-by: Akshay Bhat Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 619400280f304285af5ae99fe674f11ebf9e40cc Author: Andrey Skvortsov Date: Fri Jan 29 00:07:30 2016 +0300 USB: option: add support for SIM7100E [ Upstream commit 3158a8d416f4e1b79dcc867d67cb50013140772c ] $ lsusb: Bus 001 Device 101: ID 1e0e:9001 Qualcomm / Option $ usb-devices: T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=101 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 2 P: Vendor=1e0e ProdID=9001 Rev= 2.32 S: Manufacturer=SimTech, Incorporated S: Product=SimTech, Incorporated S: SerialNumber=0123456789ABCDEF C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) The last interface (6) is used for Android Composite ADB interface. Serial port layout: 0: QCDM/DIAG 1: NMEA 2: AT 3: AT/PPP 4: audio Signed-off-by: Andrey Skvortsov Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 038d8248fc62423b16810878f14d59070a0076cb Author: Benjamin Coddington Date: Wed Feb 17 10:41:41 2016 -0500 NFSv4: Fix a dentry leak on alias use [ Upstream commit d9dfd8d741683347ee159d25f5b50c346a0df557 ] In the case where d_add_unique() finds an appropriate alias to use it will have already incremented the reference count. An additional dget() to swap the open context's dentry is unnecessary and will leak a reference. Signed-off-by: Benjamin Coddington Fixes: 275bb307865a3 ("NFSv4: Move dentry instantiation into the NFSv4-...") Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 40b43e3cc942d3149c4a6ef4692703ee64e8ba62 Author: John Youn Date: Tue Feb 16 20:10:53 2016 -0800 usb: dwc3: Fix assignment of EP transfer resources [ Upstream commit c450960187f45d4260db87c7dd4fc0bceb5565d8 ] The assignement of EP transfer resources was not handled properly in the dwc3 driver. Commit aebda6187181 ("usb: dwc3: Reset the transfer resource index on SET_INTERFACE") previously fixed one aspect of this where resources may be exhausted with multiple calls to SET_INTERFACE. However, it introduced an issue where composite devices with multiple interfaces can be assigned the same transfer resources for different endpoints. This patch solves both issues. The assignment of transfer resources cannot perfectly follow the data book due to the fact that the controller driver does not have all knowledge of the configuration in advance. It is given this information piecemeal by the composite gadget framework after every SET_CONFIGURATION and SET_INTERFACE. Trying to follow the databook programming model in this scenario can cause errors. For two reasons: 1) The databook says to do DEPSTARTCFG for every SET_CONFIGURATION and SET_INTERFACE (8.1.5). This is incorrect in the scenario of multiple interfaces. 2) The databook does not mention doing more DEPXFERCFG for new endpoint on alt setting (8.1.6). The following simplified method is used instead: All hardware endpoints can be assigned a transfer resource and this setting will stay persistent until either a core reset or hibernation. So whenever we do a DEPSTARTCFG(0) we can go ahead and do DEPXFERCFG for every hardware endpoint as well. We are guaranteed that there are as many transfer resources as endpoints. This patch triggers off of the calling dwc3_gadget_start_config() for EP0-out, which always happens first, and which should only happen in one of the above conditions. Fixes: aebda6187181 ("usb: dwc3: Reset the transfer resource index on SET_INTERFACE") Cc: # v3.2+ Reported-by: Ravi Babu Signed-off-by: John Youn Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit f0b73a580df467705a7a316daf03a0ecdac1ec8c Author: Hans Verkuil Date: Wed Feb 10 08:09:10 2016 -0200 [media] adv7604: fix tx 5v detect regression [ Upstream commit 0ba4581c84cfb39fd527f6b3457f1c97f6356c04 ] The 5 volt detect functionality broke in 3.14: the code reads IO register 0x70 again after it has already been cleared. Instead it should use the cached irq_reg_0x70 value and the io_write to 0x71 to clear 0x70 can be dropped since this has already been done. Signed-off-by: Hans Verkuil Cc: # for v3.14 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9a30ae51a5bb55570004afba8016611cff882cb2 Author: Konrad Rzeszutek Wilk Date: Thu Feb 11 16:10:26 2016 -0500 xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted. [ Upstream commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e ] Occasionaly PV guests would crash with: pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16 BUG: unable to handle kernel paging request at 0000000d1a8c0be0 .. snip.. ] find_next_bit+0xb/0x10 [] cpumask_next_and+0x22/0x40 [] pci_device_probe+0xb8/0x120 [] ? driver_sysfs_add+0x77/0xa0 [] driver_probe_device+0x1a4/0x2d0 [] ? pci_match_device+0xdd/0x110 [] __device_attach_driver+0xa7/0xb0 [] ? __driver_attach+0xa0/0xa0 [] bus_for_each_drv+0x62/0x90 [] __device_attach+0xbd/0x110 [] device_attach+0xb/0x10 [] pci_bus_add_device+0x3c/0x70 [] pci_bus_add_devices+0x38/0x80 [] pcifront_scan_root+0x13e/0x1a0 [] pcifront_backend_changed+0x262/0x60b [] ? xenbus_gather+0xd6/0x160 [] ? put_object+0x2f/0x50 [] xenbus_otherend_changed+0x9d/0xa0 [] backend_changed+0xe/0x10 [] xenwatch_thread+0xc8/0x190 [] ? woken_wake_function+0x10/0x10 which was the result of two things: When we call pci_scan_root_bus we would pass in 'sd' (sysdata) pointer which was an 'pcifront_sd' structure. However in the pci_device_add it expects that the 'sd' is 'struct sysdata' and sets the dev->node to what is in sd->node (offset 4): set_dev_node(&dev->dev, pcibus_to_node(bus)); __pcibus_to_node(const struct pci_bus *bus) { const struct pci_sysdata *sd = bus->sysdata; return sd->node; } However our structure was pcifront_sd which had nothing at that offset: struct pcifront_sd { int domain; /* 0 4 */ /* XXX 4 bytes hole, try to pack */ struct pcifront_device * pdev; /* 8 8 */ } That is an hole - filled with garbage as we used kmalloc instead of kzalloc (the second problem). This patch fixes the issue by: 1) Use kzalloc to initialize to a well known state. 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That way access to the 'node' will access the right offset. Signed-off-by: Konrad Rzeszutek Wilk Cc: Reviewed-by: Boris Ostrovsky Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit a7b4133de42f7eb7a926e1a5a1aaf0c1e7bfad12 Author: Konrad Rzeszutek Wilk Date: Thu Feb 11 16:10:23 2016 -0500 xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY [ Upstream commit d52a24819677bbb45eb1ce93a42daa1ae6c4d61d ] commit 8d47065f7d1980dde52abb874b301054f3013602 upstream. Commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 (xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling MSI-X on passed-through virtual functions, because it checked the VF for PCI_COMMAND_MEMORY but this is not a valid bit for VFs. Instead, check the physical function for PCI_COMMAND_MEMORY. Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: Jan Beulich Signed-off-by: David Vrabel Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fda3e3e7b638f742149fb32aa9b691413bb91f41 Author: Konrad Rzeszutek Wilk Date: Mon Nov 2 18:13:27 2015 -0500 xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set. [ Upstream commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 ] commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way") teaches us that dealing with MSI-X can be troublesome. Further checks in the MSI-X architecture shows that if the PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we may not be able to access the BAR (since they are memory regions). Since the MSI-X tables are located in there.. that can lead to us causing PCIe errors. Inhibit us performing any operation on the MSI-X unless the MEMORY bit is set. Note that Xen hypervisor with: "x86/MSI-X: access MSI-X table only after having enabled MSI-X" will return: xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3! When the generic MSI code tries to setup the PIRQ without MEMORY bit set. Which means with later versions of Xen (4.6) this patch is not neccessary. This is part of XSA-157 CC: stable@vger.kernel.org Reviewed-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Sasha Levin commit a6c762381cc34ff6df5f75afa46e7f153116cf78 Author: Konrad Rzeszutek Wilk Date: Mon Nov 2 18:07:44 2015 -0500 xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled [ Upstream commit 5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 ] The guest sequence of: a) XEN_PCI_OP_enable_msix b) XEN_PCI_OP_enable_msix results in hitting an NULL pointer due to using freed pointers. The device passed in the guest MUST have MSI-X capability. The a) constructs and SysFS representation of MSI and MSI groups. The b) adds a second set of them but adding in to SysFS fails (duplicate entry). 'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that in a) pdev->msi_irq_groups is still set) and also free's ALL of the MSI-X entries of the device (the ones allocated in step a) and b)). The unwind code: 'free_msi_irqs' deletes all the entries and tries to delete the pdev->msi_irq_groups (which hasn't been set to NULL). However the pointers in the SysFS are already freed and we hit an NULL pointer further on when 'strlen' is attempted on a freed pointer. The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard against that. The check for msi_enabled is not stricly neccessary. This is part of XSA-157 CC: stable@vger.kernel.org Reviewed-by: David Vrabel Reviewed-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Sasha Levin commit 05584b5815ecb05a6b8f394eef566781eb66b821 Author: Konrad Rzeszutek Wilk Date: Thu Feb 11 16:10:24 2016 -0500 xen/pciback: Save the number of MSI-X entries to be copied later. [ Upstream commit 4cf5aa2ffe17403385d75a5b1d9d97071500ea18 ] commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream. Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save xen_pci_op commands before processing it) broke enabling MSI-X because it would never copy the resulting vectors into the response. The number of vectors requested was being overwritten by the return value (typically zero for success). Save the number of vectors before processing the op, so the correct number of vectors are copied afterwards. Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: Jan Beulich Signed-off-by: David Vrabel Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b0a4f565b1dba16cb98842d3129fa0f57445b044 Author: Konrad Rzeszutek Wilk Date: Mon Nov 16 12:40:48 2015 -0500 xen/pciback: Save xen_pci_op commands before processing it [ Upstream commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 ] Double fetch vulnerabilities that happen when a variable is fetched twice from shared memory but a security check is only performed the first time. The xen_pcibk_do_op function performs a switch statements on the op->cmd value which is stored in shared memory. Interestingly this can result in a double fetch vulnerability depending on the performed compiler optimization. This patch fixes it by saving the xen_pci_op command before processing it. We also use 'barrier' to make sure that the compiler does not perform any optimization. This is part of XSA155. CC: stable@vger.kernel.org Reviewed-by: Konrad Rzeszutek Wilk Signed-off-by: Jan Beulich Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Sasha Levin commit 18ddf12c2de57556909778af1ab31177bf53d5cb Author: Sasha Levin Date: Mon Mar 7 12:23:04 2016 -0500 iwlwifi: mvm: don't allow sched scans without matches to be started [ Upstream commit 5e56276e7555b34550d51459a801ff75eca8b907 ] The firmware can perform a scheduled scan with not matchsets passed, but it can't send notification that results were found. Since the userspace then cannot know when we got new results and the firmware wouldn't trigger a wake in case we are sleeping, it's better not to allow scans without matchsets. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=110831 Cc: [3.17+] Signed-off-by: Luca Coelho Signed-off-by: Emmanuel Grumbach [SL: Backport to 4.1] Signed-off-by: Sasha Levin commit 891985fa8e08d0c625ee71096fc3d10350eb051b Author: Arnd Bergmann Date: Thu Feb 11 14:16:27 2016 +0100 libata: fix HDIO_GET_32BIT ioctl [ Upstream commit 287e6611ab1eac76c2c5ebf6e345e04c80ca9c61 ] As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not work correctly in compat mode with libata. I have investigated the issue further and found multiple problems that all appeared with the same commit that originally introduced HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy a 'long' variable containing either 0 or 1 to user space. The problems with this are: * On big-endian machines, this will always write a zero because it stores the wrong byte into user space. * In compat mode, the upper three bytes of the variable are updated by the compat_hdio_ioctl() function, but they now contain uninitialized stack data. * The hdparm tool calling this ioctl uses a 'static long' variable to store the result. This means at least the upper