commit 8097be3bc58315b14498000585299e3c06fb13ce Author: Jiri Slaby Date: Mon Jun 30 13:49:32 2014 +0200 Linux 3.12.24 commit 0af3f13634228f13b0298551326a51b89d95a7e4 Author: Jie Liu Date: Wed Nov 20 16:08:53 2013 +0800 xfs: don't perform discard if the given range length is less than block size commit f9fd0135610084abef6867d984e9951c3099950d upstream. For a discard operation, we should return EINVAL if the given range length is less than a block size, otherwise it will go through the file system to discard data blocks as the end range might be evaluated to -1, e.g., /xfs7: 9811378176 bytes were trimmed This issue can be triggered via xfstests/generic/288. Also, getting the request queue pointer via bdev_get_queue() instead of a hard-coded pointer dereference seems like a good idea. Signed-off-by: Jie Liu Reviewed-by: Christoph Hellwig Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit f7009499bc593c23ec4fe9525f4e545ad0c16691 Author: Dave Chinner Date: Tue Oct 29 22:11:44 2013 +1100 xfs: xfs_remove deadlocks due to inverted AGF vs AGI lock ordering commit 273203699f82667296e1f14344c5a5a6c4600470 upstream. Removing an inode from the namespace involves removing the directory entry and dropping the link count on the inode. Removing the directory entry can result in locking an AGF (directory blocks were freed) and removing a link count can result in placing the inode on an unlinked list which results in locking an AGI. The big problem here is that we have an ordering constraint on AGF and AGI locking - inode allocation locks the AGI, then can allocate a new extent for new inodes, locking the AGF after the AGI. Similarly, freeing the inode removes the inode from the unlinked list, requiring that we lock the AGI first, and then freeing the inode can result in an inode chunk being freed and hence freeing disk space requiring that we lock an AGF. Hence the ordering that is imposed by other parts of the code is AGI before AGF. This means we cannot remove the directory entry before we drop the inode reference count and put it on the unlinked list as this results in a lock order of AGF then AGI, and this can deadlock against inode allocation and freeing. Therefore we must drop the link counts before we remove the directory entry. This is still safe from a transactional point of view - it is not until we get to xfs_bmap_finish() that we have the possibility of multiple transactions in this operation. Hence as long as we remove the directory entry and drop the link count in the first transaction of the remove operation, there are no transactional constraints on the ordering here. Change the ordering of the operations in the xfs_remove() function to align the ordering of AGI and AGF locking to match that of the rest of the code. Signed-off-by: Dave Chinner Reviewed-by: Ben Myers Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 67820ad00235119639737a7a4bcf4e526de43d54 Author: Jie Liu Date: Fri Oct 25 14:52:44 2013 +0800 xfs: fix the extent count when allocating a new indirection array entry commit bb86d21cba22a045b09d11b71decf5ca7c3d5def upstream. At xfs_iext_add(), if extent(s) are being appended to the last page in the indirection array and the new extent(s) don't fit in the page, the number of extents (erp->er_extcount) in a newly allocated entry should be the minimum value between count and XFS_LINEAR_EXTS, instead of count. For now, there is no existing test case that demonstrates a problem with er_extcount being set incorrectly here, but it obviously looks like a bug.
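The clamp the message above calls for can be illustrated with a small standalone sketch (this is not the actual xfs_iext_add() code; XFS_LINEAR_EXTS is the real limit named in the message, but the stand-in value below is invented for the demo):

    #include <stdio.h>

    /* Stand-in for XFS_LINEAR_EXTS, the per-entry record limit named in
     * the commit message above; the value 16 is made up for this demo. */
    #define DEMO_LINEAR_EXTS 16

    /* A newly allocated indirection entry can hold at most
     * DEMO_LINEAR_EXTS records, so its extent count must be clamped to
     * that limit rather than taking the raw request count. */
    static int demo_new_entry_extcount(int count)
    {
            return count < DEMO_LINEAR_EXTS ? count : DEMO_LINEAR_EXTS;
    }

    int main(void)
    {
            printf("count=40 -> er_extcount=%d\n", demo_new_entry_extcount(40));
            printf("count=5  -> er_extcount=%d\n", demo_new_entry_extcount(5));
            return 0;
    }

The point is simply that a freshly allocated entry records min(count, limit), never the raw count.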
Signed-off-by: Jie Liu Reviewed-by: Ben Myers Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 9af76725ffcc8517643fd07d379f4a1232f6ae92 Author: Geyslan G. Bem Date: Wed Oct 30 16:01:00 2013 -0500 xfs: fix possible NULL dereference in xlog_verify_iclog commit 643f7c4e5656bd18c769211f933190f7bb738245 upstream. In xlog_verify_iclog a debug check of the incore log buffers prints an error if icptr is null and then goes on to dereference the pointer regardless. Convert this to an assert so that the intention is clear. This was reported by Coverity. Signed-off-by: Ben Myers Reviewed-by: Eric Sandeen Signed-off-by: Jiri Slaby commit 710246604e1d8b6be253d056c922bdf7f57cc243 Author: Dave Chinner Date: Tue Oct 29 22:11:57 2013 +1100 xfs: prevent stack overflows from page cache allocation commit ad22c7a043c2cc6792820e6c5da699935933e87d upstream. Page cache allocation doesn't always go through ->write_begin and hence we don't always get the opportunity to set the allocation context to GFP_NOFS. Failing to do this means we open up the direct reclaim stack to recurse into the filesystem and consume a significant amount of stack. On RHEL6.4 kernels we are seeing ra_submit() and generic_file_splice_read() from an nfsd context recursing into the filesystem via the inode cache shrinker and evicting inodes. This is causing truncation to be run (e.g. EOF block freeing) and causing bmap btree block merges and free space btree block splits to occur. These btree manipulations are occurring with the call chain already 30 functions deep and hence there is not enough stack space to complete such operations. To avoid these specific overruns, we need to prevent the page cache allocation from recursing via direct reclaim. We can do that because the allocation functions take the allocation context from that which is stored in the mapping for the inode. We don't set that right now, so the default is GFP_HIGHUSER_MOVABLE, which is effectively a GFP_KERNEL context. We need it to be the equivalent of GFP_NOFS, so when we initialise an inode, set the mapping gfp mask appropriately. This makes the use of AOP_FLAG_NOFS redundant from other parts of the XFS IO path, so get rid of it. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit e465c9574dc68d85ec16663b062c93763a6435e4 Author: Eric Sandeen Date: Fri Oct 11 14:14:05 2013 -0500 xfs: don't break from growfs ag update loop on error commit 59e5a0e821d838854b3afd030d31f82cee3ecd58 upstream. When xfs_growfs_data_private() is updating backup superblocks, it bails out on the first error encountered, whether reading or writing: * If we get an error writing out the alternate superblocks, * just issue a warning and continue. The real work is * already done and committed. This can cause a problem later during repair, because repair looks at all superblocks, and picks the most prevalent one as correct. If we bail out early in the backup superblock loop, we can end up with more "bad" matching superblocks than good, and a post-growfs repair may revert the filesystem to the old geometry. With the combination of superblock verifiers and old bugs, we're more likely to encounter read errors due to verification. And perhaps even worse, we don't even properly write any of the newly-added superblocks in the new AGs.
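The shape of the fix named in the subject line - record the error but keep updating the remaining backup superblocks - can be sketched standalone (an illustrative stand-in, not the xfs_growfs_data_private() code; the helper name and error value are invented for the demo):

    #include <stdio.h>

    /* Pretend update of one backup superblock; fails for one AG. */
    static int demo_update_backup_sb(int ag)
    {
            return (ag == 2) ? -5 /* stand-in for -EIO */ : 0;
    }

    int main(void)
    {
            int ag, err, saved_error = 0;

            for (ag = 1; ag < 6; ag++) {
                    err = demo_update_backup_sb(ag);
                    if (err && !saved_error)
                            saved_error = err;  /* remember it, but don't stop */
            }

            printf("first error seen: %d\n", saved_error);
            return saved_error ? 1 : 0;
    }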
Even with this change, growfs will still say: xfs_growfs: XFS_IOC_FSGROWFSDATA xfsctl failed: Structure needs cleaning data blocks changed from 319815680 to 335216640 which might be confusing to the user, but it at least communicates that something has gone wrong, and dmesg will probably highlight the need for an xfs_repair. And this is still best-effort; if verifiers fail on more than half the backup supers, they may still "win" - but that's probably best left to repair to more gracefully handle by doing its own strict verification as part of the backup super "voting." Signed-off-by: Eric Sandeen Acked-by: Dave Chinner Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 22a16208d5e73c9b84629790c28df0df4183bba4 Author: Eric Sandeen Date: Fri Oct 11 14:12:31 2013 -0500 xfs: don't emit corruption noise on fs probes commit 31625f28ad7be67701dc4cefcf52087addd88af4 upstream. If we get EWRONGFS due to probing of non-xfs filesystems, there's no need to issue the scary corruption error and backtrace. Signed-off-by: Eric Sandeen Reviewed-by: Mark Tinguely Reviewed-by: Christoph Hellwig Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 192fedc5d3840a89a2d31f0f9cb7195f52a11b9d Author: Dave Chinner Date: Tue Oct 15 09:17:49 2013 +1100 xfs: prevent deadlock trying to cover an active log commit 2c6e24ce1aa6b3b147c75d488c2797ee258eb22b upstream. Recent analysis of a deadlocked XFS filesystem from a kernel crash dump indicated that the filesystem was stuck waiting for log space. The short story of the hang on the RHEL6 kernel is this: - the tail of the log is pinned by an inode - the inode has been pushed by the xfsaild - the inode has been flushed to it's backing buffer and is currently flush locked and hence waiting for backing buffer IO to complete and remove it from the AIL - the backing buffer is marked for write - it is on the delayed write queue - the inode buffer has been modified directly and logged recently due to unlinked inode list modification - the backing buffer is pinned in memory as it is in the active CIL context. - the xfsbufd won't start buffer writeback because it is pinned - xfssyncd won't force the log because it sees the log as needing to be covered and hence wants to issue a dummy transaction to move the log covering state machine along. Hence there is no trigger to force the CIL to the log and hence unpin the inode buffer and therefore complete the inode IO, remove it from the AIL and hence move the tail of the log along, allowing transactions to start again. Mainline kernels also have the same deadlock, though the signature is slightly different - the inode buffer never reaches the delayed write lists because xfs_buf_item_push() sees that it is pinned and hence never adds it to the delayed write list that the xfsaild flushes. There are two possible solutions here. The first is to simply force the log before trying to cover the log and so ensure that the CIL is emptied before we try to reserve space for the dummy transaction in the xfs_log_worker(). While this might work most of the time, it is still racy and is no guarantee that we don't get stuck in xfs_trans_reserve waiting for log space to come free. Hence it's not the best way to solve the problem. The second solution is to modify xfs_log_need_covered() to be aware of the CIL. We only should be attempting to cover the log if there is no current activity in the log - covering the log is the process of ensuring that the head and tail in the log on disk are identical (i.e. 
the log is clean and at idle). Hence, by definition, if there are items in the CIL then the log is not at idle and so we don't need to attempt to cover it. When we don't need to cover the log because it is active or idle, we issue a log force from xfs_log_worker() - if the log is idle, then this does nothing. However, if the log is active due to there being items in the CIL, it will force the items in the CIL to the log and unpin them. In the case of the above deadlock scenario, instead of xfs_log_worker() getting stuck in xfs_trans_reserve() attempting to cover the log, it will instead force the log, thereby unpinning the inode buffer, allowing IO to be issued and complete and hence removing the inode that was pinning the tail of the log from the AIL. At that point, everything will start moving along again. i.e. the xfs_log_worker turns back into a watchdog that can alleviate deadlocks based around pinned items that prevent the tail of the log from being moved... Signed-off-by: Dave Chinner Reviewed-by: Eric Sandeen Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 5b09381286f17ce95e334c32629584a1cad13775 Author: Jie Liu Date: Sun Sep 22 16:25:15 2013 +0800 xfs: fix the wrong new_size/rnew_size at xfs_iext_realloc_direct() commit 17ec81c15fd022842f9bc947841ba9fb9eb52591 upstream. At xfs_iext_realloc_direct(), the new_size is changed by adding if_bytes if the extent records were originally stored in the inline extent buffer and we have to switch from it to a direct extent list for the newly allocated extents; this is wrong. E.g., create a file with three extents, which shows as follows:

xfs_io -f -c "truncate 100m" /xfs/testme
for i in $(seq 0 5 10); do
    offset=$(($i * $((1 << 20))))
    xfs_io -c "pwrite $offset 1m" /xfs/testme
done

Inline
------
irec:  if_bytes  bytes_diff  new_size
1st    0         16          16
2nd    16        16          32

Switching
---------
                             rnew_size
3rd    32        16          48 + 32 = 80    roundup=128

In this case, the desired value of new_size should be 48, and then it will be rounded up to 64 and assigned to rnew_size. However, this issue has been masked by resetting if_bytes to the new_size calculated at the beginning of xfs_iext_add() before leaving this function, which in turn makes rnew_size correct again. Hence, this cannot be detected via xfstests. This patch fixes the above problem and revises the new_size comments at xfs_iext_realloc_direct() to make them more readable. Also, fix the comments while switching from the inline extent buffer to a direct extent list to reflect this change. Signed-off-by: Jie Liu Reviewed-by: Dave Chinner Signed-off-by: Ben Myers Signed-off-by: Jiri Slaby commit 89754d5379ab1956b98f51cd2fee0cfcadb18c00 Author: Johan Hedberg Date: Tue Jun 10 09:54:24 2014 +0300 Bluetooth: Fix check for connection encryption commit e694788d73efe139b24f78b036deb97fe57fa8cb upstream. The conn->link_key variable tracks the type of link key in use. It is set whenever we respond to a link key request as well as when we get a link key notification event. These two events do not however always guarantee that encryption is enabled: getting a link key request and responding to it may only mean that the remote side has requested authentication but not encryption. On the other hand, the encrypt change event is a certain guarantee that encryption is enabled. The real encryption state is already tracked in the conn->link_mode variable through the HCI_LM_ENCRYPT bit.
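As a rough illustration of the distinction drawn above (a standalone sketch; the struct below is a simplified stand-in for struct hci_conn, and the HCI_LM_ENCRYPT value is assumed for the demo), a check keyed on link_mode rather than on the stored link key looks like this:

    #include <stdbool.h>
    #include <stdio.h>

    #define HCI_LM_ENCRYPT 0x0004   /* stand-in value for the demo */

    struct demo_conn {
            unsigned int link_mode; /* bitmask of link-level properties */
            int link_key;           /* type of stored key; may be set even
                                     * when the link is not encrypted */
    };

    /* Encryption is judged by the encrypt bit, not by whether a link key
     * happens to be recorded. */
    static bool conn_encrypted(const struct demo_conn *c)
    {
            return c->link_mode & HCI_LM_ENCRYPT;
    }

    int main(void)
    {
            struct demo_conn c = { .link_mode = 0, .link_key = 1 };
            printf("key stored, not encrypted: %d\n", conn_encrypted(&c));
            c.link_mode |= HCI_LM_ENCRYPT;
            printf("after encrypt change event: %d\n", conn_encrypted(&c));
            return 0;
    }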
This patch fixes a check for encryption in the hci_conn_auth function to use the proper conn->link_mode value and thereby eliminates the chance of a false positive result. Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Jiri Slaby commit 849dc4c5ccc4348ed2795876b3d85a52b326aef4 Author: Johan Hedberg Date: Fri Apr 11 12:02:32 2014 -0700 Bluetooth: Fix redundant encryption request for reauthentication commit 09da1f3463eb81d59685df723b1c5950b7570340 upstream. When we're performing reauthentication (in order to elevate the security level from an unauthenticated key to an authenticated one) we do not need to issue any encryption command once authentication completes. Since the trigger for the encryption HCI command is the ENCRYPT_PEND flag this flag should not be set in this scenario. Instead, the REAUTH_PEND flag takes care of all necessary steps for reauthentication. Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann Cc: stable@vger.kernel.org Signed-off-by: Jiri Slaby commit 442a395f704df155cbd221ca1f201cb6eaf7e050 Author: Mathias Krause Date: Mon Sep 30 22:05:08 2013 +0200 netfilter: ipt_ULOG: fix info leaks commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream. The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause Signed-off-by: Pablo Neira Ayuso Signed-off-by: Jiri Slaby commit 8c23d6e199b45b042ae76cdbcfac467c7ce4e52e Author: Andrzej Zaborowski Date: Mon Jun 9 16:50:40 2014 +0200 efi-pstore: Fix an overflow on 32-bit builds commit 783ee43118dc773bc8b0342c5b230e017d5a04d0 upstream. In generic_id the long int timestamp is multiplied by 100000 and needs an explicit cast to u64. Without that the id in the resulting pstore filename is wrong and userspace may have problems parsing it, but more importantly files in pstore can never be deleted and may fill the EFI flash (brick device?). This happens because when generic pstore code wants to delete a file, it passes the id to the EFI backend which reinterpretes it and a wrong variable name is attempted to be deleted. There's no error message but after remounting pstore, deleted files would reappear. Signed-off-by: Andrew Zaborowski Acked-by: David Rientjes Signed-off-by: Matt Fleming Signed-off-by: Jiri Slaby commit cc6f6d1dfee2cd1f26814a9de18e71df7a2a8674 Author: Fathi Boudra Date: Sat Apr 12 13:13:24 2014 +0300 builddeb: use $OBJCOPY variable instead of objcopy commit 6b4a144a92ab81a1f45fb9b12aebaaaee0d08120 upstream. In cross-build environment, we expect to use the cross-compiler objcopy instead of the host objcopy. It fixes following build failures: objcopy --only-keep-debug lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko /srv/build/linux/debian/dbgtmp/usr/lib/debug/lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko objcopy: Unable to recognise the format of the input file `lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko' Signed-off-by: Fathi Boudra Fixes: 810e843746b7 ('deb-pkg: split debug symbols in their own package') Reviewed-by: Ben Hutchings Signed-off-by: Michal Marek Signed-off-by: Jiri Slaby commit b8f4d2179757e17cf16644feb44879c05b5b61ef Author: Andy Lutomirski Date: Mon Jun 23 14:22:15 2014 -0700 x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508) commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream. The bad syscall nr paths are their own incomprehensible route through the entry control flow. 
Rearrange them to work just like syscalls that return -ENOSYS. This fixes an OOPS in the audit code when fast-path auditing is enabled and sysenter gets a bad syscall nr (CVE-2014-4508). This has probably been broken since Linux 2.6.27: af0575bba0 i386 syscall audit fast-path Cc: Roland McGrath Reported-by: Toralf Förster Signed-off-by: Andy Lutomirski Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net Signed-off-by: H. Peter Anvin Signed-off-by: Jiri Slaby commit 8cef3ce4dab51a09ac4ba1cefedaa89aaf02ee9a Author: Greg Kroah-Hartman Date: Tue Jun 24 16:59:01 2014 -0400 lz4: fix another possible overrun commit 4148c1f67abf823099b2d7db6851e4aea407f5ee upstream. There is one other possible overrun in the lz4 code as implemented by Linux at this point in time (which differs from the upstream lz4 codebase, but will get synced up in a future kernel release). As pointed out by Don, we also need to check the overflow in the data itself. While we are at it, replace the odd error return value with just a "simple" -1 value as the return value is never used for anything other than a basic "did this work or not" check. Reported-by: "Don A. Bailey" Reported-by: Willy Tarreau Signed-off-by: Jiri Slaby commit 591cb1f862018995e04a596b9bb0c469016c1c99 Author: Eric Sandeen Date: Thu Jun 12 00:39:58 2014 -0500 btrfs: fix use of uninit "ret" in end_extent_writepage() commit 3e2426bd0eb980648449e7a2f5a23e3cd3c7725c upstream. If this condition in end_extent_writepage() is false: if (tree->ops && tree->ops->writepage_end_io_hook) we will then test an uninitialized "ret" at: ret = ret < 0 ? ret : -EIO; The test for ret is for the case where ->writepage_end_io_hook failed, and we'd choose that ret as the error; but if there is no ->writepage_end_io_hook, nothing sets ret. Initializing ret to 0 should be sufficient; if writepage_end_io_hook wasn't set, (!uptodate) means non-zero err was passed in, so we choose -EIO in that case. Signed-off-by: Eric Sandeen Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit f383013c585b3ef91f1f19f0c9d2e60071e5fb01 Author: Liu Bo Date: Mon Jun 9 10:54:07 2014 +0800 Btrfs: fix scrub_print_warning to handle skinny metadata extents commit 6eda71d0c030af0fc2f68aaa676e6d445600855b upstream. The skinny extents are interpreted incorrectly in scrub_print_warning(), and end up hitting the BUG() in btrfs_extent_inline_ref_size. Reported-by: Konstantinos Skarlatos Signed-off-by: Liu Bo Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 9cfeffa534ee24706e3269ec2aff6b8c8d278f68 Author: Liu Bo Date: Sun Jun 8 19:04:13 2014 +0800 Btrfs: use right type to get real comparison commit cd857dd6bc2ae9ecea14e75a34e8a8fdc158e307 upstream. We want to make sure the pointer is still within the extent item, not to verify the memory it's pointing to. Signed-off-by: Liu Bo Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit b01e4806671d4b756fb35285b08ba140da41ffc8 Author: Rickard Strandqvist Date: Thu May 22 22:43:43 2014 +0200 fs: btrfs: volumes.c: Fix for possible null pointer dereference commit 8321cf2596d283821acc466377c2b85bcd3422b7 upstream. There is otherwise a risk of a possible null pointer dereference. This was largely found by using a static code analysis program called cppcheck.
Signed-off-by: Rickard Strandqvist Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 2f4f6fcff97f05917b75ecfaa7a5903f1ae089d8 Author: Filipe Manana Date: Sun May 25 04:49:24 2014 +0100 Btrfs: send, don't error in the presence of subvols/snapshots commit 1af56070e3ef9477dbc7eba3b9ad7446979c7974 upstream. If we are doing an incremental send and the base snapshot has a directory with name X that doesn't exist anymore in the second snapshot and a new subvolume/snapshot exists in the second snapshot that has the same name as the directory (name X), the incremental send would fail with -ENOENT error. This is because it attempts to lookup for an inode with a number matching the objectid of a root, which doesn't exist. Steps to reproduce: mkfs.btrfs -f /dev/sdd mount /dev/sdd /mnt mkdir /mnt/testdir btrfs subvolume snapshot -r /mnt /mnt/mysnap1 rmdir /mnt/testdir btrfs subvolume create /mnt/testdir btrfs subvolume snapshot -r /mnt /mnt/mysnap2 btrfs send -p /mnt/mysnap1 /mnt/mysnap2 -f /tmp/send.data A test case for xfstests follows. Reported-by: Robert White Signed-off-by: Filipe David Borba Manana Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 9612bd1d820c62ec1f556ae5ba99191424fc1f16 Author: Wang Shilong Date: Tue May 13 17:05:06 2014 +0800 Btrfs: set right total device count for seeding support commit 298658414a2f0bea1f05a81876a45c1cd96aa2e0 upstream. Seeding device support allows us to create a new filesystem based on existed filesystem. However newly created filesystem's @total_devices should include seed devices. This patch fix the following problem: # mkfs.btrfs -f /dev/sdb # btrfstune -S 1 /dev/sdb # mount /dev/sdb /mnt # btrfs device add -f /dev/sdc /mnt --->fs_devices->total_devices = 1 # umount /mnt # mount /dev/sdc /mnt --->fs_devices->total_devices = 2 This is because we record right @total_devices in superblock, but @fs_devices->total_devices is reset to be 0 in btrfs_prepare_sprout(). Fix this problem by not resetting @fs_devices->total_devices. Signed-off-by: Wang Shilong Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit fbf046315fca47774f4843d74a58b4140d47bd16 Author: Liu Bo Date: Mon May 12 12:47:36 2014 +0800 Btrfs: mark mapping with error flag to report errors to userspace commit 5dca6eea91653e9949ce6eb9e9acab6277e2f2c4 upstream. According to commit 865ffef3797da2cac85b3354b5b6050dc9660978 (fs: fix fsync() error reporting), it's not stable to just check error pages because pages can be truncated or invalidated, we should also mark mapping with error flag so that a later fsync can catch the error. Signed-off-by: Liu Bo Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 05303b9142ed4b49021f26f06d22dee2fe7d7660 Author: Liu Bo Date: Sun May 11 23:14:59 2014 +0800 Btrfs: fix NULL pointer crash of deleting a seed device commit 29cc83f69c8338ff8fd1383c9be263d4bdf52d73 upstream. Same as normal devices, seed devices should be initialized with fs_info->dev_root as well, otherwise we'll get a NULL pointer crash. Cc: Chris Murphy Reported-by: Chris Murphy Signed-off-by: Liu Bo Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 7bfc76578ecf80d87d0e8641c1e7bcbbfca9d811 Author: Wang Shilong Date: Wed Apr 9 19:23:22 2014 +0800 Btrfs: make sure there are not any read requests before stopping workers commit de348ee022175401e77d7662b7ca6e231a94e3fd upstream. 
In close_ctree(), after we have stopped all workers, there may still be some read requests (for example readahead) to submit, and this *may* trigger an oops that a user reported before: kernel BUG at fs/btrfs/async-thread.c:619! By hacking the code, I can reproduce this problem with one CPU available. We fix this potential problem by invalidating all btree inode pages before stopping all workers. Thanks to Miao for pointing out this problem. Signed-off-by: Wang Shilong Reviewed-by: David Sterba Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit e3ffc9a32997aa626decfe04e7990ba70ee2cc2a Author: Miao Xie Date: Thu Apr 24 13:31:55 2014 +0800 Btrfs: output warning instead of error when loading free space cache failed commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream. If we fail to load a free space cache, we can rebuild it from the extent tree, so it is not a serious error, and we should not output an error message that would make the users uncomfortable. This patch uses a warning message instead. Signed-off-by: Miao Xie Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit ed7eaa4ec0d585b9dc0d23be3e1910702191b174 Author: Qu Wenruo Date: Wed Apr 16 17:02:32 2014 +0800 btrfs: Add ctime/mtime update for btrfs device add/remove. commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream. Btrfs will send a uevent to udev to inform it of the device change, but ctime/mtime for the block device inode is not updated, which causes libblkid, used by btrfs-progs, to miss the device change and use a stale cache, so 'btrfs dev scan; btrfs dev remove; btrfs dev scan' gives an error message. Reported-by: Tsutomu Itoh Cc: Karel Zak Signed-off-by: Qu Wenruo Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 7855e3447a166f5a24d2b95dc2633f7fb9eb6cc9 Author: Chris Mason Date: Wed May 21 05:49:54 2014 -0700 Btrfs: fix double free in find_lock_delalloc_range commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream. We need to NULL the cached_state after freeing it, otherwise we might free it again if find_delalloc_range doesn't find anything. Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 9335d6f8b8f53fa6da1cc64b8effe2388d4254dd Author: Pavel Shilovsky Date: Sat May 24 16:42:02 2014 +0400 CIFS: Fix memory leaks in SMB2_open commit 663a962151593c69374776e8651238d0da072459 upstream. Signed-off-by: Pavel Shilovsky Reviewed-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Jiri Slaby commit 0e2e24e5dc6eb6f0698e9dc97e652f132b885624 Author: Benjamin LaHaise Date: Tue Jun 24 13:32:51 2014 -0400 aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream. A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to aio_read_events_ring() failed to correctly limit the index into ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of an arbitrary page with a copy_to_user() to copy the contents into userspace. This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and Petr for disclosing this issue. This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
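The kind of index limiting the message above says was missing can be shown with a small standalone sketch (this is not the real aio code; the array, names and sizes are invented for the demo):

    #include <stdio.h>

    /* Toy stand-in for a ring backed by a fixed array of "pages". */
    #define DEMO_NR_PAGES 8

    static const char *demo_pages[DEMO_NR_PAGES] = {
            "p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7",
    };

    /* Wrap the ring position so the index can never run past the end of
     * the array, instead of using it to reach arbitrary memory. */
    static const char *demo_lookup(unsigned long pos)
    {
            unsigned long idx = pos % DEMO_NR_PAGES;

            return demo_pages[idx];
    }

    int main(void)
    {
            printf("pos 5   -> %s\n", demo_lookup(5));
            printf("pos 803 -> %s\n", demo_lookup(803));
            return 0;
    }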
Signed-off-by: Benjamin LaHaise Cc: Mateusz Guzik Cc: Petr Matousek Cc: Kent Overstreet Cc: Jeff Moyer Signed-off-by: Jiri Slaby commit 3f29879bfd90cb82cf8a96496499c194b6d3c9dc Author: Thomas Gleixner Date: Thu Mar 7 14:53:45 2013 +0100 genirq: Sanitize spurious interrupt detection of threaded irqs commit 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c upstream. Till reported that the spurious interrupt detection of threaded interrupts is broken in two ways: - note_interrupt() is called for each action thread of a shared interrupt line. That's wrong as we are only interested whether none of the device drivers felt responsible for the interrupt, but by calling multiple times for a single interrupt line we account IRQ_NONE even if one of the drivers felt responsible. - note_interrupt() when called from the thread handler is not serialized. That leaves the members of irq_desc which are used for the spurious detection unprotected. To solve this we need to defer the spurious detection of a threaded interrupt to the next hardware interrupt context where we have implicit serialization. If note_interrupt is called with action_ret == IRQ_WAKE_THREAD, we check whether the previous interrupt requested a deferred check. If not, we request a deferred check for the next hardware interrupt and return. If set, we check whether one of the interrupt threads signaled success. Depending on this information we feed the result into the spurious detector. If one primary handler of a shared interrupt returns IRQ_HANDLED we disable the deferred check of irq threads on the same line, as we have found at least one device driver who cared. Reported-by: Till Straumann Signed-off-by: Thomas Gleixner Tested-by: Austin Schuh Cc: Oliver Hartkopp Cc: Wolfgang Grandegger Cc: Pavel Pisa Cc: Marc Kleine-Budde Cc: linux-can@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1303071450130.22263@ionos Signed-off-by: Jiri Slaby commit 672998dd78fe2092cd5cd1db64d654acb877cf9f Author: Mike Frysinger Date: Sun May 4 20:43:15 2014 -0400 x86, x32: Use compat shims for io_{setup,submit} commit 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 upstream. The io_setup takes a pointer to a context id of type aio_context_t. This in turn is typed to a __kernel_ulong_t. We could tweak the exported headers to define this as a 64bit quantity for specific ABIs, but since we already have a 32bit compat shim for the x86 ABI, let's just re-use that logic. The libaio package is also written to expect this as a pointer type, so a compat shim would simplify that. The io_submit func operates on an array of pointers to iocb structs. Padding out the array to be 64bit aligned is a huge pain, so convert it over to the existing compat shim too. We don't convert io_getevents to the compat func as its only purpose is to handle the timespec struct, and the x32 ABI uses 64bit times. With this change, the libaio package can now pass its testsuite when built for the x32 ABI. Signed-off-by: Mike Frysinger Link: http://lkml.kernel.org/r/1399250595-5005-1-git-send-email-vapier@gentoo.org Cc: H.J. Lu Signed-off-by: H. Peter Anvin Signed-off-by: Jiri Slaby commit e45e2e7ab002b90cf01eef6debbfc0c2495ae272 Author: H. Peter Anvin Date: Wed Apr 30 14:03:25 2014 -0700 x86-32, espfix: Remove filter for espfix32 due to race commit 246f2d2ee1d715e1077fc47d61c394569c8ee692 upstream. It is not safe to use LAR to filter when to go down the espfix path, because the LDT is per-process (rather than per-thread) and another thread might change the descriptors behind our back. 
Fortunately it is always *safe* (if a bit slow) to go down the espfix path, and a 32-bit LDT stack segment is extremely rare. Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com Signed-off-by: Jiri Slaby commit 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Author: Nicholas A. Bellinger Date: Mon Jun 16 20:59:52 2014 +0000 target: Explicitly clear ramdisk_mcp backend pages [Note that a different patch to address the same issue went in during v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that don't strictly apply to fixing the bug] This patch changes rd_allocate_sgl_table() to explicitly clear ramdisk_mcp backend memory pages by passing __GFP_ZERO into alloc_pages(). This addresses a potential security issue where reading from a ramdisk_mcp could return sensitive information, and follows what >= v3.15 does to explicitly clear ramdisk_mcp memory at backend device initialization time. Reported-by: Jorge Daniel Sequeira Matias Cc: Jorge Daniel Sequeira Matias Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 3942c33e4b6b84653b04314f526907ae74984f87 Author: Roland Dreier Date: Tue Jun 10 11:07:47 2014 -0700 target: Report correct response length for some commands commit 2426bd456a61407388b6e61fc5f98dbcbebc50e2 upstream. When an initiator sends an allocation length bigger than what its command consumes, the target should only return the actual response data and set the residual length to the unused part of the allocation length. Add a helper function that command handlers (INQUIRY, READ CAPACITY, etc) can use to do this correctly, and use this code to get the correct residual for commands that don't use the full initiator allocation in the handlers for READ CAPACITY, READ CAPACITY(16), INQUIRY, MODE SENSE and REPORT LUNS. This addresses a handful of failures as reported by Christophe with the Windows Certification Kit: http://permalink.gmane.org/gmane.linux.scsi.target.devel/6515 Signed-off-by: Roland Dreier Tested-by: Christophe Vu-Brugier Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 53f1d104f250540853271653f507ac09b4bfc66e Author: Sagi Grimberg Date: Tue Jun 10 18:27:59 2014 +0300 Target/iscsi: Fix sendtargets response pdu for iser transport commit 22c7aaa57e80853b4904a46c18f97db0036a3b97 upstream. In case the transport is iser we should not include the iscsi target info in the sendtargets text response pdu. This causes sendtargets response to include the target info twice. Modify iscsit_build_sendtargets_response to filter transport types that don't match. Signed-off-by: Sagi Grimberg Reported-by: Slava Shwartsman Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 18b0e46ab4670436bcef4df0807ade2ffa7901ce Author: Nicholas Bellinger Date: Tue Jun 10 04:03:54 2014 +0000 iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory leak commit bbc050488525e1ab1194c27355f63c66814385b8 upstream. This patch fixes a iscsi_queue_req memory leak when ABORT_TASK response has been queued by TFO->queue_tm_rsp() -> lio_queue_tm_rsp() after a long standing I/O completes, but the connection has already reset and waiting for cleanup to complete in iscsit_release_commands_from_conn() -> transport_generic_free_cmd() -> transport_wait_for_tasks() code. 
It moves iscsit_free_queue_reqs_for_conn() after the per-connection command list has been released, so that the associated se_cmd tag can be completed + released by target-core before freeing any remaining iscsi_queue_req memory for the connection generated by lio_queue_tm_rsp(). Cc: Thomas Glanzmann Cc: Charalampos Pournaris Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit ab7f3e4697f12ad16c816fdb27e3e494809bad91 Author: Nicholas Bellinger Date: Mon Jun 9 23:36:51 2014 +0000 target: Use complete_all for se_cmd->t_transport_stop_comp commit a95d6511303b848da45ee27b35018bb58087bdc6 upstream. This patch fixes a bug where multiple waiters on ->t_transport_stop_comp occurs due to a concurrent ABORT_TASK and session reset both invoking transport_wait_for_tasks(), while waiting for the associated se_cmd descriptor backend processing to complete. For this case, complete_all() should be invoked in order to wake up both waiters in core_tmr_abort_task() + transport_generic_free_cmd() process contexts. Cc: Thomas Glanzmann Cc: Charalampos Pournaris Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit a08f9367aa469714683c41b0780c598945fa1099 Author: Nicholas Bellinger Date: Mon Jun 9 23:13:20 2014 +0000 target: Set CMD_T_ACTIVE bit for Task Management Requests commit f15e9cd910c4d9da7de43f2181f362082fc45f0f upstream. This patch fixes a bug where se_cmd descriptors associated with a Task Management Request (TMR) where not setting CMD_T_ACTIVE before being dispatched into target_tmr_work() process context. This is required in order for transport_generic_free_cmd() -> transport_wait_for_tasks() to wait on se_cmd->t_transport_stop_comp if a session reset event occurs while an ABORT_TASK is outstanding waiting for another I/O to complete. Cc: Thomas Glanzmann Cc: Charalampos Pournaris Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 1d88b1199369e23dae9261f2861cda9e431aee76 Author: Sagi Grimberg Date: Mon May 19 17:44:25 2014 +0300 Target/iser: Wait for proper cleanup before unloading commit f5ebec9629cf78eeeea4b8258882a9f439ab2404 upstream. disconnected_handler works are scheduled on system_wq. When attempting to unload, first make sure all works have cleaned up. Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit f3c158abb8cbde83e5c95431db41d8da9acd7e98 Author: Sagi Grimberg Date: Mon May 19 17:44:24 2014 +0300 Target/iser: Improve cm events handling commit 88c4015fda6d014392f76d3b1688347950d7a12d upstream. There are 4 RDMA_CM events that all basically mean that the user should teardown the IB connection: - DISCONNECTED - ADDR_CHANGE - DEVICE_REMOVAL - TIMEWAIT_EXIT Only in DISCONNECTED/ADDR_CHANGE it makes sense to call rdma_disconnect (send DREQ/DREP to our initiator). So we keep the same teardown handler for all of them but only indicate calling rdma_disconnect for the relevant events. This patch also removes redundant debug prints for each single event. v2 changes: - Call isert_disconnected_handler() for DEVICE_REMOVAL (Or + Sag) Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 34992ea555198a7c1df1700444773324254a7a87 Author: Sagi Grimberg Date: Mon May 19 17:44:23 2014 +0300 Target/iser: Fix hangs in connection teardown commit 9d49f5e284e700576f3b65f1e28dea8539da6661 upstream. In ungraceful teardowns isert close flows seem racy such that isert_wait_conn hangs as RDMA_CM_EVENT_DISCONNECTED never gets invoked (no one called rdma_disconnect). 
Both graceful and ungraceful teardowns will have rx flush errors (isert posts a batch once a connection is established). Once all flush errors are consumed we invoke isert_wait_conn and it will be responsible for calling rdma_disconnect. This way it can be sure that rdma_disconnect was called and it won't wait forever. This patch also removes the logout_posted indicator. Either the logout completion was consumed, in which case there is no problem decrementing the post_send_buf_count, or it was consumed as a flush error. There is no point in keeping it for isert_wait_conn, as there is no danger that isert_conn will be accidentally removed while it is running. (Drop unnecessary sleep_on_conn_wait_comp check in isert_cq_rx_comp_err - nab) Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 391416ca2aeff3a33fdd9fa343b9a622ea00523e Author: Sagi Grimberg Date: Mon May 19 17:44:22 2014 +0300 Target/iser: Bail from accept_np if np_thread is trying to close commit e346ab343f4f58c12a96725c7b13df9cc2ad56f6 upstream. In case the np_thread state is RESET/SHUTDOWN/EXIT, there is no point for isert to stall there, as we may get a hang if no one will wake it up later. Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit a9fb5766418105ab7fa4eba2163441869f94be40 Author: Jukka Taimisto Date: Thu May 22 10:02:39 2014 +0000 Bluetooth: Fix L2CAP deadlock commit 8a96f3cd22878fc0bb564a8478a6e17c0b8dca73 upstream. -[0x01 Introduction We have found a programming error causing a deadlock in the Bluetooth subsystem of the Linux kernel. The problem is caused by a missing release_sock() call when L2CAP connection creation fails due to a full accept queue. The issue can be reproduced with the 3.15-rc5 kernel and is also present in earlier kernels. -[0x02 Details The problem occurs when multiple L2CAP connections are created to a PSM which contains a listening socket (like SDP) and left pending, for example, in configuration (the underlying ACL link is not disconnected between connections). When an L2CAP connection request is received and a listening socket is found, the l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called. This function locks the 'parent' socket and then checks if the accept queue is full.

1178 lock_sock(parent);
1179
1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) {
1182         BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183         return NULL;
1184 }

In case the accept queue is full, NULL is returned, but the 'parent' socket is not released. Thus when the next L2CAP connection request is received the code blocks on lock_sock() since the parent is still locked. Also note that for connections already established and waiting for configuration to complete a timeout will occur and l2cap_chan_timeout() (net/bluetooth/l2cap_core.c) will be called. All threads calling this function will also be blocked waiting for the channel mutex, since the thread which is waiting on lock_sock() already holds the channel mutex. We were able to reproduce this by continuously sending an L2CAP connection request followed by a disconnection request containing an invalid CID. This left the created connections pending configuration. After the deadlock occurs it is impossible to kill bluetoothd, btmon will not get any more data, etc., requiring a reboot to recover. -[0x03 Fix Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL seems to fix the issue.
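Based only on the snippet quoted above, the fix described in section 0x03 would take roughly this shape (a sketch of the idea, not the literal upstream patch):

    lock_sock(parent);

    /* Check for backlog size */
    if (sk_acceptq_is_full(parent)) {
            BT_DBG("backlog full %d", parent->sk_ack_backlog);
            release_sock(parent);   /* was missing: unlock before bailing out */
            return NULL;
    }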
Signed-off-by: Jukka Taimisto Reported-by: Tommi Mäkilä Signed-off-by: Johan Hedberg Signed-off-by: Jiri Slaby commit 2223d1af7def3027f997782665289d91882e0231 Author: Felipe Balbi Date: Wed Apr 23 09:58:26 2014 -0500 bluetooth: hci_ldisc: fix deadlock condition commit da64c27d3c93ee9f89956b9de86c4127eb244494 upstream. LDISCs shouldn't call tty->ops->write() from within ->write_wakeup(). ->write_wakeup() is called with port lock taken and IRQs disabled, tty->ops->write() will try to acquire the same port lock and we will deadlock. Acked-by: Marcel Holtmann Reviewed-by: Peter Hurley Reported-by: Huang Shijie Signed-off-by: Felipe Balbi Tested-by: Andreas Bießmann Signed-off-by: Jiri Slaby commit 8f375cf896c00bf6a66faf6f1e36699ac4f3cbda Author: Jianguo Wu Date: Thu Apr 24 03:45:56 2014 +0100 ARM: 8037/1: mm: support big-endian page tables commit 86f40622af7329375e38f282f6c0aab95f3e5f72 upstream. When enable LPAE and big-endian in a hisilicon board, while specify mem=384M mem=512M@7680M, will get bad page state: Freeing unused kernel memory: 180K (c0466000 - c0493000) BUG: Bad page state in process init pfn:fa442 page:c7749840 count:0 mapcount:-1 mapping: (null) index:0x0 page flags: 0x40000400(reserved) Modules linked in: CPU: 0 PID: 1 Comm: init Not tainted 3.10.27+ #66 [] (unwind_backtrace+0x0/0x11c) from [] (show_stack+0x10/0x14) [] (show_stack+0x10/0x14) from [] (bad_page+0xd4/0x104) [] (bad_page+0xd4/0x104) from [] (free_pages_prepare+0xa8/0x14c) [] (free_pages_prepare+0xa8/0x14c) from [] (free_hot_cold_page+0x18/0xf0) [] (free_hot_cold_page+0x18/0xf0) from [] (handle_pte_fault+0xcf4/0xdc8) [] (handle_pte_fault+0xcf4/0xdc8) from [] (handle_mm_fault+0xf4/0x120) [] (handle_mm_fault+0xf4/0x120) from [] (do_page_fault+0xfc/0x354) [] (do_page_fault+0xfc/0x354) from [] (do_DataAbort+0x2c/0x90) [] (do_DataAbort+0x2c/0x90) from [] (__dabt_usr+0x34/0x40) The bad pfn:fa442 is not system memory(mem=384M mem=512M@7680M), after debugging, I find in page fault handler, will get wrong pfn from pte just after set pte, as follow: do_anonymous_page() { ... set_pte_at(mm, address, page_table, entry); //debug code pfn = pte_pfn(entry); pr_info("pfn:0x%lx, pte:0x%llxn", pfn, pte_val(entry)); //read out the pte just set new_pte = pte_offset_map(pmd, address); new_pfn = pte_pfn(*new_pte); pr_info("new pfn:0x%lx, new pte:0x%llxn", pfn, pte_val(entry)); ... } pfn: 0x1fa4f5, pte:0xc00001fa4f575f new_pfn:0xfa4f5, new_pte:0xc00000fa4f5f5f //new pfn/pte is wrong. The bug is happened in cpu_v7_set_pte_ext(ptep, pte): An LPAE PTE is a 64bit quantity, passed to cpu_v7_set_pte_ext in the r2 and r3 registers. On an LE kernel, r2 contains the LSB of the PTE, and r3 the MSB. On a BE kernel, the assignment is reversed. Unfortunately, the current code always assumes the LE case, leading to corruption of the PTE when clearing/setting bits. This patch fixes this issue much like it has been done already in the cpu_v7_switch_mm case. Signed-off-by: Jianguo Wu Acked-by: Marc Zyngier Acked-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit da2212cb0877874751262d1ea1a33c1c590da921 Author: Russell King Date: Sat May 3 11:03:28 2014 +0100 ARM: stacktrace: avoid listing stacktrace functions in stacktrace commit 3683f44c42e991d313dc301504ee0fca1aeb8580 upstream. While debugging the FEC ethernet driver using stacktrace, it was noticed that the stacktraces always begin as follows: [] save_stack_trace_tsk+0x0/0x98 [] save_stack_trace+0x24/0x28 ... 
This is because the stack trace code includes the stack frames for itself. This is incorrect behaviour, and also leads to "skip" doing the wrong thing (which is the number of stack frames to avoid recording.) Perversely, it does the right thing when passed a non-current thread. Fix this by ensuring that we have a known constant number of frames above the main stack trace function, and always skip these. Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit d22659aebe32761443e9d2aa92c6ef16e82a5431 Author: Olivier Langlois Date: Fri Mar 28 02:42:38 2014 -0300 media: uvcvideo: Fix clock param realtime setting commit 3b35fc81e7ec552147a4fd843d0da0bbbe4ef253 upstream. timestamps in v4l2 buffers returned to userspace are updated in uvc_video_clock_update() which uses timestamps fetched from uvc_video_clock_decode() by calling unconditionally ktime_get_ts(). Hence setting the module clock param to realtime has no effect before this patch. This has been tested with ffmpeg: ffmpeg -y -f v4l2 -input_format yuyv422 -video_size 640x480 -framerate 30 -i /dev/video0 \ -f alsa -acodec pcm_s16le -ar 16000 -ac 1 -i default \ -c:v libx264 -preset ultrafast \ -c:a libfdk_aac \ out.mkv and inspecting the v4l2 input starting timestamp. Signed-off-by: Olivier Langlois Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit b9441d724ec9a61f8dcbaec7c2863550ba29c105 Author: Lv Zheng Date: Mon May 12 15:50:16 2014 +0800 ACPI: Fix conflict between customized DSDT and DSDT local copy commit 73577d1df8e1f31f6b1a5eebcdbc334eb0330e47 upstream. This patch fixes the following issue: If DSDT is customized, no local DSDT copy is needed. References: https://bugzilla.kernel.org/show_bug.cgi?id=69711 Signed-off-by: Enrico Etxe Arte Signed-off-by: Lv Zheng [rjw: Subject] Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 1da24fbdaf50f6b2e209a3e569c2071899d9ebb7 Author: David Binderman Date: Fri Apr 4 12:36:55 2014 +0800 ACPICA: utstring: Check array index bound before use. commit 5d42b0fa25df7ef2f575107597c1aaebe2407d10 upstream. ACPICA BZ 1077. David Binderman. References: https://bugs.acpica.org/show_bug.cgi?id=1077 Signed-off-by: David Binderman Signed-off-by: Bob Moore Signed-off-by: Lv Zheng Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 956ff41ab990ddea83717e5bbad2bfb56277ab76 Author: Ezequiel Garcia Date: Thu Apr 17 09:28:20 2014 -0300 media: stk1160: Avoid stack-allocated buffer for control URBs commit 85ac1a1772bb41da895bad83a81f6a62c8f293f6 upstream. Currently stk1160_read_reg() uses a stack-allocated char to get the read control value. This is wrong because usb_control_msg() requires a kmalloc-ed buffer. This commit fixes such issue by kmalloc'ating a 1-byte buffer to receive the read value. While here, let's remove the urb_buf array which was meant for a similar purpose, but never really used. Cc: Alan Stern Reported-by: Sander Eikelenboom Signed-off-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 30d8ffb3f0b2d340f782d464fb35323fb915b593 Author: Takashi Iwai Date: Mon May 5 11:20:05 2014 -0300 media: ivtv: Fix Oops when no firmware is loaded commit deb29e90221a6d4417aa67be971613c353180331 upstream. 
When ivtv PCM device is accessed at the state where no firmware is loaded, it oopses like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 IP: [] try_mailbox.isra.0+0x11/0x50 [ivtv] Call Trace: [] ivtv_api_call+0x160/0x6b0 [ivtv] [] ivtv_api+0x16/0x40 [ivtv] [] ivtv_vapi+0xac/0xc0 [ivtv] [] ivtv_start_v4l2_encode_stream+0x19d/0x630 [ivtv] [] snd_ivtv_pcm_capture_open+0x173/0x1c0 [ivtv_alsa] [] snd_pcm_open_substream+0x51/0x100 [snd_pcm] [] snd_pcm_open+0xb3/0x260 [snd_pcm] [] snd_pcm_capture_open+0x37/0x50 [snd_pcm] [] snd_open+0xa7/0x1e0 [snd] [] chrdev_open+0x88/0x1d0 [] do_dentry_open+0x1de/0x270 [] do_last+0x1c3/0xec0 [] path_openat+0xb6/0x670 [] do_filp_open+0x35/0x80 [] do_sys_open+0x129/0x210 [] system_call_fastpath+0x1a/0x1f This patch adds the check of firmware at PCM open callback like other open callbacks of this driver. Bugzilla: https://apibugzilla.novell.com/show_bug.cgi?id=875440 Signed-off-by: Takashi Iwai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 957bd4c349be6d8dc9b7ae477543e5a7e1596573 Author: Johan Hovold Date: Mon May 26 19:23:33 2014 +0200 USB: serial: fix potential runtime pm imbalance at device remove commit c14829fad88dbeda57253590695b85ba51270621 upstream. Only call usb_autopm_put_interface() if the corresponding usb_autopm_get_interface() was successful. This prevents a potential runtime PM counter imbalance should usb_autopm_get_interface() fail. Note that the USB PM usage counter is reset when the interface is unbound, but that the runtime PM counter may be left unbalanced. Also add comment on why we don't need to worry about racing resume/suspend on autopm_get failures. Fixes: d5fd650cfc7f ("usb: serial: prevent suspend/resume from racing against probe/remove") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 59f8ef8d0f3874085db8e8ce40762997f7381a61 Author: Johan Hovold Date: Mon May 26 19:22:54 2014 +0200 USB: sierra: fix remote wakeup commit 80cc0fcbdaeaf10d04ba27779a2d7ceb73d2717a upstream. Make sure that needs_remote_wake up is always set when there are open ports. Currently close() would unconditionally set needs_remote_wakeup to 0 even though there might still be open ports. This could lead to blocked input and possibly dropped data on devices that do not support remote wakeup (and which must therefore not be runtime suspended while open). Add an open_ports counter (protected by the susp_lock) and only clear needs_remote_wakeup when the last port is closed. Fixes: e6929a9020ac ("USB: support for autosuspend in sierra while online") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 7e7ccedc9d21441463fd5de3d365779358643541 Author: Johan Hovold Date: Mon May 26 19:22:53 2014 +0200 USB: sierra: fix urb and memory leak on disconnect commit 014333f77c0b71123d6ef7d31a9724e0699c9548 upstream. The delayed-write queue was never emptied on disconnect, something which would lead to leaked urbs and transfer buffers if the device is disconnected before being runtime resumed due to a write. Fixes: e6929a9020ac ("USB: support for autosuspend in sierra while online") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit a2aa73192ac6f2ce57549f39b1944396be1855a6 Author: Johan Hovold Date: Mon May 26 19:22:52 2014 +0200 USB: sierra: fix urb and memory leak in resume error path commit 7fdd26a01eb7b6cb6855ff8f69ef4a720720dfcb upstream. Neither the transfer buffer or the urb itself were released in the resume error path for delayed writes. 
Also on errors, the remainder of the queue was not even processed, which leads to further urb and buffer leaks. The same error path also failed to balance the outstanding-urb counter, something which results in degraded throughput or completely blocked writes. Fix this by releasing urb and buffer and balancing counters on errors, and by always processing the whole queue even when submission of one urb fails. Fixes: e6929a9020ac ("USB: support for autosuspend in sierra while online") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 06974d798d13f913e2ca85cedba76df8fabb72dd Author: Johan Hovold Date: Mon May 26 19:22:51 2014 +0200 USB: sierra: fix use after free at suspend/resume commit 8452727de70f6ad850cd6d0aaa18b5d9050aa63b upstream. Fix use after free or NULL-pointer dereference during suspend and resume. The port data may never have been allocated (port probe failed) or may already have been released by port_remove (e.g. driver is unloaded) when suspend and resume are called. Fixes: e6929a9020ac ("USB: support for autosuspend in sierra while online") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 8ae7a23bb2f7b01e10f99dbd9b63b9bdca82dd79 Author: Johan Hovold Date: Mon May 26 19:22:50 2014 +0200 USB: sierra: fix AA deadlock in open error path commit 353fe198602e8b4d1c7bdcceb8e60955087201b1 upstream. Fix AA deadlock in open error path that would call close() and try to grab the already held disc_mutex. Fixes: b9a44bc19f48 ("sierra: driver urb handling improvements") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 7a797aa04fca5d0c37cd10058770f98aa3e83c24 Author: Johan Hovold Date: Mon May 26 19:23:18 2014 +0200 USB: usb_wwan: fix potential blocked I/O after resume commit fb7ad4f93d9f0f7d49beda32f5e7becb94b29a4d upstream. Keep trying to submit urbs rather than bail out on first read-urb submission error, which would also prevent I/O for any further ports from being resumed. Instead keep an error count, for all types of failed submissions, and let USB core know that something went wrong. Also make sure to always clear the suspended flag. Currently a failed read-urb submission would prevent cached writes as well as any subsequent writes from being submitted until next suspend-resume cycle, something which may not even necessarily happen. Note that USB core currently only logs an error if an interface resume failed. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit bfd75a498e07ea25e891b94a82e2cb216b19c01c Author: Johan Hovold Date: Mon May 26 19:23:17 2014 +0200 USB: usb_wwan: fix potential NULL-deref at resume commit 9096f1fbba916c2e052651e9de82fcfb98d4bea7 upstream. The interrupt urb was submitted unconditionally at resume, something which could lead to a NULL-pointer dereference in the urb completion handler as resume may be called after the port and port data is gone. Fix this by making sure the interrupt urb is only submitted and active when the port is open. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 9b71d5c368ad55b93a36846f0c4225bd7cd63edb Author: Johan Hovold Date: Mon May 26 19:23:16 2014 +0200 USB: usb_wwan: fix urb leak at shutdown commit 79eed03e77d481b55d85d1cfe5a1636a0d3897fd upstream. 
The delayed-write queue was never emptied at shutdown (close), something which could lead to leaked urbs if the port is closed before being runtime resumed due to a write. When this happens the output buffer would not drain on close (closing_wait timeout), and after consecutive opens, writes could be corrupted with previously buffered data, transferred with reduced throughput or completely blocked. Note that unbusy_queued_urb() was simply moved out of CONFIG_PM. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 097280999c085494a3e7c441fa1251e4c67ee927 Author: Johan Hovold Date: Mon May 26 19:23:15 2014 +0200 USB: usb_wwan: fix write and suspend race commit 170fad9e22df0063eba0701adb966786d7a4ec5a upstream. Fix race between write() and suspend() which could lead to writes being dropped (or I/O while suspended) if the device is runtime suspended while a write request is being processed. Specifically, suspend() releases the susp_lock after determining the device is idle but before setting the suspended flag, thus leaving a window where a concurrent write() can submit an urb. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 8cba48efceae500f796be3174ae69034d08257ef Author: xiao jin Date: Mon May 26 19:23:14 2014 +0200 USB: usb_wwan: fix race between write and resume commit d9e93c08d8d985e5ef89436ebc9f4aad7e31559f upstream. We found a race between write and resume. usb_wwan_resume() runs play_delayed() and drops the spinlock, but intfdata->suspended has still not been set to zero. At this time usb_wwan_write() is called and anchors the urb to the delayed list. Resume then keeps running, but the delayed urb has no chance to be submitted until the next resume. If the next resume is far away, the tty will be blocked in tty_wait_until_sent during that time. The race can also lead to writes being reordered. This patch puts play_delayed() and the update of intfdata->suspended together under the spinlock to avoid the write race during resume. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: xiao jin Signed-off-by: Zhang, Qi1 Reviewed-by: David Cohen Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 2d08bfbd20880f1e01ddcd6be14cdda64962e337 Author: xiao jin Date: Mon May 26 19:23:13 2014 +0200 USB: usb_wwan: fix urb leak in write error path commit db0904737947d509844e171c9863ecc5b4534005 upstream. When USB serial is enabled for modem data, sometimes the tty is blocked in tty_wait_until_sent because portdata->out_busy is always set and never gets cleared. We found a bug in the write error path: usb_wwan_write() sets portdata->out_busy first, then the async autopm request fails. No out urb is submitted and there is no usb_wwan_outdat_callback() for this write, so portdata->out_busy can't be cleared. This patch clears portdata->out_busy if the async autopm request in usb_wwan_write() fails. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: xiao jin Signed-off-by: Zhang, Qi1 Reviewed-by: David Cohen Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit f01bea2e74a6e97ed791b90484c2e67323bda6b5 Author: Mikulas Patocka Date: Thu May 15 06:58:24 2014 -0400 matroxfb: perform a dummy read of M_STATUS commit 972754cfaee94d6e25acf94a497bc0a864d91b7e upstream.
I had occasional screen corruption with the matrox framebuffer driver and I found out that the reason for the corruption is that the hardware blitter accesses the videoram while it is being written to. The matrox driver has a macro WaitTillIdle() that should wait until the blitter is idle, but it sometimes doesn't work. I added a dummy read mga_inl(M_STATUS) to WaitTillIdle() to fix the problem. The dummy read will flush the write buffer in the PCI chipset, and the next read of M_STATUS will return the hardware status. Since applying this patch, I have had no screen corruption at all. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit 516bf04cd27425f36c30ac05dbac5f9b7edd5dae Author: Maurizio Lombardi Date: Tue May 27 12:48:56 2014 -0400 ext4: fix wrong assert in ext4_mb_normalize_request() commit b5b60778558cafad17bbcbf63e0310bd3c68eb17 upstream. The variable "size" is expressed as a number of blocks and not as a number of clusters; this could trigger a kernel panic when using ext4 with a cluster size different from the block size. Signed-off-by: Maurizio Lombardi Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 7e78f828d6bb0b356498fae02196c7047529cbfc Author: Jan Kara Date: Tue May 27 12:48:55 2014 -0400 ext4: fix zeroing of page during writeback commit eeece469dedadf3918bad50ad80f4616a0064e90 upstream. The tail of a page straddling the inode size must be zeroed when being written out, due to the POSIX requirement that modifications of an mmapped page beyond the inode size must not be written to the file. ext4_bio_write_page() did this only for blocks fully beyond the inode size but didn't properly zero blocks partially beyond the inode size. Fix this. The problem has been uncovered by the mmap_11-4 test in the openposix test suite (part of LTP). Reported-by: Xiaoguang Wang Fixes: 5a0dc7365c240 Fixes: bd2d0210cf22f CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit 76516da417386581ce915d1be649d16be81ca949 Author: Namjae Jeon Date: Mon May 12 08:12:25 2014 -0400 ext4: fix data integrity sync in ordered mode commit 1c8349a17137b93f0a83f276c764a6df1b9a116e upstream. When we perform a data integrity sync we tag all the dirty pages with PAGECACHE_TAG_TOWRITE at the start of ext4_da_writepages. Later we check for this tag in write_cache_pages_da, create a struct mpage_da_data containing contiguously indexed pages tagged with this tag, and sync these pages with a call to mpage_da_map_and_submit. This process is repeated in a while loop until all the PAGECACHE_TAG_TOWRITE pages are synced. We also do a journal start and stop in each iteration. journal_stop could initiate a journal commit, which would call ext4_writepage, which in turn will call ext4_bio_write_page even for delayed OR unwritten buffers. When ext4_bio_write_page is called for such buffers, it does not sync them, but it still clears the PAGECACHE_TAG_TOWRITE of the corresponding page, and hence these pages are not synced by the currently running data integrity sync. We end up with dirty pages although the sync has completed. This could cause potential data loss when the sync call is followed by a truncate_pagecache call, which is exactly the case in collapse_range. (It will cause a generic/127 failure in xfstests.) To avoid this issue, we can use set_page_writeback_keepwrite instead of set_page_writeback, which doesn't clear the TOWRITE tag.
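The distinction the last paragraph relies on can be shown with a schematic kernel-style sketch; this is illustrative only, not the actual ext4 change, and the keep_towrite flag name is assumed here:

    #include <linux/mm_types.h>
    #include <linux/page-flags.h>

    /*
     * Illustration only -- not the ext4 patch itself.  The point is which
     * writeback helper gets called; "keep_towrite" is an assumed flag name.
     */
    static void start_page_writeback(struct page *page, bool keep_towrite)
    {
    	if (keep_towrite)
    		/* mark the page as under writeback but leave
    		 * PAGECACHE_TAG_TOWRITE set, so the running
    		 * data-integrity sync still picks the page up */
    		set_page_writeback_keepwrite(page);
    	else
    		/* normal path: this also clears PAGECACHE_TAG_TOWRITE */
    		set_page_writeback(page);
    }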
Signed-off-by: Namjae Jeon Signed-off-by: Ashish Sangwan Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Signed-off-by: Jiri Slaby commit 2375be7812fe1550561502cbbacb4370eaa728ef Author: Christian Borntraeger Date: Mon May 26 21:55:08 2014 +0200 s390/lowcore: reserve 96 bytes for IRB in lowcore commit 993072ee67aa179c48c85eb19869804e68887d86 upstream. The IRB might be 96 bytes if the extended-I/O-measurement facility is used. This feature is currently not used by Linux, but struct irb already has the emw defined. So let's make the irb in lowcore match the size of the internal data structure to be future proof. We also have to add a pad, to correctly align the paste. The bigger irb field also circumvents a bug in some QEMU versions that always write the emw field on test subchannel and therefore destroy the paste definitions of this CPU. Running under these QEMU version broke some timing functions in the VDSO and all users of these functions, e.g. some JREs. Signed-off-by: Christian Borntraeger Signed-off-by: Martin Schwidefsky Cc: Heiko Carstens Cc: Sebastian Ott Cc: Cornelia Huck Signed-off-by: Jiri Slaby commit 09b6ffbba999d9640bb32f2ccf46e883f232e833 Author: Lai Jiangshan Date: Fri Jun 6 14:37:10 2014 -0700 idr: fix overflow bug during maximum ID calculation at maximum height commit 3afb69cb5572b3c8c898c00880803cf1a49852c4 upstream. idr_replace() open-codes the logic to calculate the maximum valid ID given the height of the idr tree; unfortunately, the open-coded logic doesn't account for the fact that the top layer may have unused slots and over-shifts the limit to zero when the tree is at its maximum height. The following test code shows it fails to replace the value for id=((1<<27)+42): static void test5(void) { int id; DEFINE_IDR(test_idr); #define TEST5_START ((1<<27)+42) /* use the highest layer */ printk(KERN_INFO "Start test5\n"); id = idr_alloc(&test_idr, (void *)1, TEST5_START, 0, GFP_KERNEL); BUG_ON(id != TEST5_START); TEST_BUG_ON(idr_replace(&test_idr, (void *)2, TEST5_START) != (void *)1); idr_destroy(&test_idr); printk(KERN_INFO "End of test5\n"); } Fix the bug by using idr_max() which correctly takes into account the maximum allowed shift. sub_alloc() shares the same problem and may incorrectly fail with -EAGAIN; however, this bug doesn't affect correct operation because idr_get_empty_slot(), which already uses idr_max(), retries with the increased @id in such cases. [tj@kernel.org: Updated patch description.] Signed-off-by: Lai Jiangshan Acked-by: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 177ee132eb7a7209e188c5d77584eedea840a01a Author: Will Deacon Date: Mon Jun 2 11:47:23 2014 +0100 arm64: ptrace: change fs when passing kernel pointer to regset code commit c168870704bcde6bb63d05f7882b620dd3985a46 upstream. Our compat PTRACE_POKEUSR implementation simply passes the user data to regset_copy_from_user after some simple range checking. Unfortunately, the data in question has already been copied to the kernel stack by this point, so the subsequent access_ok check fails and the ptrace request returns -EFAULT. This causes problems tracing fork() with older versions of strace. This patch briefly changes the fs to KERNEL_DS, so that the access_ok check passes even with a kernel address. 
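The addr_limit switch referred to above is the long-standing get_fs()/set_fs() pattern. A schematic sketch only, not the actual arm64 patch; do_regset_copy() is a placeholder name:

    #include <linux/uaccess.h>

    /*
     * Schematic sketch of the pattern, not the arm64 patch itself.
     * do_regset_copy() is a placeholder for the regset copy-in helper.
     */
    static int copy_via_kernel_ds(void *kbuf, size_t len)
    {
    	mm_segment_t old_fs = get_fs();
    	int ret;

    	set_fs(KERNEL_DS);		/* access_ok() now accepts kernel addresses */
    	ret = do_regset_copy(kbuf, len);
    	set_fs(old_fs);			/* always restore the original limit */

    	return ret;
    }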
Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Jiri Slaby commit 7b41b2642dd8f6118049e2e287339cad607cb95b Author: Matthew Dempsky Date: Fri Jun 6 14:36:42 2014 -0700 ptrace: fix fork event messages across pid namespaces commit 4e52365f279564cef0ddd41db5237f0471381093 upstream. When tracing a process in another pid namespace, it's important for fork event messages to contain the child's pid as seen from the tracer's pid namespace, not the parent's. Otherwise, the tracer won't be able to correlate the fork event with later SIGTRAP signals it receives from the child. We still risk a race condition if a ptracer from a different pid namespace attaches after we compute the pid_t value. However, sending a bogus fork event message in this unlikely scenario is still a vast improvement over the status quo where we always send bogus fork event messages to debuggers in a different pid namespace than the forking process. Signed-off-by: Matthew Dempsky Acked-by: Oleg Nesterov Cc: Kees Cook Cc: Julien Tinnes Cc: Roland McGrath Cc: Jan Kratochvil Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit c25f8a8b54b96485e621d743f2f360d326aef9cf Author: Johannes Weiner Date: Fri Jun 6 14:35:35 2014 -0700 mm: vmscan: clear kswapd's special reclaim powers before exiting commit 71abdc15adf8c702a1dd535f8e30df50758848d2 upstream. When kswapd exits, it can end up taking locks that were previously held by allocating tasks while they waited for reclaim. Lockdep currently warns about this: On Wed, May 28, 2014 at 06:06:34PM +0800, Gu Zheng wrote: > inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-R} usage. > kswapd2/1151 [HC0[0]:SC0[0]:HE1:SE1] takes: > (&sig->group_rwsem){+++++?}, at: exit_signals+0x24/0x130 > {RECLAIM_FS-ON-W} state was registered at: > mark_held_locks+0xb9/0x140 > lockdep_trace_alloc+0x7a/0xe0 > kmem_cache_alloc_trace+0x37/0x240 > flex_array_alloc+0x99/0x1a0 > cgroup_attach_task+0x63/0x430 > attach_task_by_pid+0x210/0x280 > cgroup_procs_write+0x16/0x20 > cgroup_file_write+0x120/0x2c0 > vfs_write+0xc0/0x1f0 > SyS_write+0x4c/0xa0 > tracesys+0xdd/0xe2 > irq event stamp: 49 > hardirqs last enabled at (49): _raw_spin_unlock_irqrestore+0x36/0x70 > hardirqs last disabled at (48): _raw_spin_lock_irqsave+0x2b/0xa0 > softirqs last enabled at (0): copy_process.part.24+0x627/0x15f0 > softirqs last disabled at (0): (null) > > other info that might help us debug this: > Possible unsafe locking scenario: > > CPU0 > ---- > lock(&sig->group_rwsem); > > lock(&sig->group_rwsem); > > *** DEADLOCK *** > > no locks held by kswapd2/1151. > > stack backtrace: > CPU: 30 PID: 1151 Comm: kswapd2 Not tainted 3.10.39+ #4 > Call Trace: > dump_stack+0x19/0x1b > print_usage_bug+0x1f7/0x208 > mark_lock+0x21d/0x2a0 > __lock_acquire+0x52a/0xb60 > lock_acquire+0xa2/0x140 > down_read+0x51/0xa0 > exit_signals+0x24/0x130 > do_exit+0xb5/0xa50 > kthread+0xdb/0x100 > ret_from_fork+0x7c/0xb0 This is because the kswapd thread is still marked as a reclaimer at the time of exit. But because it is exiting, nobody is actually waiting on it to make reclaim progress anymore, and it's nothing but a regular thread at this point. Be tidy and strip it of all its powers (PF_MEMALLOC, PF_SWAPWRITE, PF_KSWAPD, and the lockdep reclaim state) before returning from the thread function. 
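As an illustration of the clean-up described above (a sketch, not the actual vmscan change; the lockdep helper name reflects kernels of this vintage and is listed as an assumption):

    #include <linux/sched.h>
    #include <linux/lockdep.h>

    /*
     * Sketch only: strip the reclaim-related state from the exiting kswapd
     * thread so the allocator and lockdep no longer treat it as a reclaimer.
     */
    static void kswapd_strip_reclaim_state(struct task_struct *tsk)
    {
    	tsk->flags &= ~(PF_MEMALLOC | PF_SWAPWRITE | PF_KSWAPD);
    	lockdep_clear_current_reclaim_state();	/* assumed helper name */
    }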
Signed-off-by: Johannes Weiner Reported-by: Gu Zheng Cc: Yasuaki Ishimatsu Cc: Tang Chen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit ebbc3be9379379d54253786aac627a492de3c7f7 Author: Kees Cook Date: Thu Apr 17 13:22:09 2014 -0700 HID: core: fix validation of report id 0 commit 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 upstream. Some drivers use the first HID report in the list instead of using an index. In these cases, validation uses ID 0, which was supposed to mean "first known report". This fixes the problem, which was causing at least the lgff family of devices to stop working since hid_validate_values was being called with ID 0, but the devices used single numbered IDs for their reports: 0x05, 0x01, /* Usage Page (Desktop), */ 0x09, 0x05, /* Usage (Gamepad), */ 0xA1, 0x01, /* Collection (Application), */ 0xA1, 0x02, /* Collection (Logical), */ 0x85, 0x01, /* Report ID (1), */ ... Reported-by: Simon Wood Signed-off-by: Kees Cook Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 6e74114b58ad6f474bb591547ab7d766488251a2 Author: Hugh Dickins Date: Wed Jun 4 16:05:33 2014 -0700 mm: fix sleeping function warning from __put_anon_vma commit 7f39dda9d86fb4f4f17af0de170decf125726f8c upstream. Trinity reports BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:47 in_atomic(): 0, irqs_disabled(): 0, pid: 5787, name: trinity-c27 __might_sleep < down_write < __put_anon_vma < page_get_anon_vma < migrate_pages < compact_zone < compact_zone_order < try_to_compact_pages .. Right, since conversion to mutex then rwsem, we should not put_anon_vma() from inside an rcu_read_lock()ed section: fix the two places that did so. And add might_sleep() to anon_vma_free(), as suggested by Peter Zijlstra. Fixes: 88c22088bf23 ("mm: optimize page_lock_anon_vma() fast-path") Reported-by: Dave Jones Signed-off-by: Hugh Dickins Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 79035696ef6d567b6431e446cdaa01b7951f76b2 Author: Naoya Horiguchi Date: Wed Jun 4 16:11:02 2014 -0700 mm/memory-failure.c: support use of a dedicated thread to handle SIGBUS(BUS_MCEERR_AO) commit 3ba08129e38437561df44c36b7ea9081185d5333 upstream. Currently memory error handler handles action optional errors in the deferred manner by default. And if a recovery aware application wants to handle it immediately, it can do it by setting PF_MCE_EARLY flag. However, such signal can be sent only to the main thread, so it's problematic if the application wants to have a dedicated thread to handler such signals. So this patch adds dedicated thread support to memory error handler. We have PF_MCE_EARLY flags for each thread separately, so with this patch AO signal is sent to the thread with PF_MCE_EARLY flag set, not the main thread. If you want to implement a dedicated thread, you call prctl() to set PF_MCE_EARLY on the thread. Memory error handler collects processes to be killed, so this patch lets it check PF_MCE_EARLY flag on each thread in the collecting routines. No behavioral change for all non-early kill cases. Tony said: : The old behavior was crazy - someone with a multithreaded process might : well expect that if they call prctl(PF_MCE_EARLY) in just one thread, then : that thread would see the SIGBUS with si_code = BUS_MCEERR_A0 - even if : that thread wasn't the main thread for the process. 
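On the userspace side, a recovery-aware application can opt a dedicated thread into early BUS_MCEERR_AO delivery with prctl(PR_MCE_KILL); a minimal self-contained sketch (thread and handler names are ours):

    #define _GNU_SOURCE
    #include <pthread.h>
    #include <signal.h>
    #include <string.h>
    #include <sys/prctl.h>
    #include <unistd.h>

    #ifndef BUS_MCEERR_AO
    #define BUS_MCEERR_AO 5		/* kernel value, for older libc headers */
    #endif

    /* SIGBUS handler: report action-optional (AO) memory errors. */
    static void mce_sigbus(int sig, siginfo_t *si, void *ctx)
    {
    	if (si->si_code == BUS_MCEERR_AO)
    		write(2, "AO memory error reported\n", 25);
    }

    /* Dedicated handler thread: only this thread asks for early AO signals. */
    static void *mce_thread(void *arg)
    {
    	struct sigaction sa;

    	memset(&sa, 0, sizeof(sa));
    	sa.sa_sigaction = mce_sigbus;
    	sa.sa_flags = SA_SIGINFO;
    	sigemptyset(&sa.sa_mask);
    	sigaction(SIGBUS, &sa, NULL);

    	/* per-thread early-kill policy, as described in the commit above */
    	prctl(PR_MCE_KILL, PR_MCE_KILL_SET, PR_MCE_KILL_EARLY, 0, 0);
    	for (;;)
    		pause();
    	return NULL;
    }

    int main(void)
    {
    	pthread_t tid;

    	pthread_create(&tid, NULL, mce_thread, NULL);
    	pthread_join(tid, NULL);	/* never returns in this sketch */
    	return 0;
    }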
[akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Naoya Horiguchi Reviewed-by: Tony Luck Cc: Kamil Iskra Cc: Andi Kleen Cc: Borislav Petkov Cc: Chen Gong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit dc06ecd40ab0c87219cbda2ea8e0574442c7fd22 Author: Tony Luck Date: Wed Jun 4 16:11:01 2014 -0700 mm/memory-failure.c: don't let collect_procs() skip over processes for MF_ACTION_REQUIRED commit 74614de17db6fb472370c426d4f934d8d616edf2 upstream. When Linux sees an "action optional" machine check (where h/w has reported an error that is not in the current execution path) we generally do not want to signal a process, since most processes do not have a SIGBUS handler - we'd just prematurely terminate the process for a problem that they might never actually see. task_early_kill() decides whether to consider a process - and it checks whether this specific process has been marked for early signals with "prctl", or if the system administrator has requested early signals for all processes using /proc/sys/vm/memory_failure_early_kill. But for MF_ACTION_REQUIRED case we must not defer. The error is in the execution path of the current thread so we must send the SIGBUS immediatley. Fix by passing a flag argument through collect_procs*() to task_early_kill() so it knows whether we can defer or must take action. Signed-off-by: Tony Luck Signed-off-by: Naoya Horiguchi Cc: Andi Kleen Cc: Borislav Petkov Cc: Chen Gong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit da0cf80ab3b471bc1135b28974b0c232b65e7c81 Author: Tony Luck Date: Wed Jun 4 16:10:59 2014 -0700 mm/memory-failure.c-failure: send right signal code to correct thread commit a70ffcac741d31a406c1d2b832ae43d658e7e1cf upstream. When a thread in a multi-threaded application hits a machine check because of an uncorrectable error in memory - we want to send the SIGBUS with si.si_code = BUS_MCEERR_AR to that thread. Currently we fail to do that if the active thread is not the primary thread in the process. collect_procs() just finds primary threads and this test: if ((flags & MF_ACTION_REQUIRED) && t == current) { will see that the thread we found isn't the current thread and so send a si.si_code = BUS_MCEERR_AO to the primary (and nothing to the active thread at this time). We can fix this by checking whether "current" shares the same mm with the process that collect_procs() said owned the page. If so, we send the SIGBUS to current (with code BUS_MCEERR_AR). Signed-off-by: Tony Luck Signed-off-by: Naoya Horiguchi Reported-by: Otto Bruggeman Cc: Andi Kleen Cc: Borislav Petkov Cc: Chen Gong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 4d6dd826592bc985202d47307f5a0560412f8613 Author: Mel Gorman Date: Wed Jun 4 16:10:16 2014 -0700 mm: page_alloc: use word-based accesses for get/set pageblock bitmaps commit e58469bafd0524e848c3733bc3918d854595e20f upstream. The test_bit operations in get/set pageblock flags are expensive. This patch reads the bitmap on a word basis and use shifts and masks to isolate the bits of interest. Similarly masks are used to set a local copy of the bitmap and then use cmpxchg to update the bitmap if there have been no other changes made in parallel. In a test running dd onto tmpfs the overhead of the pageblock-related functions went from 1.27% in profiles to 0.5%. 
In addition to the performance benefits, this patch closes races that are possible between: a) get_ and set_pageblock_migratetype(), where get_pageblock_migratetype() reads part of the bits before and the other part of the bits after set_pageblock_migratetype() has updated them. b) set_pageblock_migratetype() and set_pageblock_skip(), where the non-atomic read-modify-update set bit operation in set_pageblock_skip() will cause lost updates to some bits changed in set_pageblock_migratetype(). Joonsoo Kim first reported case a) via code inspection. Vlastimil Babka's testing with a debug patch showed that either a) or b) occurs roughly once per mmtests' stress-highalloc benchmark (although not necessarily in the same pageblock). Furthermore, during development of unrelated compaction patches, it was observed that with frequent calls to {start,undo}_isolate_page_range() the race occurs several thousand times and has resulted in NULL pointer dereferences in move_freepages() and free_one_page() in places where free_list[migratetype] is manipulated by e.g. list_move(). Further debugging confirmed that migratetype had an invalid value of 6, causing an out-of-bounds access to the free_list array. That confirmed that the race exists, although it may be extremely rare, and is currently only fatal where page isolation is performed due to memory hot remove. Races on pageblocks being updated by set_pageblock_migratetype(), where both the old and new migratetype are lower than MIGRATE_RESERVE, currently cannot result in an invalid value being observed, although theoretically they may still lead to unexpected creation or destruction of MIGRATE_RESERVE pageblocks. Furthermore, things could get suddenly worse when memory isolation is used more, or when new migratetypes are added. After this patch, the race has no longer been observed in testing. Signed-off-by: Mel Gorman Acked-by: Vlastimil Babka Reported-by: Joonsoo Kim Reported-and-tested-by: Vlastimil Babka Cc: Johannes Weiner Cc: Jan Kara Cc: Michal Hocko Cc: Hugh Dickins Cc: Dave Hansen Cc: Theodore Ts'o Cc: "Paul E. McKenney" Cc: Oleg Nesterov Cc: Rik van Riel Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit c4c34dd67a3588a00713407f797468c02454ca5b Author: Mel Gorman Date: Wed Jun 4 16:07:35 2014 -0700 mm: vmscan: do not throttle based on pfmemalloc reserves if node has no ZONE_NORMAL commit 675becce15f320337499bc1a9356260409a5ba29 upstream. throttle_direct_reclaim() is meant to trigger during swap-over-network, during which the min watermark is treated as a pfmemalloc reserve. It throttles on the first node in the zonelist, but this is flawed. The user-visible impact is that a process running on a CPU whose local memory node has no ZONE_NORMAL will stall for prolonged periods of time, possibly indefinitely. This is due to throttle_direct_reclaim thinking the pfmemalloc reserves are depleted when in fact they don't exist on that node. On a NUMA machine running a 32-bit kernel (I know) allocation requests from CPUs on node 1 would detect no pfmemalloc reserves and the process gets throttled. This patch adjusts throttling of direct reclaim to throttle based on the first node in the zonelist that has a usable ZONE_NORMAL or lower zone.
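A schematic kernel-style sketch of the zonelist scan described above (illustrative only, not the actual vmscan patch; the helper name is invented):

    #include <linux/mmzone.h>

    /*
     * Illustration of the idea above, not the actual change: pick the pgdat
     * of the first populated zone at or below ZONE_NORMAL, so throttling
     * consults a node that actually has pfmemalloc reserves.
     */
    static pg_data_t *first_throttle_pgdat(struct zonelist *zonelist)
    {
    	struct zoneref *z;
    	struct zone *zone;

    	for_each_zone_zonelist(zone, z, zonelist, ZONE_NORMAL) {
    		if (!populated_zone(zone))
    			continue;
    		return zone->zone_pgdat;	/* first usable candidate */
    	}

    	return NULL;	/* no such zone: caller should not throttle here */
    }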
[akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 79e24e2ea96ce5e7c3aa2865d7ff0887f6f53daf Author: Naoya Horiguchi Date: Wed Jun 4 16:05:35 2014 -0700 hugetlb: restrict hugepage_migration_support() to x86_64 commit c177c81e09e517bbf75b67762cdab1b83aba6976 upstream. Currently hugepage migration is available for all archs which support pmd-level hugepage, but testing is done only for x86_64 and there're bugs for other archs. So to avoid breaking such archs, this patch limits the availability strictly to x86_64 until developers of other archs get interested in enabling this feature. Simply disabling hugepage migration on non-x86_64 archs is not enough to fix the reported problem where sys_move_pages() hits the BUG_ON() in follow_page(FOLL_GET), so let's fix this by checking if hugepage migration is supported in vma_migratable(). Signed-off-by: Naoya Horiguchi Reported-by: Michael Ellerman Tested-by: Michael Ellerman Acked-by: Hugh Dickins Cc: Benjamin Herrenschmidt Cc: Tony Luck Cc: Russell King Cc: Martin Schwidefsky Cc: James Hogan Cc: Ralf Baechle Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit c676dde148d99a11da12cc054374e166aaa65e52 Author: Johan Hovold Date: Mon May 26 19:23:10 2014 +0200 USB: option: fix runtime PM handling commit acf47d4f9c39b1cba467aa9442fc2efe0b1da741 upstream. Fix potential I/O while runtime suspended due to missing PM operations in send_setup. Fixes: 383cedc3bb43 ("USB: serial: full autosuspend support for the option driver") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 42103716d97b290a445046e7407849c5ae8da66c Author: Alan Stern Date: Tue Jun 3 11:00:27 2014 -0400 USB: EHCI: avoid BIOS handover on the HASEE E200 commit b0a50e92bda3c4aeb8017d4e6c6e92146ebd5c9b upstream. Leandro Liptak reports that his HASEE E200 computer hangs when we ask the BIOS to hand over control of the EHCI host controller. This definitely sounds like a bug in the BIOS, but at the moment there is no way to fix it. This patch works around the problem by avoiding the handoff whenever the motherboard and BIOS version match those of Leandro's computer. Signed-off-by: Alan Stern Reported-by: Leandro Liptak Tested-by: Leandro Liptak Signed-off-by: Jiri Slaby commit 01a0cb5e65b43abf92ba92a1fbeebe0769265c91 Author: Paul Bolle Date: Fri May 16 12:00:57 2014 +0200 ARM: OMAP: replace checks for CONFIG_USB_GADGET_OMAP commit 77c2f02edbeda9409a7cf3fd66233015820c213a upstream. Commit 193ab2a60700 ("usb: gadget: allow multiple gadgets to be built") apparently required that checks for CONFIG_USB_GADGET_OMAP would be replaced with checks for CONFIG_USB_OMAP. Do so now for the remaining checks for CONFIG_USB_GADGET_OMAP, even though these checks have basically been broken since v3.1. And, since we're touching this code, use the IS_ENABLED() macro, so things will now (hopefully) also work if USB_OMAP is modular. Fixes: 193ab2a60700 ("usb: gadget: allow multiple gadgets to be built") Signed-off-by: Paul Bolle Signed-off-by: Tony Lindgren Signed-off-by: Jiri Slaby commit f32574c5f44b492f13adb821d174e73d16b01432 Author: Felipe Balbi Date: Wed Apr 16 10:30:33 2014 -0500 usb: dwc3: gadget: clear stall when disabling endpoint commit 687ef9817df7ed960d14575b9033dde3d04631fe upstream. 
It seems the DWC3 IP doesn't clear stalls automatically when we disable an endpoint; because of that, we _must_ make sure stalls are cleared before clearing the proper bit in the DALEPENA register. Reported-by: Johannes Stezenbach Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 4f63298bf686f8357176aedd2a8fd913b81ebe70 Author: Paul Bolle Date: Mon May 26 23:37:09 2014 +0200 usb: gadget: rename CONFIG_USB_GADGET_PXA25X commit d30f2065d6da377cc76771aca5a9850cfca8723b upstream. Commit 193ab2a60700 ("usb: gadget: allow multiple gadgets to be built") basically renamed the Kconfig symbol USB_GADGET_PXA25X to USB_PXA25X. It did not rename the related macros in use at that time. Commit c0a39151a405 ("ARM: pxa: fix inconsistent CONFIG_USB_PXA27X") did so for all but one macro. Rename that last macro too now. Fixes: 193ab2a60700 ("usb: gadget: allow multiple gadgets to be built") Signed-off-by: Paul Bolle Signed-off-by: Jiri Slaby commit c0c1bcdd4ae9d9ca0adfdeeee719f6cacb8320fc Author: Alan Stern Date: Tue Jun 3 11:11:34 2014 -0400 USB: usbtest: add a timeout for scatter-gather tests commit 32b36eeae6a859670d2939a7d6136cb5e9ed64f8 upstream. In usbtest, tests 5 - 8 use the scatter-gather library in usbcore without any sort of timeout. If there's a problem in the gadget or host controller being tested, the test can hang. This patch adds a 10-second timeout to the tests, so that they will fail gracefully with an ETIMEDOUT error instead of hanging. Signed-off-by: Alan Stern Reported-by: Huang Rui Tested-by: Huang Rui Signed-off-by: Jiri Slaby commit cdd3452f62b54413bd4d68e44bac2bfa81adaa12 Author: Huang Rui Date: Mon May 26 10:55:36 2014 +0800 usb: usbtest: fix unlink write error with pattern 1 commit e4d58f5dcb7d7be45df8def31881ebfae99c75da upstream. TEST 12 and TEST 24 unlink the URB write request N times. When host and gadget both initialize the pattern 1 (mod 63) data series for the transfer, the gadget side complains about unexpected wrong data. This is because on the host side usbtest doesn't fill the data buffer with the mod 63 pattern; this patch fixes that.
[20285.488974] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.489181] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active [20285.489423] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb50800 length 512 last [20285.489727] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000 [20285.490055] dwc3 dwc3.0.auto: Command Complete --> 0 [20285.490281] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.490492] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Active [20285.490713] dwc3 dwc3.0.auto: ep1out-bulk: endpoint busy [20285.490909] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Complete [20285.491117] dwc3 dwc3.0.auto: request ffff8800aa6cb480 from ep1out-bulk completed 512/512 ===> 0 [20285.491431] zero gadget: bad OUT byte, buf[1] = 0 [20285.491605] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Set Stall' params 00000000 00000000 00000000 [20285.491915] dwc3 dwc3.0.auto: Command Complete --> 0 [20285.492099] dwc3 dwc3.0.auto: queing request ffff8800aa6cb480 to ep1out-bulk length 512 [20285.492387] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.492595] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active [20285.492830] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb51000 length 512 last [20285.493135] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000 [20285.493465] dwc3 dwc3.0.auto: Command Complete --> 0 Signed-off-by: Huang Rui Signed-off-by: Jiri Slaby commit 5289d91feb0e3ffd287979abb7e5b7e02a14f752 Author: Dan Carpenter Date: Fri May 9 14:59:16 2014 +0300 applicom: dereferencing NULL on error path commit 8bab797c6e5724a43b7666ad70860712365cdb71 upstream. This is a static checker fix. The "dev" variable is always NULL after the while statement so we would be dereferencing a NULL pointer here. Fixes: 819a3eba4233 ('[PATCH] applicom: fix error handling') Signed-off-by: Dan Carpenter Signed-off-by: Jiri Slaby commit 6493b82225f7b2a92ef8b8386687ba8e78cd7407 Author: Dan Carpenter Date: Mon Apr 7 09:31:21 2014 +0300 Staging: rtl8188eu: overflow in update_sta_support_rate() commit 9dbd79aeb9842144d9a114a979a12c0949ee11eb upstream. The ->SupportedRates[] array has NDIS_802_11_LENGTH_RATES_EX (16) elements. Since "ie_len" comes from then network and can go up to 255 then it means we should add a range check to prevent memory corruption. Fixes: d6846af679e0 ('staging: r8188eu: Add files for new driver - part 7') Signed-off-by: Dan Carpenter Signed-off-by: Jiri Slaby commit 352fb7edefaedab8045465fa8c8bfa69f7c0c273 Author: Paul Bolle Date: Mon May 26 21:47:11 2014 +0200 staging: tidspbridge: check for CONFIG_SND_OMAP_SOC_MCBSP commit d3921a03a89acb1b9ca599590c0131c89f8737d8 upstream. Commit d0f47ff17f29 ("ASoC: OMAP: Build config cleanup for McBSP") removed the Kconfig symbol OMAP_MCBSP. It left two checks for CONFIG_OMAP_MCBSP untouched. Convert these to checks for CONFIG_SND_OMAP_SOC_MCBSP. That must be correct, since that re-enables calls to functions that are all found in sound/soc/omap/mcbsp.c. And that file is built only if CONFIG_SND_OMAP_SOC_MCBSP is defined. Fixes: d0f47ff17f29 ("ASoC: OMAP: Build config cleanup for McBSP") Signed-off-by: Paul Bolle Signed-off-by: Jiri Slaby commit 797dd869d16bfc1b258ab041192d0883a1747377 Author: Krzysztof Kozlowski Date: Wed Apr 9 15:20:12 2014 +0200 extcon: max77693: Fix two NULL pointer exceptions on missing pdata commit d5653f2b7304f05eeb45d84f123cf02f840b8537 upstream. Fix NULL pointer exceptions when platform data is not supplied. 
Trace of one exception: Unable to handle kernel NULL pointer dereference at virtual address 00000008 pgd = c0004000 [00000008] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT SMP ARM Modules linked in: CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.14.0-12045-gead5dd4687a6-dirty #1628 task: eea80000 ti: eea88000 task.ti: eea88000 PC is at max77693_muic_probe+0x27c/0x528 LR is at regmap_write+0x50/0x60 pc : [] lr : [] psr: 20000113 sp : eea89e38 ip : 00000000 fp : c098a834 r10: ee1a5a10 r9 : 00000005 r8 : c098a83c r7 : 0000000a r6 : c098a774 r5 : 00000005 r4 : eeb006d0 r3 : c0697bd8 r2 : 00000000 r1 : 00000001 r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5387d Table: 4000404a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xeea88240) Stack: (0xeea89e38 to 0xeea8a000) 9e20: c08499fc eeb006d0 9e40: 00000000 00000000 c0915f98 00000001 00000000 ee1a5a10 c098a730 c09a88b8 9e60: 00000000 c098a730 c0915f98 00000000 00000000 c02d6aa0 c02d6a88 ee1a5a10 9e80: c0a712c8 c02d54e4 00001204 c0628b00 ee1a5a10 c098a730 ee1a5a44 00000000 9ea0: eea88000 c02d57b4 00000000 c098a730 c02d5728 c02d3a24 ee813e5c eeb9d534 9ec0: c098a730 ee22f700 c097c720 c02d4b14 c08174ec c098a730 00000006 c098a730 9ee0: 00000006 c092fd30 c09b8500 c02d5df8 00000000 c093cbb8 00000006 c0008928 9f00: 000000c3 ef7fc785 00000000 ef7fc794 00000000 c08af968 00000072 eea89f30 9f20: ef7fc85e c065f198 000000c3 c003e87c 00000003 00000000 c092fd3c 00000000 9f40: c08af618 c0826d58 00000006 00000006 c0956f58 c093cbb8 00000006 c092fd30 9f60: c09b8500 000000c3 c092fd3c c08e8510 00000000 c08e8bb0 00000006 00000006 9f80: c08e8510 c0c0c0c0 00000000 c0628fac 00000000 00000000 00000000 00000000 9fa0: 00000000 c0628fb4 00000000 c000f038 00000000 00000000 00000000 00000000 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0 [] (max77693_muic_probe) from [] (platform_drv_probe+0x18/0x48) [] (platform_drv_probe) from [] (driver_probe_device+0x140/0x384) [] (driver_probe_device) from [] (__driver_attach+0x8c/0x90) [] (__driver_attach) from [] (bus_for_each_dev+0x54/0x88) [] (bus_for_each_dev) from [] (bus_add_driver+0xe8/0x204) [] (bus_add_driver) from [] (driver_register+0x78/0xf4) [] (driver_register) from [] (do_one_initcall+0xc4/0x174) [] (do_one_initcall) from [] (kernel_init_freeable+0xfc/0x1c8) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xec) [] (kernel_init) from [] (ret_from_fork+0x14/0x3c) Code: caffffe7 e59d200c e3550001 b3a05001 (e5923008) ---[ end trace 85db969ce011bde7 ]--- Signed-off-by: Krzysztof Kozlowski Fixes: 190d7cfc8632 Signed-off-by: Chanwoo Choi Signed-off-by: Jiri Slaby commit 7f75e8ac57444fa79191fbd108b82b383143e4ad Author: Krzysztof Kozlowski Date: Wed Apr 9 15:20:14 2014 +0200 extcon: max8997: Fix NULL pointer exception on missing pdata commit dfee4111febf3d9ef3a640b2cd6205c75f4e7e3d upstream. Fix NULL pointer exception when platform data is not supplied. The driver dereferenced pdata pointer where it could be NULL. Signed-off-by: Krzysztof Kozlowski Fixes: 810d601f07c Signed-off-by: Chanwoo Choi Signed-off-by: Jiri Slaby commit 1485b05f2a2ff688d94e5e0196133c020efa861e Author: Johan Hovold Date: Thu May 8 10:09:23 2014 +0200 net: cpsw: fix null dereference at probe commit 6954cc1f238199e971ec905c5cc87120806ac981 upstream. Fix null-pointer dereference at probe when the mdio platform device is missing (e.g. when it has been disabled in DT). 
Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 4c9b5ae9bc67a79ec13a9ea29a0e020cd6cd0855 Author: Ursula Braun Date: Tue May 13 14:38:02 2014 +0200 af_iucv: wrong mapping of sent and confirmed skbs commit f5738e2ef88070ef1372e6e718124d88e9abe4ac upstream. When sending data through IUCV a MESSAGE COMPLETE interrupt signals that sent data memory can be freed or reused again. With commit f9c41a62bba3f3f7ef3541b2a025e3371bcbba97 "af_iucv: fix recvmsg by replacing skb_pull() function" the MESSAGE COMPLETE callback iucv_callback_txdone() identifies the wrong skb as being confirmed, which leads to data corruption. This patch fixes the skb mapping logic in iucv_callback_txdone(). Signed-off-by: Ursula Braun Signed-off-by: Frank Blaschka Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit e98ee26dfbe339f4ee37add68e47ed6fa0603fd9 Author: Stephane Grosjean Date: Tue May 20 11:38:56 2014 +0200 can: peak_pci: prevent use after free at netdev removal commit 0b5a958cf4df3a5cd578b861471e62138f55c85e upstream. As remarked by Christopher R. Baker in his post at http://marc.info/?l=linux-can&m=139707295706465&w=2 there's a possibility of a use-after-free condition at device removal. This simplified patch introduces an additional variable to prevent the issue. Thanks for catching this. Reported-by: Christopher R. Baker Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: Jiri Slaby commit 22e7597be4cf5a51a710d63f62852afea8f2a5ff Author: Roger Quadros Date: Wed Dec 18 15:40:10 2013 +0530 usb: usbtest: Add timetout to simple_io() commit e5e4746510d140261918aecce2e5e3aa4456f7e9 upstream. Without a timeout some tests, e.g. test_halt(), can remain stuck forever. Signed-off-by: Roger Quadros Reviewed-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 9fc3a1a2fb2f0db62c8f02cc625d3ba492b72b0a Author: Aleksander Morgado Date: Thu May 29 13:33:27 2014 +0200 usb: qcserial: add additional Sierra Wireless QMI devices commit 0ce5fb58564fd85aa8fd2d24209900e2e845317b upstream. A set of new VID/PIDs retrieved from the out-of-tree GobiNet/GobiSerial Sierra Wireless drivers. Signed-off-by: Aleksander Morgado Link: http://marc.info/?l=linux-usb&m=140136310027293&w=2 Cc: # backport in link above Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 8ab45fc8b33aa4a54a6e4b3515b07343f7f5849f Author: Aleksander Morgado Date: Wed May 28 21:13:51 2014 +0200 usb: qcserial: add Netgear AirCard 341U commit ff1fcd50bc2459744e6f948310bc18eb7d6e8c72 upstream. Signed-off-by: Aleksander Morgado Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 040709a3059dcd5d89d5e9dc4c488ccf15c1aad7 Author: Bjørn Mork Date: Sun Apr 27 16:47:45 2014 +0200 usb: qcserial: define and use Sierra Wireless layout commit 8bc7a069402e1a443ded8088a8be0dc8aa1c2c9b upstream. All the "non Gobi" Qualcomm based devices handled by this driver share a common standard Sierra Wireless specific layout. Adding code specifically for this layout allows us to reduce the number of match entries per device from three to one. This change will result in a penalty wrt stable backports, but simplifies new Sierra device additions in the long term.
Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 6c81d4764aa48f9105480e52296239716c7e8176 Author: Bjørn Mork Date: Sun Apr 27 16:47:44 2014 +0200 usb: qcserial: refactor device layout selection commit d712ca91db6d5463ca5a9b06eb6ba937c59a15fa upstream. Preparing for more supported standard device layouts. Keeping the matching macros unchanged to avoid breaking stable backporting of new device additions. Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 6a026de6b5871c5c9c79175c4861d3075c9057d3 Author: Bjørn Mork Date: Sun Apr 27 16:47:43 2014 +0200 usb: qcserial: fix multiline comment coding style commit ce1b066136a30079c4e6e81e015ad9bc2180d46f upstream. Use a consistent style for all multiline comments. Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit bb65c27f3caff9ecf118fb3b365a5a5f927a9897 Author: Tomas Winkler Date: Mon Jun 30 11:43:50 2014 +0300 mei: me: fix hw ready reset flow commit b04ada92ffaabb868497a1fce8e4f6bf74e5488f upstream. We cleared H_RST in H_CSR on a spurious interrupt that is generated when ME_RDY is cleared, and not when ME_RDY is set. The spurious interrupt is not delivered on all platforms, in which case the driver may fail to initialize. Cc: stable@vger.kernel.org #3.12 Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit cd9c8ea182f89f0f5ef3e5591a1ff28cbd6e877b Author: Tomas Winkler Date: Mon Jun 30 11:43:49 2014 +0300 mei: me: read H_CSR after asserting reset commit c40765d919d25d2d44d99c4ce39e48808f137e1e upstream. According to the spec, the host should read H_CSR again after asserting reset (H_RST) to ensure that the reset was read by the firmware. Cc: stable@vger.kernel.org #3.12 Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit d5e54437bcb1d82210b7fd810d933c27d1d1fe4e Author: Quentin Casasnovas Date: Tue Mar 18 17:16:52 2014 +0100 drm/radeon: memory leak on bo reservation failure. v2 commit 74073c9dd29905645feb6dee03c144657a9844cd upstream. On bo reservation failure, we end up leaking fpriv. v2 (chk): rebased and added missing free on vm failure as well Fixes: 5e386b574cf7e1 ("drm/radeon: fix missing bo reservation") Cc: stable@vger.kernel.org Cc: Christian König Cc: Alex Deucher Signed-off-by: Quentin Casasnovas Signed-off-by: Christian König Signed-off-by: Jiri Slaby Conflicts: drivers/gpu/drm/radeon/radeon_kms.c commit c0994abad32816af80e7a32b37e1f2868d77a584 Author: Tom Gundersen Date: Mon Feb 3 11:14:13 2014 +1030 module: allow multiple calls to MODULE_DEVICE_TABLE() per module commit 21bdd17b21b45ea48e06e23918d681afbe0622e9 upstream. Commit 78551277e4df5: "Input: i8042 - add PNP modaliases" had a bug, where the second call to MODULE_DEVICE_TABLE() overrode the first, resulting in not all the modaliases being exposed. This fixes the problem by including the name of the device_id table in the __mod_*_device_table alias, allowing us to export several device_id tables per module.
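With that fix, a single module can export the modaliases of more than one device_id table; an illustrative skeleton in the spirit of the i8042 example (table names are placeholders):

    #include <linux/module.h>
    #include <linux/mod_devicetable.h>

    /* Illustrative only: two PNP id tables exported from one module. */
    static const struct pnp_device_id example_kbd_ids[] = {
    	{ .id = "PNP0303" },	/* PS/2 keyboard controller */
    	{ .id = "" },
    };
    MODULE_DEVICE_TABLE(pnp, example_kbd_ids);

    static const struct pnp_device_id example_aux_ids[] = {
    	{ .id = "PNP0F13" },	/* PS/2 mouse port */
    	{ .id = "" },
    };
    MODULE_DEVICE_TABLE(pnp, example_aux_ids);

    MODULE_LICENSE("GPL");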
Suggested-by: Kay Sievers Acked-by: Greg Kroah-Hartman Cc: Dmitry Torokhov Signed-off-by: Tom Gundersen Signed-off-by: Rusty Russell Signed-off-by: Jiri Slaby Conflicts: include/linux/module.h commit e93482952c7fb004c81224da37bca5a9089d85b2 Author: Aaron Lu Date: Fri Nov 15 14:39:12 2013 +0800 ACPI / video: clean up DMI table for initial black screen problem commit 545ef368e08fda654b6e63ce522c66339aa29156 upstream. With commit 2c62333a408f "ACPI / video: Quirk initial backlight level 0" we do not need to have the following systems in DMI table, so remove them. HP Pavilion m4, HP 1000 Notebook PC, HP Pavilion g6 Notebook PC, HP Pavilion dm4, Fujitsu E753, HP Folio 13-2000. With this change, the use_bios_initial_backlight module parameter is no longer needed and thus removed. Signed-off-by: Aaron Lu Tested-by: Alex Hung # for HP 1000 Notebook PC Tested-by: Gustavo Maciel Dias Vieira # for HP Pavilion dm4 Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby Conflicts: drivers/acpi/video.c commit a6f23e021eee3de3100cd93d065393cfd1e81d98 Author: Anton Blanchard Date: Tue Mar 25 10:47:01 2014 +1100 KVM: PPC: Book3S HV: Fix KVM hang with CONFIG_KVM_XICS=n commit 7505258c5fcb0a1cc3c76a47b4cf9506d21d10e6 upstream. I noticed KVM is broken when KVM in-kernel XICS emulation (CONFIG_KVM_XICS) is disabled. The problem was introduced in 48eaef05 (KVM: PPC: Book3S HV: use xics_wake_cpu only when defined). It used CONFIG_KVM_XICS to wrap xics_wake_cpu, where CONFIG_PPC_ICP_NATIVE should have been used. Signed-off-by: Anton Blanchard Cc: stable@vger.kernel.org Signed-off-by: Paul Mackerras Acked-by: Scott Wood Signed-off-by: Jiri Slaby commit f5e6162ab0f52373a61fd5376b1ca292815c5f9c Author: Anssi Hannula Date: Sun Nov 10 21:24:04 2013 +0200 ALSA: hda - hdmi: Use TFx channel positions instead of FxH commit 94908a39ce971f25c3695c334d88eec4d2837428 upstream. Channel map positions FLH, FCH, FRH duplicate positions TFL, TFC, TFR. Both are the speakers above the front speakers (CEA uses "high" and USB audio uses "top" nomenclature). Since the USB audio code has used the TFx positions since v3.8 (04324ccc75f96, "ALSA: usb-audio: add channel map support") but the HDMI code only just started using FxH in a5b7d510b2220cccb ("ALSA: hda - hdmi: Fix channel maps with less common speakers") which is not yet in any released kernel, standardize on TFx instead. Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:35 2014 +0200 ALSA: control: Make sure that id->index does not overflow commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 669982364299f6f22bea4324f0f7ee8f8a361b87 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:34 2014 +0200 ALSA: control: Handle numid overflow commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream. Each control gets automatically assigned its numids when the control is created. 
The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently, when this happens, for the control that caused the overflow kctl->id.numid + kctl->count will also overflow, causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that cannot happen, so we need to make sure that it won't happen. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 0bf595fd311aa4d6e82c43879f2c0d0650e83271 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:33 2014 +0200 ALSA: control: Don't access controls outside of protected regions commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream. A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit d8eaff7517ee11b2e7cbc158abbdf899b8351ed3 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:32 2014 +0200 ALSA: control: Fix replacing user controls commit 82262a46627bebb0febcc26664746c25cef08563 upstream. There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control, and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a use after free if, for example, a driver does not expect a control to be removed from under its feet. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit has been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added, effectively bypassing the user_ctl_count limit. Both issues can be fixed by using snd_ctl_remove_user_ctl() instead of open-coding the removal of the control that is to be replaced. This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at the beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit ed81e6b21790b717cda5f5bab2bdb07d2ce17ab1 Author: Lars-Peter Clausen Date: Wed Jun 18 13:32:31 2014 +0200 ALSA: control: Protect user controls against concurrent access commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream.
The user-control put and get handlers as well as the tlv handler do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically, it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially rather than in parallel, a single lock per card should be fine. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit e30265fbd72b4cacb6c02a2b00dabe86efd37dda Author: David Henningsson Date: Fri Jun 13 11:15:44 2014 +0200 ALSA: hda - Add quirk for external mic on Lifebook U904 commit 2041d56464a067461d7cc21734a0f024587ed2ff upstream. According to the bug reporter (Данило Шеган), the external mic starts to work and has proper jack detection if only pin 0x19 is marked properly as an external headset mic. AlsaInfo at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1328587/+attachment/4128991/+files/AlsaInfo.txt BugLink: https://bugs.launchpad.net/bugs/1328587 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 0842fb624afa1672f73e8fd7f502debb5ad83b8f Author: Kailang Yang Date: Thu Jun 5 11:13:44 2014 +0800 ALSA: hda/realtek - Add support of ALC891 codec commit b6c5fbad16aa5026f508093a8d651c25e1cb6179 upstream. New codec support for ALC891. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit f4f1bdfbf813db958373ea85439730cec1ce7afd Author: Wang, Xiaoming Date: Thu Jun 12 18:47:07 2014 -0400 ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform. commit 2bd0ae464a6cf7363bbf72c8545e0aa43caa57f0 upstream. Cancel the compiler optimization for struct snd_compr_avail, whose size will be 0x1c in a 32-bit kernel but 0x20 in a 64-bit kernel under the optimizer. That breaks compatibility between 32-bit and 64-bit. So add packed to fix the size of struct snd_compr_avail to 0x1c on all platforms. Signed-off-by: Zhang Dongxing Signed-off-by: xiaoming wang Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit f1bac1ba17822414d4031f840913b4ea27793ba8 Author: Greg Kroah-Hartman Date: Fri Jun 20 22:01:41 2014 -0700 lz4: ensure length does not wrap commit 206204a1162b995e2185275167b22468c00d6b36 upstream. Given some pathologically compressed data, lz4 could possibly decide to wrap a few internal variables, causing unknown things to happen. Catch this before the wrapping happens and abort the decompression. Reported-by: "Don A. Bailey" Signed-off-by: Jiri Slaby commit 83722ba4bdfa951767cb47ee8aad5fd44350066f Author: Greg Kroah-Hartman Date: Fri Jun 20 22:00:53 2014 -0700 lzo: properly check for overruns commit 206a81c18401c0cde6e579164f752c4b147324ce upstream. The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by: "Don A. Bailey" Tested-by: "Don A. Bailey" Signed-off-by: Jiri Slaby commit 2618b9baad38201a3e5e3d1b9c5263e0fef1a59e Author: Peter Meerwald Date: Tue May 6 09:53:00 2014 +0100 iio: Fix endianness issue in ak8975_read_axis() commit 8ba42fb7b17649c9ab5b5e79d4e90370a0b4645e upstream.
i2c_smbus_read_word_data() does host endian conversion already, no need for le16_to_cpu() Signed-off-by: Peter Meerwald Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit f65aa47d01d229191f79e6c5df56b359386aaf8a Author: Dan Carpenter Date: Thu Nov 6 09:13:00 2014 +0000 iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name() commit 4f3bcd878f1d3c730fe00f619b7260c6125d49eb upstream. at91_adc_get_trigger_value_by_name() was returning -ENOMEM truncated to a positive u8 and that doesn't work. I've changed it to int and refactored it to preserve the error code. Signed-off-by: Dan Carpenter Acked-by: Alexandre Belloni Tested-by: Alexandre Belloni Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 7ea3386ddad0272c94f0bbb6d21c86aa3d2ecb60 Author: Mario Schuknecht Date: Tue May 27 07:19:00 2014 +0100 staging: iio: tsl2x7x_core: fix proximity treshold commit c404618cd06dad771495fe1cf9d5a63b5664f65f upstream. Consider high byte of proximity min and max treshold in function 'tsl2x7x_chip_on'. So far, the high byte was not set. Signed-off-by: Mario Schuknecht Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit ed550318f08dd793259f2e6574a22788eb47b130 Author: Peter Ujfalusi Date: Fri May 30 16:47:41 2014 +0300 ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function commit e6c111fac4464e3f4bf7b3802b517dafc80f8e0f upstream. For some unknown reason the parameters for snd_soc_test_bits() were in wrong order: It was: snd_soc_test_bits(codec, val, mask, reg); /* WRONG!!! */ while it should be: snd_soc_test_bits(codec, reg, mask, val); Signed-off-by: Peter Ujfalusi Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 0fa09d2e27889cda6b952ac03a681d8b5b24a53e Author: Liam Girdwood Date: Fri May 16 16:55:20 2014 +0300 ASoC: max98090: Fix reset at resume time commit 25b4ab430f8e166c9b63f4db28e7e812d5a59396 upstream. Reset needs to wait 20ms before other codec IO is performed. This wait was not being performed. Fix this by making sure the reset register is not restored with the cache, but use the manual reset method in resume with the wait. Signed-off-by: Liam Girdwood Signed-off-by: Jarkko Nikula Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 347b9fed12a93b917f18437c5749929e42049c3a Author: K. Y. Srinivasan Date: Wed Apr 23 13:53:39 2014 -0700 Drivers: hv: balloon: Ensure pressure reports are posted regularly commit ae339336dc950b9b05e7ccd3565dd3e8781c06d9 upstream. The current code posts periodic memory pressure status from a dedicated thread. Under some conditions, especially when we are releasing a lot of memory into the guest, we may not send timely pressure reports back to the host. Fix this issue by reporting pressure in all contexts that can be active in this driver. Signed-off-by: K. Y. Srinivasan Signed-off-by: Jiri Slaby commit 26c05be0c07c54c685cf8a25aceba4426646c8a5 Author: Johan Hovold Date: Mon May 26 19:23:45 2014 +0200 USB: cdc-acm: fix runtime PM imbalance at shutdown commit 5292afa657d0e790b7479ad8eef9450c1e040b3d upstream. Make sure only to decrement the PM counters if they were actually incremented. Note that the USB PM counter, but not necessarily the driver core PM counter, is reset when the interface is unbound. 
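The rule above ("only drop a PM reference that was actually taken") can be sketched generically with the USB autopm API; this is not the cdc-acm code, and the busy flag is assumed bookkeeping:

    #include <linux/usb.h>

    /* Generic sketch: balance usb_autopm_get/put only on successful get. */
    static int example_start_io(struct usb_interface *intf, bool *busy)
    {
    	int ret = usb_autopm_get_interface(intf);

    	if (ret)
    		return ret;	/* counter was NOT incremented: do not put */

    	*busy = true;		/* remember that we hold a PM reference */
    	return 0;
    }

    static void example_stop_io(struct usb_interface *intf, bool *busy)
    {
    	if (*busy) {		/* balance only if example_start_io() succeeded */
    		usb_autopm_put_interface(intf);
    		*busy = false;
    	}
    }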
Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit ffc415d3245ad096b318ba521f91c0fb3c724b1a Author: Johan Hovold Date: Mon May 26 19:23:44 2014 +0200 USB: cdc-acm: fix I/O after failed open commit e4c36076c2a6195ec62c35b03c3fde84d0087dc8 upstream. Make sure to kill any already submitted read urbs on read-urb submission failures in open in order to prevent doing I/O for a closed port. Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 5d62cbeb37df5c67a8b5d42d30aa060eba6a2302 Author: Johan Hovold Date: Mon May 26 19:23:41 2014 +0200 USB: cdc-acm: fix potential urb leak and PM imbalance in write commit 183a45087d126d126e8dd1d9b2602fc129dff9ad upstream. Make sure to check return value of autopm get in write() in order to avoid urb leak and PM counter imbalance on errors. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 4ed88943c847357d10658a29c9ff2244a48df7a6 Author: Johan Hovold Date: Mon May 26 19:23:40 2014 +0200 USB: cdc-acm: fix shutdown and suspend race commit ed797074031a37bb9bf4a70952fffc606b77274d upstream. We should stop I/O unconditionally at suspend rather than rely on the tty-port initialised flag (which is set prior to stopping I/O during shutdown) in order to prevent suspend returning with URBs still active. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 4d9aa622d7149e6dcc5d8d07f67d754b598a0931 Author: Johan Hovold Date: Mon May 26 19:23:39 2014 +0200 USB: cdc-acm: fix runtime PM for control messages commit bae3f4c53585e9a170da9436e0f06919874bda9a upstream. Fix runtime PM handling of control messages by adding the required PM counter operations. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 870306cfccf0b0034b23cc6aa188c821f85d0354 Author: Johan Hovold Date: Mon May 26 19:23:38 2014 +0200 USB: cdc-acm: fix broken runtime suspend commit 140cb81ac8c625942a1d695875932c615767a526 upstream. The current ACM runtime-suspend implementation is broken in several ways: Firstly, it buffers only the first write request being made while suspended -- any further writes are silently dropped. Secondly, writes being dropped also leak write urbs, which are never reclaimed (until the device is unbound). Thirdly, even the single buffered write is not cleared at shutdown (which may happen before the device is resumed), something which can lead to another urb leak as well as a PM usage-counter leak. Fix this by implementing a delayed-write queue using urb anchors and making sure to discard the queue properly at shutdown. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Reported-by: Xiao Jin Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 529ce0fc0bae6fa9520f348d2d5bbc94bf1b2dec Author: Johan Hovold Date: Mon May 26 19:23:37 2014 +0200 USB: cdc-acm: fix write and resume race commit e144ed28bed10684f9aaec6325ed974d53f76110 upstream. Fix race between write() and resume() due to improper locking that could lead to writes being reordered. 
Resume must be done atomically and susp_count be protected by the write_lock in order to prevent racing with write(). This could otherwise lead to writes being reordered if write() grabs the write_lock after susp_count is decremented, but before the delayed urb is submitted. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 06c2f546fe195c3a0178a2ec4f5c0ebf2167a97c Author: Johan Hovold Date: Mon May 26 19:23:36 2014 +0200 USB: cdc-acm: fix write and suspend race commit 5a345c20c17d87099224a4be12e69e5bd7023dca upstream. Fix race between write() and suspend() which could lead to writes being dropped (or I/O while suspended) if the device is runtime suspended while a write request is being processed. Specifically, suspend() releases the write_lock after determining the device is idle but before incrementing the susp_count, thus leaving a window where a concurrent write() can submit an urb. Fixes: 11ea859d64b6 ("USB: additional power savings for cdc-acm devices that support remote wakeup") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 263be4bc1c278389b4bcdccd4e192983bb275f13 Author: James Hogan Date: Thu May 29 10:16:23 2014 +0100 MIPS: KVM: Allocate at least 16KB for exception handlers commit 7006e2dfda9adfa40251093604db76d7e44263b3 upstream. Each MIPS KVM guest has its own copy of the KVM exception vector. This contains the TLB refill exception handler at offset 0x000, the general exception handler at offset 0x180, and interrupt exception handlers at offset 0x200 in case Cause_IV=1. A common handler is copied to offset 0x2000 and offset 0x3000 is used for temporarily storing k1 during entry from guest. However the amount of memory allocated for this purpose is calculated as 0x200 rounded up to the next page boundary, which is insufficient if 4KB pages are in use. This can lead to the common handler at offset 0x2000 being overwritten and infinitely recursive exceptions on the next exit from the guest. Increase the minimum size from 0x200 to 0x4000 to cover the full use of the page. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Gleb Natapov Cc: kvm@vger.kernel.org Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: Sanjay Lal Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 331f2b02e8148e4a1263ca988363b5ea31875d18 Author: Paolo Bonzini Date: Wed May 14 17:40:58 2014 +0200 KVM: lapic: sync highest ISR to hardware apic on EOI commit fc57ac2c9ca8109ea97fcc594f4be436944230cc upstream. When Hyper-V enlightenments are in effect, Windows prefers to issue an Hyper-V MSR write to issue an EOI rather than an x2apic MSR write. The Hyper-V MSR write is not handled by the processor, and besides being slower, this also causes bugs with APIC virtualization. The reason is that on EOI the processor will modify the highest in-service interrupt (SVI) field of the VMCS, as explained in section 29.1.4 of the SDM; every other step in EOI virtualization is already done by apic_send_eoi or on VM entry, but this one is missing. We need to do the same, and be careful not to muck with the isr_count and highest_isr_cache fields that are unused when virtual interrupt delivery is enabled. Reviewed-by: Yang Zhang Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 7228e303b34f8ee8c7dec2c5f7c0988d3ff9aee0 Author: Guenter Roeck Date: Sun Sep 8 00:25:36 2013 -0700 mfd: sm501: dbg_regs attribute must be read-only commit 8a8320c2e78d1b619a8fa8eb5ae946b8691de604 upstream. 
Fix: sm501 sm501: SM501 At b3e00000: Version 050100a0, 8 Mb, IRQ 100 Attribute dbg_regs: write permission without 'store' ------------[ cut here ]------------ WARNING: at drivers/base/core.c:620 dbg_regs does not have a write function and must therefore be marked as read-only. Signed-off-by: Guenter Roeck Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 1c55a373b6325b5daa7734e45f5b142e45405b77 Author: Benjamin LaHaise Date: Tue Jun 24 13:12:55 2014 -0400 aio: fix aio request leak when events are reaped by userspace commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream. The aio cleanups and optimizations by kmo that were merged into the 3.10 tree added a regression for userspace event reaping. Specifically, the reference counts are not decremented if the event is reaped in userspace, leading to the application being unable to submit further aio requests. This patch applies to 3.12+. A separate backport is required for 3.10/3.11. This issue was uncovered as part of CVE-2014-0206. Signed-off-by: Benjamin LaHaise Cc: stable@vger.kernel.org Cc: Kent Overstreet Cc: Mateusz Guzik Cc: Petr Matousek Signed-off-by: Jiri Slaby commit bee3f7b8188d4b2a5dfaeb2eb4a68d99f67daecf Author: Benjamin LaHaise Date: Tue Jun 24 13:32:51 2014 -0400 aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream. A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to aio_read_events_ring() failed to correctly limit the index into ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of an arbitrary page with a copy_to_user() to copy the contents into userspace. This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and Petr for disclosing this issue. This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. Signed-off-by: Benjamin LaHaise Cc: Mateusz Guzik Cc: Petr Matousek Cc: Kent Overstreet Cc: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Jiri Slaby commit be31bc4b3764fb9c9ca99c7cf650d762f3c51a74 Author: James Hogan Date: Tue Dec 10 22:28:04 2013 +0000 serial: 8250_dw: Fix LCR workaround regression commit 6979f8d28049879e6147767d93ba6732c8bd94f4 upstream. Commit c49436b657d0 (serial: 8250_dw: Improve unwritable LCR workaround) caused a regression. It added a check that the LCR was written properly to detect and work around the busy quirk, but the behaviour of bit 5 (UART_LCR_SPAR) differs between IP versions 3.00a and 3.14c per the docs. On older versions this caused the check to fail and it would repeatedly force idle and rewrite the LCR register, causing delays and preventing any input from serial being received. This is fixed by masking out UART_LCR_SPAR before making the comparison. Signed-off-by: James Hogan Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: Tim Kryger Cc: Ezequiel Garcia Cc: Matt Porter Cc: Markus Mayer Tested-by: Tim Kryger Tested-by: Ezequiel Garcia Tested-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 2401577586898b3590db80f8b97a26f81f0f6d4e Author: Tim Kryger Date: Tue Oct 1 10:18:08 2013 -0700 serial: 8250_dw: Improve unwritable LCR workaround commit c49436b657d0a56a6ad90d14a7c3041add7cf64d upstream. When configured with UART_16550_COMPATIBLE=NO or in versions prior to the introduction of this option, the Designware UART will ignore writes to the LCR if the UART is busy.
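A minimal sketch of the check the 8250_dw regression fix above describes (write the LCR, read it back, and compare with UART_LCR_SPAR masked out), combined with the FIFO clearing that the reworked workaround explained next relies on; the retry loop and its bound are simplified and this is not the actual driver code:

#include <linux/serial_core.h>
#include <linux/serial_reg.h>

/* Illustrative only: try a bounded number of times to make the LCR stick. */
static void example_force_lcr(struct uart_port *p, unsigned int value)
{
        int tries;

        for (tries = 0; tries < 1000; tries++) {
                unsigned int lcr;

                serial_port_out(p, UART_LCR, value);
                lcr = serial_port_in(p, UART_LCR);

                /* Bit 5 (UART_LCR_SPAR) behaves differently across IP
                 * versions, so ignore it when checking the write stuck. */
                if ((lcr & ~UART_LCR_SPAR) == (value & ~UART_LCR_SPAR))
                        return;

                /* A busy UART ignored the write: clear the FIFOs and drain
                 * the receiver in the hope of forcing it idle, then retry. */
                serial_port_out(p, UART_FCR, UART_FCR_ENABLE_FIFO |
                                UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT);
                serial_port_in(p, UART_RX);
        }
}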
The current workaround saves a copy of the last written LCR and re-writes it in the ISR for a special interrupt that is raised when a write was ignored. Unfortunately, interrupts are typically disabled prior to performing a sequence of register writes that include the LCR so the point at which the retry occurs is too late. An example is serial8250_do_set_termios() where an ignored LCR write results in the baud divisor not being set and instead a garbage character is sent out the transmitter. Furthermore, since serial_port_out() offers no way to indicate failure, a serious effort must be made to ensure that the LCR is actually updated before returning to the caller. This is difficult, however, as a UART that was busy during the first attempt is likely to still be busy when a subsequent attempt is made unless some extra action is taken. This updated workaround reads back the LCR after each write to confirm that the new value was accepted by the hardware. Should the hardware ignore a write, the TX/RX FIFOs are cleared and the receive buffer read before attempting to rewrite the LCR in the hope that doing so will force the UART into an idle state. While this may seem unnecessarily aggressive, writes to the LCR are used to change the baud rate, parity, stop bit, or data length so the data that may be lost is likely not important. Admittedly, this is far from ideal but it seems to be the best that can be done given the hardware limitations. Lastly, the revised workaround doesn't touch the LCR in the ISR, so it avoids the possibility of a "serial8250: too much work for irq" lock up. This problem is rare in real situations but can be reproduced easily by wiring up two UARTs and running the following commands. # stty -F /dev/ttyS1 echo # stty -F /dev/ttyS2 echo # cat /dev/ttyS1 & [1] 375 # echo asdf > /dev/ttyS1 asdf [ 27.700000] serial8250: too much work for irq96 [ 27.700000] serial8250: too much work for irq96 [ 27.710000] serial8250: too much work for irq96 [ 27.710000] serial8250: too much work for irq96 [ 27.720000] serial8250: too much work for irq96 [ 27.720000] serial8250: too much work for irq96 [ 27.730000] serial8250: too much work for irq96 [ 27.730000] serial8250: too much work for irq96 [ 27.740000] serial8250: too much work for irq96 Signed-off-by: Tim Kryger Reviewed-by: Matt Porter Reviewed-by: Markus Mayer Reviewed-by: Heikki Krogerus Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby Conflicts: drivers/tty/serial/8250/8250_dw.c commit 7032d5fbbf1b08586e1463684d6c8f456889c293 Author: Naoya Horiguchi Date: Fri Jun 6 10:00:01 2014 -0400 mm: add !pte_present() check on existing hugetlb_entry callbacks commit d4c54919ed86302094c0ca7d48a8cbd4ee753e92 upstream. The page table walker doesn't check non-present hugetlb entries in the common path, so hugetlb_entry() callbacks must check it. The reason for this behavior is that some callers want to handle it in their own way. [ I think that reason is bogus, btw - it should just do what the regular code does, which is to call the "pte_hole()" function for such hugetlb entries - Linus] However, some callers don't check it now, which causes unpredictable results, for example when we have a race between migrating a hugepage and reading /proc/pid/numa_maps. This patch fixes it by adding !pte_present checks on the buggy callbacks. This bug has existed for years and became visible with the introduction of hugepage migration.
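The shape of the fix is an early bail-out in each affected hugetlb_entry() callback; a minimal sketch against the mm_walk callback signature of that era (the callback name is hypothetical):

#include <linux/mm.h>

static int example_hugetlb_entry(pte_t *pte, unsigned long hmask,
                                 unsigned long addr, unsigned long end,
                                 struct mm_walk *walk)
{
        /* The entry may be non-present, e.g. a hugepage under migration;
         * skip it instead of interpreting a non-present entry as valid. */
        if (!pte_present(*pte))
                return 0;

        /* ... inspect the present hugetlb entry as before ... */
        return 0;
}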
ChangeLog v2: - fix if condition (check !pte_present() instead of pte_present()) Reported-by: Sasha Levin Signed-off-by: Naoya Horiguchi Cc: Rik van Riel Cc: [3.12+] Signed-off-by: Andrew Morton [ Backported to 3.15. Signed-off-by: Josh Boyer ] Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 5b96c3796cd207060738ffe225fac7b096ceb11f Author: Jeff Layton Date: Thu Jun 5 09:45:00 2014 -0400 nfsd: don't halt scanning the DRC LRU list when there's an RC_INPROG entry commit 1b19453d1c6abcfa7c312ba6c9f11a277568fc94 upstream. Currently, the DRC cache pruner will stop scanning the list when it hits an entry that is RC_INPROG. It's possible however for a call to take a *very* long time. In that case, we don't want it to block other entries from being pruned if they are expired or we need to trim the cache to get back under the limit. Fix the DRC cache pruner to just ignore RC_INPROG entries. Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 04242f7d3df4851b2a4b5fa9c0f5ccfb29a95695 Author: Anatol Pomozov Date: Tue Apr 15 11:31:33 2014 -0700 aio: block io_destroy() until all context requests are completed commit e02ba72aabfade4c9cd6e3263e9b57bf890ad25c upstream. io_destroy() deletes the aio context and all resources related to it. It makes sense that no IO operations connected to the context should be running after the context is destroyed. As we have removed the io_context, we have no way to get the status of its requests or to call io_getevents(). The man page for io_destroy() says that this function may block until all the context's requests are completed. Before kernel 3.11, io_destroy() did indeed block, but since the aio refactoring in 3.11 that is no longer true. Here is pseudo-code that shows a testcase for the race condition discovered in 3.11:
initialize io_context
io_submit(read to buffer)
io_destroy()
// context is destroyed so we can free the resources
free(buffers);
// if the buffer is allocated by some other user he'll be surprised
// to learn that the buffer is still being filled by an outstanding operation
// from the destroyed io_context
The fix is straightforward: add a completion struct and wait on it in io_destroy(); complete() is called when the number of in-flight requests reaches zero. If two or more io_destroy() calls are made for the same context simultaneously, only the first one waits for IO completion; the behaviour of the other calls is undefined. Tested: ran the http://pastebin.com/LrPsQ4RL testcase for several hours and did not see the race condition anymore. Signed-off-by: Anatol Pomozov Signed-off-by: Benjamin LaHaise Signed-off-by: Jiri Slaby commit 0c9a0cfbedd847c645dd0bca572169a7385c2117 Author: Jeff Layton Date: Thu Dec 5 06:00:51 2013 -0500 nfsd: don't try to reuse an expired DRC entry off the list commit a0ef5e19684f0447da9ff0654a12019c484f57ca upstream. Currently when we are processing a request, we try to scrape an expired or over-limit entry off the list in preference to allocating a new one from the slab. This is unnecessarily complicated. Just use the slab layer. Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 9e6f2084969b7a8d7bbf102cf0c1c69dac44af2b Author: Zhichuang SUN Date: Wed May 21 14:13:30 2014 +0800 drivers/video/fbdev/fb-puv3.c: Add header files for function unifb_mmap commit fbc6c4a13bbfb420eedfdb26a0a859f9c07e8a7b upstream.
Function unifb_mmap calls functions which are defined in linux/mm.h and asm/pgtable.h. The related error (for unicore32 with unicore32_defconfig): CC drivers/video/fbdev/fb-puv3.o drivers/video/fbdev/fb-puv3.c: In function 'unifb_mmap': drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of function 'vm_iomap_memory' drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of function 'pgprot_noncached' Signed-off-by: Zhichuang Sun Cc: Jean-Christophe Plagniol-Villard Cc: Tomi Valkeinen Cc: Jingoo Han Cc: Daniel Vetter Cc: Joe Perches Cc: Laurent Pinchart Cc: linux-fbdev@vger.kernel.org Acked-by: Xuetao Guan Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit 976c2ec40c7fad5d4a0eadbbfb9c04c00dc8d1fc Author: Chen Gang Date: Mon Mar 24 20:17:44 2014 +0800 arch/unicore32/mm/alignment.c: include "asm/pgtable.h" to avoid compiling error commit 1ff38c56cbd095c4c0dfa581a859ba3557830f78 upstream. We need to include "asm/pgtable.h" to pull in "asm-generic/pgtable-nopmd.h", so that 'pmd_t' is defined. The related error with allmodconfig: CC arch/unicore32/mm/alignment.o In file included from arch/unicore32/mm/alignment.c:24: arch/unicore32/include/asm/tlbflush.h:135: error: expected ')' before '*' token arch/unicore32/include/asm/tlbflush.h:154: error: expected ')' before '*' token In file included from arch/unicore32/mm/alignment.c:27: arch/unicore32/mm/mm.h:15: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token arch/unicore32/mm/mm.h:20: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token arch/unicore32/mm/mm.h:25: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token make[1]: *** [arch/unicore32/mm/alignment.o] Error 1 make: *** [arch/unicore32/mm] Error 2 Signed-off-by: Chen Gang Acked-by: Xuetao Guan Signed-off-by: Xuetao Guan Signed-off-by: Jiri Slaby commit fc597a301fb2947af29ce67c12a419c39f044975 Author: Goldwyn Rodrigues Date: Thu Apr 3 14:46:59 2014 -0700 ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock commit 8ed6b23709b346f7bfc1edab47003a205a6a9f69 upstream. The following patches are reverted in this patch because they caused a performance regression in remote unlink() calls: ea455f8ab683 - ocfs2: Push out dropping of dentry lock to ocfs2_wq f7b1aa69be13 - ocfs2: Fix deadlock on umount 5fd131893793 - ocfs2: Don't oops in ocfs2_kill_sb on a failed mount Previous patches in this series removed the possible deadlocks from the downconvert thread, so the above patches shouldn't be needed anymore. The regression is caused because these patches delay the iput() in the case of dentry unlocks. This also delays the unlocking of the open lockres. The open lock resource is required to test whether the inode can be wiped from disk or not. When the deleting node does not get the open lock, it marks the inode as an orphan (even though it is not in use by another node/process) and causes a journal checkpoint. This delays operations following the inode eviction. This also leaves the inode orphaned, which further causes more I/O and a lot of unnecessary orphans.
The following script can be used to generate the load causing issues:

declare -a create
declare -a remove
declare -a iterations=(1 2 4 8 16 32 64 128 256 512 1024 2048 4096 8192 16384)
unique="`mktemp -u XXXXX`"
script="/tmp/idontknow-${unique}.sh"
cat <<EOF > "${script}"
for n in {1..8}; do
  mkdir -p test/dir\${n}
  eval touch test/dir\${n}/foo{1.."\$1"}
done
EOF
chmod 700 "${script}"
function fcreate () {
  exec 2>&1 /usr/bin/time --format=%E "${script}" "$1"
}
function fremove () {
  exec 2>&1 /usr/bin/time --format=%E ssh node2 "cd `pwd`; rm -Rf test*"
}
function fcp () {
  exec 2>&1 /usr/bin/time --format=%E ssh node3 "cd `pwd`; cp -R test test.new"
}
echo -------------------------------------------------
echo "| # files | create #s | copy #s | remove #s |"
echo -------------------------------------------------
for ((x=0; x < ${#iterations[*]} ; x++))
do
  create[$x]="`fcreate ${iterations[$x]}`"
  copy[$x]="`fcp ${iterations[$x]}`"
  remove[$x]="`fremove`"
  printf "| %8d | %9s | %9s | %9s |\n" ${iterations[$x]} ${create[$x]} ${copy[$x]} ${remove[$x]}
done
rm "${script}"
echo "------------------------"

Signed-off-by: Srinivas Eeda Signed-off-by: Goldwyn Rodrigues Signed-off-by: Jan Kara Reviewed-by: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 8f265718385a7aa2d396a5d8ac614cb80ff7d9a1 Author: Jan Kara Date: Thu Apr 3 14:46:57 2014 -0700 ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread commit 84d86f83f9d0e8431a3c9eae4c47e9d7ff49a411 upstream. If we are dropping the last inode reference from the downconvert thread, we will end up calling ocfs2_mark_lockres_freeing(), which can block if the lock we are freeing is queued, thus creating an A-A deadlock. Luckily, since we are the downconvert thread, we can immediately dequeue the lock and thus avoid waiting in this case. Signed-off-by: Jan Kara Reviewed-by: Mark Fasheh Reviewed-by: Srinivas Eeda Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit cac99bee6f388bfd0aebd2f07d941326a0b4dd0e Author: Jan Kara Date: Thu Apr 3 14:46:56 2014 -0700 ocfs2: implement delayed dropping of last dquot reference commit e3a767b60fd8a9f5e133f42f4970cff77ec43173 upstream. We cannot drop the last dquot reference from the downconvert thread as that creates the following deadlock: NODE 1 NODE2 holds dentry lock for 'foo' holds inode lock for GLOBAL_BITMAP_SYSTEM_INODE dquot_initialize(bar) ocfs2_dquot_acquire() ocfs2_inode_lock(USER_QUOTA_SYSTEM_INODE) ... downconvert thread (triggered from another node or a different process from NODE2) ocfs2_dentry_post_unlock() ... iput(foo) ocfs2_evict_inode(foo) ocfs2_clear_inode(foo) dquot_drop(inode) ... ocfs2_dquot_release() ocfs2_inode_lock(USER_QUOTA_SYSTEM_INODE) - blocks finds we need more space in quota file ... ocfs2_extend_no_holes() ocfs2_inode_lock(GLOBAL_BITMAP_SYSTEM_INODE) - deadlocks waiting for downconvert thread We solve the problem by postponing the dropping of the last dquot reference to a workqueue if it happens from the downconvert thread. Signed-off-by: Jan Kara Reviewed-by: Mark Fasheh Reviewed-by: Srinivas Eeda Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit b5258061a2a8f657aa5900dd3c1ded9e868e3544 Author: Jan Kara Date: Thu Apr 3 14:46:55 2014 -0700 quota: provide function to grab quota structure reference commit 9f985cb6c45bc3f8b7e161c9658d409d051d576f upstream.
Provide a dqgrab() function to get a quota structure reference when we are sure it already has at least one active reference. Make use of this function inside the quota code. Signed-off-by: Jan Kara Reviewed-by: Mark Fasheh Reviewed-by: Srinivas Eeda Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 2eb0658fb6525f85a6386e1b7cc8bd7066ed1281 Author: Jan Kara Date: Thu Apr 3 14:46:54 2014 -0700 ocfs2: move dquot_initialize() in ocfs2_delete_inode() somewhat later commit bd62ad7aebd8e8895bb7649ace948040332f27d3 upstream. Move the dquot_initialize() call in ocfs2_delete_inode() to after the moment we verify the inode is actually a sane one to delete. We certainly don't want to initialize quota for system inodes etc. This also avoids calling into the quota code from the downconvert thread. Add more details to the comment explaining why bailing out from ocfs2_delete_inode() when we are in the downconvert thread is OK. Signed-off-by: Jan Kara Reviewed-by: Mark Fasheh Reviewed-by: Srinivas Eeda Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 34b6c0490bfa372876e6907eee779c5cd0e89963 Author: Lidong Zhong Date: Thu Jun 12 10:26:14 2014 -0500 dlm: keep listening connection alive with sctp mode commit 883854c5457a97190f7b0ee20f03bcd9664fc0c2 upstream. The connection struct with nodeid 0 is the listening socket, not a connection to another node. The sctp resend function was not checking that the nodeid was valid (non-zero), so it would mistakenly get and resend on the listening connection when the nodeid was zero. Signed-off-by: Lidong Zhong Signed-off-by: David Teigland Signed-off-by: Jiri Slaby commit 9bf37c057d11c6a483a787965bb585e9ab5fa6ab Author: Miao Xie Date: Wed Sep 25 21:47:45 2013 +0800 Btrfs: fix BUG_ON() caused by the reserved space migration commit 20dd2cbf01888a91fdd921403040a710b275a1ff upstream. When we did a space balance and snapshot creation at the same time, we might meet the following oops: kernel BUG at fs/btrfs/inode.c:3038! [SNIP] Call Trace: [] btrfs_orphan_cleanup+0x293/0x407 [btrfs] [] btrfs_mksubvol.isra.28+0x259/0x373 [btrfs] [] btrfs_ioctl_snap_create_transid+0x126/0x156 [btrfs] [] btrfs_ioctl_snap_create_v2+0xd0/0x121 [btrfs] [] btrfs_ioctl+0x414/0x1854 [btrfs] [] ? __do_page_fault+0x305/0x379 [] vfs_ioctl+0x1d/0x39 [] do_vfs_ioctl+0x32d/0x3e2 [] ? finish_task_switch+0x80/0xb8 [] SyS_ioctl+0x57/0x83 [] ? do_device_not_available+0x12/0x14 [] system_call_fastpath+0x16/0x1b [SNIP] RIP [] btrfs_orphan_add+0xc3/0x126 [btrfs] The reason for the problem is that the relocation root creation stole the reserved space, which was reserved for orphan item deletion. There are several ways to fix this problem; one is to increase the reserved space size of the space balance, and then we can use that space to create the relocation tree for each fs/file tree. But it is hard to calculate the suitable size because we don't know how many fs/file trees we need to relocate. We fixed this problem by actively reserving the space for relocation root creation, since the space it needs is very small (one tree block, used for the root node copy), and then we use that reserved space to create the relocation tree. If we don't reserve space for relocation tree creation, we will use the reserved space of the balance.
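The dqgrab() helper introduced by the quota commit above is, per that description, just an unconditional reference bump that is only safe when the caller already knows the dquot holds at least one active reference; a sketch matching the description rather than necessarily the exact upstream definition:

#include <linux/quota.h>

/* Only valid when dquot is known to have an active reference already,
 * e.g. because the caller holds a lock that pins it. */
static inline void dqgrab(struct dquot *dquot)
{
        atomic_inc(&dquot->dq_count);
}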
Signed-off-by: Miao Xie Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 8b16b61c2c025a54eae37a3c703ed38aa8c8940a Author: Josef Bacik Date: Mon Sep 30 11:36:38 2013 -0400 Btrfs: fix two use-after-free bugs with transaction cleanup commit 724e2315db3d59a8201d4a87c7c7a873e60e1ce0 upstream. I was noticing the slab redzone stuff going off every once in a while during transaction aborts. This was caused by two things: 1) We would walk the pending snapshots and set their error to -ECANCELED. We don't need to do this; the snapshot stuff waits for a transaction commit and if there is a problem we just free our pending snapshot object and exit. Doing this was causing us to touch the pending snapshot object after the thing had already been freed. 2) We were freeing the transaction manually with wanton disregard for its use_count reference counter. To fix this I cleaned up the transaction freeing loop to either wait for the transaction commit to finish if it was in the middle of that (since it will be cleaned and freed up there) or to do the cleanup ourselves. I also moved the global "kill all things dirty everywhere" stuff outside of the transaction cleanup loop since that only needs to be done once. With this patch I'm no longer seeing slab corruption because of use-after-frees. Thanks, Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 445d1c3ae946d89d8978fee5985ad42e05e3dfb4 Author: Josef Bacik Date: Fri Sep 27 16:36:02 2013 -0400 Btrfs: don't delete ordered roots from list during cleanup commit 1de2cfde93c20a0357ff1dffed901598470facf3 upstream. During transaction cleanup after an abort we are just removing roots from the ordered roots list, which is incorrect. We have a BUG_ON() to make sure that the root is still part of the ordered roots list when we put our ordered extent, which we were tripping in this case. So do like we do everywhere else and just move it to the tail of the ordered roots list and allow the normal cleanup to take care of stuff. Thanks, Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit bd32872f2d74ea81fbb80b362052037b5882d414 Author: Josef Bacik Date: Fri Sep 27 16:32:39 2013 -0400 Btrfs: cleanup transaction on abort commit 4e121c06adf53aae478ebce3035116595d063413 upstream. If we abort outside of a transaction commit we won't clean up anything until we unmount. Unfortunately if we abort in the middle of writing out an ordered extent we won't clean it up, and if somebody is waiting on that ordered extent they will wait forever. To fix this just make the transaction kthread call the cleanup transaction stuff if it notices there's an error, and make btrfs_end_transaction wake up the transaction kthread if there is an error. Thanks, Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 4b6d66d14e0d502e3109659d9ae4a2d87bfd52e3 Author: Josef Bacik Date: Fri Sep 27 14:57:43 2013 -0400 Btrfs: do not release metadata for space cache inodes commit b6d08f0630d51ec09d67f16f6d7839699bbc0402 upstream. I've been testing our error paths and I was tripping the BUG_ON() in drop_outstanding_extent because our outstanding_extents is 0 for space cache inodes. This is because we don't reserve metadata space for these inodes since we depend on the global block reserve for our space. To fix this we need to make sure the DO_ACCOUNTING stuff doesn't actually call release_metadata for space cache inodes. With this patch I'm no longer panicking.
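For the ordered-roots cleanup above, the change amounts to parking the root at the tail of the list instead of deleting it, so the later BUG_ON() that expects the root to still be on the list keeps holding; a generic sketch of that pattern with purely illustrative names:

#include <linux/list.h>
#include <linux/spinlock.h>

/* Instead of list_del_init(entry), move it to the tail and let the normal
 * cleanup path remove it from the list later. */
static void park_on_list_tail(spinlock_t *lock, struct list_head *entry,
                              struct list_head *list)
{
        spin_lock(lock);
        list_move_tail(entry, list);
        spin_unlock(lock);
}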
Thanks, Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit 596075a2050e50aba69d903c59cbdc71ec954a50 Author: Filipe David Borba Manana Date: Mon Sep 9 19:49:43 2013 +0100 Btrfs: don't leak block group on error commit e84cc14213e2c81ae5a2da341a9da0d58a1dbfad upstream. In extent-tree.c:btrfs_write_dirty_block_groups(), if the call to write_one_cache_group() failed, we would return without putting the block group first. Signed-off-by: Filipe David Borba Manana Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit a2ea3d786a7e8f8ca08b10795a15178b3ba90b04 Author: Filipe David Borba Manana Date: Mon Sep 23 11:35:11 2013 +0100 Btrfs: fix sync fs to actually wait for all data to be persisted commit 9b1998598625fb5b798e8291cafda1a8ec17c1bd upstream. Currently the fs sync function (super.c:btrfs_sync_fs()) doesn't wait for delayed work to finish before returning success to the caller. This change fixes this, ensuring that there's no data loss if a power failure happens right after fs sync returns success to the caller and before the next commit happens. Steps to reproduce the data loss issue: $ mkfs.btrfs -f /dev/sdb3 $ mount /dev/sdb3 /mnt/btrfs $ perl -e '$d = ("\x41" x 6001); open($f,">","/mnt/btrfs/foobar"); print $f $d; close($f);' && btrfs fi sync /mnt/btrfs Right after the btrfs fi sync command (a second or 2 for example), power off the machine and reboot it. The file will be empty, as it can be verified after mounting the filesystem and through btrfs-debug-tree: $ btrfs-debug-tree /dev/sdb3 | egrep '\(257 INODE_ITEM 0\) itemoff' -B 3 -A 8 item 3 key (256 DIR_INDEX 2) itemoff 3751 itemsize 36 location key (257 INODE_ITEM 0) type FILE namelen 6 datalen 0 name: foobar item 4 key (257 INODE_ITEM 0) itemoff 3591 itemsize 160 inode generation 7 transid 7 size 0 block group 0 mode 100644 links 1 item 5 key (257 INODE_REF 256) itemoff 3575 itemsize 16 inode ref index 2 namelen 6 name: foobar checksum tree key (CSUM_TREE ROOT_ITEM 0) leaf 29429760 items 0 free space 3995 generation 7 owner 7 fs uuid 6192815c-af2a-4b75-b3db-a959ffb6166e chunk uuid b529c44b-938c-4d3d-910a-013b4700bcae uuid tree key (UUID_TREE ROOT_ITEM 0) After this patch, the data loss no longer happens after a power failure and btrfs-debug-tree shows: $ btrfs-debug-tree /dev/sdb3 | egrep '\(257 INODE_ITEM 0\) itemoff' -B 3 -A 8 item 3 key (256 DIR_INDEX 2) itemoff 3751 itemsize 36 location key (257 INODE_ITEM 0) type FILE namelen 6 datalen 0 name: foobar item 4 key (257 INODE_ITEM 0) itemoff 3591 itemsize 160 inode generation 6 transid 6 size 6001 block group 0 mode 100644 links 1 item 5 key (257 INODE_REF 256) itemoff 3575 itemsize 16 inode ref index 2 namelen 6 name: foobar item 6 key (257 EXTENT_DATA 0) itemoff 3522 itemsize 53 extent data disk byte 12845056 nr 8192 extent data offset 0 nr 8192 ram 8192 extent compression 0 checksum tree key (CSUM_TREE ROOT_ITEM 0) Signed-off-by: Filipe David Borba Manana Reviewed-by: Miao Xie Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit f19eb84ed2054bf749e702251b40cbbc954b1077 Author: Filipe David Borba Manana Date: Sun Sep 22 21:54:55 2013 +0100 Btrfs: fix tracking of orphan inode count commit 703c88e035242202e3ab48fcbbbe0a7bc62fb7bb upstream. In inode.c:btrfs_orphan_add() if we failed to insert the orphan item, we would return without decrementing the orphan count that we just incremented before attempting the insertion, leaving the orphan inode count wrong. 
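The error path being described has roughly the following shape; the counter here is illustrative, and the point is only that the increment taken before the attempted insertion must be undone when the insertion fails:

#include <linux/atomic.h>

/* Illustrative "add orphan" helper: if inserting the on-disk orphan item
 * fails, the in-memory counter bumped earlier must be decremented again
 * before returning, otherwise the orphan count drifts upwards. */
static int example_orphan_add(atomic_t *orphan_count, int insert_ret)
{
        atomic_inc(orphan_count);

        if (insert_ret) {
                atomic_dec(orphan_count);       /* undo on the error path */
                return insert_ret;
        }
        return 0;
}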
In inode.c:btrfs_orphan_del(), we were decrementing the inode orphan count if the bit BTRFS_INODE_ORPHAN_META_RESERVED was set, which is logically wrong because it should be decremented if the bit BTRFS_INODE_HAS_ORPHAN_ITEM was set - after all we increment the count when we set the bit BTRFS_INODE_HAS_ORPHAN_ITEM elsewhere. Signed-off-by: Filipe David Borba Manana Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Jiri Slaby commit c82b3dd92c24207c8c0d6b4334a53e1245cc13d6 Author: Steve French Date: Tue May 13 13:37:45 2014 -0700 Do not send ClientGUID on SMB2.02 dialect commit 3c5f9be108783c05cade918d29c8711b236acb1d upstream. ClientGUID must be zero for SMB2.02 dialect. See section 2.2.3 of MS-SMB2. For SMB2.1 and later it must be non-zero. Signed-off-by: Steve French CC: Sachin Prabhu Signed-off-by: Jiri Slaby commit 8f7e86ca1df5a1766b9566540a62ff2804104bd4 Author: Sachin Prabhu Date: Tue May 13 00:48:12 2014 +0100 cifs: Set client guid on per connection basis commit 39552ea8120a699dbd0360848c4d949f9f0e6deb upstream. When mounting from a Windows 2012R2 server, we hit the following problem: 1) Mount with any of the following versions - 2.0, 2.1 or 3.0 2) unmount 3) Attempt a mount again using a different SMB version >= 2.0. You end up with the following failure: Status code returned 0xc0000203 STATUS_USER_SESSION_DELETED CIFS VFS: Send error in SessSetup = -5 CIFS VFS: cifs_mount failed w/return code = -5 I cannot reproduce this issue using a Windows 2008 R2 server. This appears to be caused because we use the same client guid for the connection on first mount which we then disconnect and attempt to mount again using a different protocol version. By generating a new guid each time a new connection is Negotiated, we avoid hitting this problem. Signed-off-by: Sachin Prabhu Signed-off-by: Steve French Signed-off-by: Jiri Slaby commit 16e57e5502a55b6a844d4a3de9b5cc2f8e41d3c8 Author: Steve French Date: Tue Nov 19 23:44:46 2013 -0600 Check SMB3 dialects against downgrade attacks commit ff1c038addc4f205d5f1ede449426c7d316c0eed upstream. When we are running SMB3 or SMB3.02 connections which are signed we need to validate the protocol negotiation information, to ensure that the negotiate protocol response was not tampered with. Add the missing FSCTL which is sent at mount time (immediately after the SMB3 Tree Connect) to validate that the capabilities match what we think the server sent. "Secure dialect negotiation is introduced in SMB3 to protect against man-in-the-middle attempt to downgrade dialect negotiation. The idea is to prevent an eavesdropper from downgrading the initially negotiated dialect and capabilities between the client and the server." For more explanation see 2.2.31.4 of MS-SMB2 or http://blogs.msdn.com/b/openspecification/archive/2012/06/28/smb3-secure-dialect-negotiation.aspx Reviewed-by: Pavel Shilovsky Signed-off-by: Steve French [ddiss@suse.de: backported atop kernel without clone_range support] Signed-off-by: David Disseldorp Signed-off-by: Jiri Slaby commit 3f8fd8ad48b66a4fc44f60cde0ea575155a45eff Author: Michal Kubecek Date: Tue Jun 3 10:26:06 2014 +0200 xfrm: fix race between netns cleanup and state expire notification commit 21ee543edc0dea36ab58d24523fcd42b8a270df8 upstream. The xfrm_user module registers its pernet init/exit after xfrm itself so that its net exit function xfrm_user_net_exit() is executed before xfrm_net_exit() which calls xfrm_state_fini() to cleanup the SA's (xfrm states). 
This opens a window between zeroing the net->xfrm.nlsk pointer and deleting all the xfrm_state instances which may access it (via the timer). If an xfrm state expires in this window, xfrm_exp_state_notify() will pass a null pointer as the socket to nlmsg_multicast(). As the notifications are called inside an rcu_read_lock() block, it is sufficient to retrieve the nlsk socket with rcu_dereference() and check it for null. Signed-off-by: Michal Kubecek Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 306ba5b24eab33ed30f13ff2005e021881b3d2bf Author: Michal Kubeček Date: Tue May 20 08:29:25 2014 +0200 vlan: more careful checksum features handling commit da08143b85203b581f4a6461b149186b0e9592df upstream. When combining real_dev's features and vlan_features, a simple bitwise AND is used. This doesn't work well for checksum offloading features, as if one set has NETIF_F_HW_CSUM and the other NETIF_F_IP_CSUM and/or NETIF_F_IPV6_CSUM, we end up with no checksum offloading. However, from the logical point of view (how can_checksum_protocol() works), NETIF_F_HW_CSUM contains the functionality of NETIF_F_IP_CSUM and NETIF_F_IPV6_CSUM, so that the result should be IP/IPV6. Add a helper function netdev_intersect_features() implementing this logic and use it in vlan_dev_fix_features(). Signed-off-by: Michal Kubecek Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit e45145b6eb158405fe5cbbcce0a206d3b3090842 Author: Ben Hutchings Date: Mon Nov 18 17:04:58 2013 +0000 net/compat: Fix minor information leak in siocdevprivate_ioctl() commit 417c3522b3202dacce4873cfb0190459fbce95c5 upstream. We don't need to check that ifr_data itself is a valid user pointer, but we should check that &ifr_data is. Thankfully the copy of ifr_name is checked, so this can only leak a few bytes from immediately above the user address limit. Signed-off-by: Ben Hutchings Signed-off-by: Jiri Slaby commit 9f6e089cb55bdc5a90fe6ec755a20941da9a0b3b Author: Benjamin Poirier Date: Tue Jan 7 10:11:10 2014 -0500 net: Do not enable tx-nocache-copy by default commit cdb3f4a31b64c3a1c6eef40bc01ebc9594c58a8c upstream. There are many cases where this feature does not improve performance or even reduces it. For example, here are the results from tests that I've run using 3.12.6 on one Intel Xeon W3565 and one i7 920 connected by ixgbe adapters. The results are from the Xeon, but they're similar on the i7. All numbers report the mean±stddev over 10 runs of 10s. 1) latency tests similar to what is described in "c6e1a0d net: Allow no-cache copy from user on transmit". There is no statistically significant difference between tx-nocache-copy on/off.
nic irqs spread out (one queue per cpu) 200x netperf -r 1400,1 tx-nocache-copy off 692000±1000 tps 50/90/95/99% latency (us): 275±2/643.8±0.4/799±1/2474.4±0.3 tx-nocache-copy on 693000±1000 tps 50/90/95/99% latency (us): 274±1/644.1±0.7/800±2/2474.5±0.7 200x netperf -r 14000,14000 tx-nocache-copy off 86450±80 tps 50/90/95/99% latency (us): 334.37±0.02/838±1/2100±20/3990±40 tx-nocache-copy on 86110±60 tps 50/90/95/99% latency (us): 334.28±0.01/837±2/2110±20/3990±20 2) single stream throughput tests tx-nocache-copy leads to higher service demand throughput cpu0 cpu1 demand (Gb/s) (Gcycle) (Gcycle) (cycle/B) nic irqs and netperf on cpu0 (1x netperf -T0,0 -t omni -- -d send) tx-nocache-copy off 9402±5 9.4±0.2 0.80±0.01 tx-nocache-copy on 9403±3 9.85±0.04 0.838±0.004 nic irqs on cpu0, netperf on cpu1 (1x netperf -T1,1 -t omni -- -d send) tx-nocache-copy off 9401±5 5.83±0.03 5.0±0.1 0.923±0.007 tx-nocache-copy on 9404±2 5.74±0.03 5.523±0.009 0.958±0.002 As a second example, here are some results from Eric Dumazet with latest net-next. tx-nocache-copy also leads to higher service demand (cpu is Intel(R) Xeon(R) CPU X5660 @ 2.80GHz) lpq83:~# ./ethtool -K eth0 tx-nocache-copy on lpq83:~# perf stat ./netperf -H lpq84 -c MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to lpq84.prod.google.com () port 0 AF_INET Recv Send Send Utilization Service Demand Socket Socket Message Elapsed Send Recv Send Recv Size Size Size Time Throughput local remote local remote bytes bytes bytes secs. 10^6bits/s % S % U us/KB us/KB 87380 16384 16384 10.00 9407.44 2.50 -1.00 0.522 -1.000 Performance counter stats for './netperf -H lpq84 -c': 4282.648396 task-clock # 0.423 CPUs utilized 9,348 context-switches # 0.002 M/sec 88 CPU-migrations # 0.021 K/sec 355 page-faults # 0.083 K/sec 11,812,797,651 cycles # 2.758 GHz [82.79%] 9,020,522,817 stalled-cycles-frontend # 76.36% frontend cycles idle [82.54%] 4,579,889,681 stalled-cycles-backend # 38.77% backend cycles idle [67.33%] 6,053,172,792 instructions # 0.51 insns per cycle # 1.49 stalled cycles per insn [83.64%] 597,275,583 branches # 139.464 M/sec [83.70%] 8,960,541 branch-misses # 1.50% of all branches [83.65%] 10.128990264 seconds time elapsed lpq83:~# ./ethtool -K eth0 tx-nocache-copy off lpq83:~# perf stat ./netperf -H lpq84 -c MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to lpq84.prod.google.com () port 0 AF_INET Recv Send Send Utilization Service Demand Socket Socket Message Elapsed Send Recv Send Recv Size Size Size Time Throughput local remote local remote bytes bytes bytes secs. 10^6bits/s % S % U us/KB us/KB 87380 16384 16384 10.00 9412.45 2.15 -1.00 0.449 -1.000 Performance counter stats for './netperf -H lpq84 -c': 2847.375441 task-clock # 0.281 CPUs utilized 11,632 context-switches # 0.004 M/sec 49 CPU-migrations # 0.017 K/sec 354 page-faults # 0.124 K/sec 7,646,889,749 cycles # 2.686 GHz [83.34%] 6,115,050,032 stalled-cycles-frontend # 79.97% frontend cycles idle [83.31%] 1,726,460,071 stalled-cycles-backend # 22.58% backend cycles idle [66.55%] 2,079,702,453 instructions # 0.27 insns per cycle # 2.94 stalled cycles per insn [83.22%] 363,773,213 branches # 127.757 M/sec [83.29%] 4,242,732 branch-misses # 1.17% of all branches [83.51%] 10.128449949 seconds time elapsed CC: Tom Herbert Signed-off-by: Benjamin Poirier Signed-off-by: David S. 
Miller Signed-off-by: Jiri Slaby commit e801ececc95d6df1256d1b7c479456f7dc7dc045 Author: Prarit Bhargava Date: Tue Jan 14 14:21:13 2014 -0500 ACPI / memhotplug: add parameter to disable memory hotplug commit 00159a2013269bc0a617de885e4b921349192bd0 upstream. When booting a kexec/kdump kernel on a system that has specific memory hotplug regions the boot will fail with warnings like: swapper/0: page allocation failure: order:9, mode:0x84d0 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.10.0-65.el7.x86_64 #1 Hardware name: QCI QSSC-S4R/QSSC-S4R, BIOS QSSC-S4R.QCI.01.00.S013.032920111005 03/29/2011 0000000000000000 ffff8800341bd8c8 ffffffff815bcc67 ffff8800341bd950 ffffffff8113b1a0 ffff880036339b00 0000000000000009 00000000000084d0 ffff8800341bd950 ffffffff815b87ee 0000000000000000 0000000000000200 Call Trace: [] dump_stack+0x19/0x1b [] warn_alloc_failed+0xf0/0x160 [] ? __alloc_pages_direct_compact+0xac/0x196 [] __alloc_pages_nodemask+0x7ff/0xa00 [] vmemmap_alloc_block+0x62/0xba [] vmemmap_alloc_block_buf+0x15/0x3b [] vmemmap_populate+0xb4/0x21b [] sparse_mem_map_populate+0x27/0x35 [] sparse_add_one_section+0x7a/0x185 [] __add_pages+0xaf/0x240 [] arch_add_memory+0x59/0xd0 [] add_memory+0xb9/0x1b0 [] acpi_memory_device_add+0x18d/0x26d [] acpi_bus_device_attach+0x7d/0xcd [] acpi_ns_walk_namespace+0xc8/0x17f [] ? acpi_bus_type_and_status+0x90/0x90 [] ? acpi_bus_type_and_status+0x90/0x90 [] acpi_walk_namespace+0x95/0xc5 [] acpi_bus_scan+0x8b/0x9d [] acpi_scan_init+0x63/0x160 [] acpi_init+0x25d/0x2a6 [] ? acpi_sleep_proc_init+0x2a/0x2a [] do_one_initcall+0xe2/0x190 [] kernel_init_freeable+0x17c/0x207 [] ? do_early_param+0x88/0x88 [] ? rest_init+0x80/0x80 [] kernel_init+0xe/0x180 [] ret_from_fork+0x7c/0xb0 [] ? rest_init+0x80/0x80 Mem-Info: Node 0 DMA per-cpu: CPU 0: hi: 0, btch: 1 usd: 0 Node 0 DMA32 per-cpu: CPU 0: hi: 42, btch: 7 usd: 0 active_anon:0 inactive_anon:0 isolated_anon:0 active_file:0 inactive_file:0 isolated_file:0 unevictable:0 dirty:0 writeback:0 unstable:0 free:872 slab_reclaimable:13 slab_unreclaimable:1880 mapped:0 shmem:0 pagetables:0 bounce:0 free_cma:0 because the system has run out of memory at boot time. This occurs because of the following sequence in the boot: Main kernel boots and sets E820 map. The second kernel is booted with a map generated by the kdump service using memmap= and memmap=exactmap. These parameters are added to the kernel parameters of the kexec/kdump kernel. The kexec/kdump kernel has limited memory resources so as not to severely impact the main kernel. The system then panics and the kdump/kexec kernel boots (which is a completely new kernel boot). During this boot ACPI is initialized and the kernel (as can be seen above) traverses the ACPI namespace and finds an entry for a memory device to be hotadded. ie) [] __add_pages+0xaf/0x240 [] arch_add_memory+0x59/0xd0 [] add_memory+0xb9/0x1b0 [] acpi_memory_device_add+0x18d/0x26d [] acpi_bus_device_attach+0x7d/0xcd [] acpi_ns_walk_namespace+0xc8/0x17f [] ? acpi_bus_type_and_status+0x90/0x90 [] ? acpi_bus_type_and_status+0x90/0x90 [] acpi_walk_namespace+0x95/0xc5 [] acpi_bus_scan+0x8b/0x9d [] acpi_scan_init+0x63/0x160 [] acpi_init+0x25d/0x2a6 At this point the kernel adds page table information and the the kexec/kdump kernel runs out of memory. This can also be reproduced by using the memmap=exactmap and mem=X parameters on the main kernel and booting. This patchset resolves the problem by adding a kernel parameter, acpi_no_memhotplug, to disable ACPI memory hotplug. 
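A hedged sketch of how such an opt-out can be wired up; the parameter name comes from the description above, but the function and the exact hook point are illustrative rather than the upstream patch:

#include <linux/module.h>
#include <linux/moduleparam.h>

/* e.g. booted with the parameter on the kernel command line */
static bool acpi_no_memhotplug;
module_param(acpi_no_memhotplug, bool, 0444);

/* hypothetical add path for an ACPI memory device */
static int example_acpi_memory_device_add(void)
{
        if (acpi_no_memhotplug)
                return 0;       /* skip hot-adding the memory entirely */

        /* ... normal hotplug path: add_memory(), etc. ... */
        return 0;
}

In the kdump case this keeps the memory-constrained crash kernel from trying to hot-add large memory regions during the ACPI namespace scan.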
Signed-off-by: Prarit Bhargava Acked-by: Vivek Goyal Acked-by: Toshi Kani Acked-by: David Rientjes Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 5ff029e2b396ac09fc52addd73bb0f4003c70ef2 Author: Peter Zijlstra Date: Thu Feb 27 10:40:35 2014 +0100 sched: Make scale_rt_power() deal with backward clocks commit cadefd3d6cc914d95163ba1eda766bfe7ce1e5b7 upstream. Mike reported that, while unlikely, it's entirely possible for scale_rt_power() to see the time go backwards. This yields rather 'interesting' results. So, like all other sites that deal with clocks, make this one ignore backward clock movement too. Reported-by: Mike Galbraith Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/20140227094035.GZ9987@twins.programming.kicks-ass.net Cc: Linus Torvalds Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby commit dcc23f13ff973c49651f0f020495a26baec32343 Author: Wendy Xiong Date: Wed Mar 12 16:08:52 2014 -0500 [SCSI] ipr: Add new CCIN definition for Grand Canyon support commit 5eeac3e99ae220aea787527d1bfd9e846adf9fac upstream. Add the appropriate definition and table entry for new hardware support. Signed-off-by: Wen Xiong Acked-by: Brian King Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 311222a922b478908f21389de1a2b95b80e393b3 Author: Mike Qiu Date: Fri Apr 18 15:07:14 2014 -0700 powerpc/mm: fix ".__node_distance" undefined commit 12c743eb2289bcaace32859d4919417ff5707768 upstream. CHK include/config/kernel.release CHK include/generated/uapi/linux/version.h CHK include/generated/utsrelease.h ... Building modules, stage 2. WARNING: 1 bad relocations c0000000013d6a30 R_PPC64_ADDR64 uprobes_fetch_type_table WRAP arch/powerpc/boot/zImage.pseries WRAP arch/powerpc/boot/zImage.epapr MODPOST 1849 modules ERROR: ".__node_distance" [drivers/block/nvme.ko] undefined! make[1]: *** [__modpost] Error 1 make: *** [modules] Error 2 make: *** Waiting for unfinished jobs.... The reason is that the symbol "__node_distance" has not been exported on powerpc. Signed-off-by: Mike Qiu Acked-by: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Nathan Fontenot Cc: Stephen Rothwell Cc: Srivatsa S. Bhat Cc: Jesse Larrew Cc: Robert Jennings Cc: Alistair Popple Cc: Mike Qiu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 38a572d05464baa6f1d12cd351c4e7f1ec7055aa Author: Petr Mladek Date: Tue Jun 3 18:23:21 2014 +0200 ftrace/x86: Call text_ip_addr() instead of the duplicated code commit 964f7b6b785651a75ef1cbad43a393ca52d4b4f7 upstream. I just went over this when looking at some Xen-related ftrace initialization problems. They were related to Xen code that is not upstream, but this cleanup would make sense here. I think that this was already the intention when text_ip_addr() was introduced in commit 87fbb2ac6073a703930 (ftrace/x86: Use breakpoints for converting function graph caller). Anyway, better do it now before it shoots someone in the leg ;-) Link: http://lkml.kernel.org/p/1401812601-2359-1-git-send-email-pmladek@suse.cz Signed-off-by: Petr Mladek Signed-off-by: Steven Rostedt Signed-off-by: Jiri Slaby commit 2eaaa8d28d3b2a17c02ff41ce526b16e65f9bce1 Author: J. Bruce Fields Date: Tue May 27 11:14:26 2014 -0400 nfsd4: fix FREE_STATEID lockowner leak commit 48385408b45523d9a432c66292d47ef43efcbb94 upstream. 27b11428b7de ("nfsd4: remove lockowner when removing lock stateid") introduced a memory leak. Cc: stable@vger.kernel.org Reported-by: Jeff Layton Signed-off-by: J.
Bruce Fields Signed-off-by: Jiri Slaby commit 481956841e2e0f88b519267c91d86b7625e2a3af Author: Ying Xue Date: Tue Apr 29 11:12:18 2014 +0800 tipc: fix memory leak of publications commit 1621b94d2a655c8548ddbdfc8ccf907a5bbdc860 upstream. Commit 1bb8dce57f4d15233688c68990852a10eb1cd79f ("tipc: fix memory leak during module removal") introduced a memory leak issue: when the name table is stopped, we forget to free the publication instances properly. Additionally, the useless "continue" statement in tipc_nametbl_stop() is removed as well. Reported-by: Jason Signed-off-by: Ying Xue Acked-by: Erik Hugne Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 4c65d4f6fd4ae448900a9c3a0a9a31c5a5583774 Author: Jiang Liu Date: Thu Jan 9 15:30:27 2014 +0800 intel_idle: close avn_cstates array with correct marker commit 88390996c95b879ba365888199b45ace3f5ca80b upstream. Close the avn_cstates array with the correct marker to avoid an overflow in the function intel_idle_cpu_init(). [rjw: The problem was introduced when commit 22e580d07f65 was merged on top of eba682a5aeb6 (intel_idle: shrink states tables).] Fixes: 22e580d07f65 (intel_idle: Fixed C6 state on Avoton/Rangeley processors) Signed-off-by: Jiang Liu Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit e54e6e8ec33fa40e0f4eac6efa7ad2eddfaab05c Author: Viresh Kumar Date: Tue Apr 15 10:54:41 2014 +0530 tick-sched: Check tick_nohz_enabled in tick_nohz_switch_to_nohz() commit 27630532ef5ead28b98cfe28d8f95222ef91c2b7 upstream. Since commit d689fe222 (NOHZ: Check for nohz active instead of nohz enabled) the tick_nohz_switch_to_nohz() function returns early because it checks for the tick_nohz_active flag. This can't be set, because the function itself sets it. Undo the change in tick_nohz_switch_to_nohz(). Signed-off-by: Viresh Kumar Cc: linaro-kernel@lists.linaro.org Cc: fweisbec@gmail.com Cc: Arvind.Chauhan@arm.com Cc: linaro-networking@linaro.org Cc: # 3.13+ Link: http://lkml.kernel.org/r/40939c05f2d65d781b92b20302b02243d0654224.1397537987.git.viresh.kumar@linaro.org Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit c79460f67d0b02465904193764328ceeacfdd549 Author: Konstantin Khlebnikov Date: Tue Jun 17 06:58:05 2014 +0400 epoll: fix use-after-free in eventpoll_release_file commit ebe06187bf2aec10d537ce4595e416035367d703 upstream. This fixes a use-after-free of epi->fllink.next inside the list loop macro. This loop actually releases elements in the body. The list is rcu-protected, but here we cannot hold rcu_read_lock because we need to lock a mutex inside. The obvious solution is to use list_for_each_entry_safe(). RCU-ness isn't essential because nobody can change this list under us; it's the final fput for this file. The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL using rcu") Signed-off-by: Konstantin Khlebnikov Reported-by: Cyrill Gorcunov Cc: Stable # 3.13+ Cc: Sasha Levin Cc: Jason Baron Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit f116dbc9d877c8436f17fd3226c6d4695bbbb928 Author: Li Zhong Date: Mon Apr 28 08:29:51 2014 +0800 powerpc: Fix Oops in rtas_stop_self() commit 4fb8d027dca0236c811272d342cf185569d91311 upstream. commit 41dd03a9 may cause an Oops in rtas_stop_self(). The reason is that rtas_args was moved into stack space. For a box with more than 4GB of RAM, the stack could easily be outside the 32-bit range, but RTAS is 32-bit. So the patch moves rtas_args away from the stack by adding static before it.
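The powerpc fix above boils down to giving the RTAS argument block static storage duration, so it lives in the kernel image (which 32-bit RTAS can address) rather than on a stack that may sit above 4GB; schematically, with the RTAS call itself elided:

#include <asm/rtas.h>

static void example_stop_self(void)
{
        /* static: not on the stack, so it stays within the range that
         * 32-bit RTAS can address even on machines with more than 4GB */
        static struct rtas_args args;

        /* ... fill in args and enter RTAS with &args ... */
        (void)args;
}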
Signed-off-by: Li Zhong Signed-off-by: Anton Blanchard Cc: stable@vger.kernel.org # 3.14+ Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Jiri Slaby commit 22d3112ae7f819d3965ede21a79a5b5ad6ff33ed Author: J. Bruce Fields Date: Thu Jan 16 13:51:07 2014 -0500 GFS2: revert "GFS2: d_splice_alias() can't return error" commit d57b9c9a999a8f4475fe73fba629c964245800ca upstream. 0d0d110720d7960b77c03c9f2597faaff4b484ae asserts that "d_splice_alias() can't return error unless it was given an IS_ERR(inode)". That was true of the implementation of d_splice_alias, but this is really a problem with d_splice_alias: at a minimum it should be able to return -ELOOP in the case where inserting the given dentry would cause a directory loop. Signed-off-by: J. Bruce Fields Signed-off-by: Steven Whitehouse Signed-off-by: Jiri Slaby commit 63a97385b3919335ff2a1d502925de4dc3ef4fd4 Author: Jiri Slaby Date: Tue Jun 24 16:04:43 2014 +0200 Revert "bio-integrity: Fix bio_integrity_verify segment start bug" This reverts commit 7cbcb219e4113e10ce4b036118992abdbc4a8273, misapplied upstream commit 5837c80e870bc3b12ac6a98cdc9ce7a9522a8fb6. The upstream commit was applied twice to stable-3.12, the second time to bio_integrity_generate. Revert this second application. Cc: Martin K. Petersen Cc: Jens Axboe Cc: Christoph Hellwig Signed-off-by: Nicholas Bellinger Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit 61844d8e25eb8899b0836afa9796fa239db80f1f Author: Vincent Guittot Date: Wed Jan 22 08:45:34 2014 +0100 Revert "sched: Fix sleep time double accounting in enqueue entity" commit 9390675af0835ae1d654d33bfcf16096028550ad upstream. This reverts commit 282cf499f03ec1754b6c8c945c9674b02631fb0f. With the current implementation, the load average statistics of a sched entity change according to other activity on the CPU even if this activity is done between the running window of the sched entity and have no influence on the running duration of the task. When a task wakes up on the same CPU, we currently update last_runnable_update with the return of __synchronize_entity_decay without updating the runnable_avg_sum and runnable_avg_period accordingly. In fact, we have to sync the load_contrib of the se with the rq's blocked_load_contrib before removing it from the latter (with __synchronize_entity_decay) but we must keep last_runnable_update unchanged for updating runnable_avg_sum/period during the next update_entity_load_avg. Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra Reviewed-by: Ben Segall Cc: pjt@google.com Cc: alex.shi@linaro.org Link: http://lkml.kernel.org/r/1390376734-6800-1-git-send-email-vincent.guittot@linaro.org Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby