commit c45c05f42d5d3baf5d18e648c064788381fcfa1c Author: Ben Hutchings Date: Sun Nov 26 13:50:43 2017 +0000 Linux 3.16.51 commit 9c32447e8a0e624fdc3c01bb013b73d49b11809b Author: Boqun Feng Date: Tue Oct 3 21:36:51 2017 +0800 kvm/x86: Avoid async PF preempting the kernel incorrectly commit a2b7861bb33b2538420bb5d8554153484d3f961f upstream. Currently, in PREEMPT_COUNT=n kernel, kvm_async_pf_task_wait() could call schedule() to reschedule in some cases. This could result in accidentally ending the current RCU read-side critical section early, causing random memory corruption in the guest, or otherwise preempting the currently running task inside between preempt_disable and preempt_enable. The difficulty to handle this well is because we don't know whether an async PF delivered in a preemptible section or RCU read-side critical section for PREEMPT_COUNT=n, since preempt_disable()/enable() and rcu_read_lock/unlock() are both no-ops in that case. To cure this, we treat any async PF interrupting a kernel context as one that cannot be preempted, preventing kvm_async_pf_task_wait() from choosing the schedule() path in that case. To do so, a second parameter for kvm_async_pf_task_wait() is introduced, so that we know whether it's called from a context interrupting the kernel, and the parameter is set properly in all the callsites. Cc: "Paul E. McKenney" Cc: Peter Zijlstra Cc: Wanpeng Li Signed-off-by: Boqun Feng Signed-off-by: Radim Krčmář [bwh: Backported to 3.16: - Use user_mode_vm() as equivalent to upstream user_mode() - Adjust filename, context] Signed-off-by: Ben Hutchings commit 6e461f01995fd592bbbd82fe1b71e2e2ca5a8baf Author: Boqun Feng Date: Fri Sep 29 19:01:45 2017 +0800 kvm/x86: Handle async PF in RCU read-side critical sections commit b862789aa5186d5ea3a024b7cfe0f80c3a38b980 upstream. Sasha Levin reported a WARNING: | WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329 | rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline] | WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329 | rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458 ... | CPU: 0 PID: 6974 Comm: syz-fuzzer Not tainted 4.13.0-next-20170908+ #246 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS | 1.10.1-1ubuntu1 04/01/2014 | Call Trace: ... | RIP: 0010:rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline] | RIP: 0010:rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458 | RSP: 0018:ffff88003b2debc8 EFLAGS: 00010002 | RAX: 0000000000000001 RBX: 1ffff1000765bd85 RCX: 0000000000000000 | RDX: 1ffff100075d7882 RSI: ffffffffb5c7da20 RDI: ffff88003aebc410 | RBP: ffff88003b2def30 R08: dffffc0000000000 R09: 0000000000000001 | R10: 0000000000000000 R11: 0000000000000000 R12: ffff88003b2def08 | R13: 0000000000000000 R14: ffff88003aebc040 R15: ffff88003aebc040 | __schedule+0x201/0x2240 kernel/sched/core.c:3292 | schedule+0x113/0x460 kernel/sched/core.c:3421 | kvm_async_pf_task_wait+0x43f/0x940 arch/x86/kernel/kvm.c:158 | do_async_page_fault+0x72/0x90 arch/x86/kernel/kvm.c:271 | async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069 | RIP: 0010:format_decode+0x240/0x830 lib/vsprintf.c:1996 | RSP: 0018:ffff88003b2df520 EFLAGS: 00010283 | RAX: 000000000000003f RBX: ffffffffb5d1e141 RCX: ffff88003b2df670 | RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffb5d1e140 | RBP: ffff88003b2df560 R08: dffffc0000000000 R09: 0000000000000000 | R10: ffff88003b2df718 R11: 0000000000000000 R12: ffff88003b2df5d8 | R13: 0000000000000064 R14: ffffffffb5d1e140 R15: 0000000000000000 | vsnprintf+0x173/0x1700 lib/vsprintf.c:2136 | sprintf+0xbe/0xf0 lib/vsprintf.c:2386 | proc_self_get_link+0xfb/0x1c0 fs/proc/self.c:23 | get_link fs/namei.c:1047 [inline] | link_path_walk+0x1041/0x1490 fs/namei.c:2127 ... This happened when the host hit a page fault, and delivered it as in an async page fault, while the guest was in an RCU read-side critical section. The guest then tries to reschedule in kvm_async_pf_task_wait(), but rcu_preempt_note_context_switch() would treat the reschedule as a sleep in RCU read-side critical section, which is not allowed (even in preemptible RCU). Thus the WARN. To cure this, make kvm_async_pf_task_wait() go to the halt path if the PF happens in a RCU read-side critical section. Reported-by: Sasha Levin Cc: "Paul E. McKenney" Cc: Peter Zijlstra Signed-off-by: Boqun Feng Signed-off-by: Paolo Bonzini [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 5210f3963b60a4878790644572a3c7d16127593a Author: Jorgen Hansen Date: Tue Apr 5 01:59:32 2016 -0700 VSOCK: Detach QP check should filter out non matching QPs. commit 8ab18d71de8b07d2c4d6f984b718418c09ea45c5 upstream. The check in vmci_transport_peer_detach_cb should only allow a detach when the qp handle of the transport matches the one in the detach message. Testing: Before this change, a detach from a peer on a different socket would cause an active stream socket to register a detach. Reviewed-by: George Zhang Signed-off-by: Jorgen Hansen Signed-off-by: David S. Miller Signed-off-by: Michal Hocko Signed-off-by: Ben Hutchings commit 72a9cc313da8f4d5ad541901ecf2b0d549257c30 Author: Jorgen Hansen Date: Thu Oct 22 08:25:25 2015 -0700 VSOCK: Fix lockdep issue. commit 8566b86ab9f0f45bc6f7dd422b21de9d0cf5415a upstream. The recent fix for the vsock sock_put issue used the wrong initializer for the transport spin_lock causing an issue when running with lockdep checking. Testing: Verified fix on kernel with lockdep enabled. Reviewed-by: Thomas Hellstrom Signed-off-by: Jorgen Hansen Signed-off-by: David S. Miller Signed-off-by: Michal Hocko Signed-off-by: Ben Hutchings commit 58be2c16ad7d4a0259d6ccb7c799c0df63505d7d Author: Jorgen Hansen Date: Wed Oct 21 04:53:56 2015 -0700 VSOCK: sock_put wasn't safe to call in interrupt context commit 4ef7ea9195ea73262cd9730fb54e1eb726da157b upstream. In the vsock vmci_transport driver, sock_put wasn't safe to call in interrupt context, since that may call the vsock destructor which in turn calls several functions that should only be called from process context. This change defers the callling of these functions to a worker thread. All these functions were deallocation of resources related to the transport itself. Furthermore, an unused callback was removed to simplify the cleanup. Multiple customers have been hitting this issue when using VMware tools on vSphere 2015. Also added a version to the vmci transport module (starting from 1.0.2.0-k since up until now it appears that this module was sharing version with vsock that is currently at 1.0.1.0-k). Reviewed-by: Aditya Asarwade Reviewed-by: Thomas Hellstrom Signed-off-by: Jorgen Hansen Signed-off-by: David S. Miller Signed-off-by: Michal Hocko Signed-off-by: Ben Hutchings commit 72e255417eae9602276b19f673eb42464a9b1870 Author: Johannes Berg Date: Tue Oct 24 21:12:13 2017 +0200 mac80211: don't compare TKIP TX MIC key in reinstall prevention commit cfbb0d90a7abb289edc91833d0905931f8805f12 upstream. For the reinstall prevention, the code I had added compares the whole key. It turns out though that iwlwifi firmware doesn't provide the TKIP TX MIC key as it's not needed in client mode, and thus the comparison will always return false. For client mode, thus always zero out the TX MIC key part before doing the comparison in order to avoid accepting the reinstall of the key with identical encryption and RX MIC key, but not the same TX MIC key (since the supplicant provides the real one.) Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Johannes Berg Signed-off-by: Ben Hutchings commit d8588937f7e47797e47430fee7603e76af6901b4 Author: Jason A. Donenfeld Date: Tue Oct 17 20:32:07 2017 +0200 mac80211: use constant time comparison with keys commit 2bdd713b92a9cade239d3c7d15205a09f556624d upstream. Otherwise we risk leaking information via timing side channel. Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Jason A. Donenfeld Signed-off-by: Johannes Berg Signed-off-by: Ben Hutchings commit 4a14bd934b40b1a9f7fe3e0546f9873bb55e5b61 Author: Bjørn Mork Date: Mon Nov 6 15:32:18 2017 +0100 net: qmi_wwan: fix divide by 0 on bad descriptors commit 7fd078337201cf7468f53c3d9ef81ff78cb6df3b upstream. A CDC Ethernet functional descriptor with wMaxSegmentSize = 0 will cause a divide error in usbnet_probe: divide error: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006bef5c00 task.stack: ffff88006bf60000 RIP: 0010:usbnet_update_max_qlen+0x24d/0x390 drivers/net/usb/usbnet.c:355 RSP: 0018:ffff88006bf67508 EFLAGS: 00010246 RAX: 00000000000163c8 RBX: ffff8800621fce40 RCX: ffff8800621fcf34 RDX: 0000000000000000 RSI: ffffffff837ecb7a RDI: ffff8800621fcf34 RBP: ffff88006bf67520 R08: ffff88006bef5c00 R09: ffffed000c43f881 R10: ffffed000c43f880 R11: ffff8800621fc406 R12: 0000000000000003 R13: ffffffff85c71de0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe9c0d6dac CR3: 00000000614f4000 CR4: 00000000000006f0 Call Trace: usbnet_probe+0x18b5/0x2790 drivers/net/usb/usbnet.c:1783 qmi_wwan_probe+0x133/0x220 drivers/net/usb/qmi_wwan.c:1338 usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x522/0x740 drivers/base/dd.c:557 Fix by simply ignoring the bogus descriptor, as it is optional for QMI devices anyway. Fixes: 423ce8caab7e ("net: usb: qmi_wwan: New driver for Huawei QMI based WWAN devices") Reported-by: Andrey Konovalov Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit fac4f4657e16d3457963d4c8ee6a356103155141 Author: Bjørn Mork Date: Mon Nov 6 15:37:22 2017 +0100 net: cdc_ether: fix divide by 0 on bad descriptors commit 2cb80187ba065d7decad7c6614e35e07aec8a974 upstream. Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. Signed-off-by: Bjørn Mork Acked-by: Oliver Neukum Signed-off-by: David S. Miller [bwh: Backported to 3.16: parsing code is organised differently] Signed-off-by: Ben Hutchings commit 9d399eba105c6e311db9ec78ce62579ffc403c0d Author: Dmitry Torokhov Date: Mon Oct 23 16:46:00 2017 -0700 Input: gtco - fix potential out-of-bound access commit a50829479f58416a013a4ccca791336af3c584c7 upstream. parse_hid_report_descriptor() has a while (i < length) loop, which only guarantees that there's at least 1 byte in the buffer, but the loop body can read multiple bytes which causes out-of-bounds access. Reported-by: Andrey Konovalov Reviewed-by: Andrey Konovalov Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit 7f3ca02c7ed55f7d524fb5c06e2de36ab65f5e20 Author: Arvind Yadav Date: Mon Oct 9 20:14:48 2017 +0200 media: imon: Fix null-ptr-deref in imon_probe commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3 upstream. It seems that the return value of usb_ifnum_to_if() can be NULL and needs to be checked. Signed-off-by: Arvind Yadav Tested-by: Andrey Konovalov Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit 99a3c1bb0ed332c64cfcd53a84fea2468ab9e11e Author: Johan Hovold Date: Thu Sep 21 05:40:18 2017 -0300 cx231xx-cards: fix NULL-deref on missing association descriptor commit 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 upstream. Make sure to check that we actually have an Interface Association Descriptor before dereferencing it during probe to avoid dereferencing a NULL-pointer. Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") Reported-by: Andrey Konovalov Signed-off-by: Johan Hovold Tested-by: Andrey Konovalov Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 96b62489bc4200803cb77a0ca69aa3d179c7e9f5 Author: Johan Hovold Date: Wed Oct 4 11:01:13 2017 +0200 USB: serial: console: fix use-after-free after failed setup commit 299d7572e46f98534033a9e65973f13ad1ce9047 upstream. Make sure to reset the USB-console port pointer when console setup fails in order to avoid having the struct usb_serial be prematurely freed by the console code when the device is later disconnected. Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues") Acked-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings commit 7adde0289baa8d51c2bd072d80cb82a278d24363 Author: Xin Long Date: Tue Oct 17 23:26:10 2017 +0800 sctp: do not peel off an assoc from one netns to another one commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 upstream. Now when peeling off an association to the sock in another netns, all transports in this assoc are not to be rehashed and keep use the old key in hashtable. As a transport uses sk->net as the hash key to insert into hashtable, it would miss removing these transports from hashtable due to the new netns when closing the sock and all transports are being freeed, then later an use-after-free issue could be caused when looking up an asoc and dereferencing those transports. This is a very old issue since very beginning, ChunYu found it with syzkaller fuzz testing with this series: socket$inet6_sctp() bind$inet6() sendto$inet6() unshare(0x40000000) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST() getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF() This patch is to block this call when peeling one assoc off from one netns to another one, so that the netns of all transport would not go out-sync with the key in hashtable. Note that this patch didn't fix it by rehashing transports, as it's difficult to handle the situation when the tuple is already in use in the new netns. Besides, no one would like to peel off one assoc to another netns, considering ipaddrs, ifaces, etc. are usually different. Reported-by: ChunYu Wang Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Acked-by: Neil Horman Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 5e46deccf2ac60588510e5d69866a72a0c583216 Author: Kai-Heng Feng Date: Fri Sep 15 09:36:16 2017 -0700 Input: i8042 - add Gigabyte P57 to the keyboard reset table commit 697c5d8a36768b36729533fb44622b35d56d6ad0 upstream. Similar to other Gigabyte laptops, the touchpad on P57 requires a keyboard reset to detect Elantech touchpad correctly. BugLink: https://bugs.launchpad.net/bugs/1594214 Signed-off-by: Kai-Heng Feng Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit 71538193870b30eb37720087f64da2d702f549c1 Author: Wanpeng Li Date: Thu Sep 14 03:54:16 2017 -0700 KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously commit 9a6e7c39810e4a8bc7fc95056cefb40583fe07ef upstream. qemu-system-x86-8600 [004] d..1 7205.687530: kvm_entry: vcpu 2 qemu-system-x86-8600 [004] .... 7205.687532: kvm_exit: reason EXCEPTION_NMI rip 0xffffffffa921297d info ffffeb2c0e44e018 80000b0e qemu-system-x86-8600 [004] .... 7205.687532: kvm_page_fault: address ffffeb2c0e44e018 error_code 0 qemu-system-x86-8600 [004] .... 7205.687620: kvm_try_async_get_page: gva = 0xffffeb2c0e44e018, gfn = 0x427e4e qemu-system-x86-8600 [004] .N.. 7205.687628: kvm_async_pf_not_present: token 0x8b002 gva 0xffffeb2c0e44e018 kworker/4:2-7814 [004] .... 7205.687655: kvm_async_pf_completed: gva 0xffffeb2c0e44e018 address 0x7fcc30c4e000 qemu-system-x86-8600 [004] .... 7205.687703: kvm_async_pf_ready: token 0x8b002 gva 0xffffeb2c0e44e018 qemu-system-x86-8600 [004] d..1 7205.687711: kvm_entry: vcpu 2 After running some memory intensive workload in guest, I catch the kworker which completes the GUP too quickly, and queues an "Page Ready" #PF exception after the "Page not Present" exception before the next vmentry as the above trace which will result in #DF injected to guest. This patch fixes it by clearing the queue for "Page not Present" if "Page Ready" occurs before the next vmentry since the GUP has already got the required page and shadow page table has already been fixed by "Page Ready" handler. Cc: Paolo Bonzini Cc: Radim Krčmář Signed-off-by: Wanpeng Li Fixes: 7c90705bf2a3 ("KVM: Inject asynchronous page fault into a PV guest if page is swapped out.") [Changed indentation and added clearing of injected. - Radim] Signed-off-by: Radim Krčmář [bwh: Backported to 3.16: Don't assign to kvm_queued_exception::injected or x86_exception::async_page_fault] Signed-off-by: Ben Hutchings commit 6adb5d103ffbb2319f83a704332afc2a43d3eb7d Author: Arnd Bergmann Date: Wed Sep 13 16:28:26 2017 -0700 IB/mlx4: fix sprintf format warning commit d0dbf771309fecd73f4ac1566c1400cb12807ee2 upstream. gcc-7 points out that a negative port_num value would overflow the string buffer: drivers/infiniband/hw/mlx4/sysfs.c: In function 'mlx4_ib_device_register_sysfs': drivers/infiniband/hw/mlx4/sysfs.c:251:16: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] drivers/infiniband/hw/mlx4/sysfs.c:251:2: note: 'sprintf' output between 2 and 11 bytes into a destination of size 10 drivers/infiniband/hw/mlx4/sysfs.c:303:17: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] drivers/infiniband/hw/mlx4/sysfs.c:303:3: note: 'sprintf' output between 2 and 11 bytes into a destination of size 10 While we should be able to assume that port_num is positive here, making the buffer one byte longer has no downsides and avoids the warning. Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib device") Link: http://lkml.kernel.org/r/20170714120720.906842-23-arnd@arndb.de Signed-off-by: Arnd Bergmann Reviewed-by: Leon Romanovsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit e19e92401d877b32b5f7ec8ad07768c5beb40713 Author: Jan H. Schönherr Date: Tue Sep 5 23:58:44 2017 +0200 KVM: SVM: Add a missing 'break' statement commit 49a8afca386ee1775519a4aa80f8e121bd227dd4 upstream. Signed-off-by: Jan H. Schönherr Fixes: f6511935f424 ("KVM: SVM: Add checks for IO instructions") Reviewed-by: David Hildenbrand Signed-off-by: Radim Krčmář Signed-off-by: Ben Hutchings commit e2b3f8b72be85ddf6efa426c7a5ede0f26f3cedf Author: Nisar Sayed Date: Mon Sep 11 17:43:11 2017 +0000 smsc95xx: Configure pause time to 0xffff when tx flow control enabled commit 9c0827317f235865ae421293f8aecf6cb327a63e upstream. Configure pause time to 0xffff when tx flow control enabled Set pause time to 0xffff in the pause frame to indicate the partner to stop sending the packets. When RX buffer frees up, the device sends pause frame with pause time zero for partner to resume transmission. Fixes: 2f7ca802bdae ("Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Signed-off-by: Nisar Sayed Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 253a96943c00e781d8706e6fc7897c1491f00c09 Author: Cameron Gutman Date: Tue Sep 12 11:27:44 2017 -0700 Input: xpad - validate USB endpoint type during probe commit 122d6a347329818419b032c5a1776e6b3866d9b9 upstream. We should only see devices with interrupt endpoints. Ignore any other endpoints that we find, so we don't send try to send them interrupt URBs and trigger a WARN down in the USB stack. Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit 24aa11bc563162f37ad2fe76fdfb324626b5ad01 Author: Cameron Gutman Date: Tue Jan 3 22:40:38 2017 -0800 Input: xpad - don't depend on endpoint order commit c01b5e7464f0cf20936d7467c7528163c4e2782d upstream. The order of endpoints is well defined on official Xbox pads, but we have found at least one 3rd-party pad that doesn't follow the standard ("Titanfall 2 Xbox One controller" 0e6f:0165). Fortunately, we get lucky with this specific pad because it uses endpoint addresses that differ only by direction. We know that there are other pads out where this is not true, so let's go ahead and fix this. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov [bwh: Backported to 3.16: - Use 'fail3' label in case of failure - Adjust context] Signed-off-by: Ben Hutchings commit 29e34f883fd53d3d2b4a5cb7095c21e1b50a47ae Author: Ted Mielczarek Date: Fri Aug 8 11:21:59 2014 -0700 Input: xpad - add support for Xbox One controllers commit 1a48ff81b3912be5fadae3fafde6c2f632246a4c upstream. Xbox One controllers require an initialization message to start sending data, so xpad_init_output becomes a required function. The Xbox One controller does not have LEDs like the Xbox 360 controller, so that functionality is not implemented. The format of messages controlling rumble is currently undocumented, so rumble support is not yet implemented. Note that Xbox One controller advertises three interfaces with the same interface class, subclass and protocol, so we have to also match against interface number. Signed-off-by: Ted Mielczarek Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit f966d4c54e1c1e3769c297fc9899ed8a82326061 Author: Dmitry Torokhov Date: Thu Aug 31 18:23:11 2017 -0700 Input: ucb1400_ts - fix suspend and resume handling commit 39467fc1054a91efa697162a94e5b0e1a4b7b580 upstream. Instead of stopping the touchscreen we were starting it in suspend, and disabling it in resume. Fixes: c899afedf168 ("Input: ucb1400_ts - convert to threaded IRQ") Reported-by: Anton Volkov Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit 6209a85b83e6d966345a29bd7684f4e88976f0a4 Author: Eric Dumazet Date: Fri Sep 8 15:48:47 2017 -0700 ipv6: fix typo in fib6_net_exit() commit 32a805baf0fb70b6dbedefcd7249ac7f580f9e3b upstream. IPv6 FIB should use FIB6_TABLE_HASHSZ, not FIB_TABLE_HASHSZ. Fixes: ba1cc08d9488 ("ipv6: fix memory leak with multiple tables during netns destruction") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 4014046083dd8c1212f75e78f56c4c34ac4ccfce Author: Sabrina Dubroca Date: Fri Sep 8 10:26:19 2017 +0200 ipv6: fix memory leak with multiple tables during netns destruction commit ba1cc08d9488c94cb8d94f545305688b72a2a300 upstream. fib6_net_exit only frees the main and local tables. If another table was created with fib6_alloc_table, we leak it when the netns is destroyed. Fix this in the same way ip_fib_net_exit cleans up tables, by walking through the whole hashtable of fib6_table's. We can get rid of the special cases for local and main, since they're also part of the hashtable. Reproducer: ip netns add x ip -net x -6 rule add from 6003:1::/64 table 100 ip netns del x Reported-by: Jianlin Shi Fixes: 58f09b78b730 ("[NETNS][IPV6] ip6_fib - make it per network namespace") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit dced151ef8d41f776d668fd954b8e51b37b862e0 Author: Tang Junhui Date: Thu Sep 7 01:28:53 2017 +0800 bcache: initialize dirty stripes in flash_dev_run() commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream. bcache uses a Proportion-Differentiation Controller algorithm to control writeback rate to cached devices. In the PD controller algorithm, dirty stripes of thin flash device should not be counted in, because flash only volumes never write back dirty data. Currently dirty stripe counter for thin flash device is not initialized when the thin flash device starts. Which means the following calculation in PD controller will reference an undefined dirty stripes number, and all cached devices attached to the same cache set where the thin flash device lies on may have an inaccurate writeback rate. This patch calles bch_sectors_dirty_init() in flash_dev_run(), to correctly initialize dirty stripe counter when the thin flash device starts to run. This patch also does following parameter data type change, -void bch_sectors_dirty_init(struct cached_dev *dc); +void bch_sectors_dirty_init(struct bcache_device *); to call this function conveniently in flash_dev_run(). (Commit log is composed by Coly Li) Signed-off-by: Tang Junhui Reviewed-by: Coly Li Signed-off-by: Jens Axboe [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 3701842ee539995194f89801ff5b116e09357683 Author: Thomas Gleixner Date: Tue Sep 5 10:12:20 2017 +0200 genirq: Make sparse_irq_lock protect what it should protect commit 12ac1d0f6c3e95732d144ffa65c8b20fbd9aa462 upstream. for_each_active_irq() iterates the sparse irq allocation bitmap. The caller must hold sparse_irq_lock. Several code pathes expect that an active bit in the sparse bitmap also has a valid interrupt descriptor. Unfortunately that's not true. The (de)allocation is a two step process, which holds the sparse_irq_lock only across the queue/remove from the radix tree and the set/clear in the allocation bitmap. If a iteration locks sparse_irq_lock between the two steps, then it might see an active bit but the corresponding irq descriptor is NULL. If that is dereferenced unconditionally, then the kernel oopses. Of course, all iterator sites could be audited and fixed, but.... There is no reason why the sparse_irq_lock needs to be dropped between the two steps, in fact the code becomes simpler when the mutex is held across both and the semantics become more straight forward, so future problems of missing NULL pointer checks in the iteration are avoided and all existing sites are fixed in one go. Expand the lock held sections so both operations are covered and the bitmap and the radixtree are in sync. Fixes: a05a900a51c7 ("genirq: Make sparse_lock a mutex") Reported-and-tested-by: Huang Ying Signed-off-by: Thomas Gleixner [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 1b79dbf84947bf77cc437f6a45b4286765b23ebe Author: Baohong Liu Date: Tue Sep 5 16:57:19 2017 -0500 tracing: Apply trace_clock changes to instance max buffer commit 170b3b1050e28d1ba0700e262f0899ffa4fccc52 upstream. Currently trace_clock timestamps are applied to both regular and max buffers only for global trace. For instance trace, trace_clock timestamps are applied only to regular buffer. But, regular and max buffers can be swapped, for example, following a snapshot. So, for instance trace, bad timestamps can be seen following a snapshot. Let's apply trace_clock timestamps to instance max buffer as well. Link: http://lkml.kernel.org/r/ebdb168d0be042dcdf51f81e696b17fabe3609c1.1504642143.git.tom.zanussi@linux.intel.com Fixes: 277ba0446 ("tracing: Add interface to allow multiple trace buffers") Signed-off-by: Baohong Liu Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Ben Hutchings commit c2e3874897cd88cdc88b732df78ec92c03670473 Author: Michael Lyle Date: Wed Sep 6 14:26:02 2017 +0800 bcache: fix bch_hprint crash and improve output commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream. Most importantly, solve a crash where %llu was used to format signed numbers. This would cause a buffer overflow when reading sysfs writeback_rate_debug, as only 20 bytes were allocated for this and %llu writes 20 characters plus a null. Always use the units mechanism rather than having different output paths for simplicity. Also, correct problems with display output where 1.10 was a larger number than 1.09, by multiplying by 10 and then dividing by 1024 instead of dividing by 100. (Remainders of >= 1000 would print as .10). Minor changes: Always display the decimal point instead of trying to omit it based on number of digits shown. Decide what units to use based on 1000 as a threshold, not 1024 (in other words, always print at most 3 digits before the decimal point). Signed-off-by: Michael Lyle Reported-by: Dmitry Yu Okunev Acked-by: Kent Overstreet Reviewed-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit c7584c095b02eee50c311e1a17afb228c391a1ba Author: Tang Junhui Date: Wed Sep 6 14:25:59 2017 +0800 bcache: fix for gc and write-back race commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream. gc and write-back get raced (see the email "bcache get stucked" I sended before): gc thread write-back thread | |bch_writeback_thread() |bch_gc_thread() | | |==>read_dirty() |==>bch_btree_gc() | |==>btree_root() //get btree root | | //node write locker | |==>bch_btree_gc_root() | | |==>read_dirty_submit() | |==>write_dirty() | |==>continue_at(cl, | | write_dirty_finish, | | system_wq); | |==>write_dirty_finish()//excute | | //in system_wq | |==>bch_btree_insert() | |==>bch_btree_map_leaf_nodes() | |==>__bch_btree_map_nodes() | |==>btree_root //try to get btree | | //root node read | | //lock | |-----stuck here |==>bch_btree_set_root() |==>bch_journal_meta() |==>bch_journal() |==>journal_try_write() |==>journal_write_unlocked() //journal_full(&c->journal) | //condition satisfied |==>continue_at(cl, journal_write, system_wq); //try to excute | //journal_write in system_wq | //but work queue is excuting | //write_dirty_finish() |==>closure_sync(); //wait journal_write execute | //over and wake up gc, |-------------stuck here |==>release root node write locker This patch alloc a separate work-queue for write-back thread to avoid such race. (Commit log re-organized by Coly Li to pass checkpatch.pl checking) Signed-off-by: Tang Junhui Acked-by: Coly Li Signed-off-by: Jens Axboe [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit cf066ae652c6a1c460248b1a92525cdf35ba3336 Author: Slava Pestov Date: Tue May 20 12:20:28 2014 -0700 bcache: fix crash on shutdown in passthrough mode commit a664d0f05a2ec02c8f042db536d84d15d6e19e81 upstream. We never started the writeback thread in this case, so don't stop it. Signed-off-by: Ben Hutchings commit 966bdee67c17bb741838b4e627ae7329e25a8114 Author: Tony Asleson Date: Wed Sep 6 14:25:57 2017 +0800 bcache: Correct return value for sysfs attach errors commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream. If you encounter any errors in bch_cached_dev_attach it will return a negative error code. The variable 'v' which stores the result is unsigned, thus user space sees a very large value returned for bytes written which can cause incorrect user space behavior. Utilize 1 signed variable to use throughout the function to preserve error return capability. Signed-off-by: Tony Asleson Acked-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 94625d422095b7d28a024923d47fa4901d6bb0a3 Author: Tang Junhui Date: Wed Sep 6 14:25:56 2017 +0800 bcache: correct cache_dirty_target in __update_writeback_rate() commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream. __update_write_rate() uses a Proportion-Differentiation Controller algorithm to control writeback rate. A dirty target number is used in this PD controller to control writeback rate. A larger target number will make the writeback rate smaller, on the versus, a smaller target number will make the writeback rate larger. bcache uses the following steps to calculate the target number, 1) cache_sectors = all-buckets-of-cache-set * buckets-size 2) cache_dirty_target = cache_sectors * cached-device-writeback_percent 3) target = cache_dirty_target * (sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set) The calculation at step 1) for cache_sectors is incorrect, which does not consider dirty blocks occupied by flash only volume. A flash only volume can be took as a bcache device without cached device. All data sectors allocated for it are persistent on cache device and marked dirty, they are not touched by bcache writeback and garbage collection code. So data blocks of flash only volume should be ignore when calculating cache_sectors of cache set. Current code does not subtract dirty sectors of flash only volume, which results a larger target number from the above 3 steps. And in sequence the cache device's writeback rate is smaller then a correct value, writeback speed is slower on all cached devices. This patch fixes the incorrect slower writeback rate by subtracting dirty sectors of flash only volumes in __update_writeback_rate(). (Commit log composed by Coly Li to pass checkpatch.pl checking) Signed-off-by: Tang Junhui Reviewed-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit f1f2d73bab02e551627fea150ca3edfb1016057c Author: Tang Junhui Date: Wed Sep 6 14:25:53 2017 +0800 bcache: do not subtract sectors_to_gc for bypassed IO commit 69daf03adef5f7bc13e0ac86b4b8007df1767aab upstream. Since bypassed IOs use no bucket, so do not subtract sectors_to_gc to trigger gc thread. Signed-off-by: tang.junhui Acked-by: Coly Li Reviewed-by: Eric Wheeler Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit d1550aa7f5c100e6269afbf58acbcd3abfb5dcc6 Author: Tang Junhui Date: Wed Sep 6 14:25:52 2017 +0800 bcache: fix sequential large write IO bypass commit c81ffa32a214c84b08900fbc9d432187bd948eba upstream. Sequential write IOs were tested with bs=1M by FIO in writeback cache mode, these IOs were expected to be bypassed, but actually they did not. We debug the code, and find in check_should_bypass(): if (!congested && mode == CACHE_MODE_WRITEBACK && op_is_write(bio_op(bio)) && (bio->bi_opf & REQ_SYNC)) goto rescale that means, If in writeback mode, a write IO with REQ_SYNC flag will not be bypassed though it is a sequential large IO, It's not a correct thing to do actually, so this patch remove these codes. Signed-off-by: tang.junhui Reviewed-by: Kent Overstreet Reviewed-by: Eric Wheeler Signed-off-by: Jens Axboe [bwh: Backported to 3.16: deleted code is slightly different] Signed-off-by: Ben Hutchings commit 66d2774a1664c759083d2a214bea9bd56a7ab47e Author: Jan Kara Date: Wed Sep 6 14:25:51 2017 +0800 bcache: Fix leak of bdev reference commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream. If blkdev_get_by_path() in register_bcache() fails, we try to lookup the block device using lookup_bdev() to detect which situation we are in to properly report error. However we never drop the reference returned to us from lookup_bdev(). Fix that. Signed-off-by: Jan Kara Acked-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 17fd33a0202a0e9185ee30f92d6f4c86104d3f6f Author: Matt Redfearn Date: Tue Aug 8 13:22:34 2017 +0100 MIPS: Stacktrace: Fix microMIPS stack unwinding on big endian systems commit 41885b02127c7ae169dc94542de4a8eed175495a upstream. The stack unwinding code uses the mips_instuction union to decode the instructions it finds. That union uses the __BITFIELD_FIELD macro to reorder depending on endianness. The stack unwinding code always places 16bit instructions in halfword 1 of the union. This makes the union accesses correct for little endian systems. Similarly, 32bit instructions are reordered such that they are correct for little endian systems. This handling leaves unwinding the stack on big endian systems broken, as the mips_instruction union will then look for the fields in the wrong halfword. To fix this, use a logical shift to place the 16bit instruction into the correct position in the word field of the union. Use the same shifting to order the 2 halfwords of 32bit instuctions. Then replace accesses to the halfword with accesses to the shifted word. In the case of the ADDIUS5 instruction, switch to using the mm16_r5_format union member to avoid the need for a 16bit shift. Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") Signed-off-by: Matt Redfearn Reviewed-by: James Hogan Cc: Marcin Nowakowski Cc: Ingo Molnar Cc: Paul Burton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16956/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit da5a7a6da5f4b433642cf39cd4f0039569f98d71 Author: Matt Redfearn Date: Tue Aug 8 13:22:33 2017 +0100 MIPS: microMIPS: Fix decoding of swsp16 instruction commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce upstream. When the immediate encoded in the instruction is accessed, it is sign extended due to being a signed value being assigned to a signed integer. The ISA specifies that this operation is an unsigned operation. The sign extension leads us to incorrectly decode: 801e9c8e: cbf1 sw ra,68(sp) As having an immediate of 1073741809. Since the instruction format does not specify signed/unsigned, and this is currently the only location to use this instuction format, change it to an unsigned immediate. Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack") Suggested-by: Paul Burton Signed-off-by: Matt Redfearn Reviewed-by: James Hogan Cc: Marcin Nowakowski Cc: Miodrag Dinic Cc: Ingo Molnar Cc: David Daney Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16957/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit bbe0e8379947af45b6e4c79060e508ebce5bd7af Author: Matt Redfearn Date: Tue Aug 8 13:22:32 2017 +0100 MIPS: microMIPS: Fix decoding of addiusp instruction commit a0ae2b08331a9882150618e0c81ea837e4a37ace upstream. Commit 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") added handling of microMIPS instructions to manipulate the stack pointer. Unfortunately the decoding of the addiusp instruction was incorrect, and performed a left shift by 2 bits to the raw immediate, rather than decoding the immediate and then performing the shift, as documented in the ISA. This led to incomplete stack traces, due to incorrect frame sizes being calculated. For example the instruction: 801faee0 : 801faee0: 4e25 addiu sp,sp,-952 As decoded by objdump, would be interpreted by the existing code as having manipulated the stack pointer by +1096. Fix this by changing the order of decoding the immediate and applying the left shift. Also change to accessing the instuction through the union to avoid the endianness problem of accesing halfword[0], which will fail on big endian systems. Cope with the special behaviour of immediates 0x0, 0x1, 0x1fe and 0x1ff by XORing with 0x100 again if mod(immediate) < 4. This logic was tested with the following test code: int main(int argc, char **argv) { unsigned int enc; int imm; for (enc = 0; enc < 512; ++enc) { int tmp = enc << 2; imm = -(signed short)(tmp | ((tmp & 0x100) ? 0xfe00 : 0)); unsigned short tmp = enc; tmp = (tmp ^ 0x100) - 0x100; if ((unsigned short)(tmp + 2) < 4) tmp ^= 0x100; imm = -(signed short)(tmp << 2); printf("%#x\t%d\t->\t(%#x\t%d)\t%#x\t%d\n", enc, enc, (short)tmp, (short)tmp, imm, imm); } return EXIT_SUCCESS; } Which generates the table: input encoding -> tmp (matching manual) frame size ----------------------------------------------------------------------- 0 0 -> (0x100 256) 0xfffffc00 -1024 0x1 1 -> (0x101 257) 0xfffffbfc -1028 0x2 2 -> (0x2 2) 0xfffffff8 -8 0x3 3 -> (0x3 3) 0xfffffff4 -12 ... 0xfe 254 -> (0xfe 254) 0xfffffc08 -1016 0xff 255 -> (0xff 255) 0xfffffc04 -1020 0x100 256 -> (0xffffff00 -256) 0x400 1024 0x101 257 -> (0xffffff01 -255) 0x3fc 1020 ... 0x1fc 508 -> (0xfffffffc -4) 0x10 16 0x1fd 509 -> (0xfffffffd -3) 0xc 12 0x1fe 510 -> (0xfffffefe -258) 0x408 1032 0x1ff 511 -> (0xfffffeff -257) 0x404 1028 Thanks to James Hogan for the test code & verifying the logic. Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") Suggested-by: James Hogan Signed-off-by: Matt Redfearn Cc: Marcin Nowakowski Cc: Ingo Molnar Cc: Paul Burton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16955/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit ad0fa9970ba9ac5746c10d1c5c44143742e59c97 Author: Matt Redfearn Date: Tue Aug 8 13:22:31 2017 +0100 MIPS: microMIPS: Fix detection of addiusp instruction commit b332fec0489295ee7a0aab4a89bd7257cd126f7f upstream. The addiusp instruction uses the pool16d opcode, with bit 0 of the immediate set. The test for the addiusp opcode erroneously did a logical and of the immediate with mm_addiusp_func, which has value 1, so this test always passes when the immediate is non-zero. Fix the test by replacing the logical and with a bitwise and. Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") Signed-off-by: Matt Redfearn Cc: Marcin Nowakowski Cc: Ingo Molnar Cc: Paul Burton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16954/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit f501a7822c36a0dad5142c0780c7f3135681e232 Author: Matt Redfearn Date: Tue Aug 8 13:22:30 2017 +0100 MIPS: Handle non word sized instructions when examining frame commit 11887ed172a6960673f130dad8f8fb42778f64d7 upstream. Commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") added fairly broken support for handling 16bit microMIPS instructions in get_frame_info(). It adjusts the instruction pointer by 16bits in the case of a 16bit sp move instruction, but not any other 16bit instruction. Commit b6c7a324df37 ("MIPS: Fix get_frame_info() handling of microMIPS function size") goes some way to fixing get_frame_info() to iterate over microMIPS instuctions, but the instruction pointer is still manipulated using a postincrement, and is of union mips_instruction type. Since the union is sized to the largest member (a word), but microMIPS instructions are a mix of halfword and word sizes, the function does not always iterate correctly, ending up misaligned with the instruction stream and interpreting it incorrectly. Since the instruction modifying the stack pointer is usually the first in the function, that one is usually handled correctly. But the instruction which saves the return address to the sp is some variable number of instructions into the frame and is frequently missed due to not being on a word boundary, leading to incomplete walking of the stack. Fix this by incrementing the instruction pointer based on the size of the previously decoded instruction (& remove the hack introduced by commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") which adjusts the instruction pointer in the case of a 16bit sp move instruction, but not any other). Fixes: 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") Signed-off-by: Matt Redfearn Cc: Marcin Nowakowski Cc: James Hogan Cc: Ingo Molnar Cc: Paul Burton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16953/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit 7af8ed38b626b255939f43884438b14435515cfb Author: Jonas Gorski Date: Tue Jul 18 12:17:29 2017 +0200 MIPS: ralink: allow NULL clock for clk_get_rate commit a18097b7676bf5fb2677bf5e6cc24e721d7c2596 upstream. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: 3f0a06b0368d ("MIPS: ralink: adds clkdev code") Reported-by: Mathias Kresin Signed-off-by: Jonas Gorski Cc: John Crispin Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16778/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit 66956fdad6e881cae3444a0335c682dbb83b5180 Author: Jonas Gorski Date: Tue Jul 18 12:17:28 2017 +0200 MIPS: Loongson 2F: allow NULL clock for clk_get_rate commit 386787b1fcab2dd3d16ca3f46729aaafdef306e3 upstream. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter, as some device drivers rely on this. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: f8ede0f700f5 ("MIPS: Loongson 2F: Add CPU frequency scaling support") Reported-by: Mathias Kresin Signed-off-by: Jonas Gorski Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16777/ Signed-off-by: Ralf Baechle [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit c591fa1b2f2364cc677b824e79416c1301593b11 Author: Jonas Gorski Date: Tue Jul 18 12:17:27 2017 +0200 MIPS: BCM63XX: allow NULL clock for clk_get_rate commit 1b495faec231980b6c719994b24044ccc04ae06c upstream. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.") Reported-by: Mathias Kresin Signed-off-by: Jonas Gorski Reviewed-by: Florian Fainelli Cc: bcm-kernel-feedback-list@broadcom.com Cc: James Hogan Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16776/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit 285014c8e18f51bf89de3f39b08c95044edbe935 Author: Jonas Gorski Date: Tue Jul 18 12:17:26 2017 +0200 MIPS: AR7: allow NULL clock for clk_get_rate commit 585e0e9d02a690c29932b2fc0789835c7b91d448 upstream. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: 780019ddf02f ("MIPS: AR7: Implement clock API") Signed-off-by: Jonas Gorski Reported-by: Mathias Kresin Cc: Paul Gortmaker Cc: James Hogan Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16775/ Signed-off-by: Ralf Baechle Signed-off-by: Ben Hutchings commit 7b7b5b48e5902f9e07d76d9607ddb9d0b15c8619 Author: Martin Schwidefsky Date: Thu Aug 17 08:15:16 2017 +0200 s390/mm: fix race on mm->context.flush_mm commit 60f07c8ec5fae06c23e9fd7bab67dabce92b3414 upstream. The order in __tlb_flush_mm_lazy is to flush TLB first and then clear the mm->context.flush_mm bit. This can lead to missed flushes as the bit can be set anytime, the order needs to be the other way aronud. But this leads to a different race, __tlb_flush_mm_lazy may be called on two CPUs concurrently. If mm->context.flush_mm is cleared first then another CPU can bypass __tlb_flush_mm_lazy although the first CPU has not done the flush yet. In a virtualized environment the time until the flush is finally completed can be arbitrarily long. Add a spinlock to serialize __tlb_flush_mm_lazy and use the function in finish_arch_post_lock_switch as well. Reviewed-by: Heiko Carstens Signed-off-by: Martin Schwidefsky [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 88d49828970d53d9f58fb7a5bb0ee8b3a3b7e738 Author: Avraham Stern Date: Fri Aug 18 15:33:57 2017 +0300 mac80211: flush hw_roc_start work before cancelling the ROC commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream. When HW ROC is supported it is possible that after the HW notified that the ROC has started, the ROC was cancelled and another ROC was added while the hw_roc_start worker is waiting on the mutex (since cancelling the ROC and adding another one also holds the same mutex). As a result, the hw_roc_start worker will continue to run after the new ROC is added but before it is actually started by the HW. This may result in notifying userspace that the ROC has started before it actually does, or in case of management tx ROC, in an attempt to tx while not on the right channel. In addition, when the driver will notify mac80211 that the second ROC has started, mac80211 will warn that this ROC has already been notified. Fix this by flushing the hw_roc_start work before cancelling an ROC. Signed-off-by: Avraham Stern Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit d987f7e0044e73806b55247873724516c3150680 Author: Beni Lev Date: Tue Jul 25 11:25:25 2017 +0300 mac80211_hwsim: Use proper TX power commit 9de981f507474f326e42117858dc9a9321331ae5 upstream. In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0] falls on the same place, depending on the union usage. During the whole TX process, the union is referred to as a control struct, which holds the vif that is later used in the tx flow, especially in order to derive the used tx power. Referring direcly to rate_driver_data[0] and assigning a value to it, overwrites the vif pointer, hence making all later references irrelevant. Moreover, rate_driver_data[0] isn't used later in the flow in order to retrieve the channel that it is pointing to. Signed-off-by: Beni Lev Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit d554bf6ee1dc83a824a1a3521702d8af2f63eea0 Author: Arnd Bergmann Date: Wed Aug 23 16:44:51 2017 +0200 mfd: omap-usb-tll: Fix register offsets commit 993dc737c0996c163325961fb62a0ed9fd0308b4 upstream. gcc-8 notices that the register number calculation is wrong when the offset is an 'u8' but the number is larger than 256: drivers/mfd/omap-usb-tll.c: In function 'omap_tll_init': drivers/mfd/omap-usb-tll.c:90:46: error: overflow in conversion from 'int' to 'u8 {aka unsigned char}' chages value from 'i * 256 + 2070' to '22' [-Werror=overflow] This addresses it by always using a 32-bit offset number for the register. This is apparently an old problem that previous compilers did not find. Fixes: 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver") Signed-off-by: Arnd Bergmann Signed-off-by: Lee Jones Signed-off-by: Ben Hutchings commit 73e5038418ec03f887e97c0b5cb55c629f8fb61a Author: Christophe JAILLET Date: Wed Jul 5 07:50:54 2017 +0200 mfd: max8998: Fix potential NULL pointer dereference commit 2042f3c29f2f11129434de8a610878e8a15b4174 upstream. if 'max8998_i2c_parse_dt_pdata() fails (when out of memory), a NULL pointer dereference will occur in the error handling code. Return directly instead. Fixes: ee999fb3f17f("mfd: max8998: Add support for Device Tree") Signed-off-by: Christophe JAILLET Signed-off-by: Lee Jones Signed-off-by: Ben Hutchings commit 0b3ca265e81f5e1d9f7f66ad416cbabecca914cf Author: Guillaume Nault Date: Fri Sep 1 17:58:51 2017 +0200 l2tp: pass tunnel pointer to ->session_create() commit f026bc29a8e093edfbb2a77700454b285c97e8ad upstream. Using l2tp_tunnel_find() in pppol2tp_session_create() and l2tp_eth_create() is racy, because no reference is held on the returned session. These functions are only used to implement the ->session_create callback which is run by l2tp_nl_cmd_session_create(). Therefore searching for the parent tunnel isn't necessary because l2tp_nl_cmd_session_create() already has a pointer to it and holds a reference. This patch modifies ->session_create()'s prototype to directly pass the the parent tunnel as parameter, thus avoiding searching for it in pppol2tp_session_create() and l2tp_eth_create(). Since we have to touch the ->session_create() call in l2tp_nl_cmd_session_create(), let's also remove the useless conditional: we know that ->session_create isn't NULL at this point because it's already been checked earlier in this same function. Finally, one might be tempted to think that the removed l2tp_tunnel_find() calls were harmless because they would return the same tunnel as the one held by l2tp_nl_cmd_session_create() anyway. But that tunnel might be removed and a new one created with same tunnel Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find() would return the new tunnel which wouldn't be protected by the reference held by l2tp_nl_cmd_session_create(). Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 5b216e8dcda2333addd923d698b71ba8b8fc65c2 Author: Guillaume Nault Date: Fri Sep 1 17:58:48 2017 +0200 l2tp: prevent creation of sessions on terminated tunnels commit f3c66d4e144a0904ea9b95d23ed9f8eb38c11bfb upstream. l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the tunnel from the pernet list and finally closes all its sessions. Therefore, it's possible to add a session to a tunnel that is still reachable, but for which tunnel->sock has already been reset. This can make l2tp_session_create() dereference a NULL pointer when calling sock_hold(tunnel->sock). This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is used by l2tp_tunnel_closeall() to prevent addition of new sessions to tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall() returned, so that l2tp_session_add_to_tunnel() can safely take a reference on it when .acpt_newsess is true. The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel from being removed because of the references held by this new session on the tunnel and its socket. Even though the session could be removed manually later on, this defeats the purpose of commit 9980d001cec8 ("l2tp: add udp encap socket destroy handler"). Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit d19c3d91d1cf33fb8eae304f396317542d1c12fa Author: Jesper Dangaard Brouer Date: Fri Sep 1 11:26:08 2017 +0200 Revert "net: use lib/percpu_counter API for fragmentation mem accounting" commit fb452a1aa3fd4034d7999e309c5466ff2d7005aa upstream. This reverts commit 6d7b857d541ecd1d9bd997c97242d4ef94b19de2. There is a bug in fragmentation codes use of the percpu_counter API, that can cause issues on systems with many CPUs. The frag_mem_limit() just reads the global counter (fbc->count), without considering other CPUs can have upto batch size (130K) that haven't been subtracted yet. Due to the 3MBytes lower thresh limit, this become dangerous at >=24 CPUs (3*1024*1024/130000=24). The correct API usage would be to use __percpu_counter_compare() which does the right thing, and takes into account the number of (online) CPUs and batch size, to account for this and call __percpu_counter_sum() when needed. We choose to revert the use of the lib/percpu_counter API for frag memory accounting for several reasons: 1) On systems with CPUs > 24, the heavier fully locked __percpu_counter_sum() is always invoked, which will be more expensive than the atomic_t that is reverted to. Given systems with more than 24 CPUs are becoming common this doesn't seem like a good option. To mitigate this, the batch size could be decreased and thresh be increased. 2) The add_frag_mem_limit+sub_frag_mem_limit pairs happen on the RX CPU, before SKBs are pushed into sockets on remote CPUs. Given NICs can only hash on L2 part of the IP-header, the NIC-RXq's will likely be limited. Thus, a fair chance that atomic add+dec happen on the same CPU. Revert note that commit 1d6119baf061 ("net: fix percpu memory leaks") removed init_frag_mem_limit() and instead use inet_frags_init_net(). After this revert, inet_frags_uninit_net() becomes empty. Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem accounting") Fixes: 1d6119baf061 ("net: fix percpu memory leaks") Signed-off-by: Jesper Dangaard Brouer Acked-by: Florian Westphal Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 7a7d12848f889f13fa1b40eef04c47caf946108d Author: Amir Goldstein Date: Wed Aug 30 09:23:12 2017 -0700 xfs: fix incorrect log_flushed on fsync commit 47c7d0b19502583120c3f396c7559e7a77288a68 upstream. When calling into _xfs_log_force{,_lsn}() with a pointer to log_flushed variable, log_flushed will be set to 1 if: 1. xlog_sync() is called to flush the active log buffer AND/OR 2. xlog_wait() is called to wait on a syncing log buffers xfs_file_fsync() checks the value of log_flushed after _xfs_log_force_lsn() call to optimize away an explicit PREFLUSH request to the data block device after writing out all the file's pages to disk. This optimization is incorrect in the following sequence of events: Task A Task B ------------------------------------------------------- xfs_file_fsync() _xfs_log_force_lsn() xlog_sync() [submit PREFLUSH] xfs_file_fsync() file_write_and_wait_range() [submit WRITE X] [endio WRITE X] _xfs_log_force_lsn() xlog_wait() [endio PREFLUSH] The write X is not guarantied to be on persistent storage when PREFLUSH request in completed, because write A was submitted after the PREFLUSH request, but xfs_file_fsync() of task A will be notified of log_flushed=1 and will skip explicit flush. If the system crashes after fsync of task A, write X may not be present on disk after reboot. This bug was discovered and demonstrated using Josef Bacik's dm-log-writes target, which can be used to record block io operations and then replay a subset of these operations onto the target device. The test goes something like this: - Use fsx to execute ops of a file and record ops on log device - Every now and then fsync the file, store md5 of file and mark the location in the log - Then replay log onto device for each mark, mount fs and compare md5 of file to stored value Cc: Christoph Hellwig Cc: Josef Bacik Signed-off-by: Amir Goldstein Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit bc516127009476c0aa6523796b312d6dfc2a463a Author: Jose Abreu Date: Fri Sep 1 17:00:23 2017 +0100 ARC: Re-enable MMU upon Machine Check exception commit 1ee55a8f7f6b7ca4c0c59e0b4b4e3584a085c2d3 upstream. I recently came upon a scenario where I would get a double fault machine check exception tiriggered by a kernel module. However the ensuing crash stacktrace (ksym lookup) was not working correctly. Turns out that machine check auto-disables MMU while modules are allocated in kernel vaddr spapce. This patch re-enables the MMU before start printing the stacktrace making stacktracing of modules work upon a fatal exception. Signed-off-by: Jose Abreu Reviewed-by: Alexey Brodkin Signed-off-by: Vineet Gupta [vgupta: moved code into low level handler to avoid in 2 places] Signed-off-by: Ben Hutchings commit 63a84635e1b3b25394d7a6d1d0a1046189349620 Author: Steven Rostedt (VMware) Date: Fri Sep 1 12:04:09 2017 -0400 ftrace: Fix selftest goto location on error commit 46320a6acc4fb58f04bcf78c4c942cc43b20f986 upstream. In the second iteration of trace_selftest_ops(), the error goto label is wrong in the case where trace_selftest_test_global_cnt is off. In the case of error, it leaks the dynamic ops that was allocated. Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users") Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Ben Hutchings commit a09dbb488f1ee347771a971e9398d047d4f59344 Author: NeilBrown Date: Thu Aug 31 10:23:25 2017 +1000 md/bitmap: disable bitmap_resize for file-backed bitmaps. commit e8a27f836f165c26f867ece7f31eb5c811692319 upstream. bitmap_resize() does not work for file-backed bitmaps. The buffer_heads are allocated and initialized when the bitmap is read from the file, but resize doesn't read from the file, it loads from the internal bitmap. When it comes time to write the new bitmap, the bh is non-existent and we crash. The common case when growing an array involves making the array larger, and that normally means making the bitmap larger. Doing that inside the kernel is possible, but would need more code. It is probably easier to require people who use file-backed bitmaps to remove them and re-add after a reshape. So this patch disables the resizing of arrays which have file-backed bitmaps. This is better than crashing. Reported-by: Zhilong Liu Fixes: d60b479d177a ("md/bitmap: add bitmap_resize function to allow bitmap resizing.") Signed-off-by: NeilBrown Signed-off-by: Shaohua Li Signed-off-by: Ben Hutchings commit 92baf719d42b4dc28a25081ef0819ffb47ff5bd7 Author: Christophe JAILLET Date: Tue Aug 29 21:23:49 2017 +0200 driver core: bus: Fix a potential double free commit 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb upstream. The .release function of driver_ktype is 'driver_release()'. This function frees the container_of this kobject. So, this memory must not be freed explicitly in the error handling path of 'bus_add_driver()'. Otherwise a double free will occur. Signed-off-by: Christophe JAILLET Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit f5f4e4b8350e62fc490b2f20f4c3f7e81e77a6ea Author: Julien Grall Date: Thu Aug 17 17:14:52 2017 +0100 xen/events: events_fifo: Don't use {get,put}_cpu() in xen_evtchn_fifo_init() commit 22f12f0df802cea865672d8f39fbebdc03981050 upstream. When booting Linux as Xen guest with CONFIG_DEBUG_ATOMIC, the following splat appears: [ 0.002323] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes) [ 0.019717] ASID allocator initialised with 65536 entries [ 0.020019] xen:grant_table: Grant tables using version 1 layout [ 0.020051] Grant table initialized [ 0.020069] BUG: sleeping function called from invalid context at /data/src/linux/mm/page_alloc.c:4046 [ 0.020100] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0 [ 0.020123] no locks held by swapper/0/1. [ 0.020143] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.13.0-rc5 #598 [ 0.020166] Hardware name: FVP Base (DT) [ 0.020182] Call trace: [ 0.020199] [] dump_backtrace+0x0/0x270 [ 0.020222] [] show_stack+0x24/0x30 [ 0.020244] [] dump_stack+0xb8/0xf0 [ 0.020267] [] ___might_sleep+0x1c8/0x1f8 [ 0.020291] [] __might_sleep+0x58/0x90 [ 0.020313] [] __alloc_pages_nodemask+0x1c0/0x12e8 [ 0.020338] [] alloc_page_interleave+0x38/0x88 [ 0.020363] [] alloc_pages_current+0xdc/0xf0 [ 0.020387] [] __get_free_pages+0x28/0x50 [ 0.020411] [] evtchn_fifo_alloc_control_block+0x2c/0xa0 [ 0.020437] [] xen_evtchn_fifo_init+0x38/0xb4 [ 0.020461] [] xen_init_IRQ+0x44/0xc8 [ 0.020484] [] xen_guest_init+0x250/0x300 [ 0.020507] [] do_one_initcall+0x44/0x130 [ 0.020531] [] kernel_init_freeable+0x120/0x288 [ 0.020556] [] kernel_init+0x18/0x110 [ 0.020578] [] ret_from_fork+0x10/0x40 [ 0.020606] xen:events: Using FIFO-based ABI [ 0.020658] Xen: initializing cpu0 [ 0.027727] Hierarchical SRCU implementation. [ 0.036235] EFI services will not be available. [ 0.043810] smp: Bringing up secondary CPUs ... This is because get_cpu() in xen_evtchn_fifo_init() will disable preemption, but __get_free_page() might sleep (GFP_ATOMIC is not set). xen_evtchn_fifo_init() will always be called before SMP is initialized, so {get,put}_cpu() could be replaced by a simple smp_processor_id(). This also avoid to modify evtchn_fifo_alloc_control_block that will be called in other context. Signed-off-by: Julien Grall Reported-by: Andre Przywara Reviewed-by: Boris Ostrovsky Fixes: 1fe565517b57 ("xen/events: use the FIFO-based ABI if available") Signed-off-by: Boris Ostrovsky [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 649aef79868a4d84a41f97824167ceaaa281a610 Author: Paul Mackerras Date: Wed Aug 30 14:12:24 2017 +1000 powerpc: Correct instruction code for xxlor instruction commit 93b2d3cf3733b4060d3623161551f51ea1ab5499 upstream. The instruction code for xxlor that commit 0016a4cf5582 ("powerpc: Emulate most Book I instructions in emulate_step()", 2010-06-15) added is actually the code for xxlnor. It is used in get_vsr() and put_vsr() and the effect of the error is that if emulate_step is used to emulate a VSX load or store from any register other than vsr0, the bitwise complement of the correct value will be loaded or stored. This corrects the error. Fixes: 0016a4cf5582 ("powerpc: Emulate most Book I instructions in emulate_step()") Signed-off-by: Paul Mackerras Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 69c1c9a6ffe1c1ad16ced61bd66843506dfaba7d Author: Michael Ellerman Date: Thu Aug 24 20:49:57 2017 +1000 powerpc: Fix DAR reporting when alignment handler faults commit f9effe925039cf54489b5c04e0d40073bb3a123d upstream. Anton noticed that if we fault part way through emulating an unaligned instruction, we don't update the DAR to reflect that. The DAR value is eventually reported back to userspace as the address in the SEGV signal, and if userspace is using that value to demand fault then it can be confused by us not setting the value correctly. This patch is ugly as hell, but is intended to be the minimal fix and back ports easily. Signed-off-by: Michael Ellerman Reviewed-by: Paul Mackerras Signed-off-by: Ben Hutchings commit 33c57233b431f8b72c6802520059373a5f335146 Author: Dan Carpenter Date: Fri Aug 25 13:33:40 2017 +0300 powerpc/44x: Fix mask and shift to zero bug commit 8d046759f6ad75824fdf7b9c9a3da0272ea9ea92 upstream. My static checker complains that 0x00001800 >> 13 is zero. Looking at the context, it seems like a copy and paste bug from the line below and probably 0x3 << 13 or 0x00006000 was intended. Fixes: 2af59f7d5c3e ("[POWERPC] 4xx: Add 405GPr and 405EP support in boot wrapper") Signed-off-by: Dan Carpenter Acked-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings commit 71ee8480093a46d245f61e2c2c5cfb0d5a6bc61d Author: Dan Carpenter Date: Wed Aug 30 16:30:35 2017 +0300 scsi: qla2xxx: Fix an integer overflow in sysfs code commit e6f77540c067b48dee10f1e33678415bfcc89017 upstream. The value of "size" comes from the user. When we add "start + size" it could lead to an integer overflow bug. It means we vmalloc() a lot more memory than we had intended. I believe that on 64 bit systems vmalloc() can succeed even if we ask it to allocate huge 4GB buffers. So we would get memory corruption and likely a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). Only root can trigger this bug. Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") Reported-by: shqking Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit bfae480e5e23f8db4e0282c656f0b5bf071f0cba Author: Dan Carpenter Date: Wed Aug 30 17:03:58 2017 +0300 regulator: da9063: Return an error code on probe failure commit b6615659827839f3031c6bd4c1599c3c705778ac upstream. If "regl_pdata->n_regulators == 0" is true then we accidentally return PTR_ERR() instead of an error code. I've changed it to return -ENODEV instead. Fixes: 69ca3e58d178 ("regulator: da9063: Add Dialog DA9063 voltage regulators support.") Signed-off-by: Dan Carpenter Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 91fafc569c9cae6feff94060f0400472d3ccb545 Author: David Spinadel Date: Thu Aug 17 17:28:22 2017 +0300 iwlwifi: mvm: Avoid deferring non bufferable frames commit eb045e6e0389eabfd704dd7a76d8b2a892970e85 upstream. Use bcast station for all non bufferable frames on AP and AD-HOC. The host is no longer aware of STAs PS status because of buffer station offload, so we can't rely on mac80211 to toggle on IEEE80211_TX_CTL_NO_PS_BUFFER bit. A possible issue with buffering such frames, beside the obvious spec violation, is when a station disconnects while in PS but the AP isn't aware of that. In such scenarios the AP won't be able to send probe responses or auth frames so the STA won't be able to reconnect and the AP will have a queue hang. Fixes: 3e56eadfb6a1 ("iwlwifi: mvm: implement AP/GO uAPSD support") Signed-off-by: David Spinadel Signed-off-by: Luca Coelho Signed-off-by: Ben Hutchings commit 8f4d41d1e62bdf83027c993be9c499d81b32a150 Author: Johannes Berg Date: Tue Jun 20 11:22:07 2017 +0200 iwlwifi: mvm: simplify bufferable MMPDU check commit 7426ee33a29b3215357986378c77bb9949518154 upstream. There's no need to spell out the cases when we can just use ieee80211_is_bufferable_mmpdu(). Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit e329f6b9482903930408553a53a96ff6d54a20af Author: Maciej S. Szmigiero Date: Tue Aug 29 21:50:03 2017 +0200 USB: serial: option: add support for D-Link DWM-157 C1 commit 169e86546f5712179709de23cd64bbb15f199fab upstream. This commit adds support (an ID, really) for D-Link DWM-157 hardware version C1 USB modem to option driver. According to manufacturer-provided Windows INF file the device has four serial ports: "D-Link HSPA+DataCard Diagnostics Interface" (interface 2; modem port), "D-Link HSPA+DataCard NMEA Device" (interface 3), "D-Link HSPA+DataCard Speech Port" (interface 4), "D-Link HSPA+DataCard Debug Port" (interface 5). usb-devices output: T: Bus=05 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2001 ProdID=7d0e Rev=03.00 S: Manufacturer=D-Link,Inc S: Product=D-Link DWM-157 C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage Signed-off-by: Maciej S. Szmigiero Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings commit f39d255966130f6f04acdb0081c52da14f9c3ce8 Author: Brian King Date: Tue Aug 29 10:00:29 2017 -0500 scsi: aacraid: Fix command send race condition commit 1ae948fa4f00f3a2823e7cb19a3049ef27dd6947 upstream. This fixes a potential race condition observed on Power systems. Several places throughout the aacraid driver call aac_fib_send or similar to send a command to the aacraid adapter, then check the return code to determine if the command was actually sent to the adapter, then update the phase field in the scsi command scratch pad area to track that the firmware now owns this command. However, there is nothing that ensures that by the time the aac_fib_send function returns and we go to write to the scsi command, that the command hasn't already completed and the scsi command has been freed. This was causing random crashes in the TCP stack which was tracked down to be caused by memory that had been a struct request + scsi_cmnd being now used for an skbuff. Memory poisoning was enabled in the kernel to debug this which showed that the last owner of the memory that had been freed was aacraid and that it was a struct request. The memory that was corrupted was the exact data pattern of AAC_OWNER_FIRMWARE and it was at the same offset that aacraid writes, which is scsicmd->SCp.phase. The patch below resolves this issue. Signed-off-by: Brian King Tested-by: Wen Xiong Reviewed-by: Dave Carroll Signed-off-by: Martin K. Petersen [bwh: Backported to 3.16: - Drop changes to aac_send_hba_fib() - Adjust context] Signed-off-by: Ben Hutchings commit 19b41af111f3701e758efe355aeae5813a3c2d71 Author: Leon Romanovsky Date: Mon Aug 28 16:38:21 2017 +0300 net/mlx4_core: Make explicit conversion to 64bit value commit 187782eb58a89ea030731114c6ae37842a4472fe upstream. The "lg" variable is declared as int so in all places where this variable is used as a shift operand, the output will be int too. This produces the following smatch warning: drivers/net/ethernet/mellanox/mlx4/fw.c:1532 mlx4_map_cmd() warn: should '1 << lg' be a 64 bit type? Simple declaration of "1" to be "1ULL" will fix the issue. Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Signed-off-by: Leon Romanovsky Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 576484dd7cdb14dd7236ade9e3fce5b7e1cadd91 Author: Mark Rutland Date: Tue Aug 22 11:36:17 2017 +0100 ARM: 8692/1: mm: abort uaccess retries upon fatal signal commit 746a272e44141af24a02f6c9b0f65f4c4598ed42 upstream. When there's a fatal signal pending, arm's do_page_fault() implementation returns 0. The intent is that we'll return to the faulting userspace instruction, delivering the signal on the way. However, if we take a fatal signal during fixing up a uaccess, this results in a return to the faulting kernel instruction, which will be instantly retried, resulting in the same fault being taken forever. As the task never reaches userspace, the signal is not delivered, and the task is left unkillable. While the task is stuck in this state, it can inhibit the forward progress of the system. To avoid this, we must ensure that when a fatal signal is pending, we apply any necessary fixup for a faulting kernel instruction. Thus we will return to an error path, and it is up to that code to make forward progress towards delivering the fatal signal. Signed-off-by: Mark Rutland Reviewed-by: Steve Capper Signed-off-by: Russell King Signed-off-by: Ben Hutchings commit d86195952181af2d1af4cb6be53cedae35396886 Author: Dan Carpenter Date: Fri Aug 25 11:43:59 2017 +0300 IB/usnic: check for allocation failure commit d518a44d317d92f4c297ea26a308b1ac1a980d33 upstream. usnic_uiom_get_dev_list() can return ERR_PTR(-ENOMEM) so we should check for that. Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") Signed-off-by: Dan Carpenter Reviewed-by: Yuval Shaia Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit 5f250ed5f469ce7b000b4fcc67965195ca499d08 Author: Mike Marciniszyn Date: Mon Aug 21 18:26:20 2017 -0700 IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation commit 5b0ef650bd0f820e922fcc42f1985d4621ae19cf upstream. Section 9.7.7.2.5 of the 1.3 IBTA spec clearly says that receive credits should never apply to RDMA write. qib and hfi1 were doing that. The following situation will result in a QP hang: - A prior SEND or RDMA_WRITE with immmediate consumed the last credit for a QP using RC receive buffer credits - The prior op is acked so there are no more acks - The peer ULP fails to post receive for some reason - An RDMA write sees that the credits are exhausted and waits - The peer ULP posts receive buffers - The ULP posts a send or RDMA write that will be hung The fix is to avoid the credit test for the RDMA write operation. Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford [bwh: Backported to 3.16: - Drop changes to hfi1 - Adjust context] Signed-off-by: Ben Hutchings commit 638b42cdd3fef8e876fd08d67a88230631bda6e6 Author: Yazen Ghannam Date: Mon Aug 28 13:13:14 2017 -0500 ACPI, APEI, EINJ: Subtract any matching Register Region from Trigger resources commit 1d5d820b8fe83b5f859d1ebb028a09ada426447e upstream. ACPI defines a number of instructions to use for triggering errors. However we are currently removing the address resources from the trigger resources for only the WRITE_REGISTER_VALUE instruction. This leads to a resource conflict for any other valid instruction. Check that the instruction is less than or equal to the WRITE_REGISTER_VALUE instruction. This allows all valid memory access instructions and protects against invalid instructions. Fixes: b4e008dc53a3 (ACPI, APEI, EINJ, Refine the fix of resource conflict) Signed-off-by: Yazen Ghannam Acked-by: Tony Luck Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings commit fabafeee5a9d4aebe93542d128bece34a1e2e392 Author: Sandeep Singh Date: Thu Aug 24 09:57:15 2017 +0530 usb:xhci:Fix regression when ATI chipsets detected commit e6b422b88b46353cf596e0db6dc0e39d50d90d6e upstream. The following commit cause a regression on ATI chipsets. 'commit e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume")' This causes pinfo->smbus_dev to be wrongly set to NULL on systems with the ATI chipset that this function checks for first. Added conditional check for AMD chipsets to avoid the overwriting pinfo->smbus_dev. Reported-by: Ben Hutchings Fixes: e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume") cc: Nehal Shah Signed-off-by: Sandeep Singh Signed-off-by: Shyam Sundar S K Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit fc8bf8019ed9a84f0e35c3e12ec6fa41cd128c9e Author: Dmitry Fleytman Date: Fri Aug 25 10:38:35 2017 +0300 usb: Add device quirk for Logitech HD Pro Webcam C920-C commit a1279ef74eeeb5f627f091c71d80dd7ac766c99d upstream. Commit e0429362ab15 ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e") introduced quirk to workaround an issue with some Logitech webcams. Apparently model C920-C has the same issue so applying the same quirk as well. See aforementioned commit message for detailed explanation of the problem. Signed-off-by: Dmitry Fleytman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit f51f7d4051d6de7d8c785873edec64fa6c4c7436 Author: Kai-Heng Feng Date: Wed Aug 16 10:53:20 2017 +0800 usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard commit de3af5bf259d7a0bfaac70441c8568ab5998d80c upstream. Corsair Strafe RGB keyboard has trouble to initialize: [ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd [ 6.871136] usb 3-6: unable to read config index 0 descriptor/all [ 6.871138] usb 3-6: can't read configurations, error -110 [ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd [ 12.246642] usb 3-6: unable to read config index 0 descriptor/all [ 12.246644] usb 3-6: can't read configurations, error -110 [ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd [ 17.622145] usb 3-6: unable to read config index 0 descriptor/all [ 17.622147] usb 3-6: can't read configurations, error -110 [ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd [ 22.997715] usb 3-6: unable to read config index 0 descriptor/all [ 22.997716] usb 3-6: can't read configurations, error -110 Although it may work after several times unpluging/pluging: [ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd [ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20 [ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard [ 68.337468] usb 3-6: Manufacturer: Corsair [ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941 Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone can workaround this issue. Hence add the quirk for Corsair Strafe RGB. BugLink: https://bugs.launchpad.net/bugs/1678477 Signed-off-by: Kai-Heng Feng Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 4e7edc3ae531708e7cfec41ad10adb671a01d5ef Author: Douglas Anderson Date: Thu Aug 10 15:42:22 2017 -0700 USB: core: Avoid race of async_completed() w/ usbdev_release() commit ed62ca2f4f51c17841ea39d98c0c409cb53a3e10 upstream. While running reboot tests w/ a specific set of USB devices (and slub_debug enabled), I found that once every few hours my device would be crashed with a stack that looked like this: [ 14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091 [ 14.012460] lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu [ 14.012460] /1025536097, .owner_cpu: 0 [ 14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352 [ 14.012468] Hardware name: Google Kevin (DT) [ 14.012471] Call trace: [ 14.012483] [<....>] dump_backtrace+0x0/0x160 [ 14.012487] [<....>] show_stack+0x20/0x28 [ 14.012494] [<....>] dump_stack+0xb4/0xf0 [ 14.012500] [<....>] spin_dump+0x8c/0x98 [ 14.012504] [<....>] spin_bug+0x30/0x3c [ 14.012508] [<....>] do_raw_spin_lock+0x40/0x164 [ 14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74 [ 14.012521] [<....>] __wake_up+0x2c/0x60 [ 14.012528] [<....>] async_completed+0x2d0/0x300 [ 14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138 [ 14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0 [ 14.012544] [<....>] xhci_irq+0x1314/0x1348 [ 14.012548] [<....>] usb_hcd_irq+0x40/0x50 [ 14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0 [ 14.012556] [<....>] handle_irq_event+0x4c/0x7c [ 14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8 [ 14.012564] [<....>] generic_handle_irq+0x30/0x44 [ 14.012568] [<....>] __handle_domain_irq+0x90/0xbc [ 14.012572] [<....>] gic_handle_irq+0xcc/0x18c Investigation using kgdb() found that the wait queue that was passed into wake_up() had been freed (it was filled with slub_debug poison). I analyzed and instrumented the code and reproduced. My current belief is that this is happening: 1. async_completed() is called (from IRQ). Moves "as" onto the completed list. 2. On another CPU, proc_reapurbnonblock_compat() calls async_getcompleted(). Blocks on spinlock. 3. async_completed() releases the lock; keeps running; gets blocked midway through wake_up(). 4. proc_reapurbnonblock_compat() => async_getcompleted() gets the lock; removes "as" from completed list and frees it. 5. usbdev_release() is called. Frees "ps". 6. async_completed() finally continues running wake_up(). ...but wake_up() has a pointer to the freed "ps". The instrumentation that led me to believe this was based on adding some trace_printk() calls in a select few functions and then using kdb's "ftdump" at crash time. The trace follows (NOTE: in the trace below I cheated a little bit and added a udelay(1000) in async_completed() after releasing the spinlock because I wanted it to trigger quicker): <...>-2104 0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200 mtpd-2055 3.... 13759356us : async_getcompleted before spin_lock_irqsave mtpd-2055 3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200 mtpd-2055 3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200) mtpd-2055 3.... 13759422us+: async_getcompleted before spin_lock_irqsave mtpd-2055 3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080 mtpd-2055 3.... 13759487us : async_getcompleted before spin_lock_irqsave mtpd-2055 3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080 <...>-2104 0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200 To fix this problem we can just move the wake_up() under the ps->lock. There should be no issues there that I'm aware of. Signed-off-by: Douglas Anderson Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit ddee76d516bf4fe103a9a31f9655a4a4ae01e11d Author: Dan Carpenter Date: Sat Aug 26 09:04:18 2017 +0300 staging: lustre: obdclass: return -EFAULT if copy_from_user() fails commit 092c3def24bb68a00ff58c76ed67b9ff448387ce upstream. The copy_from_user() function returns the number of bytes which we weren't able to copy. We don't want to return that to the user but instead we want to return -EFAULT. Fixes: d7e09d0397e8 ("staging: add Lustre file system client support") Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 1ba4b6f74df71d2058a591e6a8011a8e35c7fa41 Author: Jonas Gorski Date: Tue Jul 18 12:17:25 2017 +0200 m68k: allow NULL clock for clk_get_rate commit 94b282267c2f3af725b154c91275ed374c1f11de upstream. Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: facdf0ed4f59 ("m68knommu: introduce basic clk infrastructure") Cc: Greg Ungerer Cc: Geert Uytterhoeven Cc: linux-m68k@lists.linux-m68k.org Cc: linux-kernel@vger.kernel.org Reported-by: Mathias Kresin Signed-off-by: Jonas Gorski Signed-off-by: Greg Ungerer [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit 754d79a022c54a745437f01631e319511126015b Author: Colin Ian King Date: Tue Aug 22 10:21:20 2017 -0400 media: em28xx: calculate left volume level correctly commit 801e3659bf2c87c31b7024087d61e89e172b5651 upstream. The calculation of the left volume looks suspect, the value of 0x1f - ((val << 8) & 0x1f) is always 0x1f. The debug prior to the assignment of value[1] prints the left volume setting using the calculation 0x1f - (val >> 8) & 0x1f which looks correct to me. Fix the left volume by using the correct expression as used in the debug. Detected by CoverityScan, CID#146140 ("Wrong operator used") Fixes: 850d24a5a861 ("[media] em28xx-alsa: add mixer support for AC97 volume controls") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit c633946a19e4a415ad81609048355fad01d36f74 Author: Ilya Lesokhin Date: Thu Aug 17 15:52:32 2017 +0300 IB/mlx5: Fix integer overflow when page_shift == 31 commit 7b4cdaae73ee833975a767cf54a3354d355b3f8d upstream. Fix a bug where MR registration fails when mlx5_ib_cont_pages indicates that the MR can be mapped using 2GB pages (page_shift == 31). Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Ilya Lesokhin Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 23c0278aeb78faa2d2ec65cf4397200385555aa1 Author: Leon Romanovsky Date: Thu Aug 17 15:50:41 2017 +0300 RDMA/usnic: Fix remove address space warning commit 5d50f400e56fbc7a14ef3f8d42ba47710e455881 upstream. Sparse tool complains with the following error: drivers/infiniband/hw/usnic/usnic_ib_main.c:445:16: warning: cast removes address space of expression Fix it by doing casting on correct field and convert function helper which sets ifaddr to be void, because there are no users who are interested in returned value. Fixes: c7845bcafe4d ("IB/usnic: Add UDP support in u*verbs.c, u*main.c and u*util.h") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit cbccd19bd16d5e5131714586f71bfda4e139a2f5 Author: Alexandre Belloni Date: Mon Aug 21 18:00:38 2017 +0200 rtc: sa1100: fix unbalanced clk_prepare_enable/clk_disable_unprepare commit 1cf85b2327a9b03bde5266e72ee64a38d085256d upstream. In the error path of sa1100_rtc_open(), info->clk is disabled which will happen again in sa1100_rtc_remove() when the module is removed whereas it is only enabled once in sa1100_rtc_init(). Fixes: 0cc0c38e9139 ("drivers/rtc/rtc-sa1100.c: move clock enable/disable to probe/remove") Acked-by: Robert Jarzmik Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings commit 8c2e625dbe2d85a4a34d48e77d536c1c532f8114 Author: Konstantin Khlebnikov Date: Sun Aug 20 14:39:13 2017 +0300 perf tools: Really install manpages via 'make install-man' commit 2826478a6660158d261bc49ad8954a8f5c39be07 upstream. Target install-man builds them but forget to install. Signed-off-by: Konstantin Khlebnikov Cc: Alexander Shishkin Cc: Borislav Petkov Cc: Peter Zijlstra Fixes: af3df2cf17f5 ("perf tools: Try to build Documentation when installing") Link: http://lkml.kernel.org/r/150322915300.129715.13645857235229756834.stgit@buzz Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ben Hutchings commit 00ca597d8561c126dc9d97eedfe07bec111d2ab3 Author: Jaegeuk Kim Date: Sat Aug 12 21:33:23 2017 -0700 f2fs: check hot_data for roll-forward recovery commit 125c9fb1ccb53eb2ea9380df40f3c743f3fb2fed upstream. We need to check HOT_DATA to truncate any previous data block when doing roll-forward recovery. Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Ben Hutchings commit 2496cf83ff1b8fe099920430f2f6586ac9372171 Author: Johan Hovold Date: Thu Jul 20 12:48:17 2017 +0200 pwm: tiehrpwm: fix clock imbalance in probe error path commit e2b5602af76dec75f474e4173afb4215007ecfa5 upstream. Make sure to unprepare the clock before returning on late probe errors. Fixes: b388f15fd14c ("pwm: pwm-tiehrpwm: Use clk_enable/disable instead clk_prepare/unprepare.") Signed-off-by: Johan Hovold Signed-off-by: Thierry Reding [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 486256792807573924b73d1e9203ee303d382978 Author: Johan Hovold Date: Thu Jul 20 12:48:16 2017 +0200 pwm: tiehrpwm: Fix runtime PM imbalance at unbind commit c7fdd3f52944b81d807ce7a5fde7d1ca8a2a0919 upstream. Remove unbalanced RPM put at driver unbind which resulted in a negative usage count. Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM") Signed-off-by: Johan Hovold Signed-off-by: Thierry Reding Signed-off-by: Ben Hutchings commit 790599d78a22183a94157402a6a412fd080fda43 Author: Colin Ian King Date: Fri Aug 18 14:34:16 2017 +0100 staging/rts5208: fix incorrect shift to extract upper nybble commit 34ff1bf4920471cff66775dc39537b15c5f0feff upstream. The mask of sns_key_info1 suggests the upper nybble is being extracted however the following shift of 8 bits is too large and always results in 0. Fix this by shifting only by 4 bits to correctly get the upper nybble. Detected by CoverityScan, CID#142891 ("Operands don't affect result") Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") Signed-off-by: Colin Ian King Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 5c3bd83c33085d5b54c6f8634d9710bac908c6d7 Author: Sean Young Date: Thu Aug 3 17:42:28 2017 -0400 media: lirc_zilog: driver only sends LIRCCODE commit 89d8a2cc51d1f29ea24a0b44dde13253141190a0 upstream. This driver cannot send pulse, it only accepts driver-dependent codes. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit a5f9c8992ea254dc7a80d24257083a666dd600f2 Author: Guenter Roeck Date: Tue Aug 8 08:56:21 2017 -0400 media: uvcvideo: Prevent heap overflow when accessing mapped controls commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream. The size of uvc_control_mapping is user controlled leading to a potential heap overflow in the uvc driver. This adds a check to verify the user provided size fits within the bounds of the defined buffer size. Originally-from: Richard Simmons Signed-off-by: Guenter Roeck Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit ed3286ed5ee31f024c86ce1bd0a8e4c2087c4c67 Author: stephen hemminger Date: Fri Aug 18 13:46:19 2017 -0700 net: don't decrement kobj reference count on init failure commit d0d6683716791b2a2761a1bb025c613eb73da6c3 upstream. If kobject_init_and_add failed, then the failure path would decrement the reference count of the queue kobject whose reference count was already zero. Fixes: 114cf5802165 ("bql: Byte queue limits") Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 8bc93b8fa6680dfe51761edac4f78b0052708ac0 Author: Bart Van Assche Date: Thu Aug 17 13:12:46 2017 -0700 skd: Submit requests to firmware before triggering the doorbell commit 5fbd545cd3fd311ea1d6e8be4cedddd0ee5684c7 upstream. Ensure that the members of struct skd_msg_buf have been transferred to the PCIe adapter before the doorbell is triggered. This patch avoids that I/O fails sporadically and that the following error message is reported: (skd0:STM000196603:[0000:00:09.0]): Completion mismatch comp_id=0x0000 skreq=0x0400 new=0x0000 Signed-off-by: Bart Van Assche Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Johannes Thumshirn Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 5d209e7bf61e09f8bbc646b38c7d70bc0f4ec0c3 Author: Bart Van Assche Date: Thu Aug 17 13:12:45 2017 -0700 skd: Avoid that module unloading triggers a use-after-free commit 7277cc67b3916eed47558c64f9c9c0de00a35cda upstream. Since put_disk() triggers a disk_release() call and since that last function calls blk_put_queue() if disk->queue != NULL, clear the disk->queue pointer before calling put_disk(). This avoids that unloading the skd kernel module triggers the following use-after-free: WARNING: CPU: 8 PID: 297 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80 refcount_t: underflow; use-after-free. CPU: 8 PID: 297 Comm: kworker/8:1 Not tainted 4.11.10-300.fc26.x86_64 #1 Workqueue: events work_for_cpu_fn Call Trace: dump_stack+0x63/0x84 __warn+0xcb/0xf0 warn_slowpath_fmt+0x5a/0x80 refcount_sub_and_test+0x70/0x80 refcount_dec_and_test+0x11/0x20 kobject_put+0x1f/0x50 blk_put_queue+0x15/0x20 disk_release+0xae/0xf0 device_release+0x32/0x90 kobject_release+0x67/0x170 kobject_put+0x2b/0x50 put_disk+0x17/0x20 skd_destruct+0x5c/0x890 [skd] skd_pci_probe+0x124d/0x13a0 [skd] local_pci_probe+0x42/0xa0 work_for_cpu_fn+0x14/0x20 process_one_work+0x19e/0x470 worker_thread+0x1dc/0x4a0 kthread+0x125/0x140 ret_from_fork+0x25/0x30 Signed-off-by: Bart Van Assche Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Johannes Thumshirn Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 873ae9976c056a962c2ce4678b93b84bf7c7f25f Author: Bart Van Assche Date: Thu Aug 17 13:12:44 2017 -0700 block: Relax a check in blk_start_queue() commit 4ddd56b003f251091a67c15ae3fe4a5c5c5e390a upstream. Calling blk_start_queue() from interrupt context with the queue lock held and without disabling IRQs, as the skd driver does, is safe. This patch avoids that loading the skd driver triggers the following warning: WARNING: CPU: 11 PID: 1348 at block/blk-core.c:283 blk_start_queue+0x84/0xa0 RIP: 0010:blk_start_queue+0x84/0xa0 Call Trace: skd_unquiesce_dev+0x12a/0x1d0 [skd] skd_complete_internal+0x1e7/0x5a0 [skd] skd_complete_other+0xc2/0xd0 [skd] skd_isr_completion_posted.isra.30+0x2a5/0x470 [skd] skd_isr+0x14f/0x180 [skd] irq_forced_thread_fn+0x2a/0x70 irq_thread+0x144/0x1a0 kthread+0x125/0x140 ret_from_fork+0x2a/0x40 Fixes: commit a038e2536472 ("[PATCH] blk_start_queue() must be called with irq disabled - add warning") Signed-off-by: Bart Van Assche Cc: Paolo 'Blaisorblade' Giarrusso Cc: Andrew Morton Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Johannes Thumshirn Signed-off-by: Jens Axboe [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 82e3efeb41415aaf2b9fe43e8e985f0f7889b50d Author: Luca Coelho Date: Wed Aug 16 08:47:38 2017 +0300 iwlwifi: pci: add new PCI ID for 7265D commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream. We have a new PCI subsystem ID for 7265D. Add it to the list. Signed-off-by: Luca Coelho [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings commit 167e359037d6553337342bc780ee7cd88472c85f Author: Xiangliang.Yu Date: Wed Aug 16 14:25:51 2017 +0800 drm/ttm: Fix accounting error when fail to get pages for pool commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream. When fail to get needed page for pool, need to put allocated pages into pool. But current code has a miscalculation of allocated pages, correct it. Signed-off-by: Xiangliang.Yu Reviewed-by: Christian König Reviewed-by: Monk Liu Signed-off-by: Alex Deucher Signed-off-by: Ben Hutchings commit 607fc3dc95fa69e8b4cf531718c3d90f513a9361 Author: Arnaldo Carvalho de Melo Date: Thu Aug 17 14:22:50 2017 -0300 perf events parse: Use just one parse events state struct commit d17d0878f456c8227345b6c76b918ec068fa0abd upstream. Andi reported problems when parse errors were detected with vendor events (json), because in the yyparse/parse_events_parse function we dereferenced the _data parameter to two different structs, with different layouts, which ended up making parse_events_evlist->error to point to random stack addresses. Fix it by making _data to always be struct parse_events_state, changing the only place where 'struct parse_events_term' was used in parse_events.y. Reported-by: Andi Kleen Cc: Adrian Hunter Cc: David Ahern Cc: Jiri Olsa Cc: Namhyung Kim Cc: Wang Nan Link: http://lkml.kernel.org/n/tip-bc27lshz823hxl8n9nkelcgh@git.kernel.org Fixes: 90e2b22dee90 ("perf/tool: Add support to reuse event grammar to parse out terms") Signed-off-by: Arnaldo Carvalho de Melo [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 97330896a76dc0a44209361233b38e9eb4a0f637 Author: Arnaldo Carvalho de Melo Date: Thu Aug 17 14:13:25 2017 -0300 perf events parse: Rename parsing state struct to clearer name commit 5d369a75eda5855d64981668a1d60cfac00d52e9 upstream. Rename it from 'parse_events_evlist' to 'parse_events_state' to better state that this is parsing state that has to be passed around. Cc: Adrian Hunter Cc: David Ahern Cc: Jiri Olsa Cc: Namhyung Kim Cc: Wang Nan Link: http://lkml.kernel.org/n/tip-dursqtg2h2w98ztaa297u43x@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo [bwh: Backported to 3.16: change all uses of the name in this version] Signed-off-by: Ben Hutchings commit 7c3274b3c4131299a459216e55821f0e54a4686e Author: Aleksa Sarai Date: Tue Jul 4 21:49:06 2017 +1000 btrfs: resume qgroup rescan on rw remount commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream. Several distributions mount the "proper root" as ro during initrd and then remount it as rw before pivot_root(2). Thus, if a rescan had been aborted by a previous shutdown, the rescan would never be resumed. This issue would manifest itself as several btrfs ioctl(2)s causing the entire machine to hang when btrfs_qgroup_wait_for_completion was hit (due to the fs_info->qgroup_rescan_running flag being set but the rescan itself not being resumed). Notably, Docker's btrfs storage driver makes regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT (causing this problem to be manifested on boot for some machines). Cc: Jeff Mahoney Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount") Signed-off-by: Aleksa Sarai Reviewed-by: Nikolay Borisov Tested-by: Nikolay Borisov Signed-off-by: David Sterba [bwh: Backported to 3.16: add #include "qgroup.h"] Signed-off-by: Ben Hutchings commit c23c045d17003108600173074da08c70bd5c78a0 Author: Lorenzo Bianconi Date: Fri Aug 11 21:44:14 2017 +0200 iio: accel: st_accel: fix data-ready line configuration commit 4303741f99d617c1fc3c9069195d3d620c2f88c4 upstream. Remove int2 configuration parameter for LIS3DH, LSM303DLHC, LSM330D, LSM330DL, LSM330DLC, LSM303AGR, LIS2DH12 and LNG2DM since these devices export just int1 as data-ready line Fixes: 23cde4d65cc7 (iio: Added platform data to select the DRDY pin) Fixes: dcdb0a78cab3 (iio: accel: st_accel: add support to lng2dm) Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: - Update the macro used to fill in this field - Drop change for LNG2DM] Signed-off-by: Ben Hutchings commit 4c49404dce7203677cdac4a0fa578ff1d140d660 Author: Lorenzo Bianconi Date: Fri Aug 11 21:44:13 2017 +0200 iio: pressure: st_pressure: fix drdy configuration for LPS22HB and LPS25H commit ef0bc2e83966b5aed055acb6d16a3788de5205f4 upstream. Remove int2 configuration parameter for LPS22HB and LPS25H since these devices export just int1 as data-ready line Fixes: 931878405b86 (iio:pressure: Add support for LPS25H pressure sensor) Fixes: e039e2f5b4da (iio:st_pressure:initial lps22hb sensor support) Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: - Update the macro used to fill in this field - Drop change for LPS22HB] Signed-off-by: Ben Hutchings commit cd038ef0bc5818685397df24bdef29e413966e39 Author: Andrey Korolyov Date: Thu Aug 10 13:21:14 2017 +0300 cs5536: add support for IDE controller variant commit 591b6bb605785c12a21e8b07a08a277065b655a5 upstream. Several legacy devices such as Geode-based Cisco ASA appliances and DB800 development board do possess CS5536 IDE controller with different PCI id than existing one. Using pata_generic is not always feasible as at least DB800 requires MSR quirk from pata_cs5536 to be used with vendor firmware. Signed-off-by: Andrey Korolyov Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit c544e82f72f28a49fa3889ff485d7795f3865494 Author: Finn Thain Date: Fri Aug 4 01:43:19 2017 -0400 scsi: mac_esp: Fix PIO transfers for MESSAGE IN phase commit 7640d91d285893a5cf1e62b2cd00f0884c401d93 upstream. When in MESSAGE IN phase, the ESP device does not automatically acknowledge each byte that is transferred by PIO. The mac_esp driver neglects to explicitly ack them, which causes a timeout during messages larger than one byte (e.g. tag bytes during reconnect). Fix this with an ESP_CMD_MOK command after each byte. The MESSAGE IN phase is also different in that each byte transferred raises ESP_INTR_FDONE. So don't exit the transfer loop for this interrupt, for this phase. That resolves the "Reconnect IRQ2 timeout" error on those Macs which use PIO transfers instead of PDMA. This patch also improves on the weak tests for unexpected interrupts and phase changes during PIO transfers. Tested-by: Stan Johnson Fixes: 02507a80b35e ("[PATCH] [SCSI] mac_esp: fix PIO mode, take 2") Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 3f99ccd12bcdb89f0e0093fd939119a35f8e7aea Author: Steffen Maier Date: Fri Jul 28 12:30:57 2017 +0200 scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response commit fdb7cee3b9e3c561502e58137a837341f10cbf8b upstream. At the default trace level, we only trace unsuccessful events including FSF responses. zfcp_dbf_hba_fsf_response() only used protocol status and FSF status to decide on an unsuccessful response. However, this is only one of multiple possible sources determining a failed struct zfcp_fsf_req. An FSF request can also "fail" if its response runs into an ERP timeout or if it gets dismissed because a higher level recovery was triggered [trace tags "erscf_1" or "erscf_2" in zfcp_erp_strategy_check_fsfreq()]. FSF requests with ERP timeout are: FSF_QTCB_EXCHANGE_CONFIG_DATA, FSF_QTCB_EXCHANGE_PORT_DATA, FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT or FSF_QTCB_CLOSE_PHYSICAL_PORT for target ports, FSF_QTCB_OPEN_LUN, FSF_QTCB_CLOSE_LUN. One example is slow queue processing which can cause follow-on errors, e.g. FSF_PORT_ALREADY_OPEN after FSF_QTCB_OPEN_PORT_WITH_DID timed out. In order to see the root cause, we need to see late responses even if the channel presented them successfully with FSF_PROT_GOOD and FSF_GOOD. Example trace records formatted with zfcpdbf from the s390-tools package: Timestamp : ... Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : ... Record ID : 1 Tag : fcegpf1 LUN : 0xffffffffffffffff WWPN : 0x D_ID : 0x00 Adapter status : 0x5400050b Port status : 0x41200000 LUN status : 0x00000000 Ready count : 0x00000001 Running count : 0x... ERP want : 0x02 ZFCP_ERP_ACTION_REOPEN_PORT ERP need : 0x02 ZFCP_ERP_ACTION_REOPEN_PORT | Timestamp : ... 30 seconds later Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : ... Record ID : 2 Tag : erscf_2 LUN : 0xffffffffffffffff WWPN : 0x D_ID : 0x00 Adapter status : 0x5400050b Port status : 0x41200000 LUN status : 0x00000000 Request ID : 0x ERP status : 0x10000000 ZFCP_STATUS_ERP_TIMEDOUT ERP step : 0x0800 ZFCP_ERP_STEP_PORT_OPENING ERP action : 0x02 ZFCP_ERP_ACTION_REOPEN_PORT ERP count : 0x00 | Timestamp : ... later than previous record Area : HBA Subarea : 00 Level : 5 > default level => 3 <= default level Exception : - CPU ID : 00 Caller : ... Record ID : 1 Tag : fs_qtcb => fs_rerr Request ID : 0x Request status : 0x00001010 ZFCP_STATUS_FSFREQ_DISMISSED | ZFCP_STATUS_FSFREQ_CLEANUP FSF cmnd : 0x00000005 FSF sequence no: 0x... FSF issued : ... > 30 seconds ago FSF stat : 0x00000000 FSF_GOOD FSF stat qual : 00000000 00000000 00000000 00000000 Prot stat : 0x00000001 FSF_PROT_GOOD Prot stat qual : 00000000 00000000 00000000 00000000 Port handle : 0x... LUN handle : 0x00000000 QTCB log length: ... QTCB log info : ... In case of problems detecting that new responses are waiting on the input queue, we sooner or later trigger adapter recovery due to an FSF request timeout (trace tag "fsrth_1"). FSF requests with FSF request timeout are: typically FSF_QTCB_ABORT_FCP_CMND; but theoretically also FSF_QTCB_EXCHANGE_CONFIG_DATA or FSF_QTCB_EXCHANGE_PORT_DATA via sysfs, FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT for WKA ports, FSF_QTCB_FCP_CMND for task management function (LUN / target reset). One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD because the channel filled in the response via DMA into the request's QTCB. In a theroretical case, inject code can create an erroneous FSF request on purpose. If data router is enabled, it uses deferred error reporting. A READ SCSI command can succeed with FSF_PROT_GOOD, FSF_GOOD, and SAM_STAT_GOOD. But on writing the read data to host memory via DMA, it can still fail, e.g. if an intentionally wrong scatter list does not provide enough space. Rather than getting an unsuccessful response, we get a QDIO activate check which in turn triggers adapter recovery. One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD because the channel filled in the response via DMA into the request's QTCB. Example trace records formatted with zfcpdbf from the s390-tools package: Timestamp : ... Area : HBA Subarea : 00 Level : 6 > default level => 3 <= default level Exception : - CPU ID : .. Caller : ... Record ID : 1 Tag : fs_norm => fs_rerr Request ID : 0x Request status : 0x00001010 ZFCP_STATUS_FSFREQ_DISMISSED | ZFCP_STATUS_FSFREQ_CLEANUP FSF cmnd : 0x00000001 FSF sequence no: 0x... FSF issued : ... FSF stat : 0x00000000 FSF_GOOD FSF stat qual : 00000000 00000000 00000000 00000000 Prot stat : 0x00000001 FSF_PROT_GOOD Prot stat qual : ........ ........ 00000000 00000000 Port handle : 0x... LUN handle : 0x... | Timestamp : ... Area : SCSI Subarea : 00 Level : 3 Exception : - CPU ID : .. Caller : ... Record ID : 1 Tag : rsl_err Request ID : 0x SCSI ID : 0x... SCSI LUN : 0x... SCSI result : 0x000e0000 DID_TRANSPORT_DISRUPTED SCSI retries : 0x00 SCSI allowed : 0x05 SCSI scribble : 0x SCSI opcode : 28... Read(10) FCP rsp inf cod: 0x00 FCP rsp IU : 00000000 00000000 00000000 00000000 ^^ SAM_STAT_GOOD 00000000 00000000 Only with luck in both above cases, we could see a follow-on trace record of an unsuccesful event following a successful but late FSF response with FSF_PROT_GOOD and FSF_GOOD. Typically this was the case for I/O requests resulting in a SCSI trace record "rsl_err" with DID_TRANSPORT_DISRUPTED [On ZFCP_STATUS_FSFREQ_DISMISSED, zfcp_fsf_protstatus_eval() sets ZFCP_STATUS_FSFREQ_ERROR seen by the request handler functions as failure]. However, the reason for this follow-on trace was invisible because the corresponding HBA trace record was missing at the default trace level (by default hidden records with tags "fs_norm", "fs_qtcb", or "fs_open"). On adapter recovery, after we had shut down the QDIO queues, we perform unsuccessful pseudo completions with flag ZFCP_STATUS_FSFREQ_DISMISSED for each pending FSF request in zfcp_fsf_req_dismiss_all(). In order to find the root cause, we need to see all pseudo responses even if the channel presented them successfully with FSF_PROT_GOOD and FSF_GOOD. Therefore, check zfcp_fsf_req.status for ZFCP_STATUS_FSFREQ_DISMISSED or ZFCP_STATUS_FSFREQ_ERROR and trace with a new tag "fs_rerr". It does not matter that there are numerous places which set ZFCP_STATUS_FSFREQ_ERROR after the location where we trace an FSF response early. These cases are based on protocol status != FSF_PROT_GOOD or == FSF_PROT_FSF_STATUS_PRESENTED and are thus already traced by default as trace tag "fs_perr" or "fs_ferr" respectively. NB: The trace record with tag "fssrh_1" for status read buffers on dismiss all remains. zfcp_fsf_req_complete() handles this and returns early. All other FSF request types are handled separately and as described above. Signed-off-by: Steffen Maier Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features") Fixes: 2e261af84cdb ("[SCSI] zfcp: Only collect FSF/HBA debug data for matching trace levels") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 1d97aa5325f579f1055b7c6bc9b2332e231c1dd9 Author: Steffen Maier Date: Fri Jul 28 12:30:56 2017 +0200 scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records commit 12c3e5754c8022a4f2fd1e9f00d19e99ee0d3cc1 upstream. If the FCP_RSP UI has optional parts (FCP_SNS_INFO or FCP_RSP_INFO) and thus does not fit into the fsp_rsp field built into a SCSI trace record, trace the full FCP_RSP UI with all optional parts as payload record instead of just FCP_SNS_INFO as payload and a 1 byte RSP_INFO_CODE part of FCP_RSP_INFO built into the SCSI record. That way we would also get the full FCP_SNS_INFO in case a target would ever send more than min(SCSI_SENSE_BUFFERSIZE==96, ZFCP_DBF_PAY_MAX_REC==256)==96. The mandatory part of FCP_RSP IU is only 24 bytes. PAYload costs at least one full PAY record of 256 bytes anyway. We cap to the hardware response size which is only FSF_FCP_RSP_SIZE==128. So we can just put the whole FCP_RSP IU with any optional parts into PAYload similarly as we do for SAN PAY since v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records (req,resp,iels)"). This does not cause any additional trace records wasting memory. Decoded trace records were confusing because they showed a hard-coded sense data length of 96 even if the FCP_RSP_IU field FCP_SNS_LEN showed actually less. Since the same commit, we set pl_len for SAN traces to the full length of a request/response even if we cap the corresponding trace. In contrast, here for SCSI traces we set pl_len to the pre-computed length of FCP_RSP IU considering SNS_LEN or RSP_LEN if valid. Nonetheless we trace a hardcoded payload of length FSF_FCP_RSP_SIZE==128 if there were optional parts. This makes it easier for the zfcpdbf tool to format only the relevant part of the long FCP_RSP UI buffer. And any trailing information is still available in the payload trace record just in case. Rename the payload record tag from "fcp_sns" to "fcp_riu" to make the new content explicit to zfcpdbf which can then pick a suitable field name such as "FCP rsp IU all:" instead of "Sense info :" Also, the same zfcpdbf can still be backwards compatible with "fcp_sns". Old example trace record before this fix, formatted with the tool zfcpdbf from s390-tools: Timestamp : ... Area : SCSI Subarea : 00 Level : 3 Exception : - CPU id : .. Caller : 0x... Record id : 1 Tag : rsl_err Request id : 0x SCSI ID : 0x... SCSI LUN : 0x... SCSI result : 0x00000002 SCSI retries : 0x00 SCSI allowed : 0x05 SCSI scribble : 0x SCSI opcode : 00000000 00000000 00000000 00000000 FCP rsp inf cod: 0x00 FCP rsp IU : 00000000 00000000 00000202 00000000 ^^==FCP_SNS_LEN_VALID 00000020 00000000 ^^^^^^^^==FCP_SNS_LEN==32 Sense len : 96 <==min(SCSI_SENSE_BUFFERSIZE,ZFCP_DBF_PAY_MAX_REC) Sense info : 70000600 00000018 00000000 29000000 00000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000<==superfluous 00000000 00000000 00000000 00000000<==superfluous 00000000 00000000 00000000 00000000<==superfluous 00000000 00000000 00000000 00000000<==superfluous New example trace records with this fix: Timestamp : ... Area : SCSI Subarea : 00 Level : 3 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : rsl_err Request ID : 0x SCSI ID : 0x... SCSI LUN : 0x... SCSI result : 0x00000002 SCSI retries : 0x00 SCSI allowed : 0x03 SCSI scribble : 0x SCSI opcode : a30c0112 00000000 02000000 00000000 FCP rsp inf cod: 0x00 FCP rsp IU : 00000000 00000000 00000a02 00000200 00000020 00000000 FCP rsp IU len : 56 FCP rsp IU all : 00000000 00000000 00000a02 00000200 ^^=FCP_RESID_UNDER|FCP_SNS_LEN_VALID 00000020 00000000 70000500 00000018 ^^^^^^^^==FCP_SNS_LEN ^^^^^^^^^^^^^^^^^ 00000000 240000cb 00011100 00000000 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 00000000 00000000 ^^^^^^^^^^^^^^^^^==FCP_SNS_INFO Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : lr_okay Request ID : 0x SCSI ID : 0x... SCSI LUN : 0x... SCSI result : 0x00000000 SCSI retries : 0x00 SCSI allowed : 0x05 SCSI scribble : 0x SCSI opcode : FCP rsp inf cod: 0x00 FCP rsp IU : 00000000 00000000 00000100 00000000 00000000 00000008 FCP rsp IU len : 32 FCP rsp IU all : 00000000 00000000 00000100 00000000 ^^==FCP_RSP_LEN_VALID 00000000 00000008 00000000 00000000 ^^^^^^^^==FCP_RSP_LEN ^^^^^^^^^^^^^^^^^==FCP_RSP_INFO Signed-off-by: Steffen Maier Fixes: 250a1352b95e ("[SCSI] zfcp: Redesign of the debug tracing for SCSI records.") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 361fb360a9883881887f45e320e2db3db8cfe1d0 Author: Steffen Maier Date: Fri Jul 28 12:30:55 2017 +0200 scsi: zfcp: fix missing trace records for early returns in TMF eh handlers commit 1a5d999ebfc7bfe28deb48931bb57faa8e4102b6 upstream. For problem determination we need to see that we were in scsi_eh as well as whether and why we were successful or not. The following commits introduced new early returns without adding a trace record: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh") on fc_block_scsi_eh() returning != 0 which is FAST_IO_FAIL, v2.6.30 commit 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp") on not having gotten an FSF request after the maximum number of retry attempts and thus could not issue a TMF and has to return FAILED. Signed-off-by: Steffen Maier Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh") Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 62841f88524c0e018dadb036f821bcdc1ab4abe8 Author: Steffen Maier Date: Fri Jul 28 12:30:54 2017 +0200 scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream. Without this fix we get SCSI trace records on task management functions which cannot be correlated to HBA trace records because all fields related to the FSF request are empty (zero). Also, the FCP_RSP_IU is missing as well as any sense data if available. This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features") introducing trace records for TMFs but hard coding NULL for a possibly existing TMF FSF request. The scsi_cmnd scribble is also zero or unrelated for the TMF request so it also could not lookup a suitable FSF request from there. A broken example trace record formatted with zfcpdbf from the s390-tools package: Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : lr_fail Request ID : 0x0000000000000000 ^^^^^^^^^^^^^^^^ no correlation to HBA record SCSI ID : 0x SCSI LUN : 0x SCSI result : 0x000e0000 SCSI retries : 0x00 SCSI allowed : 0x05 SCSI scribble : 0x0000000000000000 SCSI opcode : 2a000017 3bb80000 08000000 00000000 FCP rsp inf cod: 0x00 ^^ no TMF response FCP rsp IU : 00000000 00000000 00000000 00000000 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 00000000 00000000 ^^^^^^^^^^^^^^^^^ no interesting FCP_RSP_IU Sense len : ... ^^^^^^^^^^^^^^^^^^^^ no sense data length Sense info : ... ^^^^^^^^^^^^^^^^^^^^ no sense data content, even if present There are some true cases where we really do not have an FSF request: "rsl_fai" from zfcp_dbf_scsi_fail_send() called for early returns / completions in zfcp_scsi_queuecommand(), "abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from zfcp_scsi_eh_abort_handler() where we did not get as far, "lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're successful and do not need to do anything because adapter stopped. For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi(). Signed-off-by: Steffen Maier Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 639906631d2fec04aff9d4aaa53603f5c2fb0ead Author: Steffen Maier Date: Fri Jul 28 12:30:53 2017 +0200 scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records commit 975171b4461be296a35e83ebd748946b81cf0635 upstream. v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records (req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") necessary for problem determination, e.g. to see the currently active zone set during automatic port scan. While it already saves space by not dumping any empty residual entries of the large successful GPN_FT response (4 pages), there are seldom cases where the GPN_FT response is unsuccessful and likely does not have FC_NS_FID_LAST set in fp_flags so we did not cap the trace record. We typically see such case for an initiator WWPN, which is not in any zone. Cap unsuccessful responses to at least the actual basic CT_IU response plus whatever fits the SAN trace record built-in "payload" buffer just in case there's trailing information of which we would at least see the existence and its beginning. In order not to erroneously cap successful responses, we need to swap calling the trace function and setting the CT / ELS status to success (0). Example trace record pair formatted with zfcpdbf: Timestamp : ... Area : SAN Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : fssct_1 Request ID : 0x Destination ID : 0x00fffffc SAN req short : 01000000 fc020000 01720ffc 00000000 00000008 SAN req length : 20 | Timestamp : ... Area : SAN Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 2 Tag : fsscth2 Request ID : 0x Destination ID : 0x00fffffc SAN resp short : 01000000 fc020000 80010000 00090700 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] SAN resp length: 16384 San resp info : 01000000 fc020000 80010000 00090700 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] The fix saves all but one of the previously associated 64 PAYload trace record chunks of size 256 bytes each. Signed-off-by: Steffen Maier Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records (req,resp,iels)") Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit fb97148535bda8e190a2be32914c758f7a2543d5 Author: Benjamin Block Date: Fri Jul 28 12:30:52 2017 +0200 scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path commit a099b7b1fc1f0418ab8d79ecf98153e1e134656e upstream. Up until now zfcp would just ignore the FCP_RESID_OVER flag in the FCP response IU. When this flag is set, it is possible, in regards to the FCP standard, that the storage-server processes the command normally, up to the point where data is missing and simply ignores those. In this case no CHECK CONDITION would be set, and because we ignored the FCP_RESID_OVER flag we resulted in at least a data loss or even -corruption as a follow-up error, depending on how the applications/layers on top behave. To prevent this, we now set the host-byte of the corresponding scsi_cmnd to DID_ERROR. Other storage-behaviors, where the same condition results in a CHECK CONDITION set in the answer, don't need to be changed as they are handled in the mid-layer already. Following is an example trace record decoded with zfcpdbf from the s390-tools package. We forcefully injected a fc_dl which is one byte too small: Timestamp : ... Area : SCSI Subarea : 00 Level : 3 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : rsl_err Request ID : 0x... SCSI ID : 0x... SCSI LUN : 0x... SCSI result : 0x00070000 ^^DID_ERROR SCSI retries : 0x.. SCSI allowed : 0x.. SCSI scribble : 0x... SCSI opcode : 2a000000 00000000 08000000 00000000 FCP rsp inf cod: 0x00 FCP rsp IU : 00000000 00000000 00000400 00000001 ^^fr_flags==FCP_RESID_OVER ^^fr_status==SAM_STAT_GOOD ^^^^^^^^fr_resid 00000000 00000000 As of now, we don't actively handle to possibility that a response IU has both flags - FCP_RESID_OVER and FCP_RESID_UNDER - set at once. Reported-by: Luke M. Hopkins Reviewed-by: Steffen Maier Fixes: 553448f6c483 ("[SCSI] zfcp: Message cleanup") Fixes: ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.") (tglx/history.git) Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 413785ee39fb16fe533c7aaa6f140a3b6853fbd6 Author: Steffen Maier Date: Fri Jul 28 12:30:51 2017 +0200 scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled commit 71b8e45da51a7b64a23378221c0a5868bd79da4f upstream. Since commit db007fc5e20c ("[SCSI] Command protection operation"), scsi_eh_prep_cmnd() saves scmd->prot_op and temporarily resets it to SCSI_PROT_NORMAL. Other FCP LLDDs such as qla2xxx and lpfc shield their queuecommand() to only access any of scsi_prot_sg...() if (scsi_get_prot_op(cmd) != SCSI_PROT_NORMAL). Do the same thing for zfcp, which introduced DIX support with commit ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for DIF/DIX"). Otherwise, TUR SCSI commands as part of scsi_eh likely fail in zfcp, because the regular SCSI command with DIX protection data, that scsi_eh re-uses in scsi_send_eh_cmnd(), of course still has (scsi_prot_sg_count() != 0) and so zfcp sends down bogus requests to the FCP channel hardware. This causes scsi_eh_test_devices() to have (finish_cmds == 0) [not SCSI device is online or not scsi_eh_tur() failed] so regular SCSI commands, that caused / were affected by scsi_eh, are moved to work_q and scsi_eh_test_devices() itself returns false. In turn, it unnecessarily escalates in our case in scsi_eh_ready_devs() beyond host reset to finally scsi_eh_offline_sdevs() which sets affected SCSI devices offline with the following kernel message: "kernel: sd H:0:T:L: Device offlined - not ready after error recovery" Signed-off-by: Steffen Maier Fixes: ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for DIF/DIX") Reviewed-by: Benjamin Block Signed-off-by: Benjamin Block Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit 1976a61a5fa8d43925cf364e03dd172d2fb44b5b Author: Andy Lutomirski Date: Tue Aug 1 07:11:35 2017 -0700 x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps commit 9584d98bed7a7a904d0702ad06bbcc94703cb5b4 upstream. In ELF_COPY_CORE_REGS, we're copying from the current task, so accessing thread.fsbase and thread.gsbase makes no sense. Just read the values from the CPU registers. In practice, the old code would have been correct most of the time simply because thread.fsbase and thread.gsbase usually matched the CPU registers. Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Borislav Petkov Cc: Brian Gerst Cc: Chang Seok Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 89b5489b5da226ae108481f91cd7b4762c4babf9 Author: Johan Hovold Date: Thu Aug 10 08:06:39 2017 -0700 ARM: OMAP2+: omap_device: drop broken RPM status update from suspend_noirq commit 90de9634a5d57b92d8af4ec23aa2c9b297ec8168 upstream. Since commit a8636c89648a ("PM / Runtime: Don't allow to suspend a device with an active child"), which went into 4.10, it is no longer permitted to set RPM_SUSPENDED state for a device with active children (unless power.ignore_children is set). This specifically means that the attempts to do just that from the omap pm-domain suspend_noirq callback have since been failing whenever a child is active, for example: am335x-usb-childs 47400000.usb: runtime PM trying to suspend device but active child Silence this warning by dropping the broken pm_runtime_set_suspended() call from the omap suspend_noirq callback along with the redundant pm_runtime_set_active() in resume_noirq. This effectively reverts commit 3522bf7bfa24 ("ARM: OMAP2+: omap_device: maintain sane runtime pm status around suspend/resume"), which started updating the RPM state after the runtime_suspend callback (!) for active omap devices had been called during system suspend. The rationale was that a later pm_runtime_get_sync() would then fail (even after runtime pm had been disabled) and that this in turn would avoid any external aborts when accessing registers with clocks disabled. (See also commit 6f3c77b040fc ("PM / Runtime: let rpm_resume() succeed if RPM_ACTIVE, even when disabled, v2"). But during the suspend_noirq phase all children would already have been suspended and their drivers would specifically not attempt any further register accesses. And if this was all just a workaround for random device drivers doing cross-tree calls during system suspend, those drivers should be fixed and updated to explicitly model such dependencies using device-links instead (and either way, any such calls have been causing crashes since 4.10). Fixes: 3522bf7bfa24 ("ARM: OMAP2+: omap_device: maintain sane runtime pm status around suspend/resume") Fixes: a8636c89648a ("PM / Runtime: Don't allow to suspend a device with an active child") Cc: Alan Stern Cc: Dave Gerlach Cc: Kevin Hilman Cc: Nishanth Menon Cc: Rafael J. Wysocki Cc: Tony Lindgren Cc: Ulf Hansson Signed-off-by: Johan Hovold Tested-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Ben Hutchings commit a06856160b29c7b1d28887a03dcc00a007e20f3a Author: Daniel Mentz Date: Wed Aug 2 23:42:17 2017 -0400 media: v4l2-compat-ioctl32: Fix timespec conversion commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream. Certain syscalls like recvmmsg support 64 bit timespec values for the X32 ABI. The helper function compat_put_timespec converts a timespec value to a 32 bit or 64 bit value depending on what ABI is used. The v4l2 compat layer, however, is not designed to support 64 bit timespec values and always uses 32 bit values. Hence, compat_put_timespec must not be used. Without this patch, user space will be provided with bad timestamp values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct v4l2_event32 that come immediately after timestamp get overwritten, namely the field named id. Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)") Cc: H. Peter Anvin Cc: Laurent Pinchart Cc: Tiffany Lin Cc: Ricardo Ribalda Delgado Cc: Sakari Ailus Signed-off-by: Daniel Mentz Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit b40c232687596b14a8b3dcb22422c2674c167f76 Author: Jia-Ju Bai Date: Fri Oct 27 11:12:30 2017 +0300 wcn36xx: Remove unnecessary rcu_read_unlock in wcn36xx_bss_info_changed commit c0d5adc35c0b010120391117cb07be6623cf8940 upstream. No rcu_read_lock is called, but rcu_read_unlock is still called. Thus rcu_read_unlock should be removed. Signed-off-by: Jia-Ju Bai Acked-by: Bjorn Andersson Signed-off-by: Kalle Valo Signed-off-by: Ben Hutchings commit a81434a0cff8124842c182468fdd9fc53a9bfbe0 Author: Bjorn Andersson Date: Wed Aug 2 18:28:00 2017 -0700 wcn36xx: Introduce mutual exclusion of fw configuration commit 39efc7cc7ccf82d1cd946580cdb70760f347305a upstream. As the association status changes the driver needs to configure the hardware. This is done based on information in the "sta" acquired by ieee80211_find_sta(), which requires the caller to ensure that the "sta" is valid while its being used; generally by entering an rcu read section. But the operations acting on the "sta" has to communicate with the firmware and may therefor sleep, resulting in the following report: [ 31.418190] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:238 [ 31.425919] in_atomic(): 0, irqs_disabled(): 0, pid: 34, name: kworker/u8:1 [ 31.434609] CPU: 0 PID: 34 Comm: kworker/u8:1 Tainted: G W 4.12.0-rc4-next-20170607+ #993 [ 31.441002] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) [ 31.450380] Workqueue: phy0 ieee80211_iface_work [ 31.457226] Call trace: [ 31.461830] [] dump_backtrace+0x0/0x260 [ 31.464004] [] show_stack+0x14/0x20 [ 31.469557] [] dump_stack+0x98/0xb8 [ 31.474592] [] ___might_sleep+0xf0/0x118 [ 31.479626] [] __might_sleep+0x50/0x88 [ 31.485010] [] mutex_lock+0x24/0x60 [ 31.490479] [] wcn36xx_smd_set_link_st+0x30/0x130 [ 31.495428] [] wcn36xx_bss_info_changed+0x148/0x448 [ 31.501504] [] ieee80211_bss_info_change_notify+0xbc/0x118 [ 31.508102] [] ieee80211_assoc_success+0x664/0x7f8 [ 31.515220] [] ieee80211_rx_mgmt_assoc_resp+0x144/0x2d8 [ 31.521555] [] ieee80211_sta_rx_queued_mgmt+0x190/0x698 [ 31.528239] [] ieee80211_iface_work+0x234/0x368 [ 31.535011] [] process_one_work+0x1cc/0x340 [ 31.541086] [] worker_thread+0x48/0x430 [ 31.546814] [] kthread+0x108/0x138 [ 31.552195] [] ret_from_fork+0x10/0x50 In order to ensure that the "sta" remains alive (and consistent) for the duration of bss_info_changed() mutual exclusion has to be ensured with sta_remove(). This is done by introducing a mutex to cover firmware configuration changes, which is made to also ensure mutual exclusion between other operations changing the state or configuration of the firmware. With this we can drop the rcu read lock. Signed-off-by: Bjorn Andersson Signed-off-by: Kalle Valo [bwh: Backported to 3.16: - Drop changes in wcn36xx_configure_filter(), which doesn't change state - Adjust context] Signed-off-by: Ben Hutchings commit 1c1d98388c7717bddf7f405c5dae677bb28515ff Author: Edwin Török Date: Thu Aug 3 10:30:06 2017 +0100 dlm: avoid double-free on error path in dlm_device_{register,unregister} commit 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 upstream. Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4): # seq 1 100 | xargs -P0 -n1 dlm_tool join # seq 1 100 | xargs -P0 -n1 dlm_tool leave misc_register fails due to duplicate sysfs entry, which causes dlm_device_register to free ls->ls_device.name. In dlm_device_deregister the name was freed again, causing memory corruption. According to the comment in dlm_device_deregister the name should've been set to NULL when registration fails, so this patch does that. sysfs: cannot create duplicate filename '/dev/char/10:1' ------------[ cut here ]------------ warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70 modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012 task: ffff96b0cbabe140 task.stack: ffffb199027d0000 rip: 0010:sysfs_warn_dup+0x56/0x70 rsp: 0018:ffffb199027d3c58 eflags: 00010282 rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006 rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0 rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721 r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1 r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef fs: 00007f78069c0700(0000) gs:ffff96b15e240000(0000) knlgs:0000000000000000 cs: 0010 ds: 0000 es: 0000 cr0: 0000000080050033 cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0 call trace: sysfs_do_create_link_sd.isra.2+0x9e/0xb0 sysfs_create_link+0x25/0x40 device_add+0x5a9/0x640 device_create_groups_vargs+0xe0/0xf0 device_create_with_groups+0x3f/0x60 ? snprintf+0x45/0x70 misc_register+0x140/0x180 device_write+0x6a8/0x790 [dlm] __vfs_write+0x37/0x160 ? apparmor_file_permission+0x1a/0x20 ? security_file_permission+0x3b/0xc0 vfs_write+0xb5/0x1a0 sys_write+0x55/0xc0 ? sys_fcntl+0x5d/0xb0 entry_syscall_64_fastpath+0x1e/0xa9 rip: 0033:0x7f78083454bd rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001 rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005 rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032 r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00 r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70 code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8 ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89 df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 ---[ end trace 40412246357cc9e0 ]--- dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group... bug: unable to handle kernel null pointer dereference at 0000000000000001 ip: [] kmem_cache_alloc+0x7a/0x140 pgd 0 oops: 0000 [#1] smp modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6 nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4 hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6 cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1 hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017 task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000 rip: e030:[] [] kmem_cache_alloc+0x7a/0x140 rsp: e02b:ffff88000243fd90 eflags: 00010202 rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00 rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054 r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0 r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2 fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000 cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033 cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660 stack: ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0 ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2 ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90 call trace: [] ? anon_vma_fork+0x60/0x140 [] anon_vma_fork+0x92/0x140 [] copy_process+0xcae/0x1a80 [] _do_fork+0x8b/0x2d0 [] sys_clone+0x19/0x20 [] entry_syscall_64_fastpath+0x12/0x71 ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80 00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c 06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63 rip [] kmem_cache_alloc+0x7a/0x140 rsp cr2: 0000000000000001 --[ end trace 70cb9fd1b164a0e8 ]-- Signed-off-by: Edwin Török Signed-off-by: David Teigland Signed-off-by: Ben Hutchings commit 47cdbb45c490dbbe2aabec10b9b6583bf52172a7 Author: Aleksandr Bezzubikov Date: Tue Jul 18 17:12:25 2017 +0300 PCI: shpchp: Enable bridge bus mastering if MSI is enabled commit 48b79a14505349a29b3e20f03619ada9b33c4b17 upstream. An SHPC may generate MSIs to notify software about slot or controller events (SHPC spec r1.0, sec 4.7). A PCI device can only generate an MSI if it has bus mastering enabled. Enable bus mastering if the bridge contains an SHPC that uses MSI for event notifications. Signed-off-by: Aleksandr Bezzubikov [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Reviewed-by: Marcel Apfelbaum Acked-by: Michael S. Tsirkin Signed-off-by: Ben Hutchings commit 8b7527e5df8f749cd84d7f9e7352d1db64335609 Author: Rui Teng Date: Thu Jan 12 17:09:06 2017 +0800 powerpc/mm: Fix check of multiple 16G pages from device tree commit 23493c121912a39f0262e0dbeb236e1d39efa4d5 upstream. The offset of hugepage block will not be 16G, if the expected page is more than one. Calculate the totol size instead of the hardcode value. Fixes: 4792adbac9eb ("powerpc: Don't use a 16G page if beyond mem= limits") Signed-off-by: Rui Teng Tested-by: Anshuman Khandual Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings commit 8be2ac4557f88851605332a56a23c795e93bc672 Author: Dan Carpenter Date: Thu Jul 13 10:43:23 2017 +0300 rtlwifi: rtl8821ae: Fix HW_VAR_NAV_UPPER operation commit d28ac7be15c70343cb270648e252f54d770eca6a upstream. The cast here is wrong. We want to cast the pointer but we accidentally do a no-op cast of the value. We normally want to set us_nav_upper to WIFI_NAV_UPPER_US (30000) but because of this bug we instead set it to 184 on little endian systems and 0 on big endian ones. Fixes: 3c05bedb5fef ("Staging: rtl8812ae: Add Realtek 8821 PCI WIFI driver") Signed-off-by: Dan Carpenter Acked-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename, context, indentation] Signed-off-by: Ben Hutchings commit 8119c0f6a3937c0696286680ac9666a31695e7d0 Author: Matt Redfearn Date: Fri Jul 14 14:51:12 2017 +0200 printk/console: Always disable boot consoles that use init memory before it is freed commit 2b1be689f3aadcfe0a768314c80e43483c784659 upstream. Commit 4c30c6f566c0 ("kernel/printk: do not turn off bootconsole in printk_late_init() if keep_bootcon") added a check on keep_bootcon to ensure that boot consoles were kept around until the real console is registered. This can lead to problems if the boot console data and code are in the init section, since it can be freed before the boot console is unregistered. Commit 81cc26f2bd11 ("printk: only unregister boot consoles when necessary") fixed this a better way. It allowed to keep boot consoles that did not use init data. Unfortunately it did not remove the check of keep_bootcon. This can lead to crashes and weird panics when the bootconsole is accessed after free, especially if page poisoning is in use and the code / data have been overwritten with a poison value. To prevent this, always free the boot console if it is within the init section. In addition, print a warning about that the console is removed prematurely. Finally there is a new comment how to avoid the warning. It replaced an explanation that duplicated a more comprehensive function description few lines above. Fixes: 4c30c6f566c0 ("kernel/printk: do not turn off bootconsole in printk_late_init() if keep_bootcon") Link: http://lkml.kernel.org/r/1500036673-7122-2-git-send-email-pmladek@suse.com Cc: Steven Rostedt Cc: Andrew Morton Cc: Peter Zijlstra Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: "David S. Miller" Cc: Alan Cox Cc: "Fabio M. Di Nitto" Cc: linux-serial@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Matt Redfearn [pmladek@suse.com: print the warning, code and comments clean up] Reviewed-by: Sergey Senozhatsky Signed-off-by: Petr Mladek Signed-off-by: Ben Hutchings commit db7ef84e095a585de8ef1e1cadc65a7edecaccbc Author: Thierry Reding Date: Fri Jan 15 16:58:21 2016 -0800 printk: only unregister boot consoles when necessary commit 81cc26f2bd11ba4421a17a2d5cebe4bba206c239 upstream. Boot consoles are typically replaced by proper consoles during the boot process. This can be problematic if the boot console data is part of the init section that is reclaimed late during boot. If the proper console does not register before this point in time, the boot console will need to be removed (so that the freed memory is not accessed), leaving the system without output for some time. There are various reasons why the proper console may not register early enough, such as deferred probe or the driver being a loadable module. If that happens, there is some amount of time where no console messages are visible to the user, which in turn can mean that they won't see crashes or other potentially useful information. To avoid this situation, only remove the boot console when it resides in the init section. Code exists to replace the boot console by the proper console when it is registered, keeping a seamless transition between the boot and proper consoles. Signed-off-by: Thierry Reding Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 07b9b84604a1e188eed91289f8415338f510e559 Author: Thierry Reding Date: Fri Jan 15 16:58:18 2016 -0800 asm/sections: add helpers to check for section data commit 979559362516bb0f5424505c607210ac054e30ae upstream. Add a helper to check if an object (given an address and a size) is part of a section (given beginning and end addresses). For convenience, also provide a helper that performs this check for __init data using the __init_begin and __init_end limits. Signed-off-by: Thierry Reding Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 6d7b8fbe4ade0f7b56419fb20adcdf4162a9ba04 Author: Eric W. Biederman Date: Thu Jun 29 09:28:50 2017 -0500 fcntl: Don't use ambiguous SIG_POLL si_codes commit d08477aa975e97f1dc64c0ae59cebf98520456ce upstream. We have a weird and problematic intersection of features that when they all come together result in ambiguous siginfo values, that we can not support properly. - Supporting fcntl(F_SETSIG,...) with arbitrary valid signals. - Using positive values for POLL_IN, POLL_OUT, POLL_MSG, ..., etc that imply they are signal specific si_codes and using the aforementioned arbitrary signal to deliver them. - Supporting injection of arbitrary siginfo values for debugging and checkpoint/restore. The result is that just looking at siginfo si_codes of 1 to 6 are ambigious. It could either be a signal specific si_code or it could be a generic si_code. For most of the kernel this is a non-issue but for sending signals with siginfo it is impossible to play back the kernel signals and get the same result. Strictly speaking when the si_code was changed from SI_SIGIO to POLL_IN and friends between 2.2 and 2.4 this functionality was not ambiguous, as only real time signals were supported. Before 2.4 was released the kernel began supporting siginfo with non realtime signals so they could give details of why the signal was sent. The result is that if F_SETSIG is set to one of the signals with signal specific si_codes then user space can not know why the signal was sent. I grepped through a bunch of userspace programs using debian code search to get a feel for how often people choose a signal that results in an ambiguous si_code. I only found one program doing so and it was using SIGCHLD to test the F_SETSIG functionality, and did not appear to be a real world usage. Therefore the ambiguity does not appears to be a real world problem in practice. Remove the ambiguity while introducing the smallest chance of breakage by changing the si_code to SI_SIGIO when signals with signal specific si_codes are targeted. Fixes: v2.3.40 -- Added support for queueing non-rt signals Fixes: v2.3.21 -- Changed the si_code from SI_SIGIO Signed-off-by: "Eric W. Biederman" Signed-off-by: Ben Hutchings commit 1e4a536feedf2f37157db8d54b97a1223fa8cd03 Author: Oleg Nesterov Date: Mon May 23 16:24:02 2016 -0700 signal: move the "sig < SIGRTMIN" check into siginmask(sig) commit 5c8ccefdf46c5f87d87b694c7fbc04941c2c99a5 upstream. All the users of siginmask() must ensure that sig < SIGRTMIN. sig_fatal() doesn't and this is wrong: UBSAN: Undefined behaviour in kernel/signal.c:911:6 shift exponent 32 is too large for 32-bit type 'long unsigned int' the patch doesn't add the neccesary check to sig_fatal(), it moves the check into siginmask() and updates other callers. Link: http://lkml.kernel.org/r/20160517195052.GA15187@redhat.com Reported-by: Meelis Roos Signed-off-by: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 1c40e4aa7d573c7f52c48a46ea789541f6c16a06 Author: Noa Osherovich Date: Mon Jun 12 11:14:02 2017 +0300 IB/core: Fix the validations of a multicast LID in attach or detach operations commit 5236333592244557a19694a51337df6ac018f0a7 upstream. RoCE Annex (A16.9.10/11) declares that during attach (detach) QP to a multicast group, if the QP is associated with a RoCE port, the multicast group MLID is unused and is ignored. During attach or detach multicast, when the QP is associated with a port, it is enough to check the port's link layer and validate the LID only if it is Infiniband. Otherwise, avoid validating the multicast LID. Fixes: 8561eae60ff9 ("IB/core: For multicast functions, verify that LIDs are multicast LIDs") Signed-off-by: Noa Osherovich Reviewed-by: Moni Shoua Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford [bwh: Backported to 3.16: use literal number instead of IB_MULTICAST_LID_BASE] Signed-off-by: Ben Hutchings commit f44b3bf4443e102a591a5e0c321013f52137c6c5 Author: Aneesh Kumar K.V Date: Wed Jun 28 11:39:28 2017 +0530 powerpc/mm: Build fix for non SPARSEMEM_VMEMAP config commit 7e7dc66adcf490a619bc3c7763a8cebadfba73e3 upstream. We can use pfn_to_page() in realmode for other configs. Hence remove the CONFIG_FLATMEM ifdef. Fixes: 8e0861fa3c4e ("powerpc: Prepare to support kernel handling of IOMMU map/unmap") Cc: Alexey Kardashevskiy Signed-off-by: Aneesh Kumar K.V [mpe: Also fix up the #endif comment] Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit fa1cfd34bab2f766d5df1028d4f25a40bffae42a Author: Sakari Ailus Date: Fri Jul 7 10:17:16 2017 -0400 media: docs-rst: v4l: Fix sink compose selection target documentation commit 74dcb29a38e4419a8e4217caa7e35ccc1b31e5a4 upstream. The rectangle which the sink compose rectangle is related to is documented to be the source compose bounds rectangle. This is in obvious conflict with the ground rule of the format propagation (from sink to source). The reason behind this is that this was always supposed to be the sink compose bounds rectangle. Fix it. Fixes: 955f645aea04 ("[media] v4l: Add subdev selections documentation") Signed-off-by: Sakari Ailus Acked-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings commit 80ddec20b73ec98ae647838c8b3ad09ba1238014 Author: Jiri Olsa Date: Mon Jul 3 16:50:23 2017 +0200 perf tests attr: Fix no-delay test commit 44fed277f81ba22e3f2fbcf1501c3b14aeb9f8e4 upstream. Following commit: commit 509051ea8427 ("perf record: Rename --no-delay to --no-buffering") removed '-D' option and renamed --no-delay into --no-buffering. Fixing that in the attr tests. Signed-off-by: Jiri Olsa Cc: David Ahern Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Thomas Richter Fixes: 509051ea8427 ("perf record: Rename --no-delay to --no-buffering") Link: http://lkml.kernel.org/r/20170703145030.12903-9-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ben Hutchings commit d361b9725e772d168b8c060fc0f6df2b3eb6b29a Author: Bhushan Shah Date: Fri Jun 23 09:24:33 2017 +0530 backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F commit 06168a64b1ae346816fcd0a0c3ea5276c778408b upstream. In the lm3630a_chip_init we try to write to 0x50 register, which is higher value then the max_register value, this resulted in regmap_write return -EIO. Fix this by bumping REG_MAX value to 0x50. This code was introduced with the chip revision in commit 28e64a68a2ef, however setting filter strength was failing silently because it used unsigned int for storing and comparing the return values. Bug related to signedness was fixed in 2a0c316bf3cc, which made it error out correctly instead of failing silently. I found this issue by using this driver on LGE Nexus 5 (hammerhead). After this commit lm3630a_chip_init succeeds instead of failing with -EIO. Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision") Fixes: 2a0c316bf3cc ("drivers/video/backlight/lm3630a_bl.c: fix signedness bug in lm3630a_chip_init()") Suggested-by: Bjorn Andersson Signed-off-by: Bhushan Shah Acked-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Ben Hutchings commit 3ced0efe439f9c3ba28ae592bf725811633d7d1c Author: Lorenzo Bianconi Date: Tue Jun 20 19:42:45 2017 +0200 iio: magnetometer: st_magn_core: enable multiread by default for LIS3MDL commit 13718564167da80b6169809185b4c5a32497d0c1 upstream. Enable multiread by default for LIS3MDL since using I2C interface the subaddr Msb is used to automatically increase the slave address during multiple data read/write. In the same way, using SPI interface, bit 1 in register address is used to enable auto-increment of the slave address in multiple read/write. Fixes: 872e79add756 (iio:magn: Add STMicroelectronics magn driver) Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: Update the macro used to fill in this field] Signed-off-by: Ben Hutchings commit 28774467448efc6f39aa80c0fa32fe542ab864ce Author: Ravikumar Kattekola Date: Wed Jun 7 15:07:46 2017 +0530 ARM: dts: dra7-evm: Correct the vmmc-supply for mmc2 commit b5ca62a53d2df30432118edeff61acc8717d2515 upstream. On DRA75x EVM, MMC2 vdd/ios are connected to a common supply fixed at 1.8V not 3.3V Fixes: 6cf02dbb4b71 ("ARM: dts: dra7-evm: Add mmc2 node for eMMC support") Signed-off-by: Ravikumar Kattekola Signed-off-by: Sekhar Nori Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Tony Lindgren [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings commit 05eaf1bcf9280190e3001c302a3eab90f2396bfc Author: Peter Ujfalusi Date: Mon Aug 24 10:19:59 2015 +0300 ARM: dts: dra7-evm: Rename mmc2_3v3 supply to evm_3v3_sw commit 27f39e5f5fd1d9eb5ce67507ad57ef5df007f208 upstream. Use the name for the supply as it is in the schematics since the same supply is used for other peripherals than MMC2, like audio. Signed-off-by: Peter Ujfalusi Signed-off-by: Tony Lindgren Signed-off-by: Ben Hutchings