bytes are initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT would fill them with data that remains stale when the low byte is overwritten. Fortunately libata doesn't implement any of the affected ioctl commands, so this would only happen when we query both an IDE and an ATA device in the same command such as "hdparm -N -c /dev/hda /dev/sda" * The libata code for unknown reasons started using ATA_IOC_GET_IO32 and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT, while the ioctl commands that were added later use the normal HDIO_* names. This is harmless but rather confusing. This addresses all four issues by changing the code to use put_user() on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem does, and by clarifying the names of the ioctl commands. Signed-off-by: Arnd Bergmann Reported-by: Soohoon Lee Tested-by: Soohoon Lee Cc: stable@vger.kernel.org Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit 64ecdd296041c4eb9522c7cebed877c47d92a278 Author: Christoph Hellwig Date: Mon Feb 8 21:11:50 2016 +0100 nfs: fix nfs_size_to_loff_t [ Upstream commit 50ab8ec74a153eb30db26529088bc57dd700b24c ] See http: //www.infradead.org/rpr.html X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org Content-Transfer-Encoding: 8bit Mime-Version: 1.0 We support OFFSET_MAX just fine, so don't round down below it. Also switch to using min_t to make the helper more readable. Signed-off-by: Christoph Hellwig Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()") Cc: stable@vger.kernel.org # 2.6.23+ Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 86708275f1c1ba89c2d1ef7cd4a1c66a10b35b45 Author: Juergen Gross Date: Mon Feb 8 15:30:18 2016 +0100 xen/scsiback: correct frontend counting [ Upstream commit f285aa8db7cc4432c1a03f8b55ff34fe96317c11 ] When adding a new frontend to xen-scsiback don't decrement the number of active frontends in case of no error. Doing so results in a failure when trying to remove the xen-pvscsi nexus even if no domain is using it. Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Cc: stable@vger.kernel.org Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit eef85746c932a90df78492598c501315c7e0c5c1 Author: David Ahern Date: Fri Jun 5 13:42:53 2015 -0400 perf tools: Update MANIFEST per files removed from kernel [ Upstream commit c8ad7063626406181a7ebab10cb31b4f741b13d4 ] Building perf out of kernel tree is currently broken because the MANIFEST file refers to kernel files that have been removed. With this patch make perf-targz-src-pkg succeeds as does building perf using the generated tarfile. Signed-off-by: David Ahern Link: http://lkml.kernel.org/r/1433526173-172332-1-git-send-email-david.ahern@oracle.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit e94991ebb5b4d95735731683770cde961cdf9cb4 Author: Nicholas Bellinger Date: Sun Mar 6 01:24:29 2016 +0000 target: Fix linux-4.1.y specific compile warning The linux-4.1.y specific patch to fix a previous v4.1 UNIT_ATTENTION read-copy-update conversion regression: commit 35afa65642a9a88c81913377b93a3a66220f8b9d Author: Nicholas Bellinger Date: Wed Sep 23 07:49:26 2015 +0000 target: Fix v4.1 UNIT_ATTENTION se_node_acl->device_list[] NULL pointer introduced the following compile warning: drivers/target/target_core_pr.c: In function ‘core_scsi3_pr_seq_non_holder’: drivers/target/target_core_pr.c:332:3: warning: ‘return’ with no value, in function returning non-void [-Wreturn-type] Go ahead and fix this up to always returning zero when no ACL device list exists within core_scsi3_pr_seq_non_holder(). Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 4aa04a257993e90d573a5dbfa4d3f3259e3f8ba1 Author: Nicholas Bellinger Date: Sun Mar 6 01:24:28 2016 +0000 target: Fix race with SCF_SEND_DELAYED_TAS handling commit 310d3d314be7f0a84011ebdc4bdccbcae9755a87 upstream. This patch fixes a race between setting of SCF_SEND_DELAYED_TAS in transport_send_task_abort(), and check of the same bit in transport_check_aborted_status(). It adds a __transport_check_aborted_status() version that is used by target_execute_cmd() when se_cmd->t_state_lock is held, and a transport_check_aborted_status() wrapper for all other existing callers. Also, it handles the case where the check happens before transport_send_task_abort() gets called. For this, go ahead and set SCF_SEND_DELAYED_TAS early when necessary, and have transport_send_task_abort() send the abort. Cc: Quinn Tran Cc: Himanshu Madhani Cc: Sagi Grimberg Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Andy Grover Cc: Mike Christie Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 08367c9e8f0337b0fea23acb459fb4bc40cb7be7 Author: Nicholas Bellinger Date: Sun Mar 6 01:24:27 2016 +0000 target: Fix remote-port TMR ABORT + se_cmd fabric stop commit 0f4a943168f31d29a1701908931acaba518b131a upstream. To address the bug where fabric driver level shutdown of se_cmd occurs at the same time when TMR CMD_T_ABORTED is happening resulting in a -1 ->cmd_kref, this patch adds a CMD_T_FABRIC_STOP bit that is used to determine when TMR + driver I_T nexus shutdown is happening concurrently. It changes target_sess_cmd_list_set_waiting() to obtain se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local reference in target_wait_for_sess_cmds() and invoke extra target_put_sess_cmd() during Task Aborted Status (TAS) when necessary. Also, it adds a new target_wait_free_cmd() wrapper around transport_wait_for_tasks() for the special case within transport_generic_free_cmd() to set CMD_T_FABRIC_STOP, and is now aware of CMD_T_ABORTED + CMD_T_TAS status bits to know when an extra transport_put_cmd() during TAS is required. Note transport_generic_free_cmd() is expected to block on cmd->cmd_wait_comp in order to follow what iscsi-target expects during iscsi_conn context se_cmd shutdown. Cc: Quinn Tran Cc: Himanshu Madhani Cc: Sagi Grimberg Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Andy Grover Cc: Mike Christie Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 29190c778c5d98b03a9bedf03b5d6771aa140e0c Author: Nicholas Bellinger Date: Sun Mar 6 01:24:26 2016 +0000 target: Fix TAS handling for multi-session se_node_acls commit ebde1ca5a908b10312db4ecd7553e3ba039319ab upstream. This patch fixes a bug in TMR task aborted status (TAS) handling when multiple sessions are connected to the same target WWPN endpoint and se_node_acl descriptor, resulting in TASK_ABORTED status to not be generated for aborted se_cmds on the remote port. This is due to core_tmr_handle_tas_abort() incorrectly comparing se_node_acl instead of se_session, for which the multi-session case is expected to be sharing the same se_node_acl. Instead, go ahead and update core_tmr_handle_tas_abort() to compare tmr_sess + cmd->se_sess in order to determine if the LUN_RESET was received on a different I_T nexus, and TASK_ABORTED status response needs to be generated. Reviewed-by: Christoph Hellwig Cc: Quinn Tran Cc: Himanshu Madhani Cc: Sagi Grimberg Cc: Hannes Reinecke Cc: Andy Grover Cc: Mike Christie Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 3286a2fea80a6ee53eadb95fdd900e3e81b0fbce Author: Nicholas Bellinger Date: Sun Mar 6 01:24:25 2016 +0000 target: Fix LUN_RESET active I/O handling for ACK_KREF commit febe562c20dfa8f33bee7d419c6b517986a5aa33 upstream. This patch fixes a NULL pointer se_cmd->cmd_kref < 0 refcount bug during TMR LUN_RESET with active se_cmd I/O, that can be triggered during se_cmd descriptor shutdown + release via core_tmr_drain_state_list() code. To address this bug, add common __target_check_io_state() helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE checking, and set CMD_T_ABORTED + obtain ->cmd_kref for both cases ahead of last target_put_sess_cmd() after TFO->aborted_task() -> transport_cmd_finish_abort() callback has completed. It also introduces SCF_ACK_KREF to determine when transport_cmd_finish_abort() needs to drop the second extra reference, ahead of calling target_put_sess_cmd() for the final kref_put(&se_cmd->cmd_kref). It also updates transport_cmd_check_stop() to avoid holding se_cmd->t_state_lock while dropping se_cmd device state via target_remove_from_state_list(), now that core_tmr_drain_state_list() is holding the se_device lock while checking se_cmd state from within TMR logic. Finally, move transport_put_cmd() release of SGL + TMR + extended CDB memory into target_free_cmd_mem() in order to avoid potential resource leaks in TMR ABORT_TASK + LUN_RESET code-paths. Also update target_release_cmd_kref() accordingly. Reviewed-by: Quinn Tran Cc: Himanshu Madhani Cc: Sagi Grimberg Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Andy Grover Cc: Mike Christie Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 7a2903243093459623817fa1b25a63c5d4c60f85 Author: Jan Engelhardt Date: Sun Mar 6 01:24:24 2016 +0000 target: fix COMPARE_AND_WRITE non zero SGL offset data corruption [ Upstream commit d94e5a61357a04938ce14d6033b4d33a3c5fd780 ] target_core_sbc's compare_and_write functionality suffers from taking data at the wrong memory location when writing a CAW request to disk when a SGL offset is non-zero. This can happen with loopback and vhost-scsi fabric drivers when SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is used to map existing user-space SGL memory into COMPARE_AND_WRITE READ/WRITE payload buffers. Given the following sample LIO subtopology, % targetcli ls /loopback/ o- loopback ................................. [1 Target] o- naa.6001405ebb8df14a ....... [naa.60014059143ed2b3] o- luns ................................... [2 LUNs] o- lun0 ................ [iblock/ram0 (/dev/ram0)] o- lun1 ................ [iblock/ram1 (/dev/ram1)] % lsscsi -g [3:0:1:0] disk LIO-ORG IBLOCK 4.0 /dev/sdc /dev/sg3 [3:0:1:1] disk LIO-ORG IBLOCK 4.0 /dev/sdd /dev/sg4 the following bug can be observed in Linux 4.3 and 4.4~rc1: % perl -e 'print chr$_ for 0..255,reverse 0..255' >rand % perl -e 'print "\0" x 512' >zero % cat rand >/dev/sdd % sg_compare_and_write -i rand -D zero --lba 0 /dev/sdd % sg_compare_and_write -i zero -D rand --lba 0 /dev/sdd Miscompare reported % hexdump -Cn 512 /dev/sdd 00000000 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 * 00000200 Rather than writing all-zeroes as instructed with the -D file, it corrupts the data in the sector by splicing some of the original bytes in. The page of the first entry of cmd->t_data_sg includes the CDB, and sg->offset is set to a position past the CDB. I presume that sg->offset is also the right choice to use for subsequent sglist members. Signed-off-by: Jan Engelhardt Tested-by: Douglas Gilbert Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 5dd73bb38031a5d8f81bf7d9b4f10135ab950f64 Author: Nicholas Bellinger Date: Sun Mar 6 01:24:23 2016 +0000 target: Fix race for SCF_COMPARE_AND_WRITE_POST checking [ Upstream commit 057085e522f8bf94c2e691a5b76880f68060f8ba ] This patch addresses a race + use after free where the first stage of COMPARE_AND_WRITE in compare_and_write_callback() is rescheduled after the backend sends the secondary WRITE, resulting in second stage compare_and_write_post() callback completing in target_complete_ok_work() before the first can return. Because current code depends on checking se_cmd->se_cmd_flags after return from se_cmd->transport_complete_callback(), this results in first stage having SCF_COMPARE_AND_WRITE_POST set, which incorrectly falls through into second stage CAW processing code, eventually triggering a NULL pointer dereference due to use after free. To address this bug, pass in a new *post_ret parameter into se_cmd->transport_complete_callback(), and depend upon this value instead of ->se_cmd_flags to determine when to return or fall through into ->queue_status() code for CAW. Cc: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 4b4bc57ac1c2fd740f39e5849d45b9bcf6fbaf8b Author: Nicholas Bellinger Date: Sun Mar 6 01:24:22 2016 +0000 iscsi-target: Fix rx_login_comp hang after login failure [ Upstream commit ca82c2bded29b38d36140bfa1e76a7bbfcade390 ] This patch addresses a case where iscsi_target_do_tx_login_io() fails sending the last login response PDU, after the RX/TX threads have already been started. The case centers around iscsi_target_rx_thread() not invoking allow_signal(SIGINT) before the send_sig(SIGINT, ...) occurs from the failure path, resulting in RX thread hanging indefinately on iscsi_conn->rx_login_comp. Note this bug is a regression introduced by: commit e54198657b65625085834847ab6271087323ffea Author: Nicholas Bellinger Date: Wed Jul 22 23:14:19 2015 -0700 iscsi-target: Fix iscsit_start_kthreads failure OOPs To address this bug, complete ->rx_login_complete for good measure in the failure path, and immediately return from RX thread context if connection state did not actually reach full feature phase (TARG_CONN_STATE_LOGGED_IN). Cc: Sagi Grimberg Cc: # v3.10+ Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin