commit 72d391fefcd4729206d2e17f557e7a918de9b6d8 Author: Sasha Levin Date: Tue May 5 12:39:05 2015 -0400 Linux 3.18.13 Signed-off-by: Sasha Levin commit ad931555388824fb12bc8f555e6fb6ee57ad4352 Author: Naoya Horiguchi Date: Thu Feb 12 15:00:25 2015 -0800 mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page() [ Upstream commit 9ab3b598d2dfbdb0153ffa7e4b1456bbff59a25d ] A race condition starts to be visible in recent mmotm, where a PG_hwpoison flag is set on a migration source page *before* it's back in buddy page poo= l. This is problematic because no page flag is supposed to be set when freeing (see __free_one_page().) So the user-visible effect of this race is that it could trigger the BUG_ON() when soft-offlining is called. The root cause is that we call lru_add_drain_all() to make sure that the page is in buddy, but that doesn't work because this function just schedule= s a work item and doesn't wait its completion. drain_all_pages() does drainin= g directly, so simply dropping lru_add_drain_all() solves this problem. Fixes: f15bdfa802bf ("mm/memory-failure.c: fix memory leak in successful soft offlining") Signed-off-by: Naoya Horiguchi Cc: Andi Kleen Cc: Tony Luck Cc: Chen Gong Cc: [3.11+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 3e16c7f2f05592c9dc7c337623786d875035dcdf Author: Janne Heikkinen Date: Tue Dec 9 07:44:51 2014 +0200 Bluetooth: Add USB device 04ca:3010 as Atheros AR3012 [ Upstream commit 134d3b3550f050b9bec37111824452064d1ed928 ] Asus X553MA has USB device 04ca:3010 that is Atheros AR3012 or compatible. Device from /sys/kernel/debug/usb/devices: T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=02 Dev#= 27 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=04ca ProdID=3010 Rev= 0.02 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Janne Heikkinen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 6a64bf941b85ab49c00f5c61321c4322b509e891 Author: Anantha Krishnan Date: Mon Oct 6 16:31:49 2014 +0530 Bluetooth: Add support for Acer [0489:e078] [ Upstream commit 4b552bc9edfdc947862af225a0e2521edb5d37a0 ] Add support for the QCA6174 chip. T: Bus=06 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e078 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Anantha Krishnan Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d94e38ae7d787367a70638e0ee28f0bd9d28ec44 Author: Marcel Holtmann Date: Mon Jul 21 14:02:33 2014 +0200 Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard [ Upstream commit c2aef6e8cbebd60f79555baeb9266e220f135a44 ] The Asus Z97-DELUXE motherboard contains a Broadcom based Bluetooth controller on the USB bus. However vendor and product ID are listed as ASUSTek Computer. T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0b05 ProdID=17cf Rev= 1.12 S: Manufacturer=Broadcom Corp S: Product=BCM20702A0 S: SerialNumber=54271E910064 C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Reported-by: Jerome Leclanche Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg Signed-off-by: Sasha Levin commit 33c9cfd8cb9e2c81c9756f6aaf14aa6a6b80cc8a Author: Jeremiah Mahler Date: Sun Jan 11 05:42:06 2015 -0800 usb: serial: silence all non-critical read errors [ Upstream commit aa8e22128b40590b291cd13512098bf258a7e6c5 ] If a USB serial device is unplugged while there is an active program using the device it may spam the logs with -EPROTO (71) messages as it attempts to retry. Most serial usb drivers (metro-usb, pl2303, mos7840, ...) only output these messages for debugging. The generic driver treats these as errors. Change the default output for the generic serial driver from error to debug to silence these non-critical errors. Signed-off-by: Jeremiah Mahler Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 2ca6349bd05914e0b61355d10df5134f7e4c67f3 Author: Bo Yan Date: Fri Apr 24 10:30:52 2015 -0700 arm64: fix midr range for Cortex-A57 erratum 832075 Register MIDR_EL1 is masked to get variant and revision fields, then compared against midr_range_min and midr_range_max when checking whether CPU is affected by any particular erratum. However, variant and revision fields in MIDR_EL1 are separated by 16 bits, so the min and max of midr range should be constructed accordingly, otherwise the patch will not be applied when variant field is non-0. Acked-by: Andre Przywara Reviewed-by: Paul Walmsley Signed-off-by: Bo Yan [will: use MIDR_VARIANT_SHIFT to construct upper bound] Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit 6d1966dfd6e0ad2f8aa4b664ae1a62e33abe1998) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 5430a02112fc962e5dff5feee6e3fcdacc00357f Author: Will Deacon Date: Fri Apr 24 10:30:51 2015 -0700 arm64: errata: add workaround for cortex-a53 erratum #845719 When running a compat (AArch32) userspace on Cortex-A53, a load at EL0 from a virtual address that matches the bottom 32 bits of the virtual address used by a recent load at (AArch64) EL1 might return incorrect data. This patch works around the issue by writing to the contextidr_el1 register on the exception return path when returning to a 32-bit task. This workaround is patched in at runtime based on the MIDR value of the processor. Reviewed-by: Marc Zyngier Tested-by: Mark Rutland Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit 905e8c5dcaa147163672b06fe9dcb5abaacbc711) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 62ef31e125604cd61363f33eeffbb17edfbc8c97 Author: Andre Przywara Date: Fri Apr 24 10:30:50 2015 -0700 arm64: protect alternatives workarounds with Kconfig options Not all of the errata we have workarounds for apply necessarily to all SoCs, so people compiling a kernel for one very specific SoC may not need to patch the kernel. Introduce a new submenu in the "Platform selection" menu to allow people to turn off certain bugs if they are not affected. By default all of them are enabled. Normal users or distribution kernels shouldn't bother to deselect any bugs here, since the alternatives framework will take care of patching them in only if needed. Signed-off-by: Andre Przywara [will: moved kconfig menu under `Kernel Features'] Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit c0a01b84b1fdbd98bff5bca5b201fe73fda7e9d9) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit e51ce83faf4fd6560d1279733e51154b10a3d09e Author: Andre Przywara Date: Fri Apr 24 10:30:49 2015 -0700 arm64: add Cortex-A57 erratum 832075 workaround The ARM erratum 832075 applies to certain revisions of Cortex-A57, one of the workarounds is to change device loads into using load-aquire semantics. This is achieved using the alternatives framework. Signed-off-by: Andre Przywara Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit 5afaa1fc1b320cec48affa7e6949f2493f875c12) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 4d817d3de61d2697e40ae4c69d23aeaf919319d2 Author: Andre Przywara Date: Fri Apr 24 10:30:48 2015 -0700 arm64: add Cortex-A53 cache errata workaround The ARM errata 819472, 826319, 827319 and 824069 define the same workaround for these hardware issues in certain Cortex-A53 parts. Use the new alternatives framework and the CPU MIDR detection to patch "cache clean" into "cache clean and invalidate" instructions if an affected CPU is detected at runtime. Signed-off-by: Andre Przywara [will: add __maybe_unused to squash gcc warning] Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit 301bcfac42897dbd1b0b3c1be49f24654a1bc49e) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit da767e54e365f4816ffbbf1403e5f7735d363bc3 Author: Andre Przywara Date: Fri Apr 24 10:30:47 2015 -0700 arm64: detect silicon revisions and set cap bits accordingly After each CPU has been started, we iterate through a list of CPU features or bugs to detect CPUs which need (or could benefit from) kernel code patches. For each feature/bug there is a function which checks if that particular CPU is affected. We will later provide some more generic functions for common things like testing for certain MIDR ranges. We do this for every CPU to cover big.LITTLE systems properly as well. If a certain feature/bug has been detected, the capability bit will be set, so that later the call to apply_alternatives() will trigger the actual code patching. Signed-off-by: Andre Przywara Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit e116a375423393cdb94714e90a96857005d58428) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 6a5a8112e8423ce3b941427b823107765ea7ce6a Author: Andre Przywara Date: Fri Apr 24 10:30:46 2015 -0700 arm64: add alternative runtime patching With a blatant copy of some x86 bits we introduce the alternative runtime patching "framework" to arm64. This is quite basic for now and we only provide the functions we need at this time. This is connected to the newly introduced feature bits. Signed-off-by: Andre Przywara Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit e039ee4ee3fcf174736f2cb0a2eed6cb908348a6) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 9a21c96c4672f02cc195c69ec083b3e664bd2221 Author: Andre Przywara Date: Fri Apr 24 10:30:45 2015 -0700 arm64: add cpu_capabilities bitmap For taking note if at least one CPU in the system needs a bug workaround or would benefit from a code optimization, we create a new bitmap to hold (artificial) feature bits. Since elf_hwcap is part of the userland ABI, we keep it alone and introduce a new data structure for that (along with some accessors). Signed-off-by: Andre Przywara Signed-off-by: Will Deacon Cc: # v3.18.y (cherry picked from commit 930da09f5e50dd22fb0a8600388da8677d62d671) Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit dd6903432858c88c0b277f936352af248da9fe7e Author: Jun'ichi Nomura \\\\(NEC\\\\) Date: Thu Feb 12 01:26:24 2015 +0000 tg3: Hold tp->lock before calling tg3_halt() from tg3_init_one() [ Upstream commit d0af71a3573f1217b140c60b66f1a9b335fb058b ] tg3_init_one() calls tg3_halt() without tp->lock despite its assumption and causes deadlock. If lockdep is enabled, a warning like this shows up before the stall: [ BUG: bad unlock balance detected! ] 3.19.0test #3 Tainted: G E ------------------------------------- insmod/369 is trying to release lock (&(&tp->lock)->rlock) at: [] tg3_chip_reset+0x14d/0x780 [tg3] but there are no more locks to release! tg3_init_one() doesn't call tg3_halt() under normal situation but during kexec kdump I hit this problem. Fixes: 932f19de ("tg3: Release tp->lock before invoking synchronize_irq()") Signed-off-by: Jun'ichi Nomura Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e083cde25c210e1960a3fbfe71c9ada4f9148a26 Author: Ben Hutchings Date: Wed Mar 25 21:41:33 2015 +0100 usbnet: Fix tx_bytes statistic running backward in cdc_ncm [ Upstream commit 7a1e890e2168e33fb62d84528e996b8b4b478fea ] cdc_ncm disagrees with usbnet about how much framing overhead should be counted in the tx_bytes statistics, and tries 'fix' this by decrementing tx_bytes on the transmit path. But statistics must never be decremented except due to roll-over; this will thoroughly confuse user-space. Also, tx_bytes is only incremented by usbnet in the completion path. Fix this by requiring drivers that set FLAG_MULTI_FRAME to set a tx_bytes delta along with the tx_packets count. Fixes: beeecd42c3b4 ("net: cdc_ncm/cdc_mbim: adding NCM protocol statistics") Signed-off-by: Ben Hutchings Signed-off-by: Bjørn Mork Signed-off-by: Sasha Levin commit d0f6e5cf80894ada0f9143be5e4a0d24a803c3f0 Author: Ben Hutchings Date: Thu Feb 26 19:34:37 2015 +0000 usbnet: Fix tx_packets stat for FLAG_MULTI_FRAME drivers [ Upstream commit 1e9e39f4a29857a396ac7b669d109f697f66695e ] Currently the usbnet core does not update the tx_packets statistic for drivers with FLAG_MULTI_PACKET and there is no hook in the TX completion path where they could do this. cdc_ncm and dependent drivers are bumping tx_packets stat on the transmit path while asix and sr9800 aren't updating it at all. Add a packet count in struct skb_data so these drivers can fill it in, initialise it to 1 for other drivers, and add the packet count to the tx_packets statistic on completion. Signed-off-by: Ben Hutchings Tested-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 218aa70e49b61fd49691a688309bdee22608c9bb Author: Jesse Gross Date: Thu Apr 9 11:19:14 2015 -0700 udptunnels: Call handle_offloads after inserting vlan tag. [ Upstream commit b736a623bd099cdf5521ca9bd03559f3bc7fa31c ] handle_offloads() calls skb_reset_inner_headers() to store the layer pointers to the encapsulated packet. However, we currently push the vlag tag (if there is one) onto the packet afterwards. This changes the MAC header for the encapsulated packet but it is not reflected in skb->inner_mac_header, which breaks GSO and drivers which attempt to use this for encapsulation offloads. Fixes: 1eaa8178 ("vxlan: Add tx-vlan offload support.") Signed-off-by: Jesse Gross Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 754a19948ec440acc781d3870d48329c802a6eb7 Author: Pravin B Shelar Date: Tue Dec 23 16:20:36 2014 -0800 vxlan: Fix double free of skb. [ Upstream commit 74f47278cb056ffe1d261df3e094d608c3569829 ] In case of error vxlan_xmit_one() can free already freed skb. Also fixes memory leak of dst-entry. Fixes: acbf74a7630 ("vxlan: Refactor vxlan driver to make use of the common UDP tunnel functions"). Signed-off-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a67e2e88342accd49587d9bad72f6dabd7673f7c Author: Jiri Pirko Date: Wed Nov 19 14:04:59 2014 +0100 vlan: introduce *vlan_hwaccel_push_inside helpers [ Upstream commit 5968250c868ceee680aa77395b24e6ddcae17d36 ] Use them to push skb->vlan_tci into the payload and avoid code duplication. Signed-off-by: Jiri Pirko Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d329729a26406301996d4ae63b3d7d489bd2f361 Author: Jiri Pirko Date: Wed Nov 19 14:04:58 2014 +0100 vlan: rename __vlan_put_tag to vlan_insert_tag_set_proto [ Upstream commit 62749e2cb3c4a7da3eaa5c01a7e787aebeff8536 ] Name fits better. Plus there's going to be introduced __vlan_insert_tag later on. Signed-off-by: Jiri Pirko Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c01a1cb6848c9b399cd4471cdd7d2393c46a56e8 Author: Jiri Pirko Date: Wed Nov 19 14:04:57 2014 +0100 vlan: kill vlan_put_tag helper [ Upstream commit b4bef1b57544b18899eb15569e3bafd8d2eeeff6 ] Since both tx and rx paths work with skb->vlan_tci, there's no need for this function anymore. Switch users directly to __vlan_hwaccel_put_tag. Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ca7c7b9059e329fc3780d12deb5797e8ca03a73d Author: Herbert Xu Date: Thu Apr 16 09:03:27 2015 +0800 skbuff: Do not scrub skb mark within the same name space [ Upstream commit 213dd74aee765d4e5f3f4b9607fef0cf97faa2af ] On Wed, Apr 15, 2015 at 05:41:26PM +0200, Nicolas Dichtel wrote: > Le 15/04/2015 15:57, Herbert Xu a écrit : > >On Wed, Apr 15, 2015 at 06:22:29PM +0800, Herbert Xu wrote: > [snip] > >Subject: skbuff: Do not scrub skb mark within the same name space > > > >The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels: > Maybe add a Fixes tag? > Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") > > >harmonize cleanup done on skb on rx path") broke anyone trying to > >use netfilter marking across IPv4 tunnels. While most of the > >fields that are cleared by skb_scrub_packet don't matter, the > >netfilter mark must be preserved. > > > >This patch rearranges skb_scurb_packet to preserve the mark field. > nit: s/scurb/scrub > > Else it's fine for me. Sure. PS I used the wrong email for James the first time around. So let me repeat the question here. Should secmark be preserved or cleared across tunnels within the same name space? In fact, do our security models even support name spaces? ---8<--- The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels: harmonize cleanup done on skb on rx path") broke anyone trying to use netfilter marking across IPv4 tunnels. While most of the fields that are cleared by skb_scrub_packet don't matter, the netfilter mark must be preserved. This patch rearranges skb_scrub_packet to preserve the mark field. Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") Signed-off-by: Herbert Xu Acked-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit efca6fa3f967cdadda3da28eb049df8291a7e85e Author: Herbert Xu Date: Thu Apr 16 16:12:53 2015 +0800 Revert "net: Reset secmark when scrubbing packet" [ Upstream commit 4c0ee414e877b899f7fc80aafb98d9425c02797f ] This patch reverts commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 because the secmark must be preserved even when a packet crosses namespace boundaries. The reason is that security labels apply to the system as a whole and is not per-namespace. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6ee16f4a033f21a9a41d60a8d93f9663ec269913 Author: Alexei Starovoitov Date: Tue Apr 14 15:57:13 2015 -0700 bpf: fix verifier memory corruption [ Upstream commit c3de6317d748e23b9e46ba36e10483728d00d144 ] Due to missing bounds check the DAG pass of the BPF verifier can corrupt the memory which can cause random crashes during program loading: [8.449451] BUG: unable to handle kernel paging request at ffffffffffffffff [8.451293] IP: [] kmem_cache_alloc_trace+0x8d/0x2f0 [8.452329] Oops: 0000 [#1] SMP [8.452329] Call Trace: [8.452329] [] bpf_check+0x852/0x2000 [8.452329] [] bpf_prog_load+0x1e4/0x310 [8.452329] [] ? might_fault+0x5f/0xb0 [8.452329] [] SyS_bpf+0x806/0xa30 Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier") Signed-off-by: Alexei Starovoitov Acked-by: Hannes Frederic Sowa Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0a50f4197fe67d3d9273728640bc8d4e19e33bbc Author: Eric Dumazet Date: Tue Apr 14 18:45:00 2015 -0700 bnx2x: Fix busy_poll vs netpoll [ Upstream commit 074975d0374333f656c48487aa046a21a9b9d7a1 ] Commit 9a2620c877454 ("bnx2x: prevent WARN during driver unload") switched the napi/busy_lock locking mechanism from spin_lock() into spin_lock_bh(), breaking inter-operability with netconsole, as netpoll disables interrupts prior to calling our napi mechanism. This switches the driver into using atomic assignments instead of the spinlock mechanisms previously employed. Based on initial patch from Yuval Mintz & Ariel Elior I basically added softirq starvation avoidance, and mixture of atomic operations, plain writes and barriers. Note this slightly reduces the overhead for this driver when no busy_poll sockets are in use. Fixes: 9a2620c877454 ("bnx2x: prevent WARN during driver unload") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 73b4de2b9d32bdddd3b9d304cdc448b7ea2e0ee3 Author: Eric Dumazet Date: Thu Apr 9 13:31:56 2015 -0700 tcp: tcp_make_synack() should clear skb->tstamp [ Upstream commit b50edd7812852d989f2ef09dcfc729690f54a42d ] I noticed tcpdump was giving funky timestamps for locally generated SYNACK messages on loopback interface. 11:42:46.938990 IP 127.0.0.1.48245 > 127.0.0.2.23850: S 945476042:945476042(0) win 43690 20:28:58.502209 IP 127.0.0.2.23850 > 127.0.0.1.48245: S 3160535375:3160535375(0) ack 945476043 win 43690 This is because we need to clear skb->tstamp before entering lower stack, otherwise net_timestamp_check() does not set skb->tstamp. Fixes: 7faee5c0d514 ("tcp: remove TCP_SKB_CB(skb)->when") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit eea274fd0dce7800fe1f1ca20522eb8827a5ddde Author: Jack Morgenstein Date: Sun Apr 5 17:50:48 2015 +0300 net/mlx4_core: Fix error message deprecation for ConnectX-2 cards [ Upstream commit fde913e25496761a4e2a4c81230c913aba6289a2 ] Commit 1daa4303b4ca ("net/mlx4_core: Deprecate error message at ConnectX-2 cards startup to debug") did the deprecation only for port 1 of the card. Need to deprecate for port 2 as well. Fixes: 1daa4303b4ca ("net/mlx4_core: Deprecate error message at ConnectX-2 cards startup to debug") Signed-off-by: Jack Morgenstein Signed-off-by: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c8c30b2b17f2133e953850c547e3902c3a3d80e2 Author: hannes@stressinduktion.org Date: Wed Apr 1 17:07:44 2015 +0200 ipv6: protect skb->sk accesses from recursive dereference inside the stack [ Upstream commit f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 ] We should not consult skb->sk for output decisions in xmit recursion levels > 0 in the stack. Otherwise local socket settings could influence the result of e.g. tunnel encapsulation process. ipv6 does not conform with this in three places: 1) ip6_fragment: we do consult ipv6_npinfo for frag_size 2) sk_mc_loop in ipv6 uses skb->sk and checks if we should loop the packet back to the local socket 3) ip6_skb_dst_mtu could query the settings from the user socket and force a wrong MTU Furthermore: In sk_mc_loop we could potentially land in WARN_ON(1) if we use a PF_PACKET socket ontop of an IPv6-backed vxlan device. Reuse xmit_recursion as we are currently only interested in protecting tunnel devices. Cc: Jiri Pirko Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6ef8d55c805fd995474a264ec4e371cad513890d Author: Neal Cardwell Date: Wed Apr 1 20:26:46 2015 -0400 tcp: fix FRTO undo on cumulative ACK of SACKed range [ Upstream commit 666b805150efd62f05810ff0db08f44a2370c937 ] On processing cumulative ACKs, the FRTO code was not checking the SACKed bit, meaning that there could be a spurious FRTO undo on a cumulative ACK of a previously SACKed skb. The FRTO code should only consider a cumulative ACK to indicate that an original/unretransmitted skb is newly ACKed if the skb was not yet SACKed. The effect of the spurious FRTO undo would typically be to make the connection think that all previously-sent packets were in flight when they really weren't, leading to a stall and an RTO. Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Fixes: e33099f96d99c ("tcp: implement RFC5682 F-RTO") Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 01c30913ab04fd9c30d78a6580cbe5555dfce525 Author: Jonathan Davies Date: Tue Mar 31 11:05:15 2015 +0100 xen-netfront: transmit fully GSO-sized packets [ Upstream commit 0c36820e2ab7d943ab1188230fdf2149826d33c0 ] xen-netfront limits transmitted skbs to be at most 44 segments in size. However, GSO permits up to 65536 bytes, which means a maximum of 45 segments of 1448 bytes each. This slight reduction in the size of packets means a slight loss in efficiency. Since c/s 9ecd1a75d, xen-netfront sets gso_max_size to XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER, where XEN_NETIF_MAX_TX_SIZE is 65535 bytes. The calculation used by tcp_tso_autosize (and also tcp_xmit_size_goal since c/s 6c09fa09d) in determining when to split an skb into two is sk->sk_gso_max_size - 1 - MAX_TCP_HEADER. So the maximum permitted size of an skb is calculated to be (XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER) - 1 - MAX_TCP_HEADER. Intuitively, this looks like the wrong formula -- we don't need two TCP headers. Instead, there is no need to deviate from the default gso_max_size of 65536 as this already accommodates the size of the header. Currently, the largest skb transmitted by netfront is 63712 bytes (44 segments of 1448 bytes each), as observed via tcpdump. This patch makes netfront send skbs of up to 65160 bytes (45 segments of 1448 bytes each). Similarly, the maximum allowable mtu does not need to subtract MAX_TCP_HEADER as it relates to the size of the whole packet, including the header. Fixes: 9ecd1a75d977 ("xen-netfront: reduce gso_max_size to account for max TCP header") Signed-off-by: Jonathan Davies Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 98ec7a5e47f46ea601dd4a8175ee6681f4b8a79a Author: Anton Nayshtut Date: Sun Mar 29 14:20:25 2015 +0300 bonding: Bonding Overriding Configuration logic restored. [ Upstream commit f5e2dc5d7fe78fe4d8748d217338f4f7b6a5d7ea ] Before commit 3900f29021f0bc7fe9815aa32f1a993b7dfdd402 ("bonding: slight optimizztion for bond_slave_override()") the override logic was to send packets with non-zero queue_id through the slave with corresponding queue_id, under two conditions only - if the slave can transmit and it's up. The above mentioned commit changed this logic by introducing an additional condition - whether the bond is active (indirectly, using the slave_can_tx and later - bond_is_active_slave), that prevents the user from implementing more complex policies according to the Documentation/networking/bonding.txt. Signed-off-by: Anton Nayshtut Signed-off-by: Alexey Bogoslavsky Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 65b7ff47a780ec95012bdbf1441056a62cbf27c5 Author: Alexey Kodanev Date: Fri Mar 27 12:24:22 2015 +0300 net: tcp6: fix double call of tcp_v6_fill_cb() [ Upstream commit 4ad19de8774e2a7b075b3e8ea48db85adcf33fa6 ] tcp_v6_fill_cb() will be called twice if socket's state changes from TCP_TIME_WAIT to TCP_LISTEN. That can result in control buffer data corruption because in the second tcp_v6_fill_cb() call it's not copying IP6CB(skb) anymore, but 'seq', 'end_seq', etc., so we can get weird and unpredictable results. Performance loss of up to 1200% has been observed in LTP/vxlan03 test. This can be fixed by copying inet6_skb_parm to the beginning of 'cb' only if xfrm6_policy_check() and tcp_v6_fill_cb() are going to be called again. Fixes: 2dc49d1680b53 ("tcp6: don't move IP6CB before xfrm6_policy_check()") Signed-off-by: Alexey Kodanev Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c85b2d7e9fa44286feaac33031db1dd0e4c9ed3b Author: D.S. Ljungmark Date: Wed Mar 25 09:28:15 2015 +0100 ipv6: Don't reduce hop limit for an interface [ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ] A local route may have a lower hop_limit set than global routes do. RFC 3756, Section 4.2.7, "Parameter Spoofing" > 1. The attacker includes a Current Hop Limit of one or another small > number which the attacker knows will cause legitimate packets to > be dropped before they reach their destination. > As an example, one possible approach to mitigate this threat is to > ignore very small hop limits. The nodes could implement a > configurable minimum hop limit, and ignore attempts to set it below > said limit. Signed-off-by: D.S. Ljungmark Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e1a2b75979c7f3ff1df8f8a57c5a26067964592c Author: Ido Shamay Date: Tue Mar 24 15:18:38 2015 +0200 net/mlx4_en: Call register_netdevice in the proper location [ Upstream commit e5eda89d97ec256ba14e7e861387cc0468259c18 ] Netdevice registration should be performed a the end of the driver initialization flow. If we don't do that, after calling register_netdevice, device callbacks may be issued by higher layers of the stack before final configuration of the device is done. For example (VXLAN configuration race), mlx4_SET_PORT_VXLAN was issued after the register_netdev command. System network scripts may configure the interface (UP) right after the registration, which also attach unicast VXLAN steering rule, before mlx4_SET_PORT_VXLAN was called, causing the firmware to fail the rule attachment. Fixes: 837052d0ccc5 ("net/mlx4_en: Add netdev support for TCP/IP offloads of vxlan tunneling") Signed-off-by: Ido Shamay Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b9a91574adb307476738fc991d6fbc2c0ac04779 Author: Michal Kubeček Date: Mon Mar 23 15:14:00 2015 +0100 tcp: prevent fetching dst twice in early demux code [ Upstream commit d0c294c53a771ae7e84506dfbd8c18c30f078735 ] On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux() struct dst_entry *dst = sk->sk_rx_dst; if (dst) dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie); to code reading sk->sk_rx_dst twice, once for the test and once for the argument of ip6_dst_check() (dst_check() is inline). This allows ip6_dst_check() to be called with null first argument, causing a crash. Protect sk->sk_rx_dst access by READ_ONCE() both in IPv4 and IPv6 TCP early demux code. Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.") Fixes: c7109986db3c ("ipv6: Early TCP socket demux") Signed-off-by: Michal Kubecek Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1ba15e10857b9186b491d3ee20cb98fe675034b5 Author: Christian Borntraeger Date: Tue Jan 13 10:46:42 2015 +0100 kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val) [ Upstream commit 43239cbe79fc369f5d2160bd7f69e28b5c50a58c ] Feedback has shown that WRITE_ONCE(x, val) is easier to use than ASSIGN_ONCE(val,x). There are no in-tree users yet, so lets change it for 3.19. Signed-off-by: Christian Borntraeger Acked-by: Peter Zijlstra Acked-by: Davidlohr Bueso Acked-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 63787890ec2624b97dd499050519781f346458b2 Author: Christian Borntraeger Date: Tue Nov 25 10:01:16 2014 +0100 kernel: Provide READ_ONCE and ASSIGN_ONCE [ Upstream commit 230fa253df6352af12ad0a16128760b5cb3f92df ] ACCESS_ONCE does not work reliably on non-scalar types. For example gcc 4.6 and 4.7 might remove the volatile tag for such accesses during the SRA (scalar replacement of aggregates) step https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145) Let's provide READ_ONCE/ASSIGN_ONCE that will do all accesses via scalar types as suggested by Linus Torvalds. Accesses larger than the machines word size cannot be guaranteed to be atomic. These macros will use memcpy and emit a build warning. Signed-off-by: Christian Borntraeger Signed-off-by: Sasha Levin commit b94e91cc2225ea311e6bb8500f492702e319b348 Author: Igor Mammedov Date: Fri Mar 20 12:21:37 2015 +0000 kvm: avoid page allocation failure in kvm_set_memory_region() [ Upstream commit 744961341d472db6272ed9b42319a90f5a2aa7c4 ] KVM guest can fail to startup with following trace on host: qemu-system-x86: page allocation failure: order:4, mode:0x40d0 Call Trace: dump_stack+0x47/0x67 warn_alloc_failed+0xee/0x150 __alloc_pages_direct_compact+0x14a/0x150 __alloc_pages_nodemask+0x776/0xb80 alloc_kmem_pages+0x3a/0x110 kmalloc_order+0x13/0x50 kmemdup+0x1b/0x40 __kvm_set_memory_region+0x24a/0x9f0 [kvm] kvm_set_ioapic+0x130/0x130 [kvm] kvm_set_memory_region+0x21/0x40 [kvm] kvm_vm_ioctl+0x43f/0x750 [kvm] Failure happens when attempting to allocate pages for 'struct kvm_memslots', however it doesn't have to be present in physically contiguous (kmalloc-ed) address space, change allocation to kvm_kvzalloc() so that it will be vmalloc-ed when its size is more then a page. Signed-off-by: Igor Mammedov Signed-off-by: Marcelo Tosatti Signed-off-by: Sasha Levin commit 48ca7d78ff4efccbf3d670774d29dd52b7af912d Author: Dave Chinner Date: Mon Feb 23 22:37:08 2015 +1100 xfs: ensure truncate forces zeroed blocks to disk [ Upstream commit 5885ebda878b47c4b4602d4b0410cb4b282af024 ] A new fsync vs power fail test in xfstests indicated that XFS can have unreliable data consistency when doing extending truncates that require block zeroing. The blocks beyond EOF get zeroed in memory, but we never force those changes to disk before we run the transaction that extends the file size and exposes those blocks to userspace. This can result in the blocks not being correctly zeroed after a crash. Because in-memory behaviour is correct, tools like fsx don't pick up any coherency problems - it's not until the filesystem is shutdown or the system crashes after writing the truncate transaction to the journal but before the zeroed data in the page cache is flushed that the issue is exposed. Fix this by also flushing the dirty data in memory region between the old size and new size when we've found blocks that need zeroing in the truncate process. Reported-by: Liu Bo cc: Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Signed-off-by: Sasha Levin commit a69957362258b8932fe4df1433b1fdea8072ba04 Author: Omar Sandoval Date: Sat Feb 14 20:08:51 2015 -0500 ext4: fix indirect punch hole corruption [ Upstream commit 6f30b7e37a8239f9d27db626a1d3427bc7951908 ] Commit 4f579ae7de56 (ext4: fix punch hole on files with indirect mapping) rewrote FALLOC_FL_PUNCH_HOLE for ext4 files with indirect mapping. However, there are bugs in several corner cases. This fixes 5 distinct bugs: 1. When there is at least one entire level of indirection between the start and end of the punch range and the end of the punch range is the first block of its level, we can't return early; we have to free the intervening levels. 2. When the end is at a higher level of indirection than the start and ext4_find_shared returns a top branch for the end, we still need to free the rest of the shared branch it returns; we can't decrement partial2. 3. When a punch happens within one level of indirection, we need to converge on an indirect block that contains the start and end. However, because the branches returned from ext4_find_shared do not necessarily start at the same level (e.g., the partial2 chain will be shallower if the last block occurs at the beginning of an indirect group), the walk of the two chains can end up "missing" each other and freeing a bunch of extra blocks in the process. This mismatch can be handled by first making sure that the chains are at the same level, then walking them together until they converge. 4. When the punch happens within one level of indirection and ext4_find_shared returns a top branch for the start, we must free it, but only if the end does not occur within that branch. 5. When the punch happens within one level of indirection and ext4_find_shared returns a top branch for the end, then we shouldn't free the block referenced by the end of the returned chain (this mirrors the different levels case). Signed-off-by: Omar Sandoval Signed-off-by: Sasha Levin commit b27b4b79d535672a19e9d0fe1256ad1016cc9e7f Author: Preeti U Murthy Date: Wed Mar 18 16:19:27 2015 +0530 timers/tick/broadcast-hrtimer: Fix suspicious RCU usage in idle loop [ Upstream commit a127d2bcf1fbc8c8e0b5cf0dab54f7d3ff50ce47 ] The hrtimer mode of broadcast queues hrtimers in the idle entry path so as to wakeup cpus in deep idle states. The associated call graph is : cpuidle_idle_call() |____ clockevents_notify(CLOCK_EVT_NOTIFY_BROADCAST_ENTER, ....)) |_____tick_broadcast_set_event() |____clockevents_program_event() |____bc_set_next() The hrtimer_{start/cancel} functions call into tracing which uses RCU. But it is not legal to call into RCU in cpuidle because it is one of the quiescent states. Hence protect this region with RCU_NONIDLE which informs RCU that the cpu is momentarily non-idle. As an aside it is helpful to point out that the clock event device that is programmed here is not a per-cpu clock device; it is a pseudo clock device, used by the broadcast framework alone. The per-cpu clock device programming never goes through bc_set_next(). Signed-off-by: Preeti U Murthy Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Paul E. McKenney Cc: linuxppc-dev@ozlabs.org Cc: mpe@ellerman.id.au Cc: tglx@linutronix.de Link: http://lkml.kernel.org/r/20150318104705.17763.56668.stgit@preeti.in.ibm.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 02d51afc23e02e580e872cfc57d043c7a018505b Author: Majd Dibbiny Date: Wed Mar 18 16:51:37 2015 +0200 IB/mlx4: Saturate RoCE port PMA counters in case of overflow [ Upstream commit 61a3855bb726cbb062ef02a31a832dea455456e0 ] For RoCE ports, we set the u32 PMA values based on u64 HCA counters. In case of overflow, according to the IB spec, we have to saturate a counter to its max value, do that. Fixes: c37791349cc7 ('IB/mlx4: Support PMA counters for IBoE') Signed-off-by: Majd Dibbiny Signed-off-by: Eran Ben Elisha Signed-off-by: Hadar Hen Zion Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit aaa2bf750a05c56aafaa3cf51214d4bd59610f8d Author: Uwe Kleine-König Date: Sat Feb 21 11:40:23 2015 +0100 clk: divider: fix calculation of maximal parent rate for a given divider [ Upstream commit da321133b53caf7889ed3ca1dabe4cc368db2604 ] The rate provided at the output of a clk-divider is calculated as: DIV_ROUND_UP(parent_rate, div) since commit b11d282dbea2 (clk: divider: fix rate calculation for fractional rates). So to yield a rate not bigger than r parent_rate must be <= r * div. The effect of choosing a parent rate that is too big as was done before this patch results in wrongly ruling out good dividers. Note that this is not a complete fix as __clk_round_rate might return a value >= its 2nd parameter. Also for dividers with CLK_DIVIDER_ROUND_CLOSEST set the calculation is not accurate. But this fixes the test case by Sascha Hauer that uses a chain of three dividers under a fixed clock. Fixes: b11d282dbea2 (clk: divider: fix rate calculation for fractional rates) Suggested-by: Sascha Hauer Signed-off-by: Uwe Kleine-König Acked-by: Sascha Hauer Signed-off-by: Michael Turquette Signed-off-by: Sasha Levin commit 5cd223ea7e47bffef3678605f763a392cbe2623a Author: Uwe Kleine-König Date: Sat Feb 21 11:40:24 2015 +0100 clk: divider: fix selection of divider when rounding to closest [ Upstream commit 26bac95aa88c2b1747808c0b885abe7814c0165d ] It's an invalid approach to assume that among two divider values the one nearer the exact divider is the better one. Assume a parent rate of 1000 Hz, a divider with CLK_DIVIDER_POWER_OF_TWO and a target rate of 89 Hz. The exact divider is ~ 11.236 so 8 and 16 are the candidates to choose from yielding rates 125 Hz and 62.5 Hz respectivly. While 8 is nearer to 11.236 than 16 is, the latter is still the better divider as 62.5 is nearer to 89 than 125 is. Fixes: 774b514390b1 (clk: divider: Add round to closest divider) Signed-off-by: Uwe Kleine-König Acked-by: Sascha Hauer Acked-by: Maxime Coquelin Signed-off-by: Michael Turquette Signed-off-by: Sasha Levin commit c6aa7146f15eb11c635dbbf48274db04a02241de Author: Hans Verkuil Date: Mon Feb 16 07:49:07 2015 -0300 [media] vb2: fix 'UNBALANCED' warnings when calling vb2_thread_stop() [ Upstream commit 0e661006370b7e7fb9ac9d94f9c3500a62cd559b ] Stopping the vb2 thread (as used by several DVB devices) can result in an 'UNBALANCED' warning such as this: vb2: counters for queue ffff880407ee9828: UNBALANCED! vb2: setup: 1 start_streaming: 1 stop_streaming: 1 vb2: wait_prepare: 249333 wait_finish: 249334 This is due to a race condition between stopping the thread and calling vb2_internal_streamoff(). While I have not been able to deduce the exact mechanism how this race condition can produce this warning, I can see that the way the stream is stopped is likely to lead to a race somewhere. This patch simplifies how this is done by first ensuring that the thread is completely stopped before cleaning up the vb2 queue. It does that by setting threadio->stop to true, followed by a call to vb2_queue_error() which will wake up the thread. The thread sees that 'stop' is true and it will exit. The call to kthread_stop() waits until the thread has exited, and only then is the queue cleaned up by calling __vb2_cleanup_fileio(). This is a much cleaner sequence and the warning has now disappeared. Reported-by: Jurgen Kramer Tested-by: Jurgen Kramer Signed-off-by: Hans Verkuil Cc: # for v3.18 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 71871e8982c315c0fe3ba54c5b385f321135be7e Author: Geert Uytterhoeven Date: Thu Feb 19 06:47:16 2015 -0300 [media] soc-camera: Fix devm_kfree() in soc_of_bind() [ Upstream commit 8e48a2d54c5d74ea3e9dc4c3b9037786bb447f36 ] Unlike scan_async_group(), soc_of_bind() doesn't allocate its soc_camera_async_client structure using devm_kzalloc(), but has it embedded inside the soc_of_info structure. Hence on failure, it must free the whole soc_of_info structure, and not just the embedded soc_camera_async_client structure, as the latter causes a warning, and may cause slab corruption: soc-camera-pdrv soc-camera-pdrv.0: Probing soc-camera-pdrv.0 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at drivers/base/devres.c:887 devm_kfree+0x30/0x40() CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.19.0-shmobile-08386-g37feb0d093cb2d8e #128 Hardware name: Generic R8A7791 (Flattened Device Tree) Backtrace: [] (dump_backtrace) from [] (show_stack+0x18/0x1c) r6:c05a923b r5:00000009 r4:00000000 r3:00204140 [] (show_stack) from [] (dump_stack+0x78/0x94) [] (dump_stack) from [] (warn_slowpath_common+0x8c/0xb8) r4:00000000 r3:00000000 [] (warn_slowpath_common) from [] (warn_slowpath_null+0x24/0x2c) r8:ee7d8214 r7:ed83b810 r6:ed83bc20 r5:fffffffa r4:ed83e510 [] (warn_slowpath_null) from [] (devm_kfree+0x30/0x40) [] (devm_kfree) from [] (soc_of_bind.isra.14+0x194/0x1d4) [] (soc_of_bind.isra.14) from [] (soc_camera_host_register+0x208/0x31c) r9:00000070 r8:ee7e05d0 r7:ee153210 r6:00000000 r5:ee7e0218 r4:ed83bc20 [] (soc_camera_host_register) from [] (rcar_vin_probe+0x1f4/0x238) r8:ee153200 r7:00000008 r6:ee153210 r5:ed83bc10 r4:c066319c r3:000000c0 [] (rcar_vin_probe) from [] (platform_drv_probe+0x50/0xa0) r10:00000000 r9:c0662fa8 r8:00000000 r7:c06a3700 r6:c0662fa8 r5:ee153210 r4:00000000 [] (platform_drv_probe) from [] (driver_probe_device+0xc4/0x208) r6:c06a36f4 r5:00000000 r4:ee153210 r3:c025c2e4 [] (driver_probe_device) from [] (__driver_attach+0x70/0x94) r9:c066f9c0 r8:c0624a98 r7:c065b790 r6:c0662fa8 r5:ee153244 r4:ee153210 [] (__driver_attach) from [] (bus_for_each_dev+0x74/0x98) r6:c025b098 r5:c0662fa8 r4:00000000 r3:00000001 [] (bus_for_each_dev) from [] (driver_attach+0x20/0x28) r6:ed83c200 r5:00000000 r4:c0662fa8 [] (driver_attach) from [] (bus_add_driver+0xdc/0x1c4) [] (bus_add_driver) from [] (driver_register+0xa4/0xe8) r7:c0624a98 r6:00000000 r5:c060b010 r4:c0662fa8 [] (driver_register) from [] (__platform_driver_register+0x50/0x64) r5:c060b010 r4:ed8394c0 [] (__platform_driver_register) from [] (rcar_vin_driver_init+0x18/0x20) [] (rcar_vin_driver_init) from [] (do_one_initcall+0x108/0x1b8) [] (do_one_initcall) from [] (kernel_init_freeable+0x11c/0x1e4) r9:c066f9c0 r8:c066f9c0 r7:c062eab0 r6:c06252c4 r5:000000ad r4:00000006 [] (kernel_init_freeable) from [] (kernel_init+0x10/0xec) r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c048c3c0 r4:00000000 [] (kernel_init) from [] (ret_from_fork+0x14/0x34) r4:00000000 r3:ee04e000 ---[ end trace e3a984cc0335c8a0 ]--- rcar_vin e6ef1000.video: group probe failed: -6 Fixes: 1ddc6a6caa94e1e1 ("[media] soc_camera: add support for dt binding soc_camera drivers") Cc: # 3.17+ Signed-off-by: Geert Uytterhoeven Signed-off-by: Guennadi Liakhovetski Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9785703f29f13b04e70dfa179fe8918f8c8747fc Author: Marek Szyprowski Date: Wed Mar 4 05:55:21 2015 -0800 [media] media: s5p-mfc: fix mmap support for 64bit arch [ Upstream commit 05b676ab42f624425d5f6519276e506b812fa058 ] TASK_SIZE is depends on the systems architecture (32 or 64 bits) and it should not be used for defining offset boundary for mmaping buffers for CAPTURE and OUTPUT queues. This patch fixes support for MMAP calls on the CAPTURE queue on 64bit architectures (like ARM64). Cc: stable@vger.kernel.org Signed-off-by: Marek Szyprowski Signed-off-by: Kamil Debski Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 632f8dff8476d9f481bdfa66e0bfe591003382cc Author: Hans Verkuil Date: Wed Dec 10 12:35:34 2014 -0300 [media] sh_veu: v4l2_dev wasn't set [ Upstream commit ab3120300be067a2d41a027c41db0b2c662ab200 ] The v4l2_dev field of struct video_device must be set correctly. This was never done for this driver, so no video nodes were created anymore. Signed-off-by: Hans Verkuil Cc: # for v3.11 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a7c014143800a306ee4ee247481d453986cb82c8 Author: Mike Christie Date: Fri Apr 10 02:47:27 2015 -0500 iscsi target: fix oops when adding reject pdu [ Upstream commit b815fc12d4dd2b5586184fb4f867caff05a810d4 ] This fixes a oops due to a double list add when adding a reject PDU for iscsit_allocate_iovecs allocation failures. The cmd has already been added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call iscsit_reject_cmd. Note that for ERL0 the reject PDU is not actually sent, so this patch is not completely tested. Just verified we do not oops. The problem is the add reject functions return -1 which is returned all the way up to iscsi_target_rx_thread which for ERL0 will drop the connection. Signed-off-by: Mike Christie Cc: # v3.10+ Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit fe4a6fceff3949a6389c582ccedc393670355469 Author: Al Viro Date: Mon Apr 6 17:57:44 2015 -0400 ioctx_alloc(): fix vma (and file) leak on failure [ Upstream commit deeb8525f9bcea60f5e86521880c1161de7a5829 ] If we fail past the aio_setup_ring(), we need to destroy the mapping. We don't need to care about anybody having found ctx, or added requests to it, since the last failure exit is exactly the failure to make ctx visible to lookups. Reproducer (based on one by Joe Mario ): void count(char *p) { char s[80]; printf("%s: ", p); fflush(stdout); sprintf(s, "/bin/cat /proc/%d/maps|/bin/fgrep -c '/[aio] (deleted)'", getpid()); system(s); } int main() { io_context_t *ctx; int created, limit, i, destroyed; FILE *f; count("before"); if ((f = fopen("/proc/sys/fs/aio-max-nr", "r")) == NULL) perror("opening aio-max-nr"); else if (fscanf(f, "%d", &limit) != 1) fprintf(stderr, "can't parse aio-max-nr\n"); else if ((ctx = calloc(limit, sizeof(io_context_t))) == NULL) perror("allocating aio_context_t array"); else { for (i = 0, created = 0; i < limit; i++) { if (io_setup(1000, ctx + created) == 0) created++; } for (i = 0, destroyed = 0; i < created; i++) if (io_destroy(ctx[i]) == 0) destroyed++; printf("created %d, failed %d, destroyed %d\n", created, limit - created, destroyed); count("after"); } } Found-by: Joe Mario Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 67041680ff381e6e5ba8f9620695e79b512a01be Author: Al Viro Date: Wed Apr 8 17:00:32 2015 -0400 ocfs2: _really_ sync the right range [ Upstream commit 64b4e2526d1cf6e6a4db6213d6e2b6e6ab59479a ] "ocfs2 syncs the wrong range" had been broken; prior to it the code was doing the wrong thing in case of O_APPEND, all right, but _after_ it we were syncing the wrong range in 100% cases. *ppos, aka iocb->ki_pos is incremented prior to that point, so we are always doing sync on the area _after_ the one we'd written to. Spotted by Joseph Qi back in January; unfortunately, I'd missed his mail back then ;-/ Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit a260abd13313bc7b44e18c7ad8176d55b773ab38 Author: John Soni Jose Date: Thu Feb 12 06:45:47 2015 +0530 be2iscsi: Fix kernel panic when device initialization fails [ Upstream commit 2e7cee027b26cbe7e6685a7a14bd2850bfe55d33 ] Kernel panic was happening as iscsi_host_remove() was called on a host which was not yet added. Signed-off-by: John Soni Jose Reviewed-by: Mike Christie Cc: Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit 862158f2bba6497650cc441e3f97aeda07bf7071 Author: Rafael J. Wysocki Date: Tue Apr 7 01:07:39 2015 +0200 Revert "PM / hibernate: avoid unsafe pages in e820 reserved regions" [ Upstream commit f82daee49c09cf6a99c28303d93438a2566e5552 ] Commit 84c91b7ae07c (PM / hibernate: avoid unsafe pages in e820 reserved regions) is reported to make resume from hibernation on Lenovo x230 unreliable, so revert it. We will revisit the issue the commit in question was supposed to fix in the future. Link: https://bugzilla.kernel.org/show_bug.cgi?id=96111 Reported-by: rhn Cc: 3.17+ # 3.17+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0bc444b17344e40fec8c3c050189b5d99b7ca56c Author: Benjamin Herrenschmidt Date: Mon Mar 23 14:16:38 2015 +1100 drivers/of: Add empty ranges quirk for PA-Semi [ Upstream commit 41d9489319f28f06cf51731131bc353d5a6bce59 ] The "sdc" node is missing the ranges property, it needs to be treated as having an empty one otherwise translation fails for its children. Fixes 746c9e9f92dd, "of/base: Fix PowerPC address parsing hack" Tested-by: Steven Rostedt Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Grant Likely Cc: Stable # v3.18+ Signed-off-by: Sasha Levin commit 19d240f78b05816ce801b1ed65b9aa2582cec95b Author: Larry Finger Date: Sat Mar 21 15:16:05 2015 -0500 rtlwifi: Fix IOMMU mapping leak in AP mode [ Upstream commit be0b5e635883678bfbc695889772fed545f3427d ] Transmission of an AP beacon does not call the TX interrupt service routine, which usually does the cleanup. Instead, cleanup is handled in a tasklet completion routine. Unfortunately, this routine has a serious bug in that it does not release the DMA mapping before it frees the skb, thus one IOMMU mapping is leaked for each beacon. The test system failed with no free IOMMU mapping slots approximately one hour after hostapd was used to start an AP. This issue was reported and tested at https://github.com/lwfinger/rtlwifi_new/issues/30. Reported-and-tested-by: Kevin Mullican Cc: Kevin Mullican Signed-off-by: Shao Fu Signed-off-by: Larry Finger Cc: Stable [3.18+] Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit d29425669acc0d163a67fc8a19227599f772d22f Author: Alex Williamson Date: Wed Mar 4 11:30:10 2015 -0700 iommu/vt-d: Detach domain *only* from attached iommus [ Upstream commit 71684406905f98f86a85e008b51f5c4c5d83af5a ] Device domains never span IOMMU hardware units, which allows the domain ID space for each IOMMU to be an independent address space. Therefore we can have multiple, independent domains, each with the same domain->id, but attached to different hardware units. This is also why we need to do a heavy-weight search for VM domains since they can span multiple IOMMUs hardware units and we don't require a single global ID to use for all hardware units. Therefore, if we call iommu_detach_domain() across all active IOMMU hardware units for a non-VM domain, the result is that we clear domain IDs that are not associated with our domain, allowing them to be re-allocated and causing apparent coherency issues when the device cannot access IOVAs for the intended domain. This bug was introduced in commit fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make code symmetric for readability"), but is significantly exacerbated by the more recent commit 62c22167dd70 ("iommu/vt-d: Fix dmar_domain leak in iommu_attach_device") which calls domain_exit() more frequently to resolve a domain leak. Fixes: fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make code symmetric for readability") Signed-off-by: Alex Williamson Cc: Jiang Liu Cc: stable@vger.kernel.org # v3.17+ Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit e9c75e69d6f20cc14dd86eeab712226fd191015b Author: David Disseldorp Date: Fri Mar 13 14:20:29 2015 +0100 cifs: fix use-after-free bug in find_writable_file [ Upstream commit e1e9bda22d7ddf88515e8fe401887e313922823e ] Under intermittent network outages, find_writable_file() is susceptible to the following race condition, which results in a user-after-free in the cifs_writepages code-path: Thread 1 Thread 2 ======== ======== inv_file = NULL refind = 0 spin_lock(&cifs_file_list_lock) // invalidHandle found on openFileList inv_file = open_file // inv_file->count currently 1 cifsFileInfo_get(inv_file) // inv_file->count = 2 spin_unlock(&cifs_file_list_lock); cifs_reopen_file() cifs_close() // fails (rc != 0) ->cifsFileInfo_put() spin_lock(&cifs_file_list_lock) // inv_file->count = 1 spin_unlock(&cifs_file_list_lock) spin_lock(&cifs_file_list_lock); list_move_tail(&inv_file->flist, &cifs_inode->openFileList); spin_unlock(&cifs_file_list_lock); cifsFileInfo_put(inv_file); ->spin_lock(&cifs_file_list_lock) // inv_file->count = 0 list_del(&cifs_file->flist); // cleanup!! kfree(cifs_file); spin_unlock(&cifs_file_list_lock); spin_lock(&cifs_file_list_lock); ++refind; // refind = 1 goto refind_writable; At this point we loop back through with an invalid inv_file pointer and a refind value of 1. On second pass, inv_file is not overwritten on openFileList traversal, and is subsequently dereferenced. Signed-off-by: David Disseldorp Reviewed-by: Jeff Layton CC: Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 6bb88677e8e9a47b643ae03959f3a216d22432ac Author: Sachin Prabhu Date: Wed Feb 4 13:10:26 2015 +0000 cifs: smb2_clone_range() - exit on unhandled error [ Upstream commit 2477bc58d49edb1c0baf59df7dc093dce682af2b ] While attempting to clone a file on a samba server, we receive a STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which isn't handled in smb2_clone_range(). We end up looping in the while loop making same call to the samba server over and over again. The proposed fix is to exit and return the error value when encountered with an unhandled error. Cc: Signed-off-by: Sachin Prabhu Signed-off-by: Steve French Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 465dd8c0516a59cefe851ee4c57d53d54f7ef79a Author: Stefan Agner Date: Fri Mar 13 14:51:51 2015 +0100 tty: serial: fsl_lpuart: clear receive flag on FIFO flush [ Upstream commit 8e4934c6d6c659e22b1b746af4196683e77ce6ca ] When the receiver was enabled during startup, a character could have been in the FIFO when the UART get initially used. The driver configures the (receive) watermark level, and flushes the FIFO. However, the receive flag (RDRF) could still be set at that stage (as mentioned in the register description of UARTx_RWFIFO). This leads to an interrupt which won't be handled properly in interrupt mode: The receive interrupt function lpuart_rxint checks the FIFO count, which is 0 at that point (due to the flush during initialization). The problem does not manifest when using DMA to receive characters. Fix this situation by explicitly read the status register, which leads to clearing of the RDRF flag. Due to the flush just after the status flag read, a explicit data read is not to required. Signed-off-by: Stefan Agner Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit eed8dd7be5887f2715f22461dd3847dbe66843cb Author: Stefan Agner Date: Fri Mar 13 14:51:50 2015 +0100 tty: serial: fsl_lpuart: specify transmit FIFO size [ Upstream commit 4e8f245937091b2c9eebf3d4909c9ceda4f0a78e ] Specify transmit FIFO size which might be different depending on LPUART instance. This makes sure uart_wait_until_sent in serial core getting called, which in turn waits and checks if the FIFO is really empty on shutdown by using the tx_empty callback. Without the call of this callback, the last several characters might not yet be transmitted when closing the serial port. This can be reproduced by simply using echo and redirect the output to a ttyLP device. Signed-off-by: Stefan Agner Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3372538a5a104689aef9c9352c886aa7ea6ef7f4 Author: Lu Baolu Date: Mon Mar 23 18:27:42 2015 +0200 usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers [ Upstream commit 227a4fd801c8a9fa2c4700ab98ec1aec06e3b44d ] When a device with an isochronous endpoint is plugged into the Intel xHCI host controller, and the driver submits multiple frames per URB, the xHCI driver will set the Block Event Interrupt (BEI) flag on all but the last TD for the URB. This causes the host controller to place an event on the event ring, but not send an interrupt. When the last TD for the URB completes, BEI is cleared, and we get an interrupt for the whole URB. However, under Intel xHCI host controllers, if the event ring is full of events from transfers with BEI set, an "Event Ring is Full" event will be posted to the last entry of the event ring, but no interrupt is generated. Host will cease all transfer and command executions and wait until software completes handling the pending events in the event ring. That means xHC stops, but event of "event ring is full" is not notified. As the result, the xHC looks like dead to user. This patch is to apply XHCI_AVOID_BEI quirk to Intel xHC devices. And it should be backported to kernels as old as 3.0, that contains the commit 69e848c2090a ("Intel xhci: Support EHCI/xHCI port switching."). Signed-off-by: Lu Baolu Tested-by: Alistair Grant Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 83961c5495b591d4d6409b119f67c596a6bd6193 Author: Lu Baolu Date: Mon Mar 23 18:27:41 2015 +0200 usb: xhci: handle Config Error Change (CEC) in xhci driver [ Upstream commit 9425183d177aa4a2f09d01a74925124f0778b595 ] Linux xHCI driver doesn't report and handle port cofig error change. If Port Configure Error for root hub port occurs, CEC bit in PORTSC would be set by xHC and remains 1. This happends when the root port fails to configure its link partner, e.g. the port fails to exchange port capabilities information using Port Capability LMPs. Then the Port Status Change Events will be blocked until all status change bits(CEC is one of the change bits) are cleared('0') (refer to xHCI spec 4.19.2). Otherwise, the port status change event for this root port will not be generated anymore, then root port would look like dead for user and can't be recovered until a Host Controller Reset(HCRST). This patch is to check CEC bit in PORTSC in xhci_get_port_status() and set a Config Error in the return status if CEC is set. This will cause a ClearPortFeature request, where CEC bit is cleared in xhci_clear_port_change_bit(). [The commit log is based on initial Marvell patch posted at http://marc.info/?l=linux-kernel&m=142323612321434&w=2] Reported-by: Gregory CLEMENT Signed-off-by: Lu Baolu Cc: stable # v3.2+ Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ae0f5de3bbd931e0046f505f39daff158d0faa75 Author: Thomas Schlichter Date: Tue Mar 31 20:24:39 2015 +0200 cpuidle: ACPI: do not overwrite name and description of C0 [ Upstream commit c7e8bdf5872c5a8f5a6494e16fe839c38a0d3d3d ] Fix a bug that leads to showing the name and description of C-state C0 as "" in sysfs after the ACPI C-states changed (e.g. after AC->DC or DC->AC transition). The function poll_idle_init() in drivers/cpuidle/driver.c initializes the state 0 during cpuidle_register_driver(), so we better do not overwrite it again with '\0' during acpi_processor_cst_has_changed(). Signed-off-by: Thomas Schlichter Reviewed-by: Bartlomiej Zolnierkiewicz Cc: 3.13+ # 3.13+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8711912370919b58fdb61d6b47cee1b30926b489 Author: Bartlomiej Zolnierkiewicz Date: Tue Mar 31 20:15:09 2015 +0200 cpuidle: remove state_count field from struct cpuidle_device [ Upstream commit d75e4af14e228bbe3f86e29bcecb8e6be98d4e04 ] Thomas Schlichter reports the following issue on his Samsung NC20: "The C-states C1 and C2 to the OS when connected to AC, and additionally provides the C3 C-state when disconnected from AC. However, the number of C-states shown in sysfs is fixed to the number of C-states present at boot. If I boot with AC connected, I always only see the C-states up to C2 even if I disconnect AC. The reason is commit 130a5f692425 (ACPI / cpuidle: remove dev->state_count setting). It removes the update of dev->state_count, but sysfs uses exactly this variable to show the C-states. The fix is to use drv->state_count in sysfs. As this is currently the last user of dev->state_count, this variable can be completely removed." Remove dev->state_count as per the above. Reported-by: Thomas Schlichter Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Kyungmin Park Acked-by: Daniel Lezcano Cc: 3.14+ # 3.14+ [ rjw: Changelog ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit a32d3f403401705e40cacd8ca2a4eb7ff8d8fb69 Author: Andreas Werner Date: Sun Mar 22 17:35:52 2015 +0100 can: flexcan: Deferred on Regulator return EPROBE_DEFER [ Upstream commit 555828ef45f825d6ee06559f0304163550eed380 ] Return EPROBE_DEFER if Regulator returns EPROBE_DEFER If the Flexcan driver is built into kernel and a regulator is used to enable the CAN transceiver, the Flexcan driver may not use the regulator. When initializing the Flexcan device with a regulator defined in the device tree, but not initialized, the regulator subsystem returns EPROBE_DEFER, hence the Flexcan init fails. The solution for this is to return EPROBE_DEFER if regulator is not initialized and wait until the regulator is initialized. Signed-off-by: Andreas Werner Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 44d8cbece7820e5baa1c88dec45be400bfee42c7 Author: Stefan Lippers-Hollmann Date: Mon Mar 30 22:44:27 2015 +0200 x86/reboot: Add ASRock Q1900DC-ITX mainboard reboot quirk [ Upstream commit 80313b3078fcd2ca51970880d90757f05879a193 ] The ASRock Q1900DC-ITX mainboard (Baytrail-D) hangs randomly in both BIOS and UEFI mode while rebooting unless reboot=pci is used. Add a quirk to reboot via the pci method. The problem is very intermittent and hard to debug, it might succeed rebooting just fine 40 times in a row - but fails half a dozen times the next day. It seems to be slightly less common in BIOS CSM mode than native UEFI (with the CSM disabled), but it does happen in either mode. Since I've started testing this patch in late january, rebooting has been 100% reliable. Most of the time it already hangs during POST, but occasionally it might even make it through the bootloader and the kernel might even start booting, but then hangs before the mode switch. The same symptoms occur with grub-efi, gummiboot and grub-pc, just as well as (at least) kernel 3.16-3.19 and 4.0-rc6 (I haven't tried older kernels than 3.16). Upgrading to the most current mainboard firmware of the ASRock Q1900DC-ITX, version 1.20, does not improve the situation. ( Searching the web seems to suggest that other Bay Trail-D mainboards might be affected as well. ) -- Signed-off-by: Stefan Lippers-Hollmann Cc: Cc: Matt Fleming Link: http://lkml.kernel.org/r/20150330224427.0fb58e42@mir Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 7f67673653b889d7953cfd0cf95e91d6eed2e5d9 Author: Felix Fietkau Date: Thu Mar 12 17:17:18 2015 +0100 ath9k: fix tracking of enabled AP beacons [ Upstream commit 1cf48f22c98ae24a49a3f1b6900e4c9a9a0fcc62 ] sc->nbcnvifs tracks assigned beacon slots, not enabled beacons. Therefore, it cannot be used to decide if cur_conf->enable_beacon (bool) should be updated, or if beacons have been enabled already. With the current code (depending on the order of calls), beacons often do not get enabled in an AP+STA setup. To fix tracking of enabled beacons, convert cur_conf->enable_beacon to a bitmask of enabled beacon slots. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 9786bf2b3aae9e17ca706d4357fe2bc169aa41dd Author: Peter Ujfalusi Date: Fri Mar 27 13:35:52 2015 +0200 dmaengine: omap-dma: Fix memory leak when terminating running transfer [ Upstream commit 02d88b735f5a60f04dbf6d051b76e1877a0d0844 ] In omap_dma_start_desc the vdesc->node is removed from the virt-dma framework managed lists (to be precise from the desc_issued list). If a terminate_all comes before the transfer finishes the omap_desc will not be freed up because it is not in any of the lists and we stopped the DMA channel so the transfer will not going to complete. There is no special sequence for leaking memory when using cyclic (audio) transfer: with every start and stop of a cyclic transfer the driver leaks struct omap_desc worth of memory. Free up the allocated memory directly in omap_dma_terminate_all() since the framework will not going to do that for us. Signed-off-by: Peter Ujfalusi CC: CC: Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ba1d2d92c3dae111c25824f0f44405df455c9e4f Author: Petr Kulhavy Date: Fri Mar 27 13:35:51 2015 +0200 dmaengine: edma: fix memory leak when terminating running transfers [ Upstream commit 5ca9e7ce6eebec53362ff779264143860ccf68cd ] If edma_terminate_all() was called while a transfer was running (i.e. after edma_execute() but before edma_callback()) the echan->edesc was not freed. This was due to the fact that a running transfer is on none of the vchan lists: desc_submitted, desc_issued, desc_completed (edma_execute() removes it from the desc_issued list), so the vchan_dma_desc_free_list() called at the end of edma_terminate_all() didn't find it and didn't free it. This bug was found on an AM1808 based hardware (very similar to da850evm, however using the second MMC/SD controller), where intense operations on the SD card wasted the device 128MB RAM within a couple of days. Peter Ujfalusi: The issue is even more severe since it affects cyclic (audio) transfers as well. In this case starting/stopping audio will results memory leak. Signed-off-by: Petr Kulhavy Signed-off-by: Peter Ujfalusi CC: CC: Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit cfb769a843e50fd6d930a6655cdf2afd9bc0b0ab Author: Darshana Padmadas Date: Sat Mar 28 12:07:14 2015 +0530 iio: imu: Use iio_trigger_get for indio_dev->trig assignment [ Upstream commit 4ce7ca89d6e8eae9e201cd0e972ba323f33e2fb4 ] This patch uses iio_trigger_get to increment the reference count of trigger device, to avoid incorrect assignment. Can result in a null pointer dereference during removal if the trigger has been changed before removal. This patch refers to a similar situation encountered through the following discussion: http://www.spinics.net/lists/linux-iio/msg13669.html Signed-off-by: Darshana Padmadas Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit dcf72cd6133cd00f2cbdaf97a535187c222745c1 Author: Stefan Agner Date: Tue Mar 24 13:47:47 2015 +0100 iio: adc: vf610: use ADC clock within specification [ Upstream commit f54e9f2be312a4e71b54aea865b2e33ccb95ef0c ] Depending on conversion mode used, the ADC clock (ADCK) needs to be below a maximum frequency. According to Vybrid's data sheet this is 20MHz for the low power conversion mode. The ADC clock is depending on input clock, which is the bus clock by default. Vybrid SoC are typically clocked at at 400MHz or 500MHz, which leads to 66MHz or 83MHz bus clock respectively. Hence, a divider of 8 is required to stay below the specified maximum clock of 20MHz. Due to the different bus clock speeds, the resulting sampling frequency is not static. Hence use the ADC clock and calculate the actual available sampling frequency dynamically. This fixes bogous values observed on some 500MHz clocked Vybrid SoC. The resulting value usually showed Bit 9 being stuck at 1, or 0, which lead to a value of +/-512. Signed-off-by: Stefan Agner Acked-by: Fugang Duan Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 1930ba06ce4e609ffb57f8edb5e67c263ba629cf Author: Sathyanarayanan Kuppuswamy Date: Tue Mar 3 18:17:56 2015 +0200 iio: bmc150: change sampling frequency [ Upstream commit 0ba8da961bd868c67a8dae3dbbee145514515e9c ] Currently driver reports device bandwidth list as available sampling frequency. But sampling frequency is actually twice the device bandwidth. This patch fixes this issue. Signed-off-by: Sathyanarayanan Kuppuswamy Signed-off-by: Octavian Purdila Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 42ec319b4475d48340aedfd8ff9f14d5ae70c009 Author: Martin Fuzzey Date: Thu Feb 19 15:17:44 2015 +0100 iio: core: Fix double free. [ Upstream commit c1b03ab5e886760bdd38c9c7a27af149046ffe01 ] When an error occurred during event registration memory was freed twice resulting in kernel memory corruption and a crash in unrelated code. The problem was caused by iio_device_unregister_eventset() iio_device_unregister_sysfs() being called twice, once on the error path and then again via iio_dev_release(). Fix this by making these two functions idempotent so they may be called multiple times. The problem was observed before applying 78b33216 iio:core: Handle error when mask type is not separate Signed-off-by: Martin Fuzzey Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 382fd035e6c1eff2b807663bc5d4672408d31c53 Author: Viorel Suman Date: Wed Feb 18 20:05:21 2015 +0200 iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo [ Upstream commit 4dac0a8eefd55bb1f157d1a5a084531334a2d74c ] A hardware fifo reset always imply an invalidation of the existing timestamps, so we'll clear timestamps fifo on successfull hardware fifo reset. Signed-off-by: Viorel Suman Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit f37f8f40ba52cd90084dcc476c5a1a53fc9569c3 Author: Bart Van Assche Date: Wed Mar 4 10:31:47 2015 +0100 Defer processing of REQ_PREEMPT requests for blocked devices [ Upstream commit bba0bdd7ad4713d82338bcd9b72d57e9335a664b ] SCSI transport drivers and SCSI LLDs block a SCSI device if the transport layer is not operational. This means that in this state no requests should be processed, even if the REQ_PREEMPT flag has been set. This patch avoids that a rescan shortly after a cable pull sporadically triggers the following kernel oops: BUG: unable to handle kernel paging request at ffffc9001a6bc084 IP: [] mlx4_ib_post_send+0xd2/0xb30 [mlx4_ib] Process rescan-scsi-bus (pid: 9241, threadinfo ffff88053484a000, task ffff880534aae100) Call Trace: [] srp_post_send+0x65/0x70 [ib_srp] [] srp_queuecommand+0x1cf/0x3e0 [ib_srp] [] scsi_dispatch_cmd+0x101/0x280 [scsi_mod] [] scsi_request_fn+0x411/0x4d0 [scsi_mod] [] __blk_run_queue+0x27/0x30 [] blk_execute_rq_nowait+0x82/0x110 [] blk_execute_rq+0x62/0xf0 [] scsi_execute+0xe8/0x190 [scsi_mod] [] scsi_execute_req+0xa3/0x130 [scsi_mod] [] scsi_probe_lun+0x17a/0x450 [scsi_mod] [] scsi_probe_and_add_lun+0x156/0x480 [scsi_mod] [] __scsi_scan_target+0xdf/0x1f0 [scsi_mod] [] scsi_scan_host_selected+0x183/0x1c0 [scsi_mod] [] scsi_scan+0xdb/0xe0 [scsi_mod] [] store_scan+0x13/0x20 [scsi_mod] [] sysfs_write_file+0xcb/0x160 [] vfs_write+0xce/0x140 [] sys_write+0x53/0xa0 [] system_call_fastpath+0x16/0x1b [<00007f611c9d9300>] 0x7f611c9d92ff Reported-by: Max Gurtuvoy Signed-off-by: Bart Van Assche Reviewed-by: Mike Christie Cc: Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit 4893f8b26f9e28f62ea04b835a412c662d98ceff Author: Doug Goldstein Date: Mon Mar 23 20:34:48 2015 -0500 USB: ftdi_sio: Use jtag quirk for SNAP Connect E10 [ Upstream commit b229a0f840f774d29d8fedbf5deb344ca36b7f1a ] This patch uses the existing CALAO Systems ftdi_8u2232c_probe in order to avoid attaching a TTY to the JTAG port as this board is based on the CALAO Systems reference design and needs the same fix up. Signed-off-by: Doug Goldstein CC: stable [johan: clean up probe logic ] Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 5134850530503210f980e8bf0116803bc6fcaf08 Author: Doug Goldstein Date: Sun Mar 15 21:56:04 2015 -0500 USB: ftdi_sio: Added custom PID for Synapse Wireless product [ Upstream commit 4899c054a90439477b24da8977db8d738376fe90 ] Synapse Wireless uses the FTDI VID with a custom PID of 0x9090 for their SNAP Stick 200 product. Signed-off-by: Doug Goldstein Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit b8cfabf90cf958f189e13393a93ed5065d172c1b Author: Nathaniel W Filardo Date: Mon Mar 16 11:19:55 2015 -0400 USB: keyspan_pda: add new device id [ Upstream commit 5e71fc8629cefae5f3c1a4f498de3fe4f631924a ] Add USB VID/PID for Xircom PGMFHUB USB/serial component. (The hub and SCSI bridge on that hardware are recognized out of the box by existing drivers.) Tested VID/PID using new_id and loopback connection and was met with success, but that's all the testing done. Signed-off-by: Nathaniel Wesley Filardo Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit fde250a51c287ddcbc6dbdcca70ae00c5b7180fd Author: David Miller Date: Wed Mar 18 23:18:40 2015 -0400 radeon: Do not directly dereference pointers to BIOS area. [ Upstream commit f2c9e560b406f2f6b14b345c7da33467dee9cdf2 ] Use readb() and memcpy_fromio() accessors instead. Reviewed-by: Christian König Signed-off-by: David S. Miller Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 51e17d281aa79b433584d5617365f60c44cee193 Author: Tejun Heo Date: Mon Mar 23 00:18:48 2015 -0400 writeback: fix possible underflow in write bandwidth calculation [ Upstream commit c72efb658f7c8b27ca3d0efb5cfd5ded9fcac89e ] From 1ebf33901ecc75d9496862dceb1ef0377980587c Mon Sep 17 00:00:00 2001 From: Tejun Heo Date: Mon, 23 Mar 2015 00:08:19 -0400 2f800fbd777b ("writeback: fix dirtied pages accounting on redirty") introduced account_page_redirty() which reverts stat updates for a redirtied page, making BDI_DIRTIED no longer monotonically increasing. bdi_update_write_bandwidth() uses the delta in BDI_DIRTIED as the basis for bandwidth calculation. While unlikely, since the above patch, the newer value may be lower than the recorded past value and underflow the bandwidth calculation leading to a wild result. Fix it by subtracing min of the old and new values when calculating delta. AFAIK, there hasn't been any report of it happening but the resulting erratic behavior would be non-critical and temporary, so it's possible that the issue is happening without being reported. The risk of the fix is very low, so tagged for -stable. Signed-off-by: Tejun Heo Cc: Jens Axboe Cc: Jan Kara Cc: Wu Fengguang Cc: Greg Thelen Fixes: 2f800fbd777b ("writeback: fix dirtied pages accounting on redirty") Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5988107861deabd508d34e293ca67102a4718cd1 Author: Tejun Heo Date: Wed Mar 4 10:37:43 2015 -0500 writeback: add missing INITIAL_JIFFIES init in global_update_bandwidth() [ Upstream commit 7d70e15480c0450d2bfafaad338a32e884fc215e ] global_update_bandwidth() uses static variable update_time as the timestamp for the last update but forgets to initialize it to INITIALIZE_JIFFIES. This means that global_dirty_limit will be 5 mins into the future on 32bit and some large amount jiffies into the past on 64bit. This isn't critical as the only effect is that global_dirty_limit won't be updated for the first 5 mins after booting on 32bit machines, especially given the auxiliary nature of global_dirty_limit's