commit fdf81f0f290f8f76617361d074187687de327412
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Oct 7 15:22:05 2016 +0200

    Linux 4.7.7

commit 81b18fbe9829f293a24ee8d666f02968649f771e
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Sep 27 16:44:49 2016 +0200

    ALSA: hda - Add the top speaker pin config for HP Spectre x360
    
    commit 0eec880966e77bdbee0112989a2be67d92e39929 upstream.
    
    HP Spectre x360 with CX20724 codec has two speaker outputs while the
    BIOS sets up only the bottom one (NID 0x17) and disables the top one
    (NID 0x1d).
    
    This patch adds a fixup simply defining the proper pincfg for NID 0x1d
    so that the top speaker works as is.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=169071
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28e2aad955925a5c47f3a07c9dce39192f939a63
Author: Hui Wang <hui.wang@canonical.com>
Date:   Sun Sep 11 11:26:16 2016 +0800

    ALSA: hda - Fix headset mic detection problem for several Dell laptops
    
    commit 3f640970a41429f0a076c01270bbd014c9eae61c upstream.
    
    One of the laptops has the codec ALC256 on it, applying the
    ALC255_FIXUP_DELL1_MIC_NO_PRESENCE can fix the problem, the rest
    of laptops have the codec ALC295 on them, they are similar to machines
    with ALC225, applying the ALC269_FIXUP_DELL1_MIC_NO_PRESENCE can fix
    the problem.
    
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c8d80159e98279a493e50ba82167f16f42dc8fe4
Author: Hui Wang <hui.wang@canonical.com>
Date:   Mon Sep 26 10:59:38 2016 +0800

    ALSA: hda - Adding one more ALC255 pin definition for headset problem
    
    commit 392c9da24a994f238c5d7ea611c6245be4617014 upstream.
    
    We have two new Dell laptop models, they have the same ALC255 pin
    definition, but not in the pin quirk table yet, as a result, the
    headset microphone can't work. After adding the definition in the
    table, the headset microphone works well.
    
    Signed-off-by: Hui Wang <hui.wang@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c215a12f04e48ab817ac726e45110a8e0fb9f59e
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Sep 28 11:48:44 2016 +0200

    Revert "usbtmc: convert to devm_kzalloc"
    
    commit ab21b63e8aedfc73565dd9cdd51eb338341177cb upstream.
    
    This reverts commit e6c7efdcb76f11b04e3d3f71c8d764ab75c9423b.
    
    Turns out it was totally wrong.  The memory is supposed to be bound to
    the kref, as the original code was doing correctly, not the
    device/driver binding as the devm_kzalloc() would cause.
    
    This fixes an oops when read would be called after the device was
    unbound from the driver.
    
    Reported-by: Ladislav Michl <ladis@linux-mips.org>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd2739690357696a1fa1a5b2ab5fc32f8f405f11
Author: Kyle Jones <kyle@kf5jwc.us>
Date:   Fri Sep 23 13:28:37 2016 -0500

    USB: serial: cp210x: Add ID for a Juniper console
    
    commit decc5360f23e9efe0252094f47f57f254dcbb3a9 upstream.
    
    Signed-off-by: Kyle Jones <kyle@kf5jwc.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57a265bc9d8d2c18f5577081588406e86dc0e9ab
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Tue Aug 23 17:13:29 2016 +0200

    usb: usbip: vudc: fix left shift overflow
    
    commit 238b7bd91b16d5a08326f858db42229b212e53d8 upstream.
    
    In v_recv_cmd_submit(), urb_p->urb->pipe has the type unsigned int
    (which is 32-bit long on x86_64) but 11<<30 results in a 34-bit integer.
    Therefore the 2 leading bits are truncated and
    
        urb_p->urb->pipe &= ~(11 << 30);
    
    has the same meaning as
    
        urb_p->urb->pipe &= ~(3 << 30);
    
    This second statement seems to be how the code was intended to be
    written, as PIPE_ constants have values between 0 and 3.
    
    The overflow has been detected with a clang warning:
    
        drivers/usb/usbip/vudc_rx.c:145:27: warning: signed shift result
        (0x2C0000000) requires 35 bits to represent, but 'int' only has 32
        bits [-Wshift-overflow]
                urb_p->urb->pipe &= ~(11 << 30);
                                      ~~ ^  ~~
    
    Fixes: 79c02cb1fd5c ("usbip: vudc: Add vudc_rx")
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 41cba9cd039fc121285e96714683f74dc72137d4
Author: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
Date:   Sun Oct 2 17:42:35 2016 +0200

    Staging: fbtft: Fix bug in fbtft-core
    
    commit fc1e2c8ea85e109acf09e74789e9b852f6eed251 upstream.
    
    Commit 367e8560e8d7a62d96e9b1d644028a3816e04206 introduced a bug
    in fbtft-core where fps is always 0, this is because variable
    update_time is not assigned correctly.
    
    Signed-off-by: Ksenija Stanojevic <ksenija.stanojevic@gmail.com>
    Fixes: 367e8560e8d7 ("Staging: fbtbt: Replace timespec with ktime_t")
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 03f8e90de1365975ea21fee41b0c16f558c466a8
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Sep 19 19:09:51 2016 +0100

    usb: misc: legousbtower: Fix NULL pointer deference
    
    commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream.
    
    This patch fixes a NULL pointer dereference caused by a race condition in
    the probe function of the legousbtower driver. It re-structures the
    probe function to only register the interface after successfully reading
    the board's firmware ID.
    
    The probe function does not deregister the usb interface after an error
    receiving the device's firmware ID. The device file registered
    (/dev/usb/legousbtower%d) may be read/written globally before the probe
    function returns. When tower_delete is called in the probe function
    (after an r/w has been initiated), core dev structures are deleted while
    the file operation functions are still running. If the 0 address is
    mappable on the machine, this vulnerability can be used to create a
    Local Privilege Escalation exploit via a write-what-where condition by
    remapping dev->interrupt_out_buffer in tower_write. A forged USB device
    and local program execution would be required for LPE. The USB device
    would have to delay the control message in tower_probe and accept
    the control urb in tower_open whilst guest code initiated a write to the
    device file as tower_delete is called from the error in tower_probe.
    
    This bug has existed since 2003. Patch tested by emulated device.
    
    Reported-by: James Patrick-Evans <james@jmp-e.com>
    Tested-by: James Patrick-Evans <james@jmp-e.com>
    Signed-off-by: James Patrick-Evans <james@jmp-e.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acae2cb2d9d9c7e1852ee38124f181c1443e7dc4
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Tue Aug 30 16:20:55 2016 -0400

    dm log writes: fix bug with too large bios
    
    commit 7efb367320f56fc4d549875b6f3a6940018ef2e5 upstream.
    
    bio_alloc() can allocate a bio with at most BIO_MAX_PAGES (256) vector
    entries.  However, the incoming bio may have more vector entries if it
    was allocated by other means.  For example, bcache submits bios with
    more than BIO_MAX_PAGES entries.  This results in bio_alloc() failure.
    
    To avoid the failure, change the code so that it allocates bio with at
    most BIO_MAX_PAGES entries.  If the incoming bio has more entries,
    bio_add_page() will fail and a new bio will be allocated - the code that
    handles bio_add_page() failure already exists in the dm-log-writes
    target.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Reviewed-by: Josef Bacik <jbacik@fb.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f4a75a57f324e29d0d7b927ef5c1bcbebfb1b7d1
Author: Jann Horn <jann@thejh.net>
Date:   Fri Sep 16 00:31:22 2016 +0200

    aio: mark AIO pseudo-fs noexec
    
    commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a upstream.
    
    This ensures that do_mmap() won't implicitly make AIO memory mappings
    executable if the READ_IMPLIES_EXEC personality flag is set.  Such
    behavior is problematic because the security_mmap_file LSM hook doesn't
    catch this case, potentially permitting an attacker to bypass a W^X
    policy enforced by SELinux.
    
    I have tested the patch on my machine.
    
    To test the behavior, compile and run this:
    
        #define _GNU_SOURCE
        #include <unistd.h>
        #include <sys/personality.h>
        #include <linux/aio_abi.h>
        #include <err.h>
        #include <stdlib.h>
        #include <stdio.h>
        #include <sys/syscall.h>
    
        int main(void) {
            personality(READ_IMPLIES_EXEC);
            aio_context_t ctx = 0;
            if (syscall(__NR_io_setup, 1, &ctx))
                err(1, "io_setup");
    
            char cmd[1000];
            sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
                (int)getpid());
            system(cmd);
            return 0;
        }
    
    In the output, "rw-s" is good, "rwxs" is bad.
    
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
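
Added example (not part of the commit or the kernel tree): a small checker that applies the "rw-s is good, rwxs is bad" rule above to `/proc/<pid>/maps` text, so the result can be asserted instead of read by eye. The two maps excerpts and the helper name `count_wx_mappings` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: what a patched kernel is expected to show. */
static const char sample_patched[] =
    "00400000-00401000 r-xp 00000000 08:01 131090 /tmp/aio_test\n"
    "7f2b4c000000-7f2b4c001000 rw-s 00000000 00:0c 20481 /[aio] (deleted)\n"
    "7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0 [stack]\n";

/* Constructed sample: AIO ring mapped executable under READ_IMPLIES_EXEC. */
static const char sample_unpatched[] =
    "00400000-00401000 r-xp 00000000 08:01 131090 /tmp/aio_test\n"
    "7f2b4c000000-7f2b4c001000 rwxs 00000000 00:0c 20481 /[aio] (deleted)\n"
    "7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0 [stack]\n";

/*
 * Count mappings that are both writable and executable and whose path
 * contains `needle` (NULL matches every mapping, including anonymous ones).
 * `maps` is the text of a /proc/<pid>/maps file.
 */
int count_wx_mappings(const char *maps, const char *needle)
{
    int hits = 0;
    const char *line = maps;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        char perms[5] = "";
        int consumed = 0;

        /* Copy one line into a bounded, NUL-terminated buffer. */
        size_t n = len < sizeof(buf) - 1 ? len : sizeof(buf) - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';

        /* Fields: start-end perms offset dev inode [path]. */
        if (sscanf(buf, "%*llx-%*llx %4s %*llx %*x:%*x %*llu %n",
                   perms, &consumed) == 1 && strlen(perms) == 4) {
            const char *path = consumed > 0 ? buf + consumed : "";
            int wx = perms[1] == 'w' && perms[2] == 'x';

            if (wx && (needle == NULL || strstr(path, needle) != NULL))
                hits++;
        }
        line += len + (eol ? 1 : 0);
    }
    return hits;
}

int main(void)
{
    printf("patched:   %d W+X /[aio] mapping(s)\n",
           count_wx_mappings(sample_patched, "/[aio]"));
    printf("unpatched: %d W+X /[aio] mapping(s)\n",
           count_wx_mappings(sample_unpatched, "/[aio]"));
    return 0;
}
```

Passing `NULL` as the needle counts every W+X mapping, which is why the `[stack]` line shows up in both samples once `READ_IMPLIES_EXEC` is set.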

commit 8e20d9300ac8d29bd5ce8f9e6f635af2c696bab8
Author: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Date:   Tue Apr 19 12:54:18 2016 +0300

    tpm_crb: fix mapping of the buffers
    
    commit 422eac3f7deae34dbaffd08e03e27f37a5394a56 upstream.
    
    On my Lenovo x250 the following situation occurs:
    
    [18697.813871] tpm_crb MSFT0101:00: can't request region for resource
    [mem 0xacdff080-0xacdfffff]
    
    The mapping of the control area overlaps the mapping of the command
    buffer. The control area is mapped over a page, which is not right. It
    should be mapped over sizeof(struct crb_control_area).
    
    Fixing this issue unmasks another issue. Command and response buffers
    can overlap and they do interleave on this machine. According to the PTP
    specification the overlapping means that they are mapped to the same
    buffer.
    
    The commit has also been tested on a Haswell NUC where things worked
    before applying this fix so that both code paths for response buffer
    initialization are tested.
    
    Cc: stable@vger.kernel.org
    Fixes: 1bd047be37d9 ("tpm_crb: Use devm_ioremap_resource")
    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a58005763c3e66468814706eeb79999525a6cf5
Author: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Date:   Tue Mar 15 21:41:40 2016 +0200

    tpm_crb: drop struct resource res from struct crb_priv
    
    commit 14ddfbf488a0223b19abf7e4634e6e676a91a12d upstream.
    
    The iomem resource is needed only temporarily so it is better to pass
    it on instead of storing it permanently. Named the variable as io_res
    so that the code better documents itself.
    
    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Reviewed-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 30131b1fa0916a5bf9bcae5e53c5b46b8ee909cf
Author: Marek Lindner <mareklindner@neomailbox.ch>
Date:   Mon May 2 21:58:50 2016 +0800

    batman-adv: remove unused callback from batadv_algo_ops struct
    
    commit d9f179877e50ae2681fe7b0b83e0d9f63b6165ad upstream.
    
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11e4257d6f382b890d872bd8c9fa5c9f266ce2b9
Author: Maor Gottlieb <maorg@mellanox.com>
Date:   Mon Sep 12 19:16:24 2016 +0300

    IB/mlx5: Set source mac address in FTE
    
    commit ee3da804ad1b1dd4c766199a6e8443542b0aaaef upstream.
    
    Set the source mac address in the FTE when L2 specification
    is provided.
    
    Fixes: 038d2ef87572 ('IB/mlx5: Add flow steering support')
    Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d02402496370a80d6fe0d72a73d9a3b6b297cd1e
Author: Noa Osherovich <noaos@mellanox.com>
Date:   Mon Sep 12 19:16:23 2016 +0300

    IB/mlx5: Enable MAD_IFC commands for IB ports only
    
    commit 7fae6655a0c897875bd34501ec092232b526d3e4 upstream.
    
    MAD_IFC command is supported only for physical functions (PF)
    and when physical port is IB. The proposed fix enforces it.
    
    Fixes: d603c809ef91 ("IB/mlx5: Fix decision on using MAD_IFC")
    Reported-by: David Chang <dchang@suse.com>
    Signed-off-by: Noa Osherovich <noaos@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 23c1162cd9186936648923e490dc3d5d30635e42
Author: Jack Morgenstein <jackm@dev.mellanox.co.il>
Date:   Mon Sep 12 19:16:20 2016 +0300

    IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
    
    commit 8ec07bf8a8b57d6c58927a16a0a22c0115cf2855 upstream.
    
    When sending QP1 MAD packets which use a GRH, the source GID
    (which consists of the 64-bit subnet prefix, and the 64 bit port GUID)
    must be included in the packet GRH.
    
    For SR-IOV, a GID cache is used, since the source GID needs to be the
    slave's source GID, and not the Hypervisor's GID. This cache also
    included a subnet_prefix. Unfortunately, the subnet_prefix field in
    the cache was never initialized (to the default subnet prefix 0xfe80::0).
    As a result, this field remained all zeroes.  Therefore, when SR-IOV
    was active, all QP1 packets which included a GRH had a source GID
    subnet prefix of all-zeroes.
    
    However, the subnet-prefix should initially be 0xfe80::0 (the default
    subnet prefix). In addition, if OpenSM modifies a port's subnet prefix,
    the new subnet prefix must be used in the GRH when sending QP1 packets.
    To fix this we now initialize the subnet prefix in the SR-IOV GID cache
    to the default subnet prefix. We update the cached value if/when OpenSM
    modifies the port's subnet prefix. We take this cached value when sending
    QP1 packets when SR-IOV is active.
    
    Note that the value is stored as an atomic64. This eliminates any need
    for locking when the subnet prefix is being updated.
    
    Note also that we depend on the FW generating the "port management change"
    event for tracking subnet-prefix changes performed by OpenSM. If running
    early FW (before 2.9.4630), subnet prefix changes will not be tracked (but
    the default subnet prefix still will be stored in the cache; therefore
    users who do not modify the subnet prefix will not have a problem).
    If there is a need for such tracking also for early FW, we will add that
    capability in a subsequent patch.
    
    Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 342386791d210623c0828be0523e0cad43998656
Author: Jack Morgenstein <jackm@dev.mellanox.co.il>
Date:   Mon Sep 12 19:16:19 2016 +0300

    IB/mlx4: Fix code indentation in QP1 MAD flow
    
    commit baa0be7026e2f7d1d40bfd45909044169e9e3c68 upstream.
    
    The indentation in the QP1 GRH flow in procedure build_mlx_header is
    really confusing. Fix it, in preparation for a commit which touches
    this code.
    
    Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c15021593e5dd096d2f4fb63f825c374cca8741f
Author: Alex Vesker <valex@mellanox.com>
Date:   Mon Sep 12 19:16:18 2016 +0300

    IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
    
    commit e5ac40cd66c2f3cd11bc5edc658f012661b16347 upstream.
    
    Because of an incorrect bit-masking done on the join state bits, when
    handling a join request we failed to detect a difference between the
    group join state and the request join state when joining as send only
    full member (0x8). This caused the MC join request not to be sent.
    This issue is relevant only when SRIOV is enabled and SM supports
    send only full member.
    
    This fix separates scope bits and join states bits a nibble each.
    
    Fixes: b9c5d6a64358 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV')
    Signed-off-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 749fd55dd210f9676f0d445a6efaaa3bec65174a
Author: Alex Vesker <valex@mellanox.com>
Date:   Mon Sep 12 09:55:28 2016 +0300

    IB/ipoib: Don't allow MC joins during light MC flush
    
    commit 344bacca8cd811809fc33a249f2738ab757d327f upstream.
    
    This fix solves a race between light flush and on the fly joins.
    Light flush doesn't set the device to down and unset IPOIB_OPER_UP
    flag, this means that if while flushing we have a MC join in progress
    and the QP was attached to BC MGID we can have mismatches when
    re-attaching a QP to the BC MGID.
    
    The light flush would set the broadcast group to NULL causing an on
    the fly join to rejoin and reattach to the BC MCG as well as adding
    the BC MGID to the multicast list. The flush process would later on
    remove the BC MGID and detach it from the QP. On the next flush
    the BC MGID is present in the multicast list but not found when trying
    to detach it because of the previous double attach and single detach.
    
    [18332.714265] ------------[ cut here ]------------
    [18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
    ...
    [18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
    [18332.779411]  0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
    [18332.784960]  0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
    [18332.790547]  ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
    [18332.796199] Call Trace:
    [18332.798015]  [<ffffffff813fed47>] dump_stack+0x63/0x8c
    [18332.801831]  [<ffffffff8109add1>] __warn+0xd1/0xf0
    [18332.805403]  [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
    [18332.809706]  [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
    [18332.814384]  [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
    [18332.820031]  [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
    [18332.825220]  [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
    [18332.830290]  [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
    [18332.834911]  [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
    [18332.839741]  [<ffffffff81772bd1>] rollback_registered+0x31/0x40
    [18332.844091]  [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
    [18332.848880]  [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
    [18332.853848]  [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
    [18332.858474]  [<ffffffff81520c08>] dev_attr_store+0x18/0x30
    [18332.862510]  [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
    [18332.866349]  [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
    [18332.870471]  [<ffffffff81207198>] __vfs_write+0x28/0xe0
    [18332.874152]  [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
    [18332.878274]  [<ffffffff81208062>] vfs_write+0xa2/0x1a0
    [18332.881896]  [<ffffffff812093a6>] SyS_write+0x46/0xa0
    [18332.885632]  [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
    [18332.889709]  [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
    [18332.894727] ---[ end trace 09ebbe31f831ef17 ]---
    
    Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
    Signed-off-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27241dbfcf11ca5599140a027927d56cb31e3993
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Aug 17 11:46:17 2016 +0200

    scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached
    
    commit 835831c57e9b0cccc24e96a812542875471d75b5 upstream.
    
    Use scsi_is_sas_rphy() instead of is_sas_attached() to decide whether we
    should obtain the SAS address from a scsi device or not. This will
    prevent us from tripping on the BUG_ON() in sas_sdev_to_rdev() if the
    rphy isn't attached to the SAS transport class, like it is with hpsa's
    logical devices.
    
    Fixes: 3f8d6f2a0 ('ses: fix discovery of SATA devices in SAS enclosures')
    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c31d2667729ab5ba75e1e4da6a870e7d79ede04e
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Aug 17 11:46:16 2016 +0200

    scsi: sas: provide stub implementation for scsi_is_sas_rphy
    
    commit c1a23f6d64552b4480208aa584ec7e9c13d6d9c3 upstream.
    
    Provide a stub implementation for scsi_is_sas_rphy for kernel
    configurations which do not have CONFIG_SCSI_SAS_ATTRS defined.
    
    Reported-by: kbuild test robot <lkp@intel.com>
    Suggested-by: James Bottomley <jejb@linux.vnet.ibm.com>
    Reviewed-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1ee64247675e80f0438ecc819d4e42e1cb06f1d4
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Thu Aug 4 17:22:16 2016 +0200

    regmap: rbtree: Avoid overlapping nodes
    
    commit 1bc8da4e143c0fd8807e061a66d91d5972601ab1 upstream.
    
    When searching for a suitable node that should be used for inserting a new
    register, which does not fall within the range of any existing node, we not
    only look for nodes which are directly adjacent to the new register, but
    for nodes within a certain proximity. This is done to avoid creating lots
    of small nodes with just a few registers spacing in between, which would
    increase memory usage as well as tree traversal time.
    
    This means there might be multiple node candidates which fall within the
    proximity range of the new register. If we choose the first node we
    encounter, under certain register insertion patterns it is possible to end
    up with overlapping ranges. This will break order in the rbtree and can
    cause the cached register value to become corrupted.
    
    E.g. take the simplified example where the proximity range is 2 and the
    register insertion sequence is 1, 4, 2, 3, 5.
     * Insert of register 1 creates a new node, this is the root of the rbtree
     * Insert of register 4 creates a new node, which is inserted to the right
       of the root.
     * Insert of register 2 gets inserted to the first node
     * Insert of register 3 gets inserted to the first node
     * Insert of register 5 also gets inserted into the first node since
       this is the first node encountered and it is within the proximity range.
       Now there are two overlapping nodes.
    
    To avoid this always choose the node that is closest to the new register.
    This will ensure that nodes will not overlap. The tree traversal is still
    done as a binary search, we just don't stop at the first node found. So the
    complexity of the algorithm stays within the same order.
    
    Ideally if a new register is in the range of two adjacent blocks those
    blocks should be merged, but that is a much more invasive change and left
    for later.
    
    The issue was initially introduced in commit 472fdec7380c ("regmap: rbtree:
    Reduce number of nodes, take 2"), but became much more exposed by commit
    6399aea629b0 ("regmap: rbtree: When adding a reg do a bsearch for target
    node") which changed the order in which nodes are looked-up.
    
    Fixes: 6399aea629b0 ("regmap: rbtree: When adding a reg do a bsearch for target node")
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
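
Added example (not the kernel's regcache-rbtree code): a simplified model of the node selection described above, replaying the commit message's sequence 1, 4, 2, 3, 5 with proximity range 2 under both policies. Nodes are kept in a plain array in creation order, which stands in for rbtree traversal order from the root; all names here are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_NODES 8
#define PROXIMITY 2 /* proximity range used in the commit message's example */

/* Insertion order taken from the commit message. */
static const int commit_sequence[] = { 1, 4, 2, 3, 5 };

struct node  { int base, top; };            /* inclusive register range */
struct cache { struct node n[MAX_NODES]; int count; };

/* Distance from reg to a node's range; 0 when reg lies inside it. */
static int distance(const struct node *nd, int reg)
{
    if (reg < nd->base)
        return nd->base - reg;
    if (reg > nd->top)
        return reg - nd->top;
    return 0;
}

/*
 * Choose the node to extend for reg, or -1 if none is near enough.
 * closest == 0: first node within the proximity range (old behaviour)
 * closest == 1: nearest node within the proximity range (fixed behaviour)
 */
static int pick_node(const struct cache *c, int reg, int closest)
{
    int best = -1, best_dist = PROXIMITY + 1;

    /* A register already covered by a node belongs to that node. */
    for (int i = 0; i < c->count; i++)
        if (distance(&c->n[i], reg) == 0)
            return i;

    for (int i = 0; i < c->count; i++) {
        int d = distance(&c->n[i], reg);

        if (d > PROXIMITY)
            continue;
        if (!closest)
            return i;               /* stop at the first candidate */
        if (d < best_dist) {
            best = i;
            best_dist = d;
        }
    }
    return best;
}

static void insert_reg(struct cache *c, int reg, int closest)
{
    int i = pick_node(c, reg, closest);

    if (i < 0) {                    /* nothing nearby: create a new node */
        if (c->count == MAX_NODES)
            abort();
        c->n[c->count].base = c->n[c->count].top = reg;
        c->count++;
        return;
    }
    if (reg < c->n[i].base)
        c->n[i].base = reg;
    if (reg > c->n[i].top)
        c->n[i].top = reg;
}

/* Replay regs[] and return how many node pairs end up overlapping. */
int overlaps_after(const int *regs, int n, int closest)
{
    struct cache c = { .count = 0 };
    int overlaps = 0;

    for (int i = 0; i < n; i++)
        insert_reg(&c, regs[i], closest);

    for (int i = 0; i < c.count; i++)
        for (int j = i + 1; j < c.count; j++)
            if (c.n[i].base <= c.n[j].top && c.n[j].base <= c.n[i].top)
                overlaps++;
    return overlaps;
}

int main(void)
{
    int n = (int)(sizeof(commit_sequence) / sizeof(commit_sequence[0]));

    printf("first candidate: %d overlapping pair(s)\n",
           overlaps_after(commit_sequence, n, 0));
    printf("closest node:    %d overlapping pair(s)\n",
           overlaps_after(commit_sequence, n, 1));
    return 0;
}
```

With the first-candidate policy the root node grows to cover 1..5 while the node for register 4 still exists; with the closest-node policy register 5 extends the second node instead and the ranges stay disjoint.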

commit fe459deb1840fe4cdb5b6a299376d7a710b87094
Author: Erez Shitrit <erezsh@mellanox.com>
Date:   Sun Aug 28 10:58:30 2016 +0300

    IB/core: Fix use after free in send_leave function
    
    commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.
    
    The function send_leave sets the member: group->query_id
    (group->query_id = ret) after calling the sa_query, but leave_handler
    can be executed before the setting and it might delete the group object,
    and will get a memory corruption.
    
    Additionally, this patch gets rid of group->query_id variable which is
    not used.
    
    Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a734679bdf768e370ef3d32254871ada91ad261f
Author: Ashok Raj Nagarajan <arnagara@qti.qualcomm.com>
Date:   Fri Aug 19 13:37:37 2016 +0300

    ath10k: fix get rx_status from htt context
    
    commit 237e15dfd5d651868726111c3a9d828bec700490 upstream.
    
    On handling amsdu on rx path, get the rx_status from htt context. Without this
    fix, we are seeing warnings when running DBDC traffic like this.
    
    WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4105 ieee80211_rx_napi+0x88/0x7d8 [mac80211]()
    
    [ 1715.878248] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.21 #1
    [ 1715.878273] [<c001d3f4>] (unwind_backtrace) from [<c001a4b0>] (show_stack+0x10/0x14)
    [ 1715.878293] [<c001a4b0>] (show_stack) from [<c01bee64>] (dump_stack+0x70/0xbc)
    [ 1715.878315] [<c01bee64>] (dump_stack) from [<c002a61c>] (warn_slowpath_common+0x64/0x88)
    [ 1715.878339] [<c002a61c>] (warn_slowpath_common) from [<c002a6d0>] (warn_slowpath_null+0x18/0x20)
    [ 1715.878395] [<c002a6d0>] (warn_slowpath_null) from [<bf4caa98>] (ieee80211_rx_napi+0x88/0x7d8 [mac80211])
    [ 1715.878474] [<bf4caa98>] (ieee80211_rx_napi [mac80211]) from [<bf568658>] (ath10k_htt_t2h_msg_handler+0xb48/0xbfc [ath10k_core])
    [ 1715.878535] [<bf568658>] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [<bf568708>] (ath10k_htt_t2h_msg_handler+0xbf8/0xbfc [ath10k_core])
    [ 1715.878597] [<bf568708>] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [<bf569160>] (ath10k_htt_txrx_compl_task+0xa54/0x1170 [ath10k_core])
    [ 1715.878639] [<bf569160>] (ath10k_htt_txrx_compl_task [ath10k_core]) from [<c002db14>] (tasklet_action+0xb4/0x130)
    [ 1715.878659] [<c002db14>] (tasklet_action) from [<c002d110>] (__do_softirq+0xe0/0x210)
    [ 1715.878678] [<c002d110>] (__do_softirq) from [<c002d4b4>] (irq_exit+0x84/0xe0)
    [ 1715.878700] [<c002d4b4>] (irq_exit) from [<c005a544>] (__handle_domain_irq+0x98/0xd0)
    [ 1715.878722] [<c005a544>] (__handle_domain_irq) from [<c00085f4>] (gic_handle_irq+0x38/0x5c)
    [ 1715.878741] [<c00085f4>] (gic_handle_irq) from [<c0009680>] (__irq_svc+0x40/0x74)
    [ 1715.878753] Exception stack(0xc05f9f50 to 0xc05f9f98)
    [ 1715.878767] 9f40: ffffffed 00000000 00399e1e c000a220
    [ 1715.878786] 9f60: 00000000 c05f6780 c05f8000 00000000 c05f5db8 ffffffed c05f8000 c04d1980
    [ 1715.878802] 9f80: 00000000 c05f9f98 c0018110 c0018114 60000013 ffffffff
    [ 1715.878822] [<c0009680>] (__irq_svc) from [<c0018114>] (arch_cpu_idle+0x2c/0x50)
    [ 1715.878844] [<c0018114>] (arch_cpu_idle) from [<c00530d4>] (cpu_startup_entry+0x108/0x234)
    [ 1715.878866] [<c00530d4>] (cpu_startup_entry) from [<c05c7be0>] (start_kernel+0x33c/0x3b8)
    [ 1715.878879] ---[ end trace 6d5e1cc0fef8ed6a ]---
    [ 1715.878899] ------------[ cut here ]------------
    
    Fixes: 18235664e7f9 ("ath10k: cleanup amsdu processing for rx indication")
    Signed-off-by: Ashok Raj Nagarajan <arnagara@qti.qualcomm.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 40d5ac1c932686823768c8aec75140805102f5f6
Author: Erez Shitrit <erezsh@mellanox.com>
Date:   Sun Aug 28 10:58:31 2016 +0300

    IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
    
    commit 546481c2816ea3c061ee9d5658eb48070f69212e upstream.
    
    When a new CM connection is being requested, ipoib driver copies data
    from the path pointer in the CM/tx object, the path object might be
    invalid at that point and memory corruption will happen later when
    the CM driver tries to use that data.
    
    The next scenario demonstrates it:
            neigh_add_path --> ipoib_cm_create_tx -->
            queue_work (pointer to path is in the cm/tx struct)
            #while the work is still in the queue,
            #the port goes down and causes the ipoib_flush_paths:
            ipoib_flush_paths --> path_free --> kfree(path)
            #at this point the work scheduled starts.
            ipoib_cm_tx_start --> copy from the (invalid)path pointer:
            (memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
             -> memory corruption.
    
    To fix that the driver now starts the CM/tx connection only if that
    specific path exists in the general paths database.
    This check is protected with the relevant locks, and uses the gid from
    the neigh member in the CM/tx object which is valid according to the ref
    count that was taken by the CM/tx.
    
    Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support')
    Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44bd8641756c3f4caa2e78f5de79d722706ad12a
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Sun Aug 28 18:47:12 2016 +0200

    ceph: do not modify fi->frag in need_reset_readdir()
    
    commit 0f5aa88a7bb28b73253fb42b3df8202142769f39 upstream.
    
    Commit f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset")
    modified "if (fpos_frag(new_pos) != fi->frag)" to "if (fi->frag |=
    fpos_frag(new_pos))" in need_reset_readdir(), thus replacing a
    comparison operator with an assignment one.
    
    This looks like a typo which is reported by clang when building the
    kernel with some warning flags:
    
        fs/ceph/dir.c:600:22: error: using the result of an assignment as a
        condition without parentheses [-Werror,-Wparentheses]
                } else if (fi->frag |= fpos_frag(new_pos)) {
                           ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
        fs/ceph/dir.c:600:22: note: place parentheses around the assignment
        to silence this warning
                } else if (fi->frag |= fpos_frag(new_pos)) {
                                    ^
                           (                             )
        fs/ceph/dir.c:600:22: note: use '!=' to turn this compound
        assignment into an inequality comparison
                } else if (fi->frag |= fpos_frag(new_pos)) {
                                    ^~
                                    !=
    
    Fixes: f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset")
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11669327a8f2dfb26e2acb9ca7bf496e9645bae6
Author: Radim Krčmář <rkrcmar@redhat.com>
Date:   Mon Aug 8 20:16:23 2016 +0200

    KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
    
    commit dccbfcf52cebb8963246eba5b177b77f26b34da0 upstream.
    
    If vmcs12 does not intercept APIC_BASE writes, then KVM will handle the
    write with vmcs02 as the current VMCS.
    This will incorrectly apply modifications intended for vmcs01 to vmcs02
    and L2 can use it to gain access to L0's x2APIC registers by disabling
    virtualized x2APIC while using msr bitmap that assumes enabled.
    
    Postpone execution of vmx_set_virtual_x2apic_mode until vmcs01 is the
    current VMCS.  An alternative solution would temporarily make vmcs01 the
    current VMCS, but it requires more care.
    
    Fixes: 8d14695f9542 ("x86, apicv: add virtual x2apic support")
    Reported-by: Jim Mattson <jmattson@google.com>
    Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc16f59b3fd71a99779df242139129956bfcaa97
Author: Wei Yongjun <weiyj.lk@gmail.com>
Date:   Wed Aug 10 03:17:09 2016 +0000

    dmaengine: at_xdmac: fix to pass correct device identity to free_irq()
    
    commit 6a8b0c6b18f62a277ffb2139d0c0253fe35d7feb upstream.
    
    free_irq() expects the same device identity that was passed to
    corresponding request_irq(), otherwise the IRQ is not freed.
    
    Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
    Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
    Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0379e8b6ff2be6801c514f6786ffb332c3913af0
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Thu Sep 1 16:14:53 2016 -0700

    lib/test_hash.c: fix warning in preprocessor symbol evaluation
    
    commit e6173ba42bbdba05fd4f3021c0beda0506271507 upstream.
    
    Some versions of gcc don't like tests for the value of an undefined
    preprocessor symbol, even in the #else branch of an #ifndef:
    
        lib/test_hash.c:224:7: warning: "HAVE_ARCH__HASH_32" is not defined [-Wundef]
         #elif HAVE_ARCH__HASH_32 != 1
               ^
        lib/test_hash.c:229:7: warning: "HAVE_ARCH_HASH_32" is not defined [-Wundef]
         #elif HAVE_ARCH_HASH_32 != 1
               ^
        lib/test_hash.c:234:7: warning: "HAVE_ARCH_HASH_64" is not defined [-Wundef]
         #elif HAVE_ARCH_HASH_64 != 1
               ^
    
    Seen with gcc 4.9, not seen with 4.1.2.
    
    Change the logic to only check the value inside an #ifdef to fix this.
    
    Fixes: 468a9428521e7d00 ("<linux/hash.h>: Add support for architecture-specific functions")
    Link: http://lkml.kernel.org/r/20160829214952.1334674-4-arnd@arndb.de
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: George Spelvin <linux@sciencehorizons.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2702f818f13614122deac7795c4dbb9c17f6be03
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Aug 14 12:47:49 2016 -0400

    pNFS/flexfiles: Fix layoutstat periodic reporting
    
    commit 1c8d477a77e2d1d3504419e7f2e02e6422becf9a upstream.
    
    Putting the periodicity timer in the mirror instances is causing
    non-scalable reporting behaviour and missed reporting intervals.
    When you recall layouts and/or implement client side mirroring, it
    leads to consecutive reports with only a few ms between RPC calls.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Fixes: d0379a5d066a9 ("pNFS/flexfiles: Support server-supplied...")
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8374aee399534e17955b7a468895beed5f87ba73
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Mon Aug 22 14:57:42 2016 -0400

    SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use
    
    commit 16590a228109e2f318d2cc6466221134cfab723a upstream.
    
    Using NFSv4.1 on RDMA should be safe, so broaden the new checks in
    rpc_create().
    
    WARN_ON_ONCE is used, matching most other WARN call sites in clnt.c.
    
    Fixes: 39a9beab5acb ("rpc: share one xps between all backchannels")
    Fixes: d50039ea5ee6 ("nfsd4/rpc: move backchannel create logic...")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Reviewed-by: J. Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d926cd9f7b907f6ae3fc2c49684f51da3c8f2f72
Author: Michal Hocko <mhocko@suse.com>
Date:   Thu Sep 1 16:15:13 2016 -0700

    kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
    
    commit 735f2770a770156100f534646158cb58cb8b2939 upstream.
    
    Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal
    exit") has caused a subtle regression in nscd which uses
    CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the
    shared databases, so that the clients are notified when nscd is
    restarted.  Now, when nscd uses a non-persistent database, clients that
    have it mapped keep thinking the database is being updated by nscd, when
    in fact nscd has created a new (anonymous) one (for non-persistent
    databases it uses an unlinked file as backend).
    
    The original proposal for the CLONE_CHILD_CLEARTID change claimed
    (https://lkml.org/lkml/2006/10/25/233):
    
    : The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls
    : on behalf of pthread_create() library calls.  This feature is used to
    : request that the kernel clear the thread-id in user space (at an address
    : provided in the syscall) when the thread disassociates itself from the
    : address space, which is done in mm_release().
    :
    : Unfortunately, when a multi-threaded process incurs a core dump (such as
    : from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of
    : the other threads, which then proceed to clear their user-space tids
    : before synchronizing in exit_mm() with the start of core dumping.  This
    : misrepresents the state of process's address space at the time of the
    : SIGSEGV and makes it more difficult for someone to debug NPTL and glibc
    : problems (misleading him/her to conclude that the threads had gone away
    : before the fault).
    :
    : The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a
    : core dump has been initiated.
    
    The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269)
    seems to have a larger scope than the original patch asked for.  It
    seems that limiting the scope of the check to core dumping should work
    for the SIGSEGV issue described above.
    
    [Changelog partly based on Andreas' description]
    Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit")
    Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Tested-by: William Preston <wpreston@suse.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Roland McGrath <roland@hack.frob.com>
    Cc: Andreas Schwab <schwab@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 575a715454ea32e2e569b31b2d9a4ecfc9bb985a
Author: Wei Yongjun <weiyj.lk@gmail.com>
Date:   Fri Aug 5 13:46:49 2016 +0000

    IB/core: Fix possible memory leak in cma_resolve_iboe_route()
    
    commit 23d70503ee187819a3775c7ac73f17c5bfe3fad0 upstream.
    
    'work' and 'route->path_rec' are malloced in cma_resolve_iboe_route()
    and should be freed before leaving from the error handling cases,
    otherwise it will cause memory leak.
    
    Fixes: 200298326b27 ('IB/core: Validate route when we init ah')
    Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
    Reviewed-by: Haggai Eran <haggaie@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3157e7e748ceb7d532d43209ff5951038f3e5d7d
Author: Peter Ujfalusi <peter.ujfalusi@ti.com>
Date:   Tue Aug 23 10:27:19 2016 +0300

    ASoC: omap-mcpdm: Fix irq resource handling
    
    commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream.
    
    Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function")
    
    Managed irq request will not do any good in ASoC probe level as it is
    not going to free up the irq when the driver is unbound from the sound
    card.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Reported-by: Russell King <linux@armlinux.org.uk>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f4cea51e9a3d536e2ca2b74a958f7c0b4ea733c3
Author: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Date:   Thu Aug 25 15:16:51 2016 -0700

    sysctl: handle error writing UINT_MAX to u32 fields
    
    commit e7d316a02f683864a12389f8808570e37fb90aa3 upstream.
    
    We have scripts which write to certain fields on 3.18 kernels but this
    seems to be failing on 4.4 kernels.  An entry which we write to here is
    xfrm_aevent_rseqth which is u32.
    
      echo 4294967295  > /proc/sys/net/core/xfrm_aevent_rseqth
    
    Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting
    to int") prevented writing to sysctl entries when integer overflow
    occurs.  However, this does not apply to unsigned integers.
    
    Heinrich suggested that we introduce a new option to handle 64 bit
    limits and set min as 0 and max as UINT_MAX.  This might not work as it
    leads to issues similar to __do_proc_doulongvec_minmax.  Alternatively,
    we would need to change the datatype of the entry to 64 bit.
    
      static int __do_proc_doulongvec_minmax(void *data, struct ctl_table
      {
          i = (unsigned long *) data;   //This cast is causing to read beyond the size of data (u32)
          vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64.
    
    Introduce a new proc handler proc_douintvec.  Individual proc entries
    will need to be updated to use the new handler.
    
    [akpm@linux-foundation.org: coding-style fixes]
    Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int")
    Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org
    Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
    Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Ingo Molnar <mingo@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
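
Added example (not part of the commit or of kernel/sysctl.c): a user-space C model of the three behaviours the message above contrasts for the string 4294967295: an int store with overflow detection, the slot count an unsigned-long vector handler derives from a u32-sized field, and a dedicated unsigned int store. Function names are hypothetical and the parsing is simplified to decimal input.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Split "[+-]digits" into sign and magnitude; reject anything else. */
static int parse_decimal(const char *s, int *neg, unsigned long long *mag)
{
    char *end;

    while (*s == ' ' || *s == '\t')
        s++;
    *neg = 0;
    if (*s == '-') {
        *neg = 1;
        s++;
    } else if (*s == '+') {
        s++;
    }
    if (*s < '0' || *s > '9')
        return -EINVAL;           /* empty input, or a second sign for strtoull to wrap */
    errno = 0;
    *mag = strtoull(s, &end, 10);
    if (errno == ERANGE)
        return -EINVAL;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;                    /* "echo" appends a newline */
    return *end == '\0' ? 0 : -EINVAL;
}

/* Signed store with overflow detection: UINT_MAX does not fit in int. */
int model_store_int(const char *s, int *dst)
{
    unsigned long long mag;
    int neg;

    if (parse_decimal(s, &neg, &mag))
        return -EINVAL;
    if (neg) {
        if (mag > (unsigned long long)INT_MAX + 1)
            return -EINVAL;
        *dst = (int)(-(long long)mag);
    } else {
        if (mag > (unsigned long long)INT_MAX)
            return -EINVAL;
        *dst = (int)mag;
    }
    return 0;
}

/*
 * Slots a vector handler sees: maxlen / element size. With a 4-byte field
 * and an 8-byte element the result is 0, so nothing is ever written.
 */
size_t model_vec_slots(size_t maxlen, size_t elem_size)
{
    return maxlen / elem_size;
}

/* Bytes an elem_size-wide access touches beyond a field of field_size bytes. */
size_t model_overrun_bytes(size_t field_size, size_t elem_size)
{
    return elem_size > field_size ? elem_size - field_size : 0;
}

/* Unsigned store: the full 0..UINT32_MAX range, negatives rejected. */
int model_store_uint(const char *s, uint32_t *dst)
{
    unsigned long long mag;
    int neg;

    if (parse_decimal(s, &neg, &mag))
        return -EINVAL;
    if (neg || mag > UINT32_MAX)
        return -EINVAL;
    *dst = (uint32_t)mag;
    return 0;
}

int main(void)
{
    const char *in = "4294967295\n";   /* constructed input, as written by echo */
    uint32_t u = 0;
    int i = 0;

    printf("int handler model:   %d\n", model_store_int(in, &i));
    printf("ulong slots (LP64):  %zu, overrun %zu bytes\n",
           model_vec_slots(sizeof(uint32_t), 8),
           model_overrun_bytes(sizeof(uint32_t), 8));
    printf("uint handler model:  %d (value %u)\n",
           model_store_uint(in, &u), (unsigned)u);
    return 0;
}
```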

commit ef2d1c344a93d1a9aa182dbaa7a13dd0c28ec643
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Fri Aug 12 21:45:52 2016 +1000

    powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
    
    commit 66443efa83dc73775100b7442962ce2cb0d4472e upstream.
    
    When booting from an OpenFirmware which supports it, we use the
    "ibm,client-architecture-support" firmware call to communicate
    our capabilities to firmware.
    
    The format of the structure we pass to firmware is specified in
    PAPR (Power Architecture Platform Requirements), or the public version
    LoPAPR (Linux on Power Architecture Platform Reference).
    
    Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte
    field at bytes 17-20 for the "Platform Facilities Enable". This is
    followed by a 1 byte field at byte 21 for "Sub-Processor Representation
    Level".
    
    Comparing to the code, there we have the Platform Facilities
    options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its
    full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is
    incorrectly placed at byte 18.
    
    Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes
    to hopefully make it clearer in future.
    
    As far as I'm aware nothing actually consumes this value at this time,
    so the effect of this bug is nil in practice.
    
    It does mean we've been incorrectly setting bit 15 of the "Platform
    Facilities Enable" option for the past ~3 1/2 years, so we should avoid
    allocating that bit to anything else in future.
    
    Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8")
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62a3f954e3cc161851cb59ed7953afd50a6493d1
Author: Phil Turnbull <phil.turnbull@oracle.com>
Date:   Fri Jul 29 09:43:56 2016 -0400

    staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN.
    
    commit c71f20ee76342376e3c4c67cdbe7421d8c4e886e upstream.
    
    The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL.
    
    Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
    Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
    Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cd8fb09885bec8f6592a2a6e18975b863fe44777
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Mon Jul 18 16:24:37 2016 -0700

    brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
    
    commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.
    
    wlc_phy_txpower_get_current() does a logical OR of power->flags, which
    presumes that power.flags was initialized earlier by the caller,
    unfortunately, this is not the case, so make sure we zero out the struct
    tx_power before calling into wlc_phy_txpower_get_current().
    
    Reported-by: coverity (CID 146011)
    Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e72aaca2db72a29a90ccebdb762b300c2f29562
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Mon Jul 18 16:24:35 2016 -0700

    brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
    
    commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.
    
    In case dma_mapping_error() returns an error in dma_rxfill, we would be
    leaking a packet that we allocated with brcmu_pkt_buf_get_skb().
    
    Reported-by: coverity (CID 1081819)
    Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Acked-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c5f4ac50d97527ea0bce0284e6605c07d730e1b1
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Mon Jul 18 16:24:34 2016 -0700

    brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
    
    commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.
    
    In case brcmf_sdiod_recv_chain() cannot complete a successful call to
    brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
    should, fix this.
    
    Reported-by: coverity (CID 1164856)
    Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44ced8fcf96783928aa4f0aa3b87721b88e562c8
Author: Wei Yongjun <weiyj.lk@gmail.com>
Date:   Fri Aug 12 11:45:18 2016 +0000

    ASoC: Intel: Skylake: Fix error return code in skl_probe()
    
    commit 979cf59acc9d634cc140aadd0d2915947ab303cc upstream.
    
    Fix to return error code -ENODEV from the error handling
    case instead of 0, as done elsewhere in this function.
    
    Fixes: 87b2bdf02278 ("ASoC: Intel: Skylake: Initialize NHLT table")
    Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
    Acked-By: Vinod Koul <vinod.kou@intel.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5337a8ba4e07bc0cd0249a8282d1a11983337f0f
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Jun 29 13:52:12 2016 -0400

    xprtrdma: Remove FMRs from the unmap list after unmapping
    
    commit 38f1932e60ba249660bbae585f61ef2dee3313a4 upstream.
    
    ib_unmap_fmr() takes a list of FMRs to unmap. However, it does not
    remove the FMRs from this list as it processes them. Other
    ib_unmap_fmr() call sites are careful to remove FMRs from the list
    after ib_unmap_fmr() returns.
    
    Since commit 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
    fmr_op_unmap_sync passes more than one FMR to ib_unmap_fmr(), but
    it didn't bother to remove the FMRs from that list once the call was
    complete.
    
    I've noticed some instability that could be related to list
    tangling by the new fmr_op_unmap_sync() logic. In an abundance
    of caution, add some defensive logic to clean up properly after
    ib_unmap_fmr().
    
    Fixes: 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Tested-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b3c5b399e6614c17c428e453e528b7c717edbf2c
Author: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Date:   Fri Jul 15 17:20:36 2016 +1000

    cxl: fix potential NULL dereference in free_adapter()
    
    commit 8fbaa51d43ef2c6a72849ec34060910723a0365f upstream.
    
    If kzalloc() fails when allocating adapter->guest in
    cxl_guest_init_adapter(), we call free_adapter() before erroring out.
    free_adapter() in turn attempts to dereference adapter->guest, which in
    this case is NULL.
    
    In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
    NULL.
    
    Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7d9885f97676b5b0c5162bd4720c1f956306813
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Thu Jul 21 14:21:56 2016 -0700

    watchdog: core: Clear WDOG_HW_RUNNING before calling the stop function
    
    commit 3c10bbde10fe4dca52726e246cefa6b0a1dfbd3e upstream.
    
    WDOG_HW_RUNNING indicates that the hardware watchdog is running while the
    watchdog device is closed. The flag may be set by the driver when it is
    instantiated to indicate that the watchdog is running, and that the
    watchdog core needs to send heartbeat requests to the driver until the
    watchdog device is opened.
    
    When the watchdog device is closed, the flag can be used by the driver's
    stop function to indicate to the watchdog core that it was unable to stop
    the watchdog, and that the watchdog core needs to send heartbeat requests.
    This only works if the flag is actually cleared when the watchdog is
    stopped. To avoid having to clear the flag in each driver's stop function,
    clear it in the watchdog core before calling the stop function.
    
    Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Fixes: ee142889e32f ("watchdog: Introduce WDOG_HW_RUNNING flag")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0c8716b6e61f139f22ddd2d9a9366b696830e73f
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Jun 26 12:39:49 2016 -0400

    pNFS/flexfiles: Fix layoutcommit after a commit to DS
    
    commit c001c87a63aa2f35358e33eb05e45e4cbcb34f54 upstream.
    
    We should always do a layoutcommit after commit to DS, except if
    the layout segment we're using has set FF_FLAGS_NO_LAYOUTCOMMIT.
    
    Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2bd1cf2e2f64fe257eec8ea06a71e8b94abd06c0
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Sun Jun 26 12:27:25 2016 -0400

    pNFS/files: Fix layoutcommit after a commit to DS
    
    commit 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f upstream.
    
    According to the errata
    https://www.rfc-editor.org/errata_search.php?rfc=5661&eid=2751
    we should always send layout commit after a commit to DS.
    
    Fixes: bc7d4b8fd091 ("nfs/filelayout: set layoutcommit...")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2d46690499095bc4620d8d064385968fd3ce8c7d
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Jun 29 13:55:22 2016 -0400

    NFS: Don't drop CB requests with invalid principals
    
    commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.
    
    Before commit 778be232a207 ("NFS do not find client in NFSv4
    pg_authenticate"), the Linux callback server replied with
    RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
    request. Let's restore that behavior so the server has a chance to
    do something useful about it, and provide a warning that helps
    admins correct the problem.
    
    Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Tested-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d1026ba2c0cb31cdbe2710faa46e7e09f169b67b
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Wed Jun 29 13:55:14 2016 -0400

    svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
    
    commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.
    
    If an RPC program does not set vs_dispatch and pc_func() returns
    rpc_drop_reply, the server sends a reply anyway containing a single
    word containing the value RPC_DROP_REPLY (in network byte-order, of
    course). This is a nonsense RPC message.
    
    Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Tested-by: Steve Wise <swise@opengridcomputing.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c31ebfa6e16a2daa04e9b8888c2071679aa8256b
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Tue Jun 28 13:54:09 2016 -0400

    NFS/pnfs: Do not clobber existing pgio_done_cb in nfs4_proc_read_setup
    
    commit ca857cc1d4cf17aba4bbb3b95d35454ad96924b3 upstream.
    
    If a pNFS client sets hdr->pgio_done_cb, then we should not overwrite that
    in nfs4_proc_read_setup()
    
    Fixes: 75bf47ebf6b5 ("pNFS/flexfile: Fix erroneous fall back to...")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 013e460e7ac688bac81c63671d68d1817a4b17e0
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Wed Jun 29 19:44:51 2016 +0200

    dmaengine: at_xdmac: fix debug string
    
    commit 3935e08768ff777da6496521b1fc36f72823672c upstream.
    
    mbr_ds is an integer, don't use %pad to print it.
    
    Fixes: commit 268914f4e7a0 ("dmaengine: at_xdmac: use %pad format string for dma_addr_t")
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8409e9f230a9b75df7b7d1cdbc0a27fa9f13f858
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Jun 30 14:47:10 2016 +0200

    dmaengine: bcm2835: fix 64-bit warning
    
    commit 4aa819c79bb73f3d1bdf5244d0a0f7f15261504c upstream.
    
    When building this driver on arm64, we get a harmless type
    mismatch warning:
    
    drivers/dma/bcm2835-dma.c: In function 'bcm2835_dma_fill_cb_chain_with_sg':
    include/linux/kernel.h:743:17: warning: comparison of distinct pointer types lacks a cast
      (void) (&_min1 == &_min2);  \
                     ^
    drivers/dma/bcm2835-dma.c:409:21: note: in expansion of macro 'min'
        cb->cb->length = min(len, max_len);
    
    This changes the type of the 'len' variable to size_t, which
    avoids the problem.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Fixes: 388cc7a281c0 ("dmaengine: bcm2835: add slave_sg support to bcm2835-dma")
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42ecc48879c3c4ed9e889f2a9d2e365352a6d197
Author: Tom Zanussi <tom.zanussi@linux.intel.com>
Date:   Sun Jul 3 08:51:34 2016 -0500

    tracing: Have HIST_TRIGGERS select TRACING
    
    commit 7ad8fb61c4abf589596f0a4da34d987471481569 upstream.
    
    The kbuild test robot reported a compile error if HIST_TRIGGERS was
    enabled but nothing else that selected TRACING was configured in.
    
    HIST_TRIGGERS should directly select it and not rely on anything else
    to do it.
    
    Link: http://lkml.kernel.org/r/57791866.8080505@linux.intel.com
    
    Reported-by: kbuild test robot <fennguang.wu@intel.com>
    Fixes: 7ef224d1d0e3a ("tracing: Add 'hist' event trigger command")
    Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b91fa3dd127829be491a84ace6213e9d10bdb655
Author: Alexander Potapenko <glider@google.com>
Date:   Thu Jul 28 15:49:04 2016 -0700

    mm, kasan: account for object redzone in SLUB's nearest_obj()
    
    commit c146a2b98eb5898eb0fab15a332257a4102ecae9 upstream.
    
    When looking up the nearest SLUB object for a given address, correctly
    calculate its offset if SLAB_RED_ZONE is enabled for that cache.
    
    Previously, when KASAN had detected an error on an object from a cache
    with SLAB_RED_ZONE set, the actual start address of the object was
    miscalculated, which led to random stacks having been reported.
    
    When looking up the nearest SLUB object for a given address, correctly
    calculate its offset if SLAB_RED_ZONE is enabled for that cache.
    
    Fixes: 7ed2f9e663854db ("mm, kasan: SLAB support")
    Link: http://lkml.kernel.org/r/1468347165-41906-2-git-send-email-glider@google.com
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Cc: Andrey Konovalov <adech.fo@gmail.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Kostya Serebryany <kcc@google.com>
    Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Kuthonuzo Luruo <kuthonuzo.luruo@hpe.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit be784fafa10c5021a1c03369944edce75b95d1f9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 7 11:23:59 2016 +0300

    fnic: pci_dma_mapping_error() doesn't return an error code
    
    commit dd7328e4c53649c1c7ec36bc1cf5b229b8662047 upstream.
    
    pci_dma_mapping_error() returns true on error and false on success.
    
    Fixes: fd6ddfa4c1dd ('fnic: check pci_map_single() return value')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a2c5cb739408dab9f76da832245c0443330d08f
Author: Sawan Chandak <sawan.chandak@qlogic.com>
Date:   Wed Jul 6 11:14:34 2016 -0400

    qla2xxx: Fix BBCR offset
    
    commit 061b5c3c48a1e276f8fd539bfa8aab8b359ffc31 upstream.
    
    Fixes: 969a619 ("qla2xxx: Add support for buffer to buffer credit value for ISP27XX.")
    Signed-off-by: Sawan Chandak <sawan.chandak@qlogic.com>
    Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
    Reviewed-by: Hannes Reinecke <hare@suse.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 064500b2cd31028572a02c84b427bd08d58e8a70
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jul 13 13:08:55 2016 +0300

    avr32: off by one in at32_init_pio()
    
    commit 55f1cf83d5cf885c75267269729805852039c834 upstream.
    
    The pio_dev[] array has MAX_NR_PIO_DEVICES elements so the > should be
    >=.
    
    Fixes: 5f97f7f9400d ('[PATCH] avr32 architecture')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 609442ec9a188e665da4897c6eace09a5afab791
Author: Sudeep Holla <sudeep.holla@arm.com>
Date:   Tue May 24 17:12:04 2016 +0100

    mailbox: mailbox-test: set tdev->signal to NULL after freeing
    
    commit 9ef3c5112139cc5c5666ee096e05bc1e00e94015 upstream.
    
    tdev->signal is not set NULL after it's freed. This will cause random
    exceptions when the stale pointer is accessed after tdev->signal is
    freed. Also, since tdev->signal allocation is skipped the next time
    it's written, this leads to continuous fault finally leading to the
    total death of the system.
    
    Fixes: d1c2f87c9a8f ("mailbox: mailbox-test: Prevent memory leak")
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Acked-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b2c866c3d4bfa785fc082f0e3bd71317f231242c
Author: Sven Eckelmann <sven@narfation.org>
Date:   Wed Jun 29 19:29:30 2016 +0300

    ath9k: Fix programming of minCCA power threshold
    
    commit aaab50fcea78ae3414c3afc25aae8d0603df34d0 upstream.
    
    The function ar9003_hw_apply_minccapwr_thresh takes as second parameter not
    a pointer to the channel but a boolean value describing whether the channel
    is 2.4GHz or not. This broke (according to the origin commit) the ETSI
    regulatory compliance on 5GHz channels.
    
    Fixes: 3533bf6b15a0 ("ath9k: Fix regulatory compliance")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Cc: Simon Wunderlich <sw@simonwunderlich.de>
    Cc: Sujith Manoharan <c_manoha@qca.qualcomm.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28e61be97caaec0631e6b7fa8731a4a012d52c38
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Mon Jul 4 10:21:40 2016 -0300

    gspca: avoid unused variable warnings
    
    commit d7e92e15e92fc987640772bf110586898b5f15aa upstream.
    
    When CONFIG_INPUT is disabled, multiple gspca backend drivers
    print compile-time warnings about unused variables:
    
    media/usb/gspca/cpia1.c: In function 'sd_stopN':
    media/usb/gspca/cpia1.c:1627:13: error: unused variable 'sd' [-Werror=unused-variable]
    media/usb/gspca/konica.c: In function 'sd_stopN':
    media/usb/gspca/konica.c:246:13: error: unused variable 'sd' [-Werror=unused-variable]
    
    This annotates the variables as __maybe_unused, to let the compiler
    know that they are declared intentionally.
    
    Fixes: ee186fd96a5f ("[media] gscpa_t613: Add support for the camera button")
    Fixes: c2f644aeeba3 ("[media] gspca_cpia1: Add support for button")
    Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for konica chipset using cams")
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5df20b95ea7ca7b4cfb1705eee95f53d19597065
Author: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Date:   Wed May 18 20:01:21 2016 -0300

    v4l: vsp1: Fix crash when resetting pipeline
    
    commit d69e40fade97b6b19837c1772efa516bc28cc870 upstream.
    
    The vsp1_pipeline_reset() function loops over pipeline inputs and output
    and resets them. When doing so it assumes both that the pipeline has
    been correctly configured with an output, and that inputs are stored
    in the pipe inputs array at positions 0 to num_inputs-1.
    
    Both the assumptions are incorrect. The pipeline might need to be reset
    after a failed attempt to configure it, without any output specified.
    Furthermore, inputs are stored in a position equal to their RPF index,
    possibly creating holes in the inputs array if the RPFs are not used in
    sequence.
    
    Fix both issues by looping over the whole inputs array and skipping
    unused entries, and ignoring the output when not set.
    
    Fixes: ff7e97c94d9f ("[media] v4l: vsp1: Store pipeline pointer in rwpf")
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58ae1d53c880ddac8f408d848c1f64760834c770
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 9 05:22:55 2016 -0300

    em28xx-i2c: rt_mutex_trylock() returns zero on failure
    
    commit e44c153b30c9a0580fc2b5a93f3c6d593def2278 upstream.
    
    The code is checking for negative returns but it should be checking for
    zero.
    
    Fixes: aab3125c43d8 ('[media] em28xx: add support for registering multiple i2c buses')
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8050f4653473140037aee786dfa2b36fc499427c
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Sun Jun 5 11:17:10 2016 +0200

    NFC: fdp: Detect errors from fdp_nci_create_conn()
    
    commit fa1ce54ea38f7f83473fce62e64fefbd7ebd170e upstream.
    
    drivers/nfc/fdp/fdp.c: In function ‘fdp_nci_patch_otp’:
    drivers/nfc/fdp/fdp.c:373: warning: comparison is always false due to limited range of data type
    drivers/nfc/fdp/fdp.c: In function ‘fdp_nci_patch_ram’:
    drivers/nfc/fdp/fdp.c:444: warning: comparison is always false due to limited range of data type
    
    fdp_nci_create_conn() may return a negative error code, which is
    silently ignored by assigning it to a u8.
    
    Change conn_id from u8 to int to fix this.
    
    Fixes: a06347c04c13e380 ("NFC: Add Intel Fields Peak NFC solution driver")
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcaf33eea097d2da64dfa9a3127e4828b53c2c0a
Author: striebit <shaul.triebitz@intel.com>
Date:   Tue Jun 7 15:05:26 2016 +0300

    iwlmvm: mvm: set correct state in smart-fifo configuration
    
    commit 849a9627299100ae3f0ce573fc87d2b476f3bb59 upstream.
    
    Currently the state sent in SF configuration is always
    FULL_ON.
    This commit sets the correct state (e.g. INIT_OFF
    when station is not associated).
    
    Fixes: commit f4a3ee493e69 ("iwlwifi: mvm: Always enable the smart FIFO")
    Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 53cf454058e67f009dc2149939f354e74b65996b
Author: Jacob Keller <jacob.e.keller@intel.com>
Date:   Mon Apr 18 15:45:00 2016 -0700

    fm10k: fix incorrect index calculation in fm10k_write_reta
    
    commit 34875887f360d7bd0b7f0a89f7c6d65eca616ee3 upstream.
    
    The index calculated when looping through the indir array passed to
    fm10k_write_reta was incorrectly calculated as the first part i needs to
    be multiplied by 4.
    
    Fixes: 0cfea7a65738 ("fm10k: fix possible null pointer deref after kcalloc", 2016-04-13)
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Tested-by: Krishneil Singh <Krishneil.k.singh@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b78ac0135ecc22ffa37762fcb39775e718eaa50d
Author: James Hogan <james.hogan@imgtec.com>
Date:   Mon Jul 25 16:59:54 2016 +0100

    tile: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    
    commit cdf8b4633075f2171d440d2e37c9c2609019a81a upstream.
    
    AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
    NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
    for tile at all even though ARCH_DLINFO will contain one NEW_AUX_ENT for
    the VDSO address.
    
    This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
    AT_BASE_PLATFORM which tile doesn't use, but let's define it now and add
    the comment above ARCH_DLINFO as found in several other architectures to
    remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
    date.
    
    Fixes: 4a556f4f56da ("tile: implement gettimeofday() via vDSO")
    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Chris Metcalf <cmetcalf@mellanox.com>
    Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d66d6d28d6d7db5c88f60f7acb6cd9a33238577
Author: Geliang Tang <geliangtang@163.com>
Date:   Sat Nov 7 12:43:49 2015 +0800

    pstore: drop file opened reference count
    
    commit 52d210d961a62a9662e27f14d6505d6741b2fb02 upstream.
    
    In ee1d267423a1 ("pstore: add pstore unregister") I added:
            .owner = THIS_MODULE,
    in both pstore_fs_type and pstore_file_operations to increase a reference
    count when pstore filesystem is mounted and pstore file is opened.
    
    But, it's repetitive. There is no need to increase the opened reference
    count. We only need to increase the mounted reference count. When a file
    is opened, the filesystem can't be unmounted. Hence the pstore module
    can't be unloaded either.
    
    So I drop the opened reference count in this patch.
    
    Fixes: ee1d267423a1 ("pstore: add pstore unregister")
    Signed-off-by: Geliang Tang <geliangtang@163.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit efa079a92395c01d927bc5221c90dff2ec5003e9
Author: Omar Sandoval <osandov@fb.com>
Date:   Wed Jun 8 18:22:20 2016 -0700

    blk-mq: actually hook up defer list when running requests
    
    commit 52b9c330c6a8a4b5a1819bdaddf4ec76ab571e81 upstream.
    
    If ->queue_rq() returns BLK_MQ_RQ_QUEUE_OK, we use continue and skip
    over the rest of the loop body. However, dptr is assigned later in the
    loop body, and the BLK_MQ_RQ_QUEUE_OK case is exactly the case that we'd
    want it for.
    
    NVMe isn't actually using BLK_MQ_F_DEFER_ISSUE yet, nor is any other
    in-tree driver, but if the code's going to be there, it might as well
    work.
    
    Fixes: 74c450521dd8 ("blk-mq: add a 'list' parameter to ->queue_rq()")
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aaad4422e7477908549a445c1edae9d45c9c1124
Author: Nishanth Menon <nm@ti.com>
Date:   Fri Jun 24 11:50:39 2016 -0500

    hwrng: omap - Fix assumption that runtime_get_sync will always succeed
    
    commit 61dc0a446e5d08f2de8a24b45f69a1e302bb1b1b upstream.
    
    pm_runtime_get_sync does return an error value that must be checked for
    error conditions, else, due to various reasons, the device may not be
    enabled and the system will crash due to lack of clock to the hardware
    module.
    
    Before:
    12.562784] [00000000] *pgd=fe193835
    12.562792] Internal error: : 1406 [#1] SMP ARM
    [...]
    12.562864] CPU: 1 PID: 241 Comm: modprobe Not tainted 4.7.0-rc4-next-20160624 #2
    12.562867] Hardware name: Generic DRA74X (Flattened Device Tree)
    12.562872] task: ed51f140 ti: ed44c000 task.ti: ed44c000
    12.562886] PC is at omap4_rng_init+0x20/0x84 [omap_rng]
    12.562899] LR is at set_current_rng+0xc0/0x154 [rng_core]
    [...]
    
    After the proper checks:
    [   94.366705] omap_rng 48090000.rng: _od_fail_runtime_resume: FIXME:
    missing hwmod/omap_dev info
    [   94.375767] omap_rng 48090000.rng: Failed to runtime_get device -19
    [   94.382351] omap_rng 48090000.rng: initialization failed.
    
    Fixes: 665d92fa85b5 ("hwrng: OMAP: convert to use runtime PM")
    Cc: Paul Walmsley <paul@pwsan.com>
    Signed-off-by: Nishanth Menon <nm@ti.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 359533e056b2b6505c39a0eaa7557c14cb072c1b
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Wed Aug 31 08:49:43 2016 +0100

    pcmcia: ds: fix suspend/resume
    
    commit ad8d52b897a14711e026889053befbbee7fd51ba upstream.
    
    PCMCIA suspend/resume no longer works since the commit mentioned below,
    as the callbacks are no longer made.  Convert the driver to the new
    dev_pm_ops, which restores the suspend/resume functionality.  Tested on
    the arm arch Assabet platform.
    
    Fixes: aa8e54b559479 ("PM / sleep: Go direct_complete if driver has no callbacks")
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 09cc15a96e8bd090fbf2e6db86ba6f5b79aa54ac
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Tue Sep 6 14:34:05 2016 +0100

    ARM: sa1111: fix pcmcia suspend/resume
    
    commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d upstream.
    
    SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
    the PCMCIA socket class.  PCMCIA used to handle suspend/resume via the
    socket hosting device, which happened at normal device suspend/resume
    time.
    
    However, the referenced commit changed this: much of the resume now
    happens much earlier, in the noirq resume handler of dev_pm_ops.
    
    However, on SA1111, the PCMCIA device is not accessible as the SA1111
    has not been resumed at _noirq time.  It's slightly worse than that,
    because the SA1111 has already been put to sleep at _noirq time, so
    suspend doesn't work properly.
    
    Fix this by converting the core SA1111 code to use dev_pm_ops as well,
    and performing its own suspend/resume at noirq time.
    
    This fixes these errors in the kernel log:
    
    pcmcia_socket pcmcia_socket0: time out after reset
    pcmcia_socket pcmcia_socket1: time out after reset
    
    and the resulting lack of PCMCIA cards after a S2RAM cycle.
    
    Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7558428ca744f83f2ca2e3c00bebaa71e302d53e
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Tue Aug 30 21:50:22 2016 +0200

    ARM: shmobile: fix regulator quirk for Gen2
    
    commit c2f321126e31cd69365e65ecd4a7c774e4fc71d2 upstream.
    
    The current implementation only works if the da9xxx devices are added
    before their drivers are registered. Only then it can apply the fixes to
    both devices. Otherwise, the driver for the first device gets probed
    before the fix for the second device can be applied. This is what
    fails when using the IP core switcher or when having the i2c master
    driver as a module.
    
    So, we need to disable both da9xxx once we detected one of them. We now
    use i2c_transfer with hardcoded i2c_messages and device addresses, so we
    don't need the da9xxx client devices to be instantiated. Because the
    fixup is used on specific boards only, the addresses are not going to
    change.
    
    Fixes: 663fbb52159cca ("ARM: shmobile: R-Car Gen2: Add da9063/da9210 regulator quirk")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Tested-by: Geert Uytterhoeven <geert+renesas@glider.be> (r8a7791/koelsch)
    Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d34169012d2a5af628bef031f8404a4d0e8b55b5
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Fri Aug 19 16:34:45 2016 +0100

    ARM: sa1100: clear reset status prior to reboot
    
    commit da60626e7d02a4f385cae80e450afc8b07035368 upstream.
    
    Clear the current reset status prior to rebooting the platform.  This
    adds the bit missing from 04fef228fb00 ("[ARM] pxa: introduce
    reset_status and clear_reset_status for driver's usage").
    
    Fixes: 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage")
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6c7f76bbb921ca075820fdf020ab1e2c94617216
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Fri Aug 19 12:44:29 2016 +0100

    ARM: sa1100: fix 3.6864MHz clock
    
    commit 02ba38a5b6d6e0bc89c7b74651f1873055028a56 upstream.
    
    pxa_timer wants to be able to call clk_enable() etc on this clock,
    but our clk_enable() implementation expects non-NULL enable/disable
    operations.  Provide these dummy implementations.
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = c0204000
    [00000000] *pgd=00000000
    Internal error: Oops: 80000005 [#1] ARM
    Modules linked in:
    CPU: 0 PID: 0 Comm: swapper Not tainted 4.8.0-rc2+ #887
    Hardware name: Intel-Assabet
    task: c0644590 task.stack: c0640000
    PC is at 0x0
    LR is at clk_enable+0x40/0x58
    pc : [<00000000>]    lr : [<c021b178>]    psr: 600000d3
    sp : c0641f60  ip : c0641f4c  fp : c0641f74
    r10: c1ffc7a0  r9 : 6901b118  r8 : 00000001
    r7 : c0639a34  r6 : 0000001b  r5 : a00000d3  r4 : c0645d70
    r3 : c0645d78  r2 : 00000001  r1 : c0641ef0  r0 : c0645d70
    Flags: nZCv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
    Control: c020717f  Table: c020717f  DAC: 00000053
    Process swapper (pid: 0, stack limit = 0xc0640188)
    Stack: (0xc0641f60 to 0xc0642000)
    1f60: 00384000 c08762e4 c0641f98 c0641f78 c063308c c021b144 00000000 00000000
    1f80: 00000000 c0660b20 ffffffff c0641fa8 c0641f9c c06220ec c0633058 c0641fb8
    1fa0: c0641fac c061f114 c06220dc c0641ff4 c0641fbc c061bb68 c061f0fc ffffffff
    1fc0: ffffffff 00000000 c061b6cc c0639a34 c0660cd4 c0642038 c0639a30 c0645434
    1fe0: c0204000 c06380f8 00000000 c0641ff8 c0208048 c061b954 00000000 00000000
    Backtrace:
    [<c021b138>] (clk_enable) from [<c063308c>] (pxa_timer_nodt_init+0x40/0x120)
     r5:c08762e4 r4:00384000
    [<c063304c>] (pxa_timer_nodt_init) from [<c06220ec>] (sa1100_timer_init+0x1c/0x20)
     r6:ffffffff r5:c0660b20 r4:00000000
    [<c06220d0>] (sa1100_timer_init) from [<c061f114>] (time_init+0x24/0x2c)
    [<c061f0f0>] (time_init) from [<c061bb68>] (start_kernel+0x220/0x42c)
    [<c061b948>] (start_kernel) from [<c0208048>] (0xc0208048)
     r10:c06380f8 r8:c0204000 r7:c0645434 r6:c0639a30 r5:c0642038 r4:c0660cd4
    Code: bad PC value
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: Attempted to kill the idle task!
    
    Fixes: ee3a4020f7c9 ("ARM: 8250/1: sa1100: provide OSTIMER0 clock for pxa_timer")
    Acked-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b5d6d8c57fe845f57af5dc039a63468d200ef7d
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Fri Aug 19 12:47:54 2016 +0100

    ARM: sa1100: register clocks early
    
    commit 198b51e8a6a31d3a6f8e9dd9cade3635d0291f26 upstream.
    
    Since we switched to use pxa_timer, we need to provide the OSTIMER0
    clock.  However, as the clock is initialised early, we need to provide
    the clock early as well, so that pxa_timer can find it.  Adding the
    clock to the clkdev table at core_initcall() time is way too late.
    
    Move the initialisation earlier.
    
    Fixes: ee3a4020f7c9 ("ARM: 8250/1: sa1100: provide OSTIMER0 clock for pxa_timer")
    Acked-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1de8f1d3e976e67629ec2557fd52d149d9baf955
Author: Hugo Grostabussiat <bonstra@bonstra.fr.eu.org>
Date:   Tue Aug 16 20:34:07 2016 +0200

    ARM: sun5i: Fix typo in trip point temperature
    
    commit 539d5c48a4aff5a4afcff117418618b49126c54c upstream.
    
    Set cpu_alert0 temperature to 85°C instead of 850°C.
    
    Fixes: 32a5d2d170cc ("ARM: dts: sun5i: Add cpu thermal zones to dtsi")
    Signed-off-by: Hugo Grostabussiat <bonstra@bonstra.fr.eu.org>
    Acked-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 547178281692b2661d9ba1cab7201ac538ae4620
Author: Andreas Färber <afaerber@suse.de>
Date:   Tue Jul 5 06:04:08 2016 +0200

    ARM: dts: imx6sx-sabreauto: Fix misspelled property
    
    commit b9700be51bf00bbe9e1dabcb4838d6aa420192d1 upstream.
    
    In commit 99fc5ba0bfb6 ("ARM: dts: imx6sx: add i.mx6sx sabreauto board
    support") it should've been enable-sdio-wakeup (not -wakup). But that is
    now considered a legacy name for wakeup-source, so directly use the new
    name instead, as done in commit 26cefdd15db1 for the other occurrence.
    
    Fixes: 26cefdd15db1 ("ARM: dts: imx: replace legacy wakeup property with 'wakeup-source'")
    Signed-off-by: Andreas Färber <afaerber@suse.de>
    Acked-by: Sudeep Holla <sudeep.holla@arm.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 55e84a2fe669968224213ddce9c17403c1fd4de2
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Mon Jul 11 14:50:08 2016 -0700

    regulator: qcom_smd: Fix voltage ranges for pma8084 ftsmps and pldo
    
    commit c488f0071eacd10a290df4fb34bbdeb4eb8e7888 upstream.
    
    The voltage ranges listed here are wrong. The pma8084 pldo
    supports three different overlapping voltage ranges with
    differing step sizes and the pma8084 ftsmps supports two. These
    ranges can be seen in the "native" spmi regulator driver
    (qcom_spmi-regulator.c) at pldo_ranges[] and ftsmps_ranges[]
    respectively. Port these ranges over to the RPM SMD regulator
    driver so that we list the appropriate set of supported voltages
    on these types of regulators.
    
    Fixes: ee01d0c91ef1 ("regulator: qcom-smd: Add support for PMA8084")
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Reviewed-by: Andy Gross <andy.gross@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit df6060f8abee6e1d527c8fff64c318fb297baac4
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Mon Jul 11 14:50:07 2016 -0700

    regulator: qcom_smd: Fix voltage ranges for pm8x41
    
    commit 290284776bb281759b11faa287b8abccaf74bfcb upstream.
    
    The voltage ranges listed here are wrong. The correct ranges can
    be seen in the "native" spmi regulator driver
    qcom_spmi-regulator.c at pldo_ranges[], ftsmps_ranges[] and
    boost_ranges[] for the pldo, ftsmps, and boost type regulators.
    Port these ranges over to the RPM SMD regulator driver so that we
    list the appropriate set of supported voltages on pldos.
    
    Doing this allows us to specify a voltage like 3075000 for l24,
    whereas before that wasn't a supported voltage.
    
    Fixes: da65e367b67e ("regulator: Regulator driver for the Qualcomm RPM")
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Reviewed-by: Andy Gross <andy.gross@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3c50bb5c92da4359246944444bf24a1e35637e3e
Author: Stephen Boyd <stephen.boyd@linaro.org>
Date:   Sat Jun 25 22:52:12 2016 -0700

    regulator: qcom_spmi: Update mvs1/mvs2 switches on pm8941
    
    commit 93bfe79b03365f410aa91caf04263173c008ecdf upstream.
    
    The mvs1 and mvs2 switches are actually called 5vs1 and 5vs2 on
    some datasheets. Let's rename them to match the datasheets and
    also match the RPM based regulator driver which calls these by
    their 5vs names (see qcom_smd-regulator.c). There aren't any
    users of these regulators so far, so there aren't any concerns of
    DT ABI breakage here. While we're here making updates to the
    switches, also mandate usage of the OCP irq for these switches
    too.
    
    Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
    Fixes: e92a4047419c ("regulator: Add QCOM SPMI regulator driver")
    Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 10c685570d2efe6c8e36d32962c0cec182f53b69
Author: Stephen Boyd <stephen.boyd@linaro.org>
Date:   Sat Jun 25 22:52:13 2016 -0700

    regulator: qcom_spmi: Add support for get_mode/set_mode on switches
    
    commit 919163f6362ac23138d31fc8befdd52e5d7e488d upstream.
    
    The voltage switches support mode switching, so add support for
    these ops to those types of regulators.
    
    Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
    Fixes: e92a4047419c ("regulator: Add QCOM SPMI regulator driver")
    Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2dd0f1910640046bacfc7a87a906526602c96a36
Author: Stephen Boyd <stephen.boyd@linaro.org>
Date:   Sat Jun 25 22:52:11 2016 -0700

    regulator: qcom_spmi: Add support for S4 supply on pm8941
    
    commit c333dfe8dba7d3e47e97e1cee3c38123e19ae73c upstream.
    
    The S4 supply is sometimes called the boost regulator because it
    outputs 5V. Typically it's connected to the 5vs1 and 5vs2
    switches for use in USB OTG and HDMI applications. Add support
    for this regulator which was mistakenly left out from the initial
    submission of this driver.
    
    Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
    Fixes: e92a4047419c ("regulator: Add QCOM SPMI regulator driver")
    Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bb7da9f3ff05c74651798ca99fae9bebd329c037
Author: Douglas Anderson <dianders@chromium.org>
Date:   Wed Jul 6 11:42:01 2016 -0700

    regulator: pwm: Fix regulator ramp delay for continuous mode
    
    commit c2588393e6315ab68207323d37d2a73713d6bc81 upstream.
    
    The original commit adding support for continuous voltage mode didn't
    handle the regulator ramp delay properly.  It treated the delay as a
    fixed delay in uS despite the property being defined as uV / uS.  Let's
    adjust it.  Luckily there appear to be no users of this ramp delay for
    PWM regulators (as per grepping through device trees in linuxnext).
    
    Note also that the upper bound of usleep_range probably shouldn't be a
    full 1 ms longer than the lower bound since I've seen plenty of hardware
    with a ramp rate of ~5000 uS / uV and for small jumps the total delays
    are in the tens of uS.  1000 is way too much.  We'll try to be dynamic
    and use 10%.
    
    NOTE: This commit doesn't add support for regulator-enable-ramp-delay.
    That could be done in a future patch when someone has a user of that
    feature.
    
    Though this patch is shown as "fixing" a bug, there are no actual known
    users of continuous mode PWM regulator w/ ramp delay in mainline and so
    this likely won't have any effect on anyone unless they are working
    out-of-tree with private patches.  For anyone in this state, it is
    highly encouraged to also pick Boris Brezillon's WIP patches to get
    yourself a reliable and glitch-free regulator.
    
    Fixes: 4773be185a0f ("regulator: pwm-regulator: Add support for continuous-voltage")
    Signed-off-by: Douglas Anderson <dianders@chromium.org>
    Acked-by: Laxman Dewangan <ldewangan@nvidia.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 63cab845dd0839ef680d28629b8e9e1fe75f7575
Author: apronin@chromium.org <apronin@chromium.org>
Date:   Thu Jul 14 18:07:18 2016 -0700

    tpm: fix byte-order for the value read by tpm2_get_tpm_pt
    
    commit 1b0612b04090e416828c0dd5ed197b0913d834a0 upstream.
    
    The result must be converted from BE byte order, which is used by the
    TPM2 protocol. This has not popped out because tpm2_get_tpm_pt() has
    been only used for probing.
    
    Fixes: 7a1d7e6dd76a ("tpm: TPM 2.0 baseline support")
    Change-Id: I7d71cd379b1a3b7659d20a1b6008216762596590
    Signed-off-by: Andrey Pronin <apronin@chromium.org>
    Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1a9189e1c804f6695e96f04942cee31470fe25c
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Thu Sep 1 16:14:50 2016 -0700

    lib/test_hash.c: fix warning in two-dimensional array init
    
    commit ed76b7a131f41c91b0c725d472f9b969d75ce888 upstream.
    
      lib/test_hash.c: In function 'test_hash_init':
      lib/test_hash.c:146:2: warning: missing braces around initializer [-Wmissing-braces]
    
    Fixes: 468a9428521e7d00 ("<linux/hash.h>: Add support for architecture-specific functions")
    Link: http://lkml.kernel.org/r/20160829214952.1334674-3-arnd@arndb.de
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: George Spelvin <linux@sciencehorizons.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 641cd3a7d43ee707b7ae86e313b25e7e567596e7
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed Jul 27 11:40:14 2016 -0700

    Bluetooth: split sk_filter in l2cap_sock_recv_cb
    
    commit dbb50887c8f619fc5c3489783ebc3122bc134a31 upstream.
    
    During an audit for sk_filter(), we found that rx_busy_skb handling
    in l2cap_sock_recv_cb() and l2cap_sock_recvmsg() looks not quite as
    intended.
    
    The assumption from commit e328140fdacb ("Bluetooth: Use event-driven
    approach for handling ERTM receive buffer") is that errors returned
    from sock_queue_rcv_skb() are due to receive buffer shortage. However,
    nothing should prevent doing a setsockopt() with SO_ATTACH_FILTER on
    the socket, that could drop some of the incoming skbs when handled in
    sock_queue_rcv_skb().
    
    In that case sock_queue_rcv_skb() will return with -EPERM, propagated
    from sk_filter() and if in L2CAP_MODE_ERTM mode, wrong assumption was
    that we failed due to receive buffer being full. From that point onwards,
    due to the to-be-dropped skb being held in rx_busy_skb, we cannot make
    any forward progress as rx_busy_skb is never cleared from l2cap_sock_recvmsg(),
    due to the filter drop verdict over and over coming from sk_filter().
    Meanwhile, in l2cap_sock_recv_cb() all new incoming skbs are being
    dropped due to rx_busy_skb being occupied.
    
    Instead, just use __sock_queue_rcv_skb() where an error really tells that
    there's a receive buffer issue. Split the sk_filter() and enable it for
    non-segmented modes at queuing time since at this point in time the skb has
    already been through the ERTM state machine and it has been acked, so dropping
    is not allowed. Instead, for ERTM and streaming mode, call sk_filter() in
    l2cap_data_rcv() so the packet can be dropped before the state machine sees it.
    
    Fixes: e328140fdacb ("Bluetooth: Use event-driven approach for handling ERTM receive buffer")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
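
The stall described in the commit message above, as an added user-space model (not code from the patch or from the kernel). Every name in it is a hypothetical stand-in: packets are integer ids, the attached filter rejects one id, and the ERTM state machine is reduced to a comment.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define RCVBUF_SLOTS 2		/* constructed: receive buffer holds two packets */

struct sock_model {
	int queue[RCVBUF_SLOTS];
	int queued;
	int rx_busy;		/* id of the held packet, 0 when the slot is empty */
	int drop_id;		/* id the attached filter rejects, 0 = no filter */
	int delivered;		/* packets handed to the reader */
	int lost;		/* packets discarded because rx_busy was occupied */
};

/* Stand-in for sk_filter(): -EPERM when the filter program says drop. */
static int filter_verdict(const struct sock_model *sk, int id)
{
	return (sk->drop_id && id == sk->drop_id) ? -EPERM : 0;
}

/* Stand-in for __sock_queue_rcv_skb(): fails only when the buffer is full. */
static int queue_nofilter(struct sock_model *sk, int id)
{
	if (sk->queued == RCVBUF_SLOTS)
		return -ENOMEM;
	sk->queue[sk->queued++] = id;
	return 0;
}

/* Stand-in for sock_queue_rcv_skb(): filter first, so -EPERM can come back. */
static int queue_filtered(struct sock_model *sk, int id)
{
	int err = filter_verdict(sk, id);
	return err ? err : queue_nofilter(sk, id);
}

static int enqueue(struct sock_model *sk, int id, int fixed)
{
	return fixed ? queue_nofilter(sk, id) : queue_filtered(sk, id);
}

/* ERTM receive callback: any queueing error parks the packet in rx_busy. */
static void recv_cb(struct sock_model *sk, int id, int fixed)
{
	if (sk->rx_busy) {
		sk->lost++;
		return;
	}
	if (enqueue(sk, id, fixed) < 0)
		sk->rx_busy = id;
}

/* Entry point for incoming data: after the fix the filter runs here, before
 * the (omitted) ERTM state machine would acknowledge the packet. */
static void data_rcv(struct sock_model *sk, int id, int fixed)
{
	if (fixed && filter_verdict(sk, id) < 0)
		return;
	recv_cb(sk, id, fixed);
}

/* recvmsg(): hand one packet to the reader, then retry the parked one. */
static void recvmsg_model(struct sock_model *sk, int fixed)
{
	if (sk->queued) {
		sk->queued--;
		memmove(sk->queue, sk->queue + 1, (size_t)sk->queued * sizeof(sk->queue[0]));
		sk->delivered++;
	}
	if (sk->rx_busy && enqueue(sk, sk->rx_busy, fixed) == 0)
		sk->rx_busy = 0;
}

/* Feed packets 1..npkts, reading once after every read_every packets. */
static struct sock_model run_model(int fixed, int npkts, int drop_id, int read_every)
{
	struct sock_model sk = { .drop_id = drop_id };
	int id;

	for (id = 1; id <= npkts; id++) {
		data_rcv(&sk, id, fixed);
		if (id % read_every == 0)
			recvmsg_model(&sk, fixed);
	}
	for (id = 0; id < npkts; id++)	/* let the reader drain what is left */
		recvmsg_model(&sk, fixed);
	return sk;
}

int main(void)
{
	struct sock_model pre = run_model(0, 6, 3, 1), post = run_model(1, 6, 3, 1);

	printf("pre-fix:  delivered=%d lost=%d held=%d\n", pre.delivered, pre.lost, pre.rx_busy);
	printf("post-fix: delivered=%d lost=%d held=%d\n", post.delivered, post.lost, post.rx_busy);
	return 0;
}
```

With no filter attached and a slow reader, both variants still park and later release a packet through rx_busy, which is the buffer-full case the slot was meant for.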

commit d8f4420f85adc846d69eb9e34e468e9016147d58
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Thu Aug 25 15:17:00 2016 -0700

    printk: fix parsing of "brl=" option
    
    commit ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3 upstream.
    
    Commit bbeddf52adc1 ("printk: move braille console support into separate
    braille.[ch] files") moved the parsing of braille-related options into
    _braille_console_setup(), changing the type of variable str from char*
    to char**.  In this commit, memcmp(str, "brl,", 4) was correctly updated
    to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4).
    
    Update the code to make "brl=" option work again and replace memcmp()
    with strncmp() to make the compiler able to detect such an issue.
    
    Fixes: bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files")
    Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.org
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Cc: Joe Perches <joe@perches.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
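
Why the missing dereference described above compiled silently with memcmp(), shown as an added stand-alone example (not the kernel's braille code). The function names, the enum and the option strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum brl_kind { BRL_NONE, BRL_COMMA, BRL_EQUALS };

/* Pre-fix shape: memcmp() takes const void *, so passing the char ** itself
 * compiles without a diagnostic and compares the bytes of the pointer. */
static enum brl_kind classify_buggy(char **str)
{
	if (memcmp(*str, "brl,", 4) == 0)
		return BRL_COMMA;
	if (memcmp(str, "brl=", 4) == 0)	/* missing dereference */
		return BRL_EQUALS;
	return BRL_NONE;
}

/* Post-fix shape: strncmp() takes const char *, so writing strncmp(str, ...)
 * with a char ** draws an incompatible-pointer-type diagnostic. */
static enum brl_kind classify_fixed(char **str)
{
	if (strncmp(*str, "brl,", 4) == 0)
		return BRL_COMMA;
	if (strncmp(*str, "brl=", 4) == 0)
		return BRL_EQUALS;
	return BRL_NONE;
}

/* Copy a constructed option string into an aligned buffer and classify it.
 * The 8-byte alignment keeps the low address byte from ever equalling 'b'
 * (0x62), so the buggy result is repeatable on little-endian machines. */
static enum brl_kind classify_with(enum brl_kind (*fn)(char **), const char *opt)
{
	static _Alignas(8) char buf[64];
	char *p = buf;

	strncpy(buf, opt, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	return fn(&p);
}

int main(void)
{
	/* Constructed option strings, not taken from any real command line. */
	const char *samples[] = { "brl,ttyS0", "brl=opts,ttyS0", "ttyS0,115200" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s buggy=%d fixed=%d\n", samples[i],
		       classify_with(classify_buggy, samples[i]),
		       classify_with(classify_fixed, samples[i]));
	return 0;
}
```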

commit 9472e7dde00680bdd5ca6d5d42acd755761bb412
Author: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Date:   Thu Sep 22 15:38:33 2016 +0200

    MIPS: uprobes: fix use of uninitialised variable
    
    commit ca86c9ef2b322ebf24772009fdea037688cbdac1 upstream.
    
    arch_uprobe_pre_xol needs to emulate a branch if a branch instruction
    has been replaced with a breakpoint, but in fact an uninitialised local
    variable was passed to the emulator routine instead of the original
    instruction.
    
    Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
    Fixes: 40e084a506eb ('MIPS: Add uprobes support.')
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14300/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f2c4751ef8d726c42171e150d9d637a27df53df
Author: Paul Burton <paul.burton@imgtec.com>
Date:   Fri Sep 2 16:07:10 2016 +0100

    MIPS: Malta: Fix IOCU disable switch read for MIPS64
    
    commit 305723ab439e14debc1d339aa04e835d488b8253 upstream.
    
    Malta boards used with CPU emulators feature a switch to disable use of
    an IOCU. Software has to check this switch & ignore any present IOCU if
    the switch is closed. The read used to do this was unsafe for 64 bit
    kernels, as it simply cast the address 0xbf403000 to a pointer &
    dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a
    64 bit kernel this attempts to access xuseg & results in an address
    error exception.
    
    Fix by accessing a correctly formed ckseg1 address generated using the
    CKSEG1ADDR macro.
    
    Whilst modifying this code, define the name of the register and the bit
    we care about within it, which indicates whether PCI DMA is routed to
    the IOCU or straight to DRAM. The code previously checked that bit 0 was
    also set, but the least significant 7 bits of the CONFIG_GEN0 register
    contain the value of the MReqInfo signal provided to the IOCU OCP bus,
    so singling out bit 0 makes little sense & that part of the check is
    dropped.
    
    Signed-off-by: Paul Burton <paul.burton@imgtec.com>
    Fixes: b6d92b4a6bdb ("MIPS: Add option to disable software I/O coherency.")
    Cc: Matt Redfearn <matt.redfearn@imgtec.com>
    Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/14187/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8e60b04467ba451e941d0f7c8c0885467911e82d
Author: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Date:   Thu Sep 22 15:38:31 2016 +0200

    MIPS: fix uretprobe implementation
    
    commit db06068a4fd44a57b642b369d2a295b8448f6b65 upstream.
    
    arch_uretprobe_hijack_return_addr should replace the return address for
    a call with a trampoline address.
    
    Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
    Fixes: 40e084a506eb ('MIPS: Add uprobes support.')
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14298/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 65057b0f12254a2e821999d7cda9013c093aa931
Author: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Date:   Thu Sep 22 15:38:32 2016 +0200

    MIPS: uprobes: remove incorrect set_orig_insn
    
    commit ddabfa5c2e33f1b495f3e0176de7057850915c0b upstream.
    
    Generic kernel code implements a weak version of set_orig_insn that
    moves cached 'insn' from arch_uprobe to the original code location when
    the trap is removed.
    MIPS variant used arch_uprobe->orig_inst which was never initialised
    properly, so this code only inserted a nop instead of the original
    instruction. With that change orig_inst can also be safely removed.
    
    Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
    Fixes: 40e084a506eb ('MIPS: Add uprobes support.')
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/14299/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9dc902ebc0d98cdc9e3c9efbec72683add760c61
Author: Will Deacon <will.deacon@arm.com>
Date:   Fri Aug 26 11:36:39 2016 +0100

    arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
    
    commit 3a402a709500c5a3faca2111668c33d96555e35a upstream.
    
    When TIF_SINGLESTEP is set for a task, the single-step state machine is
    enabled and we must take care not to reset it to the active-not-pending
    state if it is already in the active-pending state.
    
    Unfortunately, that's exactly what user_enable_single_step does, by
    unconditionally setting the SS bit in the SPSR for the current task.
    This causes failures in the GDB testsuite, where GDB ends up missing
    expected step traps if the instruction being stepped generates another
    trap, e.g. PTRACE_EVENT_FORK from an SVC instruction.
    
    This patch fixes the problem by preserving the current state of the
    stepping state machine when TIF_SINGLESTEP is set on the current thread.
    
    Cc: <stable@vger.kernel.org>
    Reported-by: Yao Qi <yao.qi@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 76750bd71b220461e5d362160d321b95a3f23a79
Author: Srinivas Ramana <sramana@codeaurora.org>
Date:   Fri Sep 30 15:03:31 2016 +0100

    ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
    
    commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 upstream.
    
    If the bootloader uses the long descriptor format and jumps to
    kernel decompressor code, TTBCR may not be in the right state.
    Before enabling the MMU, it is required to clear the TTBCR.PD0
    field to use TTBR0 for translation table walks.
    
    The commit dbece45894d3a ("ARM: 7501/1: decompressor:
    reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but
    doesn't consider all the bits for the size of TTBCR.N.
    
    Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to
    indicate the use of TTBR0 and the correct base address width.
    
    Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores")
    Acked-by: Robin Murphy <robin.murphy@arm.com>
    Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 638512295f791363485a50b933e8b854c4868ec8
Author: James Morse <james.morse@arm.com>
Date:   Mon Sep 19 18:29:15 2016 +0100

    irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning
    
    commit 727653d6ce7103b245eb8041f55dd5885f4c3289 upstream.
    
    gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls
    gic_compute_target_list() which advances the iterator by the number of
    CPUs in the cluster.
    
    If gic_compute_target_list() reaches the last CPU it leaves the iterator
    pointing at the last CPU. This means the next time round the for_each_cpu()
    loop cpumask_next() will be called with an invalid CPU.
    
    This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS:
    [    3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000
    [    3.077943] CPU1: Booted secondary processor [410fd0f0]
    [    3.078542] ------------[ cut here ]------------
    [    3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170
    [    3.078812] Modules linked in:
    [    3.078869]
    [    3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188
    [    3.078994] Hardware name: Foundation-v8A (DT)
    [    3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000
    [    3.079145] PC is at gic_raise_softirq+0x12c/0x170
    [    3.079226] LR is at gic_raise_softirq+0xa4/0x170
    [    3.079296] pc : [<ffff0000083ead24>] lr : [<ffff0000083eac9c>] pstate: 200001c9
    [    3.081139] Call trace:
    [    3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10)
    
    [    3.082269] [<ffff0000083ead24>] gic_raise_softirq+0x12c/0x170
    [    3.082354] [<ffff00000808e614>] smp_send_reschedule+0x34/0x40
    [    3.082433] [<ffff0000080e80a0>] resched_curr+0x50/0x88
    [    3.082512] [<ffff0000080e89d0>] check_preempt_curr+0x60/0xd0
    [    3.082593] [<ffff0000080e8a60>] ttwu_do_wakeup+0x20/0xe8
    [    3.082672] [<ffff0000080e8bb8>] ttwu_do_activate+0x90/0xc0
    [    3.082753] [<ffff0000080ea9a4>] try_to_wake_up+0x224/0x370
    [    3.082836] [<ffff0000080eabc8>] default_wake_function+0x10/0x18
    [    3.082920] [<ffff000008103134>] __wake_up_common+0x5c/0xa0
    [    3.083003] [<ffff0000081031f4>] __wake_up_locked+0x14/0x20
    [    3.083086] [<ffff000008103f80>] complete+0x40/0x60
    [    3.083168] [<ffff00000808df7c>] secondary_start_kernel+0x15c/0x1d0
    [    3.083240] [<00000000808911a4>] 0x808911a4
    [    3.113401] Detected PIPT I-cache on CPU2
    
    Avoid updating the iterator if the next call to cpumask_next() would
    cause the for_each_cpu() loop to exit.
    
    There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s
    eventual call to _find_next_bit() will return early as start >= nbits),
    this patch just silences the warning.
    
    Fixes: 021f653791ad ("irqchip: gic-v3: Initial support for GICv3")
    Signed-off-by: James Morse <james.morse@arm.com>
    Acked-by: Marc Zyngier <marc.zyngier@arm.com>
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: Jason Cooper <jason@lakedaemon.net>
    Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a03ad5a96d39bfcc18b0e80b0026d57355e48db5
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Tue Aug 23 03:13:03 2016 +0200

    batman-adv: fix elp packet data reservation
    
    commit 1e5d343b8f23770e8ac5d31f5c439826bdb35148 upstream.
    
    The skb_reserve() call only reserved headroom for the mac header, but
    not the elp packet header itself.
    
    Fix this by skb_put()'ing towards the skb tail instead of
    skb_push()'ing towards the skb head.
    
    Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c7398559e770aecaace325ca0f951a4e82318b1
Author: Sven Eckelmann <sven@narfation.org>
Date:   Sat Aug 6 15:50:52 2016 +0200

    batman-adv: Add missing refcnt for last_candidate
    
    commit 936523441bb64cdc9a5b263e8fd2782e70313a57 upstream.
    
    batadv_find_router dereferences last_bonding_candidate from
    orig_node without making sure that it has a valid reference. This reference
    has to be retrieved by increasing the reference counter while holding
    neigh_list_lock. The lock is required to avoid that
    batadv_last_bonding_replace removes the current last_bonding_candidate,
    reduces the reference counter and maybe destroys the object in this
    process.
    
    Fixes: f3b3d9018975 ("batman-adv: add bonding again")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 96e2c6229dc204e6ba92cda06a85c06831525b3a
Author: Shiraz Saleem <shiraz.saleem@intel.com>
Date:   Thu Aug 25 11:53:24 2016 -0500

    i40iw: Receive notification events correctly
    
    commit b71121b4b70a995c0b794026e84c880c4f26c361 upstream.
    
    Device notifications are not received after the first interface is
    closed; since there is an unregister for notifications on every
    interface close. Correct this by unregistering for device
    notifications only when the last interface is closed. Also, make
    all operations on the i40iw_notifiers_registered atomic as it
    can be read/modified concurrently.
    
    Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
    
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0402876c03169c9ed360cc3419cb02dc4c4e0f1c
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Thu Aug 25 11:52:47 2016 -0500

    i40iw: Update hw_iwarp_state
    
    commit 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 upstream.
    
    Update iwqp->hw_iwarp_state to reflect the new state of the CQP
    modify QP operation. This avoids reissuing a CQP operation to
    modify a QP to a state that it is already in.
    
    Fixes: 4e9042e647ff ("i40iw: add hw and utils files")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d62293515889a392409773877bce795a6b215501
Author: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Date:   Wed Aug 24 13:59:17 2016 -0500

    i40iw: Send last streaming mode message for loopback connections
    
    commit 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 upstream.
    
    Send a zero length last streaming mode message for loopback
    connections to synchronize between accepting QP and connecting QP.
    This avoids data transfer to start on the accepting QP before
    the connecting QP is in RTS. Also remove function i40iw_loopback_nop()
    as it is no longer used.
    
    Fixes: f27b4746f378 ("i40iw: add connection management code")
    
    Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4df513333e73291e130a44dd0a4bd664d5ac6c4
Author: Shiraz Saleem <shiraz.saleem@intel.com>
Date:   Mon Aug 22 18:16:37 2016 -0500

    i40iw: Add missing NULL check for MPA private data
    
    commit 5dfd5e5e3bc68ab3912acc712c8180942094fc69 upstream.
    
    Add NULL check for pdata and pdata->addr before the memcpy in
    i40iw_form_cm_frame(). This fixes a NULL pointer de-reference
    which occurs when the MPA private data pointer is NULL. Also
    only copy pdata->size bytes in the memcpy to prevent reading
    past the length of the private data buffer provided by upper layer.
    
    Fixes: f27b4746f378 ("i40iw: add connection management code")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0bdb4f53663f5b218f2db48d7344845e569b7169
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Tue Aug 23 17:24:56 2016 -0500

    i40iw: Avoid writing to freed memory
    
    commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream.
    
    iwpbl->iwmr points to the structure that contains iwpbl,
    which is iwmr. Setting this to NULL would result in
    writing to freed memory. So just free iwmr, and return.
    
    Fixes: d37498417947 ("i40iw: add files for iwarp interface")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72ca46e3f655fc2a902b63fb913858017c2c88df
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Mon Aug 22 19:01:47 2016 -0500

    i40iw: Do not set self-referencing pointer to NULL after kfree
    
    commit 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d upstream.
    
    In i40iw_free_virt_mem(), do not set mem->va to NULL
    after freeing it as mem->va is a self-referencing pointer
    to mem.
    
    Fixes: 4e9042e647ff ("i40iw: add hw and utils files")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f75f0a0ac7507a1856066fd1a429784b6865934f
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Tue Aug 23 16:50:13 2016 -0500

    i40iw: Fix double free of allocated_buffer
    
    commit d41d0910d97f05be987d2d60de7e8685c108963b upstream.
    
    Memory allocated for iwqp; iwqp->allocated_buffer is freed twice in
    the create_qp error path. Correct this by having it freed only once in
    i40iw_free_qp_resources().
    
    Fixes: d37498417947 ("i40iw: add files for iwarp interface")
    
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 296fe7f04a1e0db4023e93f1dc949b3595bcbb89
Author: Shiraz Saleem <shiraz.saleem@intel.com>
Date:   Mon Aug 22 18:09:14 2016 -0500

    i40iw: Change mem_resources pointer to a u8
    
    commit 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 upstream.
    
    iwdev->mem_resources is incorrectly defined as an unsigned
    long instead of u8. As a result, the offset into the dynamic
    allocated structures in i40iw_initialize_hw_resources() is
    incorrectly calculated and would lead to writing of memory
    regions outside of the allocated buffer.
    
    Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1a38d2ab4932698cd4f257f2df86111505846950
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Mon Aug 22 18:17:12 2016 -0500

    i40iw: Add missing check for interface already open
    
    commit faa739fb5df56aadab96bcd2f6eb3486cc3a3aec upstream.
    
    In i40iw_open(), check if interface is already open
    and return success if it is.
    
    Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d8db2da632f3af15c4e12d3982a7102a746c21d2
Author: Mustafa Ismail <mustafa.ismail@intel.com>
Date:   Mon Aug 22 18:15:58 2016 -0500

    i40iw: Protect req_resource_num update
    
    commit 44856be3e95c87f03e850ef4fdf8c0503c2dde18 upstream.
    
    In i40iw_alloc_resource(), ensure that the update to
    req_resource_num is protected by the lock.
    
    Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
    
    Reported-by: Stefan Assmann <sassmann@redhat.com>
    Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
    Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c091f61e600b5b2b996b5f7fc8c840fee8db809
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Sep 14 09:41:34 2016 +0200

    mac80211: check skb_linearize() return value
    
    commit 0b97a484e52cb423662eb98904aad82dafcc1f10 upstream.
    
    The A-MSDU TX code (within TXQs) didn't always check the return value
    of skb_linearize() properly, resulting in potentially passing a frag-
    list SKB down to the driver even when it said it can't handle it. Fix
    that.
    
    Fixes: 6e0456b545456 ("mac80211: add A-MSDU tx support")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b0e88ea4a43f44403d4e97fd2054f1b380a8f842
Author: Russell King <rmk+kernel@armlinux.org.uk>
Date:   Mon Aug 29 11:24:10 2016 +0100

    gpio: sa1100: fix irq probing for ucb1x00
    
    commit 56beac95cb88c188d2a885825a5da131edb41fe3 upstream.
    
    ucb1x00 has used IRQ probing since its dawn to find the GPIO interrupt
    that it's connected to.  However, commit 23393d49fb75 ("gpio: kill off
    set_irq_flags usage") broke this by disabling IRQ probing on GPIO
    interrupts.  Fix this.
    
    Fixes: 23393d49fb75 ("gpio: kill off set_irq_flags usage")
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7984b3d299209fa7f67b85f80b853c9451030f7a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 15 14:15:47 2016 +0300

    usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
    
    commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream.
    
    We can't assign -EINVAL to a u16.
    
    Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
    Acked-by: Peter Chen <peter.chen@nxp.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58cffe3bca474afd4cbdb227d03b1bde79af8dc9
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Wed Aug 3 22:06:43 2016 +0300

    iwlwifi: mvm: don't use ret when not initialised
    
    commit ff6e58e648ed5f3cc43891767811d5c3c88bbd41 upstream.
    
    fw-dbg code returned ret, but that variable was either 0
    or not initialised. Return 0 always.
    
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Fixes: 6a95126763fb ("iwlwifi: mvm: send dbg config hcmds to fw if set in tlv")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 31bfef6edb60528e585fdd5f56dfb63e774668f0
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri May 27 15:07:03 2016 +0200

    iwlwifi: mvm: avoid harmless -Wmaybe-uninialized warning
    
    commit 5a7d87da8d9b9f04ecdbebe7e5710a1391f85fa8 upstream.
    
    gcc is apparently unable to track the state of the local 'resp_v2'
    variable across the kzalloc() function, and warns about the response
    variable being used without an initialization:
    
    drivers/net/wireless/intel/iwlwifi/mvm/nvm.c: In function ‘iwl_mvm_update_mcc’:
    drivers/net/wireless/intel/iwlwifi/mvm/nvm.c:727:36: warning: ‘mcc_resp_v1’ may be used uninitialized in this function [-Wmaybe-uninitialized]
       resp_cp->n_channels = mcc_resp_v1->n_channels;
    drivers/net/wireless/intel/iwlwifi/mvm/nvm.c:721:3: warning: ‘mcc_resp’ may be used uninitialized in this function [-Wmaybe-uninitialized]
       memcpy(resp_cp, mcc_resp, resp_len);
    
    The warning showed up in x86 allmodconfig after my patch to
    unhide -Wmaybe-uninitialized warnings by default was merged,
    though it always existed in randconfig builds. I did not
    catch the warning earlier because I was testing on ARM, which
    never produced the warning.
    
    This rearranges the code in a way that improves readability for
    both humans and the compiler, and that avoids the warning.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Fixes: 6fa52430f0b3 ("iwlwifi: mvm: change mcc update API")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8762bfbbb321489c287aac3794cdbe09a320a30
Author: Sara Sharon <sara.sharon@intel.com>
Date:   Tue Jun 21 14:14:08 2016 +0300

    iwlwifi: mvm: free RX reorder buffer on restart
    
    commit 60dec5233cd8651860e8010c953d116fb0f1ba86 upstream.
    
    The restart flow zeroes the rx_ba_sessions counter. Mac80211 asks
    the driver to tear down the session only afterwards, and as a
    result the driver didn't free the data. Fix it.
    
    Signed-off-by: Sara Sharon <sara.sharon@intel.com>
    Fixes: 10b2b2019d81 ("iwlwifi: mvm: add infrastructure for tracking BA session in driver")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d518a8470aa07b1b67c7b9490c118230883bb56
Author: Sara Sharon <sara.sharon@intel.com>
Date:   Thu Jun 9 17:19:35 2016 +0300

    iwlwifi: pcie: fix access to scratch buffer
    
    commit d5d0689aefc59c6a5352ca25d7e6d47d03f543ce upstream.
    
    This fixes a pretty ancient bug that hasn't manifested itself
    until now.
    The scratchbuf for command queue is allocated only for 32 slots
    but is accessed with the queue write pointer - which can be
    up to 256.
    Since the scratch buf size was 16 and there are up to 256 TFDs
    we never passed a page boundary when accessing the scratch buffer,
    but when attempting to increase the size of the scratch buffer a
    panic was quick to follow when trying to access the address resulted
    in a page boundary.
    
    Signed-off-by: Sara Sharon <sara.sharon@intel.com>
    Fixes: 38c0f334b359 ("iwlwifi: use coherent DMA memory for command header")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 26d682167c6be2b6f7b193037105114d304cee21
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Sun Jun 19 20:57:02 2016 +0300

    iwlwifi: mvm: unmap the paging memory before freeing it
    
    commit 3edbc7dabab8ce85aa75c5e290ecda7a3692ebc9 upstream.
    
    This led to a DMA splat.
    
    Fixes: a6c4fb4441f4 ("iwlwifi: mvm: Add FW paging mechanism for the UMAC on PCI")
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b50c78a11e371e93b6d9956e89cdafcfc11e1923
Author: Golan Ben-Ami <golan.ben.ami@intel.com>
Date:   Wed Jun 15 09:16:24 2016 +0300

    iwlwifi: mvm: write the correct internal TXF index
    
    commit e7c9bd1cc632e924a69bf704385484386bb10933 upstream.
    
    The TX fifos are arranged consecutively in the SMEM, beginning
    with the regular fifos, and tailed by the internal fifos.
    In the current code, while trying to read the internal fifos,
    we read the fifos beginning with the index zero.
    By doing this we actually re-read the regular fifos.
    
    In order to read the internal fifos, start the reading index
    from the number of regular fifos configured by the fw.
    
    Signed-off-by: Golan Ben-Ami <golan.ben.ami@intel.com>
    Fixes: 39654cb3a6a2 ("iwlwifi: don't access a nonexistent register upon assert")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aba2ee27a10ff52a0bf47e1a32b45b09c6b42d49
Author: Oren Givon <oren.givon@intel.com>
Date:   Sun May 29 14:05:50 2016 +0300

    iwlwifi: mvm: fix txq aggregation bug
    
    commit 2c4a247e42526d9aae8f5ce1f190b893532f2806 upstream.
    
    Fix an issue where nullfunc frames and block ack requests
    had the same tid as aggregation frames and were queued on
    a non aggregation queue. The pending frames counter included
    those frames but the check whether to decrement the pending
    frames counter relied on the tid status and not on the txq id.
    The result was an inconsistent state of the pending frames
    counter followed by a failure to remove the station.
    This failure triggered SYSASSERT 0x3421.
    
    In addition, fix a situation in DQA mode where the number
    of pending frames turned negative. This was due to the TX queue
    being on the IWL_EMPTYING_HW_QUEUE_DELBA state and its frames
    were still decremented.
    
    Even though the SYSASSERT issue is fixed when DQA is disabled,
    the issue is not completely solved when DQA is enabled and
    should still be fixed.
    
    Signed-off-by: Oren Givon <oren.givon@intel.com>
    Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bdbbdb59debc39287e261446bfdfed4c5c0a798d
Author: Sara Sharon <sara.sharon@intel.com>
Date:   Wed Jun 8 15:15:41 2016 +0300

    iwlwifi: mvm: checksum IPv6 fragmented packet
    
    commit ecf51424152bad1b2727409f42ddf1bd86f44b7d upstream.
    
    Our HW does not support checksum of fragmented packets.
    Fix code accordingly to checksum those packets in the driver.
    
    Signed-off-by: Sara Sharon <sara.sharon@intel.com>
    Fixes: 5e6a98dc4863 ("iwlwifi: mvm: enable TCP/UDP checksum support for 9000 family")
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5001a9558c1c8a05941922d3a99101e8a0a00384
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Fri Aug 5 10:17:52 2016 +0200

    spi: sh-msiof: Avoid invalid clock generator parameters
    
    commit c3ccf357c3d75bd2924e049b6a991f7c0c111068 upstream.
    
    The conversion from a look-up table to a calculation for clock generator
    parameters forgot to take into account that BRDV x 1/1 is valid only if
    BRPS is x 1/1 or x 1/2, leading to undefined behavior (e.g. arbitrary
    clock rates).
    
    This limitation is documented for the MSIOF module in all supported
    SH/R-Mobile and R-Car Gen2/Gen3 ARM SoCs.
    
    Tested on r8a7791/koelsch and r8a7795/salvator-x.
    
    Fixes: 65d5665bb260b034 ("spi: sh-msiof: Update calculation of frequency dividing")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afca668faa80cbd97ca767d41c2845a175d931c2
Author: Wanpeng Li <wanpeng.li@hotmail.com>
Date:   Mon Jun 13 18:32:45 2016 +0800

    sched/cputime: Fix prev steal time accouting during CPU hotplug
    
    commit 3d89e5478bf550a50c99e93adf659369798263b0 upstream.
    
    Commit:
    
      e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")
    
    ... set rq->prev_* to 0 after a CPU hotplug comes back, in order to
    fix the case where (after CPU hotplug) steal time is smaller than
    rq->prev_steal_time.
    
    However, this should never happen. Steal time was only smaller because of the
    KVM-specific bug fixed by the previous patch.  Worse, the previous patch
    triggers a bug on CPU hot-unplug/plug operation: because
    rq->prev_steal_time is cleared, all of the CPU's past steal time will be
    accounted again on hot-plug.
    
    Since the root cause has been fixed, we can just revert commit e9532e69b8d1.
    
    Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 'commit e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")'
    Link: http://lkml.kernel.org/r/1465813966-3116-3-git-send-email-wanpeng.li@hotmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a73cf94f9a8a3e2e87f43fa93ee34b330db388c6
Author: Michael Walle <michael@walle.cc>
Date:   Tue Jul 19 16:43:26 2016 +0200

    hwmon: (adt7411) set bit 3 in CFG1 register
    
    commit b53893aae441a034bf4dbbad42fe218561d7d81f upstream.
    
    According to the datasheet you should only write 1 to this bit. If it is
    not set, at least AIN3 will return bad values on newer silicon revisions.
    
    Fixes: d84ca5b345c2 ("hwmon: Add driver for ADT7411 voltage and temperature sensor")
    Signed-off-by: Michael Walle <michael@walle.cc>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45492799fc315414b7ec803d0f7bc63c4948ea80
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Thu Jun 2 12:05:12 2016 +0100

    nvmem: Declare nvmem_cell_read() consistently
    
    commit a6c50912508d80164a5e607993b617be85a46d73 upstream.
    
    nvmem_cell_read() is declared as void * if CONFIG_NVMEM is enabled, and
    as char * otherwise. This can result in a build warning if CONFIG_NVMEM
    is not enabled and a caller assigns the result to a type other than char *
    without using a typecast. Use a consistent declaration to avoid the
    problem.
    
    Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.")
    Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7ee4c9ae074f3316e697cbed6706eced21e016d
Author: Jon Hunter <jonathanh@nvidia.com>
Date:   Tue Jul 12 14:53:37 2016 +0100

    mmc: tegra: Only advertise UHS modes if IO regulator is present
    
    commit 4f6aa3264af4d44caaa649dd3ff1fe98f5817251 upstream.
    
    To support UHS modes for Tegra an external regulator must be present
    to adjust the IO voltage accordingly. Even if the regulator is not
    present but the host supports the UHS modes and the device supports the
    UHS modes, then we will attempt to switch to a high-speed mode. Without
    an external regulator, Tegra will fail to switch to the high-speed
    mode.
    
    It has been found that with some SD cards, that once it has been switched
    to operate at a high-speed mode, all subsequent commands issued to the
    card will fail and so it will not be possible to switch back to a non
    high-speed mode and so the SD card initialisation will fail.
    
    The SDHCI core does not require that the host have an external regulator
    when switching to UHS modes and therefore, the Tegra SDHCI host
    controller should only advertise the UHS modes as being supported if the
    regulator for the IO voltage is present. Fortunately, Tegra has a vendor
    specific register which can be used to control which modes are
    advertised via the SDHCI_CAPABILITIES register. Hence, if there is no IO
    voltage regulator available for the Tegra SDHCI host, then don't
    advertise the UHS modes.
    
    Note that if the regulator is not available, we also don't advertise that
    the SDHCI is compatible with v3.0 of the SDHCI specification because
    this will read the SDHCI_CAPABILITIES_1 register which will enable other
    UHS modes.
    
    This fixes commit 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes") which
    enables UHS mode without checking if the board can support them.
    
    Fixes: 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes")
    Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6bbeeaf13d27b68303e5e1663139faa144200c8d
Author: Will Deacon <will.deacon@arm.com>
Date:   Wed Aug 24 10:07:14 2016 +0100

    perf/core: Use this_cpu_ptr() when stopping AUX events
    
    commit 8b6a3fe8fab97716990a3abde1a01fb5a34552a3 upstream.
    
    When tearing down an AUX buf for an event via perf_mmap_close(),
    __perf_event_output_stop() is called on the event's CPU to ensure that
    trace generation is halted before the process of unmapping and
    freeing the buffer pages begins.
    
    The callback is performed via cpu_function_call(), which ensures that it
    runs with interrupts disabled and is therefore not preemptible.
    Unfortunately, the current code grabs the per-cpu context pointer using
    get_cpu_ptr(), which unnecessarily disables preemption and doesn't pair
    the call with put_cpu_ptr(), leading to a preempt_count() imbalance and
    a BUG when freeing the AUX buffer later on:
    
      WARNING: CPU: 1 PID: 2249 at kernel/events/ring_buffer.c:539 __rb_free_aux+0x10c/0x120
      Modules linked in:
      [...]
      Call Trace:
       [<ffffffff813379dd>] dump_stack+0x4f/0x72
       [<ffffffff81059ff6>] __warn+0xc6/0xe0
       [<ffffffff8105a0c8>] warn_slowpath_null+0x18/0x20
       [<ffffffff8112761c>] __rb_free_aux+0x10c/0x120
       [<ffffffff81128163>] rb_free_aux+0x13/0x20
       [<ffffffff8112515e>] perf_mmap_close+0x29e/0x2f0
       [<ffffffff8111da30>] ? perf_iterate_ctx+0xe0/0xe0
       [<ffffffff8115f685>] remove_vma+0x25/0x60
       [<ffffffff81161796>] exit_mmap+0x106/0x140
       [<ffffffff8105725c>] mmput+0x1c/0xd0
       [<ffffffff8105cac3>] do_exit+0x253/0xbf0
       [<ffffffff8105e32e>] do_group_exit+0x3e/0xb0
       [<ffffffff81068d49>] get_signal+0x249/0x640
       [<ffffffff8101c273>] do_signal+0x23/0x640
       [<ffffffff81905f42>] ? _raw_write_unlock_irq+0x12/0x30
       [<ffffffff81905f69>] ? _raw_spin_unlock_irq+0x9/0x10
       [<ffffffff81901896>] ? __schedule+0x2c6/0x710
       [<ffffffff810022a4>] exit_to_usermode_loop+0x74/0x90
       [<ffffffff81002a56>] prepare_exit_to_usermode+0x26/0x30
       [<ffffffff81906d1b>] retint_user+0x8/0x10
    
    This patch uses this_cpu_ptr() instead of get_cpu_ptr(), since preemption is
    already disabled by the caller.
    
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Reviewed-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Fixes: 95ff4ca26c49 ("perf/core: Free AUX pages in unmap path")
    Link: http://lkml.kernel.org/r/20160824091905.GA16944@arm.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 23cdcc018feb4dfb2be32a4b8890d558eeb37a1c
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Sat Aug 27 16:19:49 2016 +0000

    drivers/perf: arm_pmu: Fix leak in error path
    
    commit 753246840d012ae34ea80a1d40bc1546c62fb957 upstream.
    
    In case of an IRQ type mismatch in of_pmu_irq_cfg() the
    device node for interrupt affinity isn't freed. So fix this
    issue by calling of_node_put().
    
    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Fixes: fa8ad7889d83 ("arm: perf: factor arm_pmu core out to drivers")
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 376c711bb7f9049ac447608ebe964068508114af
Author: Boqun Feng <boqun.feng@gmail.com>
Date:   Wed May 25 09:25:33 2016 +0800

    rcuperf: Don't treat gp_exp mis-setting as a WARN
    
    commit af06d4f74a7d2132c805339bfd5ab771b5706f42 upstream.
    
    0day found a boot warning triggered in rcu_perf_writer() on !SMP kernel:
    
            WARN_ON(rcu_gp_is_normal() && gp_exp);
    
    , the root cause of which is trying to measure expedited grace
    periods (by setting gp_exp to true by default) when all the grace periods
    are normal (TINY RCU only has normal grace periods).
    
    However, such a mis-setting would only result in failing to measure the
    performance for a specific kind of grace periods, therefore using a
    WARN_ON to check this is a little overkilling. We could handle this
    inside rcuperf module via some error messages to tell users about the
    mis-settings.
    
    Therefore this patch removes the WARN_ON in rcu_perf_writer() and
    handles those checkings in rcu_perf_init() with plain if() code.
    
    Moreover, this patch changes the default value of gp_exp to 1) align
    with rcutorture tests and 2) make the default setting work for all RCU
    implementations by default.
    
    Suggested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
    Fixes: http://lkml.kernel.org/r/57411b10.mFvG0+AgcrMXGtcj%fengguang.wu@intel.com
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ecddadad311dded57e1b4196a3975fd9c6f5817
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Tue Aug 23 17:28:03 2016 +0200

    i2c: mux: demux-pinctrl: run properly with multiple instances
    
    commit e35478eac030990e23a56bf11dc074c5a069124a upstream.
    
    We can't use a static property for all the changesets, so we now create
    dynamic ones for each changeset.
    
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Fixes: 50a5ba87690814 ("i2c: mux: demux-pinctrl: add driver")
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1015241fe999b129a59bbad95ef9d8821e1a187
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Tue Jun 21 01:40:48 2016 +0300

    pinctrl: Flag strict is a field in struct pinmux_ops
    
    commit 7440926ed9623dceca3310c5f437d06c859dc02b upstream.
    
    Documentation incorrectly refers to struct pinctrl_desc, where no such flag is
    available. Replace the name of the struct.
    
    Fixes: commit 8c4c2016345f ("pinctrl: move strict option to pinmux_ops")
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b692449ef425c042cc4dbc075eed9c4fbe48cf6
Author: Masahiro Yamada <yamada.masahiro@socionext.com>
Date:   Tue May 31 15:30:10 2016 +0900

    pinctrl: uniphier: fix .pin_dbg_show() callback
    
    commit 10ef8277ec658bf6619da9b3fd65c2db7353c2a4 upstream.
    
    Without this, reading the "pins" in the debugfs causes kernel BUG.
    
    Fixes: 6e9088920258 ("pinctrl: UniPhier: add UniPhier pinctrl core support")
    Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bb3c678900a3511e54ff51a6f75aef96932ffbdf
Author: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date:   Tue May 17 22:41:33 2016 +0200

    i40e: avoid null pointer dereference
    
    commit cd956722167ba4fdba9c1ce3eed251b04ea2e10f upstream.
    
    In function i40e_debug_aq parameter desc is assumed to be
    possibly NULL. Do not dereference it before checking the
    value.
    
    Fixes: f905dd62be88 ("i40e/i40evf: add max buf len to aq debug print helper")
    Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ce2f1882681c7a843970e050963ba45fc9d3cd9
Author: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date:   Wed May 18 01:01:58 2016 +0200

    mwifiex: illegal assignment
    
    commit 3fdbda446fbcd7fb750179c01338e81cf04e46c7 upstream.
    
    Variable adapter is incorrectly initialized.
    
    Fixes: bf00dc22bc7a ("mwifiex: AMSDU Rx frame handling in AP mode")
    Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Acked-by: Amitkumar Karwar <akarwar@marvell.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd56b7e2a7a89b49631a6ae3a23d214cae5eafa3
Author: Roger Quadros <rogerq@ti.com>
Date:   Thu Sep 29 08:32:55 2016 +0100

    ARM: 8617/1: dma: fix dma_max_pfn()
    
    commit d248220f0465b818887baa9829e691fe662b2c5e upstream.
    
    Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation"),
    dma_to_pfn() already returns the PFN with the physical memory start offset
    so we don't need to add it again.
    
    This fixes USB mass storage lock-up problem on systems that can't do DMA
    over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM
    can only do DMA over the first 2GB. [K2E-EVM].
    
    What happens there is that without this patch SCSI layer sets a wrong
    bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
    storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit
    is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2
    is 0x87fffffff. This results in non DMA'ble pages being given to the
    USB controller and hence the lock-up.
    
    NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0.
    This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000
    and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be
    0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because
    USB devices are not correctly inheriting the dma_pfn_offset from the
    USB host controller. This will be fixed by a separate patch.
    
    Fixes: 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation")
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Olof Johansson <olof@lixom.net>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Linus Walleij <linus.walleij@linaro.org>
    Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
    Signed-off-by: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fd327b36443b37301a5632a341a17ae622b5618e
Author: Robin Murphy <robin.murphy@arm.com>
Date:   Mon Sep 26 16:50:55 2016 +0100

    ARM: 8616/1: dt: Respect property size when parsing CPUs
    
    commit ba6dea4f7cedb4b1c17e36f4087675d817c2e24b upstream.
    
    Whilst MPIDR values themselves are less than 32 bits, it is still
    perfectly valid for a DT to have #address-cells > 1 in the CPUs node,
    resulting in the "reg" property having leading zero cell(s). In that
    situation, the big-endian nature of the data conspires with the current
    behaviour of only reading the first cell to cause the kernel to think
    all CPUs have ID 0, and become resoundingly unhappy as a consequence.
    
    Take the full property length into account when parsing CPUs so as to
    be correct under any circumstances.
    
    Cc: Russell King <linux@armlinux.org.uk>
    Signed-off-by: Robin Murphy <robin.murphy@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
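
Added example (not part of the commit or the kernel source): a user-space C model of the parsing problem described in "ARM: 8616/1: dt: Respect property size when parsing CPUs", comparing a first-cell-only read with a size-aware read of a big-endian "reg" property. The function names, the HWID_MASK constant and the sample properties are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this sketch: only MPIDR[23:0] may appear in "reg". */
#define HWID_MASK 0x00ffffffu

/* Decode one big-endian 32-bit devicetree cell. */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* First-cell-only read: ignores how long the property really is. */
static int cpu_id_first_cell(const uint8_t *reg, size_t len, uint32_t *id)
{
    if (!reg || len < 4)
        return -1;
    *id = be32_at(reg);
    return 0;
}

/*
 * Size-aware read: the property must be a whole number of cells, every
 * cell before the last must be zero, and the last cell carries the ID.
 */
static int cpu_id_full_property(const uint8_t *reg, size_t len, uint32_t *id)
{
    size_t cells, i;
    uint32_t last;

    if (!reg || len < 4 || len % 4 != 0)
        return -1;
    cells = len / 4;
    for (i = 0; i + 1 < cells; i++)
        if (be32_at(reg + 4 * i) != 0)
            return -1;              /* value does not fit in one cell */
    last = be32_at(reg + 4 * (cells - 1));
    if (last & ~HWID_MASK)
        return -1;                  /* bits outside the ID field are set */
    *id = last;
    return 0;
}

/* Constructed "reg" properties for a CPUs node with #address-cells = 2. */
static const uint8_t reg_cpu0[8]   = { 0, 0, 0, 0,  0, 0, 0, 0 };
static const uint8_t reg_cpu1[8]   = { 0, 0, 0, 0,  0, 0, 0, 1 };
static const uint8_t reg_cpu100[8] = { 0, 0, 0, 0,  0, 0, 1, 0 };

typedef int (*parse_fn)(const uint8_t *, size_t, uint32_t *);

/* Number of distinct IDs a parser sees across the three sample CPUs. */
static int distinct_ids(parse_fn parse)
{
    const uint8_t *regs[3] = { reg_cpu0, reg_cpu1, reg_cpu100 };
    uint32_t ids[3];
    int i, j, distinct = 0;

    for (i = 0; i < 3; i++) {
        if (parse(regs[i], 8, &ids[i]) != 0)
            return -1;
        for (j = 0; j < i; j++)
            if (ids[j] == ids[i])
                break;
        if (j == i)
            distinct++;
    }
    return distinct;
}

int main(void)
{
    printf("first cell only: %d distinct CPU IDs\n",
           distinct_ids(cpu_id_first_cell));
    printf("full property:   %d distinct CPU IDs\n",
           distinct_ids(cpu_id_full_property));
    return 0;
}
```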

commit e2fa543722d3edaa226d45d2abaf0a8f932c1a8a
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Mon Sep 26 15:32:50 2016 -0400

    drm/radeon/si/dpm: add workaround for for Jet parts
    
    commit 670bb4fd21c966d0d2a59ad4a99bb4889f9a2987 upstream.
    
    Add clock quirks for Jet parts.
    
    Reviewed-by: Sonny Jiang <sonny.jiang@amd.com>
    Tested-by: Sonny Jiang <sonny.jiang@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b5a7c19d4a86b3c1db1810289c7a0beae26383b5
Author: Ilia Mirkin <imirkin@alum.mit.edu>
Date:   Fri Sep 9 22:34:02 2016 -0400

    drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion
    
    commit 666ca3d8f19082f40745d75f3cc7cc0200ee87e3 upstream.
    
    Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6eb34f668e471583ea00b0afd24f90b56fcf60b8
Author: David Herrmann <dh.herrmann@gmail.com>
Date:   Fri Sep 23 12:36:02 2016 +0200

    drm/udl: fix line iterator in damage handling
    
    commit 90fd68dcf9a763f7e575c8467415bd8a66d073f4 upstream.
    
    The udl damage handler is supposed to render 'height' lines, but its
    iterator has an obvious typo that makes it miss most lines if the
    rectangle does not cover 0/0.
    
    Fix the damage handler to correctly render all lines.
    
    This is a fallout from:
    
        commit e375882406d0cc24030746638592004755ed4ae0
        Author: Noralf Trønnes <noralf@tronnes.org>
        Date:   Thu Apr 28 17:18:37 2016 +0200
    
            drm/udl: Use drm_fb_helper deferred_io support
    
    Tested-by: poma <poma@gmail.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a69d3a64f6aee907a22eacc02cf0ca0b89682da
Author: Andy Lutomirski <luto@kernel.org>
Date:   Wed Sep 28 16:06:33 2016 -0700

    x86/boot: Initialize FPU and X86_FEATURE_ALWAYS even if we don't have CPUID
    
    commit 05fb3c199bb09f5b85de56cc3ede194ac95c5e1f upstream.
    
    Otherwise arch_task_struct_size == 0 and we die.  While we're at it,
    set X86_FEATURE_ALWAYS, too.
    
    Reported-by: David Saggiorato <david@saggiorato.net>
    Tested-by: David Saggiorato <david@saggiorato.net>
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Dave Hansen <dave@sr71.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86")
    Link: http://lkml.kernel.org/r/8de723afbf0811071185039f9088733188b606c9.1475103911.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da672896df6bdfddba579b44643869132e6b755d
Author: Andy Lutomirski <luto@kernel.org>
Date:   Wed Sep 28 12:34:14 2016 -0700

    x86/init: Fix cr4_init_shadow() on CR4-less machines
    
    commit e1bfc11c5a6f40222a698a818dc269113245820e upstream.
    
    cr4_init_shadow() will panic on 486-like machines without CR4.  Fix
    it using __read_cr4_safe().
    
    Reported-by: david@saggiorato.net
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 1e02ce4cccdc ("x86: Store a per-cpu shadow copy of CR4")
    Link: http://lkml.kernel.org/r/43a20f81fb504013bf613913dc25574b45336a61.1475091074.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e7e706f6fa5acde7f9a055c460782b7287bae192
Author: Sergei Miroshnichenko <sergeimir@emcraft.com>
Date:   Wed Sep 7 16:51:12 2016 +0300

    can: dev: fix deadlock reported after bus-off
    
    commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.
    
    A timer was used to restart after the bus-off state, leading to a
    relatively large can_restart() executed in an interrupt context,
    which in turn sets up pinctrl. When this happens during system boot,
    there is a high probability of grabbing the pinctrl_list_mutex,
    which is locked already by the probe() of other device, making the
    kernel suspect a deadlock condition [1].
    
    To resolve this issue, the restart_timer is replaced by a delayed
    work.
    
    [1] https://github.com/victronenergy/venus/issues/24
    
    Signed-off-by: Sergei Miroshnichenko <sergeimir@emcraft.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ff4f41e715a833f8adc90b5c625007d6f027921
Author: zhong jiang <zhongjiang@huawei.com>
Date:   Wed Sep 28 15:22:30 2016 -0700

    mm,ksm: fix endless looping in allocating memory when ksm enable
    
    commit 5b398e416e880159fe55eefd93c6588fa072cd66 upstream.
    
    I hit the following hung task when running an OOM LTP test case with 4.1
    kernel.
    
    Call trace:
    [<ffffffc000086a88>] __switch_to+0x74/0x8c
    [<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
    [<ffffffc000a1c09c>] schedule+0x3c/0x94
    [<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
    [<ffffffc000a1e32c>] down_write+0x64/0x80
    [<ffffffc00021f794>] __ksm_exit+0x90/0x19c
    [<ffffffc0000be650>] mmput+0x118/0x11c
    [<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
    [<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
    [<ffffffc0000d0f34>] get_signal+0x444/0x5e0
    [<ffffffc000089fcc>] do_signal+0x1d8/0x450
    [<ffffffc00008a35c>] do_notify_resume+0x70/0x78
    
    The oom victim cannot terminate because it needs to take mmap_sem for
    write while the lock is held by ksmd for read which loops in the page
    allocator
    
    ksm_do_scan
            scan_get_next_rmap_item
                    down_read
                    get_next_rmap_item
                            alloc_rmap_item   #ksmd will loop permanently.
    
    There is no way forward because the oom victim cannot release any memory
    in 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
    this problem because it would release the memory asynchronously.
    Nevertheless we can relax alloc_rmap_item requirements and use
    __GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
    would just retry later after the lock got dropped.
    
    Such a patch would be also easy to backport to older stable kernels which
    do not have oom_reaper.
    
    While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
    by the allocation failure.
    
    Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com
    Signed-off-by: zhong jiang <zhongjiang@huawei.com>
    Suggested-by: Hugh Dickins <hughd@google.com>
    Suggested-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3bdf4858de8d830089f77b3dc49f66b92e424484
Author: Karl Beldan <kbeldan@baylibre.com>
Date:   Mon Aug 29 07:45:49 2016 +0000

    mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
    
    commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c upstream.
    
    This fixes subpage writes when using 4-bit HW ECC.
    
    There have been numerous reports about ECC errors with devices using this
    driver for a while.  Also the 4-bit ECC has been reported as broken with
    subpages in [1] and with 16 bits NANDs in the driver and in mach* board
    files both in mainline and in the vendor BSPs.
    
    What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to
    try reinitializing the ECC engine:
    - R/W on whole pages properly generates/checks RS code
    - try writing the 1st subpage only of a blank page, the subpage is well
      written and the RS code properly generated, re-reading the same page
      the HW detects some ECC error, reading the same page again no ECC
      error is detected
    
    Note that the ECC engine is already reinitialized in the 1-bit case.
    
    Tested on my LCDK with UBI+UBIFS using subpages.
    This could potentially get rid of the issue workarounded in [1].
    
    [1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand")
    
    Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
    Signed-off-by: Karl Beldan <kbeldan@baylibre.com>
    Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
    Signed-off-by: Brian Norris <computersforpeace@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e7d2322ab1ab8561b142052bbd0b01b78de921e
Author: Dmitry Vyukov <dvyukov@google.com>
Date:   Wed Sep 28 15:22:36 2016 -0700

    scripts/recordmcount.c: account for .softirqentry.text
    
    commit e436fd61a8f62cb7a16310a42b95ab076ff72eff upstream.
    
    be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into
    separate sections") added .softirqentry.text section, but it was not added
    to recordmcount.  So functions in the section are untraceable.  Add the
    section to scripts/recordmcount.c and scripts/recordmcount.pl.
    
    Fixes: be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections")
    Link: http://lkml.kernel.org/r/1474902626-73468-1-git-send-email-dvyukov@google.com
    Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
    Acked-by: Steve Rostedt <rostedt@goodmis.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fef79fb7f4434f191a506104df71a6a11c51c0db
Author: Tejun Heo <tj@kernel.org>
Date:   Fri Sep 23 16:55:49 2016 -0400

    cgroup: fix invalid controller enable rejections with cgroup namespace
    
    commit 9157056da8f8c4a6305f15619e269f164b63a6de upstream.
    
    On the v2 hierarchy, "cgroup.subtree_control" rejects controller
    enables if the cgroup has processes in it.  The enforcement of this
    logic assumes that the cgroup wouldn't have any css_sets associated
    with it if there are no tasks in the cgroup, which is no longer true
    since a79a908fd2b0 ("cgroup: introduce cgroup namespaces").
    
    When a cgroup namespace is created, it pins the css_set of the
    creating task to use it as the root css_set of the namespace.  This
    extra reference stays as long as the namespace is around and makes
    "cgroup.subtree_control" think that the namespace root cgroup is not
    empty even when it is and thus reject controller enables.
    
    Fix it by making cgroup_subtree_control() walk and test emptiness of
    each css_set instead of testing whether the list_head is empty.
    
    While at it, update the comment of cgroup_task_count() to indicate
    that the returned value may be higher than the number of tasks, which
    has always been true due to temporary references and doesn't break
    anything.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
    Cc: Serge E. Hallyn <serge.hallyn@ubuntu.com>
    Cc: Aditya Kali <adityakali@google.com>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
    Link: https://github.com/systemd/systemd/pull/3589#issuecomment-249089541
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ec4bc23c454f675a1ca3d3155e8ad1bfde4841f
Author: Joonwoo Park <joonwoop@codeaurora.org>
Date:   Sun Sep 11 21:14:58 2016 -0700

    cpuset: handle race between CPU hotplug and cpuset_hotplug_work
    
    commit 28b89b9e6f7b6c8fef7b3af39828722bca20cfee upstream.
    
    A discrepancy between cpu_online_mask and cpuset's effective_cpus
    mask is inevitable during hotplug since cpuset defers updating of
    effective_cpus mask using a workqueue, during which time nothing
    prevents the system from more hotplug operations.  For that reason
    guarantee_online_cpus() walks up the cpuset hierarchy until it finds
    an intersection under the assumption that top cpuset's effective_cpus
    mask intersects with cpu_online_mask even with such a race occurring.
    
    However a sequence of CPU hotplugs can open a time window, during which
    none of the effective CPUs in the top cpuset intersect with
    cpu_online_mask.
    
    For example when there are 4 possible CPUs 0-3 and only CPU0 is online:
    
      ========================  ===========================
       cpu_online_mask           top_cpuset.effective_cpus
      ========================  ===========================
       echo 1 > cpu2/online.
       CPU hotplug notifier woke up hotplug work but not yet scheduled.
          [0,2]                     [0]
    
       echo 0 > cpu0/online.
       The workqueue is still runnable.
          [2]                       [0]
      ========================  ===========================
    
      Now there is no intersection between cpu_online_mask and
      top_cpuset.effective_cpus.  Thus invoking sys_sched_setaffinity() at
      this moment can cause following:
    
       Unable to handle kernel NULL pointer dereference at virtual address 000000d0
       ------------[ cut here ]------------
       Kernel BUG at ffffffc0001389b0 [verbose debug info unavailable]
       Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP
       Modules linked in:
       CPU: 2 PID: 1420 Comm: taskset Tainted: G        W       4.4.8+ #98
       task: ffffffc06a5c4880 ti: ffffffc06e124000 task.ti: ffffffc06e124000
       PC is at guarantee_online_cpus+0x2c/0x58
       LR is at cpuset_cpus_allowed+0x4c/0x6c
       <snip>
       Process taskset (pid: 1420, stack limit = 0xffffffc06e124020)
       Call trace:
       [<ffffffc0001389b0>] guarantee_online_cpus+0x2c/0x58
       [<ffffffc00013b208>] cpuset_cpus_allowed+0x4c/0x6c
       [<ffffffc0000d61f0>] sched_setaffinity+0xc0/0x1ac
       [<ffffffc0000d6374>] SyS_sched_setaffinity+0x98/0xac
       [<ffffffc000085cb0>] el0_svc_naked+0x24/0x28
    
    The top cpuset's effective_cpus are guaranteed to be identical to
    cpu_online_mask eventually.  Hence fall back to cpu_online_mask when
    there is no intersection between top cpuset's effective_cpus and
    cpu_online_mask.
    
    Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
    Acked-by: Li Zefan <lizefan@huawei.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: cgroups@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
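
Added example (not part of the commit or the kernel source): a user-space C model that replays the hotplug sequence from the table in "cpuset: handle race between CPU hotplug and cpuset_hotplug_work" and compares an upward walk with no fallback against one that falls back to the online mask. The struct, the function names, the child cpuset pinned to CPU0 and the step numbering are assumptions constructed for illustration; the no-fallback walk returns -1 at the point where it would run past the top cpuset.

```c
#include <stddef.h>
#include <stdio.h>

#define CPU(n) (1u << (n))

struct cpuset_model {
    unsigned int effective_cpus;        /* bit n set = CPU n allowed */
    const struct cpuset_model *parent;  /* NULL for the top cpuset */
};

struct hotplug_state {
    unsigned int online;                /* models cpu_online_mask */
    unsigned int top_effective;         /* models top_cpuset.effective_cpus */
};

/* Constructed replay of the sequence in the commit message's table. */
static struct hotplug_state state_at(int step)
{
    struct hotplug_state s = { CPU(0), CPU(0) };  /* only CPU0 online */

    if (step >= 1)
        s.online |= CPU(2);             /* cpu2 onlined, work not yet run */
    if (step >= 2)
        s.online &= ~CPU(0);            /* cpu0 offlined, work still pending */
    if (step >= 3)
        s.top_effective = s.online;     /* deferred work finally runs */
    return s;
}

/* Walk up until a cpuset intersects the online mask; no fallback. */
static int walk_no_fallback(const struct cpuset_model *cs,
                            unsigned int online, unsigned int *mask)
{
    while (!(cs->effective_cpus & online)) {
        cs = cs->parent;
        if (!cs)
            return -1;                  /* ran past the top cpuset */
    }
    *mask = cs->effective_cpus & online;
    return 0;
}

/* Same walk, but fall back to the online mask when the top has no overlap. */
static unsigned int walk_with_fallback(const struct cpuset_model *cs,
                                       unsigned int online)
{
    while (!(cs->effective_cpus & online)) {
        cs = cs->parent;
        if (!cs)
            return online;              /* racing hotplug: use online CPUs */
    }
    return cs->effective_cpus & online;
}

/* Allowed-CPU query for a task in a child cpuset at a given step. */
static int query(int step, int use_fallback, unsigned int *mask)
{
    struct hotplug_state s = state_at(step);
    struct cpuset_model top = { s.top_effective, NULL };
    struct cpuset_model child = { CPU(0), &top };  /* hypothetical child */

    if (use_fallback) {
        *mask = walk_with_fallback(&child, s.online);
        return 0;
    }
    return walk_no_fallback(&child, s.online, mask);
}

int main(void)
{
    int step;

    for (step = 0; step <= 3; step++) {
        unsigned int a = 0, b = 0;
        int rc = query(step, 0, &a);

        query(step, 1, &b);
        printf("step %d: no fallback rc=%d mask=0x%x | fallback mask=0x%x\n",
               step, rc, a, b);
    }
    return 0;
}
```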