commit 5d7d2e03e0f01a992e3521b180c3d3e67905f269 Author: Greg Kroah-Hartman Date: Wed Sep 13 14:18:03 2017 -0700 Linux 4.12.13 commit 9f7df0bca168528aba20794f400be134495551b8 Author: Richard Wareing Date: Wed Sep 13 09:09:35 2017 +1000 xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present commit b31ff3cdf540110da4572e3e29bd172087af65cc upstream. If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on a directory in a filesystem that does not have a realtime device and create a new file in that directory, it gets marked as a real time file. When data is written and a fsync is issued, the filesystem attempts to flush a non-existent rt device during the fsync process. This results in a crash dereferencing a null buftarg pointer in xfs_blkdev_issue_flush(): BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xfs_blkdev_issue_flush+0xd/0x20 ..... Call Trace: xfs_file_fsync+0x188/0x1c0 vfs_fsync_range+0x3b/0xa0 do_fsync+0x3d/0x70 SyS_fsync+0x10/0x20 do_syscall_64+0x4d/0xb0 entry_SYSCALL64_slow_path+0x25/0x25 Setting RT inode flags does not require special privileges so any unprivileged user can cause this oops to occur. To reproduce, confirm kernel is compiled with CONFIG_XFS_RT=y and run: # mkfs.xfs -f /dev/pmem0 # mount /dev/pmem0 /mnt/test # mkdir /mnt/test/foo # xfs_io -c 'chattr +t' /mnt/test/foo # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait. Kernels built with CONFIG_XFS_RT=n are not exposed to this bug. Fixes: f538d4da8d52 ("[XFS] write barrier support") Signed-off-by: Richard Wareing Signed-off-by: Dave Chinner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit da0f4931ec5264146fa7377e07ab10c582737cff Author: Trond Myklebust Date: Sat Aug 19 10:10:34 2017 -0400 NFSv4: Fix up mirror allocation commit 14abcb0bf59a30cf65a74f6c6f53974cd7224bc6 upstream. There are a number of callers of nfs_pageio_complete() that want to continue using the nfs_pageio_descriptor without needing to call nfs_pageio_init() again. Examples include nfs_pageio_resend() and nfs_pageio_cond_complete(). The problem is that nfs_pageio_complete() also calls nfs_pageio_cleanup_mirroring(), which frees up the array of mirrors. This can lead to writeback errors, in the next call to nfs_pageio_setup_mirroring(). Fix by simply moving the allocation of the mirrors to nfs_pageio_setup_mirroring(). Link: https://bugzilla.kernel.org/show_bug.cgi?id=196709 Reported-by: JianhongYin Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 3307d5f5099c186d1ae43205eb23c29fabc6f5b8 Author: tarangg@amazon.com Date: Thu Sep 7 09:29:23 2017 -0400 NFS: Sync the correct byte range during synchronous writes commit e973b1a5999e57da677ab50da5f5479fdc0f0c31 upstream. Since commit 18290650b1c8 ("NFS: Move buffered I/O locking into nfs_file_write()") nfs_file_write() has not flushed the correct byte range during synchronous writes. generic_write_sync() expects that iocb->ki_pos points to the right edge of the range rather than the left edge. To replicate the problem, open a file with O_DSYNC, have the client write at increasing offsets, and then print the successful offsets. Block port 2049 partway through that sequence, and observe that the client application indicates successful writes in advance of what the server received. Fixes: 18290650b1c8 ("NFS: Move buffered I/O locking into nfs_file_write()") Signed-off-by: Jacob Strauss Signed-off-by: Tarang Gupta Tested-by: Tarang Gupta Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 6f50e3a1b8c3c08c6c45522c30a0f16f37b8efb8 Author: Trond Myklebust Date: Fri Sep 8 21:28:11 2017 -0400 NFS: Fix 2 use after free issues in the I/O code commit 196639ebbe63a037fe9a80669140bd292d8bcd80 upstream. The writeback code wants to send a commit after processing the pages, which is why we want to delay releasing the struct path until after that's done. Also, the layout code expects that