role - protecting against global dirty threshold's sudden dips; however, it does lead to unintended suboptimal behavior. Fix it. Fixes: c42843f2f0bb ("writeback: introduce smoothed global dirty limit") Signed-off-by: Tejun Heo Acked-by: Jan Kara Cc: Wu Fengguang Cc: Jens Axboe Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5f44e3971fd6c83677a844f396a9e57b179e266f Author: Viresh Kumar Date: Thu Apr 2 10:21:33 2015 +0530 cpufreq: Schedule work for the first-online CPU on resume [ Upstream commit c75de0ac0756d4b442f460e10461720c7c2412c2 ] All CPUs leaving the first-online CPU are hotplugged out on suspend and and cpufreq core stops managing them. On resume, we need to call cpufreq_update_policy() for this CPU's policy to make sure its frequency is in sync with cpufreq's cached value, as it might have got updated by hardware during suspend/resume. The policies are always added to the top of the policy-list. So, in normal circumstances, CPU 0's policy will be the last one in the list. And so the code checks for the last policy. But there are cases where it will fail. Consider quad-core system, with policy-per core. If CPU0 is hotplugged out and added back again, the last policy will be on CPU1 :( To fix this in a proper way, always look for the policy of the first online CPU. That way we will be sure that we are calling cpufreq_update_policy() for the only CPU that wasn't hotplugged out. Cc: 3.15+ # 3.15+ Fixes: 2f0aea936360 ("cpufreq: suspend governors on system suspend/hibernate") Reported-by: Saravana Kannan Signed-off-by: Viresh Kumar Acked-by: Saravana Kannan Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 42d921d36be6e0d315d1354921eaf0813544267c Author: Brian Silverman Date: Wed Feb 18 16:23:56 2015 -0800 sched: Fix RLIMIT_RTTIME when PI-boosting to RT [ Upstream commit 746db9443ea57fd9c059f62c4bfbf41cf224fe13 ] When non-realtime tasks get priority-inheritance boosted to a realtime scheduling class, RLIMIT_RTTIME starts to apply to them. However, the counter used for checking this (the same one used for SCHED_RR timeslices) was not getting reset. This meant that tasks running with a non-realtime scheduling class which are repeatedly boosted to a realtime one, but never block while they are running realtime, eventually hit the timeout without ever running for a time over the limit. This patch resets the realtime timeslice counter when un-PI-boosting from an RT to a non-RT scheduling class. I have some test code with two threads and a shared PTHREAD_PRIO_INHERIT mutex which induces priority boosting and spins while boosted that gets killed by a SIGXCPU on non-fixed kernels but doesn't with this patch applied. It happens much faster with a CONFIG_PREEMPT_RT kernel, and does happen eventually with PREEMPT_VOLUNTARY kernels. Signed-off-by: Brian Silverman Signed-off-by: Peter Zijlstra (Intel) Cc: austin@peloton-tech.com Cc: Link: http://lkml.kernel.org/r/1424305436-6716-1-git-send-email-brian@peloton-tech.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit a38edfb21325d2397dc08c76258682a8b7a51028 Author: Laura Abbott Date: Wed Mar 25 15:55:26 2015 -0700 mm/page_alloc.c: call kernel_map_pages in unset_migrateype_isolate [ Upstream commit cfa869438282be84ad4110bba5027ef1fbbe71e4 ] Commit 3c605096d315 ("mm/page_alloc: restrict max order of merging on isolated pageblock") changed the logic of unset_migratetype_isolate to check the buddy allocator and explicitly call __free_pages to merge. The page that is being freed in this path never had prep_new_page called so set_page_refcounted is called explicitly but there is no call to kernel_map_pages. With the default kernel_map_pages this is mostly harmless but if kernel_map_pages does any manipulation of the page tables (unmapping or setting pages to read only) this may trigger a fault: alloc_contig_range test_pages_isolated(ceb00, ced00) failed Unable to handle kernel paging request at virtual address ffffffc0cec00000 pgd = ffffffc045fc4000 [ffffffc0cec00000] *pgd=0000000000000000 Internal error: Oops: 9600004f [#1] PREEMPT SMP Modules linked in: exfatfs CPU: 1 PID: 23237 Comm: TimedEventQueue Not tainted 3.10.49-gc72ad36-dirty #1 task: ffffffc03de52100 ti: ffffffc015388000 task.ti: ffffffc015388000 PC is at memset+0xc8/0x1c0 LR is at kernel_map_pages+0x1ec/0x244 Fix this by calling kernel_map_pages to ensure the page is set in the page table properly Fixes: 3c605096d315 ("mm/page_alloc: restrict max order of merging on isolated pageblock") Signed-off-by: Laura Abbott Cc: Naoya Horiguchi Cc: Mel Gorman Acked-by: Rik van Riel Cc: Yasuaki Ishimatsu Cc: Zhang Yanfei Cc: Xishi Qiu Cc: Vladimir Davydov Acked-by: Joonsoo Kim Cc: Gioh Kim Cc: Michal Nazarewicz Cc: Marek Szyprowski Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ec4db2665afe7cf1f903fa9bc4e924164813cc2d Author: Gu Zheng Date: Wed Mar 25 15:55:20 2015 -0700 mm/memory hotplug: postpone the reset of obsolete pgdat [ Upstream commit b0dc3a342af36f95a68fe229b8f0f73552c5ca08 ] Qiu Xishi reported the following BUG when testing hot-add/hot-remove node under stress condition: BUG: unable to handle kernel paging request at 0000000000025f60 IP: next_online_pgdat+0x1/0x50 PGD 0 Oops: 0000 [#1] SMP ACPI: Device does not support D3cold Modules linked in: fuse nls_iso8859_1 nls_cp437 vfat fat loop dm_mod coretemp mperf crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 pcspkr microcode igb dca i2c_algo_bit ipv6 megaraid_sas iTCO_wdt i2c_i801 i2c_core iTCO_vendor_support tg3 sg hwmon ptp lpc_ich pps_core mfd_core acpi_pad rtc_cmos button ext3 jbd mbcache sd_mod crc_t10dif scsi_dh_alua scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh ahci libahci libata scsi_mod [last unloaded: rasf] CPU: 23 PID: 238 Comm: kworker/23:1 Tainted: G O 3.10.15-5885-euler0302 #1 Hardware name: HUAWEI TECHNOLOGIES CO.,LTD. Huawei N1/Huawei N1, BIOS V100R001 03/02/2015 Workqueue: events vmstat_update task: ffffa800d32c0000 ti: ffffa800d32ae000 task.ti: ffffa800d32ae000 RIP: 0010: next_online_pgdat+0x1/0x50 RSP: 0018:ffffa800d32afce8 EFLAGS: 00010286 RAX: 0000000000001440 RBX: ffffffff81da53b8 RCX: 0000000000000082 RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000000 RBP: ffffa800d32afd28 R08: ffffffff81c93bfc R09: ffffffff81cbdc96 R10: 00000000000040ec R11: 00000000000000a0 R12: ffffa800fffb3440 R13: ffffa800d32afd38 R14: 0000000000000017 R15: ffffa800e6616800 FS: 0000000000000000(0000) GS:ffffa800e6600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000025f60 CR3: 0000000001a0b000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: refresh_cpu_vm_stats+0xd0/0x140 vmstat_update+0x11/0x50 process_one_work+0x194/0x3d0 worker_thread+0x12b/0x410 kthread+0xc6/0xd0 ret_from_fork+0x7c/0xb0 The cause is the "memset(pgdat, 0, sizeof(*pgdat))" at the end of try_offline_node, which will reset all the content of pgdat to 0, as the pgdat is accessed lock-free, so that the users still using the pgdat will panic, such as the vmstat_update routine. process A: offline node XX: vmstat_updat() refresh_cpu_vm_stats() for_each_populated_zone() find online node XX cond_resched() offline cpu and memory, then try_offline_node() node_set_offline(nid), and memset(pgdat, 0, sizeof(*pgdat)) zone = next_zone(zone) pg_data_t *pgdat = zone->zone_pgdat; // here pgdat is NULL now next_online_pgdat(pgdat) next_online_node(pgdat->node_id); // NULL pointer access So the solution here is postponing the reset of obsolete pgdat from try_offline_node() to hotadd_new_pgdat(), and just resetting pgdat->nr_zones and pgdat->classzone_idx to be 0 rather than the memset 0 to avoid breaking pointer information in pgdat. Signed-off-by: Gu Zheng Reported-by: Xishi Qiu Suggested-by: KAMEZAWA Hiroyuki Cc: David Rientjes Cc: Yasuaki Ishimatsu Cc: Taku Izumi Cc: Tang Chen Cc: Xie XiuQi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 5bc650f06fd2d90c03c42e2b48089b6d79cf1422 Author: Leon Yu Date: Wed Mar 25 15:55:11 2015 -0700 mm: fix anon_vma->degree underflow in anon_vma endless growing prevention [ Upstream commit 3fe89b3e2a7bbf3e97657104b9b33a9d81b950b3 ] I have constantly stumbled upon "kernel BUG at mm/rmap.c:399!" after upgrading to 3.19 and had no luck with 4.0-rc1 neither. So, after looking into new logic introduced by commit 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy"), I found chances are that unlink_anon_vmas() is called without incrementing dst->anon_vma->degree in anon_vma_clone() due to allocation failure. If dst->anon_vma is not NULL in error path, its degree will be incorrectly decremented in unlink_anon_vmas() and eventually underflow when exiting as a result of another call to unlink_anon_vmas(). That's how "kernel BUG at mm/rmap.c:399!" is triggered for me. This patch fixes the underflow by dropping dst->anon_vma when allocation fails. It's safe to do so regardless of original value of dst->anon_vma because dst->anon_vma doesn't have valid meaning if anon_vma_clone() fails. Besides, callers don't care dst->anon_vma in such case neither. Also suggested by Michal Hocko, we can clean up vma_adjust() a bit as anon_vma_clone() now does the work. [akpm@linux-foundation.org: tweak comment] Fixes: 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy") Signed-off-by: Leon Yu Signed-off-by: Konstantin Khlebnikov Reviewed-by: Michal Hocko Acked-by: Rik van Riel Acked-by: David Rientjes Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f94faaaa99294f0165dc08dcc8b1e20e9f87a8d8 Author: Konstantin Khlebnikov Date: Sun Jan 11 16:54:06 2015 +0300 mm: fix corner case in anon_vma endless growing prevention [ Upstream commit b800c91a0517071156e772d4fb329ad33590da62 ] Fix for BUG_ON(anon_vma->degree) splashes in unlink_anon_vmas() ("kernel BUG at mm/rmap.c:399!") caused by commit 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy") Anon_vma_clone() is usually called for a copy of source vma in destination argument. If source vma has anon_vma it should be already in dst->anon_vma. NULL in dst->anon_vma is used as a sign that it's called from anon_vma_fork(). In this case anon_vma_clone() finds anon_vma for reusing. Vma_adjust() calls it differently and this breaks anon_vma reusing logic: anon_vma_clone() links vma to old anon_vma and updates degree counters but vma_adjust() overrides vma->anon_vma right after that. As a result final unlink_anon_vmas() decrements degree for wrong anon_vma. This patch assigns ->anon_vma before calling anon_vma_clone(). Signed-off-by: Konstantin Khlebnikov Reported-and-tested-by: Chris Clayton Reported-and-tested-by: Oded Gabbay Reported-and-tested-by: Chih-Wei Huang Acked-by: Rik van Riel Acked-by: Vlastimil Babka Cc: Daniel Forrest Cc: Michal Hocko Cc: stable@vger.kernel.org # to match back-porting of 7a3ef208e662 Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 3f1618006bca4f51fd1f6766cab88bb499af06b7 Author: Konstantin Khlebnikov Date: Thu Jan 8 14:32:15 2015 -0800 mm: prevent endless growth of anon_vma hierarchy [ Upstream commit 7a3ef208e662f4b63d43a23f61a64a129c525bbc ] Constantly forking task causes unlimited grow of anon_vma chain. Each next child allocates new level of anon_vmas and links vma to all previous levels because pages might be inherited from any level. This patch adds heuristic which decides to reuse existing anon_vma instead of forking new one. It adds counter anon_vma->degree which counts linked vmas and directly descending anon_vmas and reuses anon_vma if counter is lower than two. As a result each anon_vma has either vma or at least two descending anon_vmas. In such trees half of nodes are leafs with alive vmas, thus count of anon_vmas is no more than two times bigger than count of vmas. This heuristic reuses anon_vmas as few as possible because each reuse adds false aliasing among vmas and rmap walker ought to scan more ptes when it searches where page is might be mapped. Link: http://lkml.kernel.org/r/20120816024610.GA5350@evergreen.ssec.wisc.edu Fixes: 5beb49305251 ("mm: change anon_vma linking to fix multi-process server scalability issue") [akpm@linux-foundation.org: fix typo, per Rik] Signed-off-by: Konstantin Khlebnikov Reported-by: Daniel Forrest Tested-by: Michal Hocko Tested-by: Jerome Marchand Reviewed-by: Michal Hocko Reviewed-by: Rik van Riel Cc: [2.6.34+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f68391eb9bfd80cc898b07e71ed400d7e0c0f91a Author: Johannes Berg Date: Wed Apr 1 14:20:42 2015 +0200 mac80211: fix RX A-MPDU session reorder timer deletion [ Upstream commit 788211d81bfdf9b6a547d0530f206ba6ee76b107 ] There's an issue with the way the RX A-MPDU reorder timer is deleted that can cause a kernel crash like this: * tid_rx is removed - call_rcu(ieee80211_free_tid_rx) * station is destroyed * reorder timer fires before ieee80211_free_tid_rx() runs, accessing the station, thus potentially crashing due to the use-after-free The station deletion is protected by synchronize_net(), but that isn't enough -- ieee80211_free_tid_rx() need not have run when that returns (it deletes the timer.) We could use rcu_barrier() instead of synchronize_net(), but that's much more expensive. Instead, to fix this, add a field tracking that the session is being deleted. In this case, the only re-arming of the timer happens with the reorder spinlock held, so make that code not rearm it if the session is being deleted and also delete the timer after setting that field. This ensures the timer cannot fire after ___ieee80211_stop_rx_ba_session() returns, which fixes the problem. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 4f33d5001b3e25e89e29277c85b954f9a2f75248 Author: Sudip Mukherjee Date: Tue Jan 27 18:08:22 2015 +0530 nbd: fix possible memory leak [ Upstream commit ff6b8090e26ef7649ef0cc6b42389141ef48b0cf ] we have already allocated memory for nbd_dev, but we were not releasing that memory and just returning the error value. Signed-off-by: Sudip Mukherjee Acked-by: Paul Clements Cc: Signed-off-by: Markus Pargmann Signed-off-by: Sasha Levin commit 43d9ca6b598118b0257180f6fa36b7486eef057f Author: Paul Clarke Date: Fri Feb 20 11:13:33 2015 -0600 powerpc: Re-enable dynticks [ Upstream commit fea559f303567e558bfab9c8ba4a2af5b309205a ] Implement arch_irq_work_has_interrupt() for powerpc Commit 9b01f5bf3 introduced a dependency on "IRQ work self-IPIs" for full dynamic ticks to be enabled, by expecting architectures to implement a suitable arch_irq_work_has_interrupt() routine. Several arches have implemented this routine, including x86 (3010279f) and arm (09f6edd4), but powerpc was omitted. This patch implements this routine for powerpc. The symptom, at boot (on powerpc systems) with "nohz_full=" is displayed: NO_HZ: Can't run full dynticks because arch doesn't support irq work self-IPIs after this patch: NO_HZ: Full dynticks CPUs: . Tested against 3.19. powerpc implements "IRQ work self-IPIs" by setting the decrementer to 1 in arch_irq_work_raise(), which causes a decrementer exception on the next timebase tick. We then handle the work in __timer_interrupt(). CC: Frederic Weisbecker Signed-off-by: Paul A. Clarke Reviewed-by: Paul E. McKenney [mpe: Flesh out change log, fix ws & include guards, remove include of processor.h] Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 70213cdd6bf259a1844a7498e360cc1adbd5c306 Author: Jan Stancek Date: Tue Mar 31 18:11:46 2015 +0200 powerpc: fix memory corruption by pnv_alloc_idle_core_states [ Upstream commit d52356e7f48e400ca258c6763a232a92fa82ff68 ] Space allocated for paca is based off nr_cpu_ids, but pnv_alloc_idle_core_states() iterates paca with cpu_nr_cores()*threads_per_core, which is using NR_CPUS. This causes pnv_alloc_idle_core_states() to write over memory, which is outside of paca array and may later lead to various panics. Fixes: 7cba160ad789 (powernv/cpuidle: Redesign idle states management) Signed-off-by: Jan Stancek Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 604696d8b5d9ebf2f5af9bf46ac76519b831435f Author: J. Bruce Fields Date: Mon Mar 23 11:02:30 2015 -0400 nfsd: return correct lockowner when there is a race on hash insert [ Upstream commit 340f0ba1c6c8412aa35fd6476044836b84361ea6 ] alloc_init_lock_stateowner can return an already freed entry if there is a race to put openowners in the hashtable. Noticed by inspection after Jeff Layton fixed the same bug for open owners. Depending on client behavior, this one may be trickier to trigger in practice. Fixes: c58c6610ec24 "nfsd: Protect adding/removing lock owners using client_lock" Cc: Cc: Trond Myklebust Acked-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 5a472b11c0afd6457e4f4222083efa1536562496 Author: Jeff Layton Date: Mon Mar 23 10:53:42 2015 -0400 nfsd: return correct openowner when there is a race to put one in the hash [ Upstream commit c5952338bfc234e54deda45b7228f610a545e28a ] alloc_init_open_stateowner can return an already freed entry if there is a race to put openowners in the hashtable. In commit 7ffb588086e9, we changed it so that we allocate and initialize an openowner, and then check to see if a matching one got stuffed into the hashtable in the meantime. If it did, then we free the one we just allocated and take a reference on the one already there. There is a bug here though. The code will then return the pointer to the one that was allocated (and has now been freed). This wasn't evident before as this race almost never occurred. The Linux kernel client used to serialize requests for a single openowner. That has changed now with v4.0 kernels, and this race can now easily occur. Fixes: 7ffb588086e9 Cc: # v3.17+ Cc: Trond Myklebust Reported-by: Christoph Hellwig Reviewed-by: Christoph Hellwig Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 76569d5333ee28b64ea5f772b24adecba952c047 Author: Juergen Gross Date: Fri Mar 20 13:55:39 2015 +0100 xen/balloon: before adding hotplugged memory, set frames to invalid [ Upstream commit 3c56b3a12ce52f361468cbdd2f79b2f3b8da0ea6 ] Commit 25b884a83d487fd62c3de7ac1ab5549979188482 ("x86/xen: set regions above the end of RAM as 1:1") introduced a regression. To be able to add memory pages which were added via memory hotplug to a pv domain, the pages must be "invalid" instead of "identity" in the p2m list before they can be added. Suggested-by: David Vrabel Signed-off-by: Juergen Gross Cc: # 3.16+ Reviewed-by: Daniel Kiper Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit 3b73092996411f0e4c4507f412b56e2974799194 Author: Emmanuel Grumbach Date: Mon Mar 16 09:08:07 2015 +0200 iwlwifi: dvm: run INIT firmware again upon .start() [ Upstream commit 9c8928f5176766bec79f272bd47b7124e11cccbd ] The assumption before this patch was that we don't need to run again the INIT firmware after the system booted. The INIT firmware runs calibrations which impact the physical layer's behavior. Users reported that it may be helpful to run these calibrations again every time the interface is brought up. The penatly is minimal, since the calibrations run fast. This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=94341 CC: Signed-off-by: Emmanuel Grumbach Signed-off-by: Sasha Levin commit 9b233a2fb7823cbbf0adeaf50586cef471da6bc7 Author: Shachar Raindel Date: Wed Mar 18 17:39:08 2015 +0000 IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic [ Upstream commit 8494057ab5e40df590ef6ef7d66324d3ae33356b ] Properly verify that the resulting page aligned end address is larger than both the start address and the length of the memory area requested. Both the start and length arguments for ib_umem_get are controlled by the user. A misbehaving user can provide values which will cause an integer overflow when calculating the page aligned end address. This overflow can cause also miscalculation of the number of pages mapped, and additional logic issues. Addresses: CVE-2014-8159 Cc: Signed-off-by: Shachar Raindel Signed-off-by: Jack Morgenstein Signed-off-by: Or Gerlitz Signed-off-by: Roland Dreier Signed-off-by: Sasha Levin commit b3d55b2f8587c96f82878b984383390509dd9a05 Author: David Sterba Date: Fri Jan 2 19:12:57 2015 +0100 btrfs: simplify insert_orphan_item [ Upstream commit 9c4f61f01d269815bb7c37be3ede59c5587747c6 ] We can search and add the orphan item in one go, btrfs_insert_orphan_item will find out if the item already exists. Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 171c32b52ffc589df108ea24de1a07ade16e7195 Author: Daniel Vetter Date: Tue Feb 10 23:12:27 2015 +0100 drm/i915: Align initial plane backing objects correctly [ Upstream commit f37b5c2be8979993efee2da50b51126e3908eb8b ] Some bios really like to joke and start the planes at an offset ... hooray! Align start and end to fix this. v2: Fixup calculation of size, spotted by Chris Wilson. v3: Fix serious fumble I've just spotted. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86883 Cc: stable@vger.kernel.org Cc: Johannes W Cc: Chris Wilson Cc: Jani Nikula Reported-and-tested-by: Johannes W Signed-off-by: Daniel Vetter [Jani: split WARN_ONs, rebase on v4.0-rc1] Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit fea8f8a4c5978ad2881f18786436f8891df942aa Author: Jesse Barnes Date: Wed Apr 1 14:22:58 2015 -0700 drm/i915/vlv: remove wait for previous GFX clk disable request [ Upstream commit 5df0582bf036bb5f9a8ad8db5884fe13a55347d1 ] Looks like it was introduced in: commit 650ad970a39f8b6164fe8613edc150f585315289 Author: Imre Deak Date: Fri Apr 18 16:35:02 2014 +0300 drm/i915: vlv: factor out vlv_force_gfx_clock and check for pending force-of but I'm not sure why. It has caused problems for us in the past (see 85250ddff7a6 "drm/i915/chv: Remove Wait for a previous gfx force-off" and 8d4eee9cd7a1 "drm/i915: vlv: increase timeout when forcing on the GFX clock") and doesn't seem to be required, so let's just drop it. References: https://bugs.freedesktop.org/show_bug.cgi?id=89611 Signed-off-by: Jesse Barnes Tested-by: Darren Hart Reviewed-by: Deepak S Cc: stable@vger.kernel.org # c9c52e24194a: drm/i915/chv: Remove Wait ... Cc: stable@vger.kernel.org Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit 498ddc6f734ac5c5ff6dba058f8544cd3607400e Author: Jesse Barnes Date: Wed Apr 1 14:22:57 2015 -0700 drm/i915/vlv: save/restore the power context base reg [ Upstream commit 9c25210fd30991e68f93e2ec0857de2d967b5766 ] Some BIOSes (e.g. the one on the Minnowboard) don't save/restore this reg. If it's unlocked, we can just restore the previous value, and if it's locked (in case the BIOS re-programmed it for us) the write will be ignored and we'll still have "did it move" sanity check in the PM code to warn us if something is still amiss. References: https://bugs.freedesktop.org/show_bug.cgi?id=89611 Signed-off-by: Jesse Barnes Tested-by: Darren Hart Cc: stable@vger.kernel.org Reviewed-by: Imre Deak Reviewed-by: Deepak S Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit a8c89064e3140eeee44f0a743acc4719657ceed5 Author: Deepak S Date: Sat Mar 28 15:23:34 2015 +0530 drm/i915/vlv: remove wait for previous GFX clk disable request [ Upstream commit 5df0582bf036bb5f9a8ad8db5884fe13a55347d1 ] Looks like it was introduced in: commit 650ad970a39f8b6164fe8613edc150f585315289 Author: Imre Deak Date: Fri Apr 18 16:35:02 2014 +0300 drm/i915: vlv: factor out vlv_force_gfx_clock and check for pending force-of but I'm not sure why. It has caused problems for us in the past (see 85250ddff7a6 "drm/i915/chv: Remove Wait for a previous gfx force-off" and 8d4eee9cd7a1 "drm/i915: vlv: increase timeout when forcing on the GFX clock") and doesn't seem to be required, so let's just drop it. References: https://bugs.freedesktop.org/show_bug.cgi?id=89611 Signed-off-by: Jesse Barnes Tested-by: Darren Hart Reviewed-by: Deepak S Cc: stable@vger.kernel.org # c9c52e24194a: drm/i915/chv: Remove Wait ... Cc: stable@vger.kernel.org Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit 642069bc2effc27ac9396e1bfd30a8d8893b1501 Author: Christian König Date: Tue Mar 31 17:36:58 2015 +0200 drm/radeon: fix wait in radeon_mn_invalidate_range_start [ Upstream commit 22e2e86560c5fca6f9b9d078f221fcdab9947a5e ] We need to wait for all fences, not just the exclusive one. Signed-off-by: Christian König Cc: Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 529797cb41e19799532231314fdf6b29e43ca892 Author: Christian König Date: Tue Mar 31 17:36:57 2015 +0200 drm/radeon: add extra check in radeon_ttm_tt_unpin_userptr [ Upstream commit 863653fed0f449fb738295255cc834b271cfa088 ] We somehow try to free the SG table twice. Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=89734 Signed-off-by: Christian König Cc: Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2cd4d4120f6d7f49732a27db640771f9d510e476 Author: Alex Deucher Date: Wed Mar 18 17:05:10 2015 -0400 drm/radeon/dpm: fix 120hz handling harder [ Upstream commit 3899ca844b82fb201fb764f56eec483acb59a29c ] Need to expand the check to handle short circuiting if the selected state is the same as current state. bug: https://bugs.freedesktop.org/show_bug.cgi?id=87796 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 19f2e4b1c2dbf24ba0c2cb7e36476fe2a9f3c0b0 Author: Ville Syrjälä Date: Fri Mar 27 19:59:40 2015 +0200 drm/i915: Reject the colorkey ioctls for primary and cursor planes [ Upstream commit 840a1cf0cd533f30da792527ca5ff6a023d4a727 ] The legcy colorkey ioctls are only implemented for sprite planes, so reject the ioctl for primary/cursor planes. If we want to support colorkeying with these planes (assuming we have hw support of course) we should just move ahead with the colorkey property conversion. Testcase: kms_legacy_colorkey Cc: Tommi Rantala Cc: stable@vger.kernel.org Reference: http://mid.gmane.org/CA+ydwtr+bCo7LJ44JFmUkVRx144UDFgOS+aJTfK6KHtvBDVuAw@mail.gmail.com Reported-and-tested-by: Tommi Rantala Signed-off-by: Ville Syrjälä Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit ed40507c15a3c67d51d38970717f53e22ecb1e42 Author: Jani Nikula Date: Thu Mar 26 10:42:00 2015 +0200 drm/edid: set ELD for firmware and debugfs override EDIDs [ Upstream commit ad692b46dbf122ef90aadce3b389ef64c90e861d ] If the user supplies EDID through firmware or debugfs override, the driver callbacks are bypassed and the connector ELD does not get updated, and audio fails. Set ELD for firmware and debugfs EDIDs too. There should be no harm in gratuitously doing this for non HDMI/DP connectors, as it's still up to the driver to use the ELD, if any. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=82349 Reference: https://bugs.freedesktop.org/show_bug.cgi?id=80691 Reported-by: Emil Reported-by: Rob Engle Tested-by: Jolan Luff Reviewed-by: Daniel Vetter Cc: stable@vger.kernel.org Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit aa8c34007442353281bb3a6f7372efc2556e3867 Author: Daniel Vetter Date: Fri Feb 27 12:58:13 2015 +0100 drm: Fixup racy refcounting in plane_force_disable [ Upstream commit 8218c3f4df3bb1c637c17552405039a6dd3c1ee1 ] Originally it was impossible to be dropping the last refcount in this function since there was always one around still from the idr. But in commit 83f45fc360c8e16a330474860ebda872d1384c8c Author: Daniel Vetter Date: Wed Aug 6 09:10:18 2014 +0200 drm: Don't grab an fb reference for the idr we've switched to weak references, broke that assumption but forgot to fix it up. Since we still force-disable planes it's only possible to hit this when racing multiple rmfb with fbdev restoring or similar evil things. As long as userspace is nice it's impossible to hit the BUG_ON. But the BUG_ON would most likely be hit from fbdev code, which usually invovles the console_lock besides all modeset locks. So very likely we'd never get the bug reports if this was hit in the wild, hence better be safe than sorry and backport. Spotted by Matt Roper while reviewing other patches. [airlied: pull this back into 4.0 - the oops happens there] Cc: stable@vger.kernel.org Cc: Matt Roper Reviewed-by: Matt Roper Signed-off-by: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin commit ff06e6e533db84a5cbce79d1b4866e8258b563c9 Author: Wenbo Wang Date: Fri Mar 20 01:04:54 2015 -0400 Fix bug in blk_rq_merge_ok [ Upstream commit 7ee8e4f3983c4ff700958a6099c8fd212ea67b94 ] Use the right array index to reference the last element of rq->biotail->bi_io_vec[] Signed-off-by: Wenbo Wang Reviewed-by: Chong Yuan Fixes: 66cb45aa41315 ("block: add support for limiting gaps in SG lists") Cc: stable@kernel.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 06767df2716dd228bc94696862f165d14e5cc756 Author: Mike Snitzer Date: Thu Mar 12 23:53:26 2015 -0400 blk-mq: fix use of incorrect goto label in blk_mq_init_queue error path [ Upstream commit 9a30b096b543932de218dd3501b5562e00a8792d ] If percpu_ref_init() fails the allocated q and hctxs must get cleaned up; using 'err_map' doesn't allow that to happen. Signed-off-by: Mike Snitzer Reviewed-by: Ming Lei Cc: stable@kernel.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9da02d84fe5007faeb7bf9f1fbca93960ecf192c Author: Joe Perches Date: Mon Mar 23 18:01:35 2015 -0700 selinux: fix sel_write_enforce broken return value [ Upstream commit 6436a123a147db51a0b06024a8350f4c230e73ff ] Return a negative error value like the rest of the entries in this function. Cc: Signed-off-by: Joe Perches Acked-by: Stephen Smalley [PM: tweaked subject line] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 5ceacd4db8a7925373427cf6f2cf35dad775f565 Author: Chen-Yu Tsai Date: Mon Feb 9 18:23:20 2015 +0800 ARM: sunxi: Have ARCH_SUNXI select RESET_CONTROLLER for clock driver usage [ Upstream commit fdc0074c5fc8c7adb8186cbb123fe2082d9bd05f ] As the sunxi usb clocks all contain a reset controller, it is not possible to build the sunxi clock driver without RESET_CONTROLLER enabled. Doing so results in an undefined symbol error: drivers/built-in.o: In function `sunxi_gates_clk_setup': linux/drivers/clk/sunxi/clk-sunxi.c:1071: undefined reference to `reset_controller_register' This is possible if building a minimal kernel without PHY_SUN4I_USB. The dependency issue is made visible at compile time instead of link time by the new A80 mmc clocks, which also use a reset control itself. This patch makes ARCH_SUNXI select ARCH_HAS_RESET_CONTROLLER and RESET_CONTROLLER. Fixes: 559482d1f950 ARM: sunxi: Split the various SoCs support in Kconfig Cc: # 3.16+ Reported-by: Lourens Rozema Acked-by: Arnd Bergmann Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 654acb340d5ee5fd6d8af00eb79c35ab4edc9570 Author: Vineet Gupta Date: Thu Mar 26 11:14:41 2015 +0530 ARC: signal handling robustify [ Upstream commit e4140819dadc3624accac8294881bca8a3cba4ed ] A malicious signal handler / restorer can DOS the system by fudging the user regs saved on stack, causing weird things such as sigreturn returning to user mode PC but cpu state still being kernel mode.... Ensure that in sigreturn path status32 always has U bit; any other bogosity (gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms. Reproducer signal handler: void handle_sig(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); regs->scratch.status32 = 0; } Before the fix, kernel would go off to weeds like below: --------->8----------- [ARCLinux]$ ./signal-test Path: /signal-test CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65 task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000 [ECR ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698 [EFA ]: 0x00000010 [BLINK ]: 0x2007c1ee [ERET ]: 0x10698 [STAT32]: 0x00000000 : <-------- BTA: 0x00010680 SP: 0x5ffe7e48 FP: 0x00000000 LPS: 0x20003c6c LPE: 0x20003c70 LPC: 0x00000000 ... --------->8----------- Reported-by: Alexey Brodkin Cc: Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit b0864666b2abb45a1441bd2725e77c982ea9c39d Author: Vineet Gupta Date: Thu Mar 26 09:25:44 2015 +0530 ARC: SA_SIGINFO ucontext regs off-by-one [ Upstream commit 6914e1e3f63caa829431160f0f7093292daef2d5 ] The regfile provided to SA_SIGINFO signal handler as ucontext was off by one due to pt_regs gutter cleanups in 2013. Before handling signal, user pt_regs are copied onto user_regs_struct and copied back later. Both structs are binary compatible. This was all fine until commit 2fa919045b72 (ARC: pt_regs update #2) which removed the empty stack slot at top of pt_regs (corresponding to first pad) and made the corresponding fixup in struct user_regs_struct (the pad in there was moved out of @scratch - not removed altogether as it is part of ptrace ABI) struct user_regs_struct { + long pad; struct { - long pad; long bta, lp_start, lp_end,.... } scratch; ... } This meant that now user_regs_struct was off by 1 reg w.r.t pt_regs and signal code needs to user_regs_struct.scratch to reflect it as pt_regs, which is what this commit does. This problem was hidden for 2 years, because both save/restore, despite using wrong location, were using the same location. Only an interim inspection (reproducer below) exposed the issue. void handle_segv(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); printf("regs %x %x\n", <=== prints 7 8 (vs. 8 9) regs->scratch.r8, regs->scratch.r9); } int main() { struct sigaction sa; sa.sa_sigaction = handle_segv; sa.sa_flags = SA_SIGINFO; sigemptyset(&sa.sa_mask); sigaction(SIGSEGV, &sa, NULL); asm volatile( "mov r7, 7 \n" "mov r8, 8 \n" "mov r9, 9 \n" "mov r10, 10 \n" :::"r7","r8","r9","r10"); *((unsigned int*)0x10) = 0; } Fixes: 2fa919045b72ec892e "ARC: pt_regs update #2: Remove unused gutter at start of pt_regs" CC: Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit a78cff341ce3c7085f574e266f88306deca54dc4 Author: Matwey V. Kornilov Date: Thu Feb 19 20:41:48 2015 +0300 PCI: spear: Drop __initdata from spear13xx_pcie_driver [ Upstream commit a43f32d647273023edddb0dc8f91c4c6378b252b ] Struct spear13xx_pcie_driver was in initdata, but we passed a pointer to it to platform_driver_register(), which can use the pointer at arbitrary times in the future, even after the initdata is freed. That leads to crashes. Move spear13xx_pcie_driver and things referenced by it (spear13xx_pcie_probe() and dw_pcie_host_init()) out of initdata. [bhelgaas: changelog] Fixes: 6675ef212dac ("PCI: spear: Fix Section mismatch compilation warning for probe()") Signed-off-by: Matwey V. Kornilov Signed-off-by: Bjorn Helgaas Acked-by: Viresh Kumar CC: stable@vger.kernel.org # v3.17+ Signed-off-by: Sasha Levin commit f31d6097a87dc1355df5a8527e86570caf1df539 Author: Bjorn Helgaas Date: Tue Mar 24 11:12:45 2015 -0500 PCI: Don't look for ACPI hotplug parameters if ACPI is disabled [ Upstream commit 8647ca9ad5a0065ad53a2ad7e39163592b6ed35e ] Booting a v3.18 or newer Xen domU kernel with PCI devices passed through results in an oops (this is a 32-bit 3.13.11 dom0 with a 64-bit 4.4.0 hypervisor and 32-bit domU): BUG: unable to handle kernel paging request at 0030303e IP: [] acpi_ns_validate_handle+0x12/0x1a Call Trace: [] ? acpi_evaluate_object+0x31/0x1fc [] ? pci_get_hp_params+0x111/0x4e0 [] ? xen_force_evtchn_callback+0x17/0x30 [] ? xen_restore_fl_direct_reloc+0x4/0x4 [] ? pci_device_add+0x24/0x450 Don't look for ACPI configuration information if ACPI has been disabled. I don't think this is the best fix, because we can boot plain Linux (no Xen) with "acpi=off", and we don't need this check in pci_get_hp_params(). There should be a better fix that would make Xen domU work the same way. The domU kernel has ACPI support but it has no AML. There should be a way to initialize the ACPI data structures so things fail gracefully rather than oopsing. This is an interim fix to address the regression. Fixes: 6cd33649fa83 ("PCI: Add pci_configure_device() during enumeration") Link: https://bugzilla.kernel.org/show_bug.cgi?id=96301 Reported-by: Michael D Labriola Tested-by: Michael D Labriola Signed-off-by: Bjorn Helgaas CC: stable@vger.kernel.org # v3.18+ Signed-off-by: Sasha Levin commit 5a3edbcd6205ed320df53bae338761cf5ba98b94 Author: Dan Carpenter Date: Wed Feb 25 16:23:22 2015 +0300 PCI: cpcihp: Add missing curly braces in cpci_configure_slot() [ Upstream commit bc3b5b47c80da8838758731d423179262c9c36ec ] I don't have this hardware but it looks like we weren't adding bridge devices as intended. Maybe the bridge is always the last device? Fixes: 05b125004815 ("PCI: cpcihp: Iterate over all devices in slot, not functions 0-7") Signed-off-by: Dan Carpenter Signed-off-by: Bjorn Helgaas Acked-by: Yijing Wang CC: stable@vger.kernel.org # v3.9+ Signed-off-by: Sasha Levin commit 02e0fab6a0bc9c941a896b608368cc009efc9ccc Author: Rasmus Villemoes Date: Thu Feb 26 09:55:03 2015 +0100 PCI/AER: Avoid info leak in __print_tlp_header() [ Upstream commit a1b7f2f6367944d445c6853035830a35c6343939 ] Commit fab4c256a58b ("PCI/AER: Add a TLP header print helper") introduced the helper function __print_tlp_header(), but contrary to the intention, the behaviour did change: Since we're taking the address of the parameter t, the first 4 or 8 bytes printed will be the value of the pointer t itself, and the remaining 12 or 8 bytes will be who-knows-what (something from the stack). We want to show the values of the four members of the struct aer_header_log_regs; that can be done without ugly and error-prone casts. On little-endian this should produce the same output as originally intended, and since no-one has complained about getting garbage output so far, I think big-endian should be ok too. Fixes: fab4c256a58b ("PCI/AER: Add a TLP header print helper") Signed-off-by: Rasmus Villemoes Signed-off-by: Bjorn Helgaas Acked-by: Borislav Petkov CC: stable@vger.kernel.org # v3.14+ Signed-off-by: Sasha Levin commit e045a4c5987e398e48add806436d47645c222949 Author: Takashi Iwai Date: Wed Apr 8 20:47:55 2015 +0200 ALSA: hda - Fix headphone pin config for Lifebook T731 [ Upstream commit cc7016ab1a22fb26f388c2fb2b692b89897cbc3e ] Some BIOS version of Fujitsu Lifebook T731 seems to set up the headphone pin (0x21) without the assoc number 0x0f while it's set only to the output on the docking port (0x1a). With the recent commit [03ad6a8c93b6: ALSA: hda - Fix "PCM" name being used on one DAC when there are two DACs], this resulted in the weird mixer element mapping where the headphone on the laptop is assigned as a shared volume with the speaker and the docking port is assigned as an individual headphone. This patch improves the situation by correcting the headphone pin config to the more appropriate value. Reported-and-tested-by: Taylor Smock Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 432b1f9b275f1e6640212323d24fae779e2e7f55 Author: Kailang Yang Date: Wed Apr 8 16:34:00 2015 +0800 ALSA: hda/realtek - Make more stable to get pin sense for ALC283 [ Upstream commit a59d7199f62b8336570972dcc288321d0ec999fe ] Pin sense will active when power pin is wake up. Power pin will not wake up immediately during resume state. Add some delay to wait for power pin activated. Signed-off-by: Kailang Yang Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8c54c7cb6fa1ddfc53b280c8be8ef3888a0245df Author: Takashi Sakamoto Date: Thu Apr 9 01:15:03 2015 +0900 ALSA: bebob: fix to processing in big-endian machine for sending cue [ Upstream commit a053fc318bc5d28cd25168c948255fd48a29ea26 ] Some M-Audio devices require to receive bootup command just after powering on, while codes in BeBoB driver doesn't work properly in big-endian machine because the command should be aligned by little-endian. This commit fixes this bug. This fix should go to stable kernel. Cc: Takayuki Shiroma Signed-off-by: Takashi Sakamoto Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1f1c12d2d46fb4208510ed13a85103951fd2de08 Author: Dmitry M. Fedin Date: Thu Apr 9 17:37:03 2015 +0300 ALSA: usb - Creative USB X-Fi Pro SB1095 volume knob support [ Upstream commit 3dc8523fa7412e731441c01fb33f003eb3cfece1 ] Adds an entry for Creative USB X-Fi to the rc_config array in mixer_quirks.c to allow use of volume knob on the device. Adds support for newer X-Fi Pro card, known as "Model No. SB1095" with USB ID "041e:3237" Signed-off-by: Dmitry M. Fedin Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e85435779e6eae34b65c5ad7647ef95a8487b172 Author: Hui Wang Date: Thu Mar 26 17:14:55 2015 +0800 ALSA: hda - Add one more node in the EAPD supporting candidate list [ Upstream commit af95b41426e0b58279f8ff0ebe420df49a4e96b8 ] We have a HP machine which use the codec node 0x17 connecting the internal speaker, and from the node capability, we saw the EAPD, if we don't set the EAPD on for this node, the internal speaker can't output any sound. Cc: BugLink: https://bugs.launchpad.net/bugs/1436745 Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit fc9a2d469ce14e11d4480caf47837d7ed4f857fb Author: Sebastian Wicki Date: Mon Mar 23 17:23:11 2015 +0100 ALSA: hda - Add dock support for Thinkpad T450s (17aa:5036) [ Upstream commit 80b311d3118842eb681397233faa0d588df13f92 ] This model uses the same dock port as the previous generation. Signed-off-by: Sebastian Wicki Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 49118e2296e09735dc863ef5e6e35f794a0efbd2 Author: Peter Hurley Date: Thu Apr 16 14:57:27 2015 -0400 n_tty: Fix read buffer overwrite when no newline [ Upstream commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e ] BugLink: http://bugs.launchpad.net/bugs/1381005 In canon mode, the read buffer head will advance over the buffer tail if the input > 4095 bytes without receiving a line termination char. Discard additional input until a line termination is received. Before evaluating for overflow, the 'room' value is normalized for I_PARMRK and 1 byte is reserved for line termination (even in !icanon mode, in case the mode is switched). The following table shows the transform: actual buffer | 'room' value before overflow calc space avail | !I_PARMRK | I_PARMRK -------------------------------------------------- 0 | -1 | -1 1 | 0 | 0 2 | 1 | 0 3 | 2 | 0 4+ | 3 | 1 When !icanon or when icanon and the read buffer contains newlines, normalized 'room' values of -1 and 0 are clamped to 0, and 'overflow' is 0, so read_head is not adjusted and the input i/o loop exits (setting no_room if called from flush_to_ldisc()). No input is discarded since the reader does have input available to read which ensures forward progress. When icanon and the read buffer does not contain newlines and the normalized 'room' value is 0, then overflow and room are reset to 1, so that the i/o loop will process the next input char normally (except for parity errors which are ignored). Thus, erasures, signalling chars, 7-bit mode, etc. will continue to be handled properly. If the input char processed was not a line termination char, then the canon_head index will not have advanced, so the normalized 'room' value will now be -1 and 'overflow' will be set, which indicates the read_head can safely be reset, effectively erasing the last char processed. If the input char processed was a line termination, then the canon_head index will have advanced, so 'overflow' is cleared to 0, the read_head is not reset, and 'room' is cleared to 0, which exits the i/o loop (because the reader now have input available to read which ensures forward progress). Note that it is possible for a line termination to be received, and for the reader to copy the line to the user buffer before the input i/o loop is ready to process the next input char. This is why the i/o loop recomputes the room/overflow state with every input char while handling overflow. Finally, if the input data was processed without receiving a line termination (so that overflow is still set), the pty driver must receive a write wakeup. A pty writer may be waiting to write more data in n_tty_write() but without unthrottling here that wakeup will not arrive, and forward progress will halt. (Normally, the pty writer is woken when the reader reads data out of the buffer and more space become available). Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman (backported from commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e) Signed-off-by: Joseph Salisbury