we do not free the inode before we've put the layout segments in pnfs_writehdr_free() and pnfs_readhdr_free() Fixes: 919e3bd9a875 ("NFS: Ensure we commit after writeback is complete") Fixes: 4714fb51fd03 ("nfs: remove pgio_header refcount, related cleanup") Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 7714f302294de71ce847b4c3b7dda3f885a08b7a Author: Mark Rutland Date: Tue Aug 22 11:36:17 2017 +0100 ARM: 8692/1: mm: abort uaccess retries upon fatal signal commit 746a272e44141af24a02f6c9b0f65f4c4598ed42 upstream. When there's a fatal signal pending, arm's do_page_fault() implementation returns 0. The intent is that we'll return to the faulting userspace instruction, delivering the signal on the way. However, if we take a fatal signal during fixing up a uaccess, this results in a return to the faulting kernel instruction, which will be instantly retried, resulting in the same fault being taken forever. As the task never reaches userspace, the signal is not delivered, and the task is left unkillable. While the task is stuck in this state, it can inhibit the forward progress of the system. To avoid this, we must ensure that when a fatal signal is pending, we apply any necessary fixup for a faulting kernel instruction. Thus we will return to an error path, and it is up to that code to make forward progress towards delivering the fatal signal. Signed-off-by: Mark Rutland Reviewed-by: Steve Capper Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit b9a489e1d4a32936bc4a8f80a38222358a19ae89 Author: Marc Zyngier Date: Sat Jul 1 15:16:34 2017 +0100 ARM64: dts: marvell: armada-37xx: Fix GIC maintenance interrupt commit 95696d292e204073433ed2ef3ff4d3d8f42a8248 upstream. The GIC-500 integrated in the Armada-37xx SoCs is compliant with the GICv3 architecture, and thus provides a maintenance interrupt that is required for hypervisors to function correctly. With the interrupt provided in the DT, KVM now works as it should. Tested on an Espressobin system. Fixes: adbc3695d9e4 ("arm64: dts: add the Marvell Armada 3700 family and a development board") Signed-off-by: Marc Zyngier Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 8329b5e8c6cfe8af86344eb849c06ed69c0d868d Author: Ben Seri Date: Sat Sep 9 23:15:59 2017 +0200 Bluetooth: Properly check L2CAP config option output buffer length commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream. Validate the output buffer length for L2CAP config requests and responses to avoid overflowing the stack buffer used for building the option blocks. Signed-off-by: Ben Seri Signed-off-by: Marcel Holtmann Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 99dc1296b47c69c3967afb0d96bcc92f78974c00 Author: Stanislaw Gruszka Date: Fri Aug 25 17:04:15 2017 +0200 rt2800: fix TX_PIN_CFG setting for non MT7620 chips commit 83ec489193894e52bd395eec470f4f7c4286d4a5 upstream. Since commit 41977e86c984 ("rt2x00: add support for MT7620") we do not initialize TX_PIN_CFG setting. This cause breakage at least on some RT3573 devices. To fix the problem patch restores previous behaviour for non MT7620 chips. Fixes: 41977e86c984 ("rt2x00: add support for MT7620") Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1480829 Reported-and-tested-by: Jussi Eloranta Cc: Daniel Golle Signed-off-by: Stanislaw Gruszka Acked-by: Daniel Golle Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 2bce0fe7d0cd0d45d78815487706b52e290abb33 Author: Brijesh Singh Date: Mon Aug 7 14:11:30 2017 -0500 KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest commit 64531a3b70b17c8d3e77f2e49e5e1bb70f571266 upstream. Commit 147277540bbc ("kvm: svm: Add support for additional SVM NPF error codes", 2016-11-23) added a new error code to aid nested page fault handling. The commit unprotects (kvm_mmu_unprotect_page) the page when we get a NPF due to guest page table walk where the page was marked RO. However, if an L0->L2 shadow nested page table can also be marked read-only when a page is read only in L1's nested page table. If such a page is accessed by L2 while walking page tables it can cause a nested page fault (page table walks are write accesses). However, after kvm_mmu_unprotect_page we may get another page fault, and again in an endless stream. To cover this use case, we qualify the new error_code check with vcpu->arch.mmu_direct_map so that the error_code check would run on L1 guest, and not the L2 guest. This avoids hitting the above scenario. Fixes: 147277540bbc54119172481c8ef6d930cc9fbfc2 Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Thomas Lendacky Signed-off-by: Brijesh Singh Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9d6412aa06ce75e44fbaf1bfa15454150fd6a803 Author: Takashi Iwai Date: Thu Jul 6 12:34:40 2017 +0200 ALSA: msnd: Optimize / harden DSP and MIDI loops commit 20e2b791796bd68816fa115f12be5320de2b8021 upstream. The ISA msnd drivers have loops fetching the ring-buffer head, tail and size values inside the loops. Such codes are inefficient and fragile. This patch optimizes it, and also adds the sanity check to avoid the endless loops. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133 Signed-off-by: Takashi Iwai Signed-off-by: grygorii tertychnyi Signed-off-by: Greg Kroah-Hartman commit 846073130799031e6e1e8a692d96438105c4edf6 Author: Laurent Dufour Date: Fri Sep 8 16:13:12 2017 -0700 mm/memory.c: fix mem_cgroup_oom_disable() call missing commit de0c799bba2610a8e1e9a50d76a28614520a4cd4 upstream. Seen while reading the code, in handle_mm_fault(), in the case arch_vma_access_permitted() is failing the call to mem_cgroup_oom_disable() is not made. To fix that, move the call to mem_cgroup_oom_enable() after calling arch_vma_access_permitted() as it should not have entered the memcg OOM. Link: http://lkml.kernel.org/r/1504625439-31313-1-git-send-email-ldufour@linux.vnet.ibm.com Fixes: bae473a423f6 ("mm: introduce fault_env") Signed-off-by: Laurent Dufour Acked-by: Kirill A. Shutemov Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 46791eb9f13e0a092f4814bf23438d79b4259098 Author: David Rientjes Date: Fri Sep 8 16:13:29 2017 -0700 mm/swapfile.c: fix swapon frontswap_map memory leak on error commit b6b1fd2a6bedd533aeed83924d7be0e944fded9f upstream. Free frontswap_map if an error is encountered before enable_swap_info(). Signed-off-by: David Rientjes Reviewed-by: "Huang, Ying" Cc: Darrick J. Wong Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 637f25e5ba949eed56e0b00ca448a79229e9b3a6 Author: Darrick J. Wong Date: Fri Sep 8 16:13:25 2017 -0700 mm: kvfree the swap cluster info if the swap file is unsatisfactory commit 8606a1a94da5c4e49c0fb28af62d2e75c6747716 upstream. If initializing a small swap file fails because the swap file has a problem (holes, etc.) then we need to free the cluster info as part of cleanup. Unfortunately a previous patch changed the code to use kvzalloc but did not change all the vfree calls to use kvfree. Found by running generic/357 from xfstests. Link: http://lkml.kernel.org/r/20170831233515.GR3775@magnolia Fixes: 54f180d3c181 ("mm, swap: use kvzalloc to allocate some swap data structures") Signed-off-by: Darrick J. Wong Reviewed-by: "Huang, Ying" Acked-by: David Rientjes Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 58989dc3af0d970bca52278e922484a53f20184a Author: Andy Lutomirski Date: Tue Aug 1 07:11:36 2017 -0700 selftests/x86/fsgsbase: Test selectors 1, 2, and 3 commit 23d98c204386a98d9ef9f9e744f41443ece4929f upstream. Those are funny cases. Make sure they work. (Something is screwy with signal handling if a selector is 1, 2, or 3. Anyone who wants to dive into that rabbit hole is welcome to do so.) Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Borislav Petkov Cc: Brian Gerst Cc: Chang Seok Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9ed3dc1c04316d19b56bdcc9794b67d8673ecd81 Author: Eric Dumazet Date: Fri Sep 8 16:15:54 2017 -0700 radix-tree: must check __radix_tree_preload() return value commit bc9ae2247ac92fd4d962507bafa3afffff6660ff upstream. __radix_tree_preload() only disables preemption if no error is returned. So we really need to make sure callers always check the return value. idr_preload() contract is to always disable preemption, so we need to add a missing preempt_disable() if an error happened. Similarly, ida_pre_get() only needs to call preempt_enable() in the case no error happened. Link: http://lkml.kernel.org/r/1504637190.15310.62.camel@edumazet-glaptop3.roam.corp.google.com Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") Fixes: 7ad3d4d85c7a ("ida: Move ida_bitmap to a percpu variable") Signed-off-by: Eric Dumazet Cc: Matthew Wilcox Cc: "Kirill A. Shutemov" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0af760ab388227360c0b2ef98468156c3779d41e Author: Larry Finger Date: Mon Sep 4 12:51:33 2017 -0500 rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be commit a33fcba6ec01efcca33b1afad91057020f247f15 upstream. In commit bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when hw initialisation done"), there is an additional error when the module parameter ant_sel is used to select the auxilary antenna. The error is that the antenna selection is not checked when writing the antenna selection register. Fixes: bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when hw initialisation done") Signed-off-by: Larry Finger Cc: Ping-Ke Shih Cc: Yan-Hsuan Chuang Cc: Birming Chiu Cc: Shaofu Cc: Steven Ting Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 8004198bb025f1adef13e15ed249e8f7f29a415f Author: Aleksa Sarai Date: Tue Jul 4 21:49:06 2017 +1000 btrfs: resume qgroup rescan on rw remount commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream. Several distributions mount the "proper root" as ro during initrd and then remount it as rw before pivot_root(2). Thus, if a rescan had been aborted by a previous shutdown, the rescan would never be resumed. This issue would manifest itself as several btrfs ioctl(2)s causing the entire machine to hang when btrfs_qgroup_wait_for_completion was hit (due to the fs_info->qgroup_rescan_running flag being set but the rescan itself not being resumed). Notably, Docker's btrfs storage driver makes regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT (causing this problem to be manifested on boot for some machines). Cc: Jeff Mahoney Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount") Signed-off-by: Aleksa Sarai Reviewed-by: Nikolay Borisov Tested-by: Nikolay Borisov Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9a5537a76b6290ac8d635c77ce4ff1aaf871f106 Author: Daniel Verkamp Date: Wed Aug 30 15:18:19 2017 -0700 nvme-fabrics: generate spec-compliant UUID NQNs commit 40a5fce495715c48c2e02668144e68a507ac5a30 upstream. The default host NQN, which is generated based on the host's UUID, does not follow the UUID-based NQN format laid out in the NVMe 1.3 specification. Remove the "NVMf:" portion of the NQN to match the spec. Signed-off-by: Daniel Verkamp Reviewed-by: Max Gurtovoy Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 02c54b35cad8146087b6f6fd790428c915e91449 Author: Abhishek Sahu Date: Thu Aug 3 17:56:39 2017 +0200 mtd: nand: qcom: fix config error for BCH commit 10777de570016471fd929869c7830a7772893e39 upstream. The configuration for BCH is not correct in the current driver. The ECC_CFG_ECC_DISABLE bit defines whether to enable or disable the BCH ECC in which 0x1 : BCH_DISABLED 0x0 : BCH_ENABLED But currently host->bch_enabled is being assigned to BCH_DISABLED. Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver") Signed-off-by: Abhishek Sahu Reviewed-by: Archit Taneja Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit f2339a072e47df1d2197a8a1c047b4f8ab189c0e Author: Abhishek Sahu Date: Fri Aug 11 17:09:16 2017 +0530 mtd: nand: qcom: fix read failure without complete bootchain commit d8a9b320a26c1ea28e51e4f3ecfb593d5aac2910 upstream. The NAND page read fails without complete boot chain since NAND_DEV_CMD_VLD value is not proper. The default power on reset value for this register is 0xe - ERASE_START_VALID | WRITE_START_VALID | READ_STOP_VALID The READ_START_VALID should be enabled for sending PAGE_READ command. READ_STOP_VALID should be cleared since normal NAND page read does not require READ_STOP command. Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver") Reviewed-by: Archit Taneja Signed-off-by: Abhishek Sahu Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit 71515c37777ded142cb09baca78dbf7e151aa409 Author: Boris Brezillon Date: Fri Nov 25 11:32:32 2016 +0100 mtd: nand: mxc: Fix mxc_v1 ooblayout commit 3bff08dffe3115a25ce04b95ea75f6d868572c60 upstream. Commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") introduced a bug in the OOB layout description. Even if the driver claims that 3 ECC bytes are reserved to protect 512 bytes of data, it's actually 5 ECC bytes to protect 512+6 bytes of data (some OOB bytes are also protected using extra ECC bytes). Fix the mxc_v1_ooblayout_{free,ecc}() functions to reflect this behavior. Signed-off-by: Boris Brezillon Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit c54a318450195c0bd49fe123a96b29198fa46cdb Author: Martin Blumenstingl Date: Sat Aug 5 14:16:24 2017 +0200 mtd: nand: hynix: add support for 20nm NAND chips commit fd213b5bae800dc00a2930dcd07f63ab9bbff3f9 upstream. According to the datasheet of the H27UCG8T2BTR the NAND Technology field (6th byte of the "Device Identifier Description", bits 0-2) the following values are possible: - 0x0 = 48nm - 0x1 = 41nm - 0x2 = 32nm - 0x3 = 26nm - 0x4 = 20nm - (all others are reserved) Fix this by extending the mask for this field to allow detecting value 0x4 (20nm) as valid NAND technology. Without this the detection of the ECC requirements fails, because the code assumes that the device is a 48nm device (0x4 & 0x3 = 0x0) and aborts with "Invalid ECC requirements" because it cannot map the "ECC Level". Extending the mask makes the ECC requirement detection code recognize this chip as <= 26nm and sets up the ECC step size and ECC strength correctly. Signed-off-by: Martin Blumenstingl Fixes: 78f3482d7480 ("mtd: nand: hynix: Rework NAND ID decoding to extract more information") Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit 2b8b46b24217125e3037b9486a956cf02c8db97a Author: Lothar Waßmann Date: Tue Aug 29 12:17:12 2017 +0200 mtd: nand: make Samsung SLC NAND usable again commit 69fc01296c92814b62dbfba1600fe7ed2ed304f5 upstream. commit c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection logic in nand_samsung.c") introduced a regression for Samsung SLC NAND chips. Prior to this commit chip->bits_per_cell was initialized by calling nand_get_bits_per_cell() before using nand_is_slc(). With the offending commit this call is skipped, leaving chip->bits_per_cell cleared to zero when the manufacturer specific '.detect' function calls nand_is_slc() which in turn interprets bits_per_cell != 1 as indication for an MLC chip. The effect is that e.g. a K9F1G08U0F NAND chip is falsely detected as MLC NAND with 4KiB page size rather than SLC with 2KiB page size. Add a call to nand_get_bits_per_cell() before calling the .detect hook function in nand_manufacturer_detect(), so that the nand_is_slc() calls in the manufacturer specific code will return correct results. Fixes: c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection logic in nand_samsung.c") Signed-off-by: Lothar Waßmann Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman