commit 0c5c1f1a4f991ee015da85cce6d2d9f9c9380b4f
Author: Greg Kroah-Hartman
Date:   Sun Sep 13 09:12:06 2015 -0700

    Linux 4.1.7

commit c84847f370c56509b2bddc357f43bd0dd4ffb404
Author: Nathan Lynch
Date:   Fri Jul 17 21:40:28 2015 +0100

    ARM: 8405/1: VDSO: fix regression with toolchains lacking ld.bfd executable

    commit 3473f26592c1c365d376aee29433d7db75f14d1e upstream.

    The Sourcery CodeBench Lite 2014.05 toolchain (gcc 4.8.3, binutils 2.24.51) has a GCC which implements -fuse-ld, and it doesn't include the gold linker, but it lacks an ld.bfd executable in its installation. This means that passing -fuse-ld=bfd fails with:

      VDSO    arch/arm/vdso/vdso.so.raw
    collect2: fatal error: cannot find 'ld'

    Arguably this is a deficiency in the toolchain, but I suspect it's commonly used enough that it's worth accommodating: just use cc-ldoption (to cause a link attempt) instead of cc-option to test whether we can use -fuse-ld. So -fuse-ld=bfd won't be used with this toolchain, but the build will rightly succeed, just as it does for toolchains which don't implement -fuse-ld (and don't use gold as the default linker).

    Note: this will change the failure mode for a corner case I was trying to handle in d2b30cd4b722, where the toolchain defaults to the gold linker and the BFD linker is not found in PATH, from:

      VDSO    arch/arm/vdso/vdso.so.raw
    collect2: fatal error: cannot find 'ld'

    i.e. the BFD linker is not found, to:

      OBJCOPY arch/arm/vdso/vdso.so
    BFD: arch/arm/vdso/vdso.so: Not enough room for program headers, try linking with -N

    that is, we fail to prevent gold from being used as the linker, and it produces an object that objcopy can't digest.
    Reported-by: Baruch Siach
    Tested-by: Baruch Siach
    Tested-by: Raphaël Poggi
    Fixes: d2b30cd4b722 ("ARM: 8384/1: VDSO: force use of BFD linker")
    Cc: stable@vger.kernel.org
    Signed-off-by: Nathan Lynch
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit e9da4d6ac69af64671ea76662b74a522a6e54dd2
Author: Jisheng Zhang
Date:   Thu Aug 20 12:54:39 2015 +0800

    x86/idle: Restore trace_cpu_idle to mwait_idle() calls

    commit e43d0189ac02415fe4487f79fc35e8f147e9ea0d upstream.

    Commit b253149b843f ("sched/idle/x86: Restore mwait_idle() to fix boot hangs, to improve power savings and to improve performance") restores mwait_idle(), but the trace_cpu_idle related calls are missing. This causes powertop on my old desktop powered by Intel Core2 E6550 to report zero wakeups and zero events.

    Add them back to restore the proper behaviour.

    Fixes: b253149b843f ("sched/idle/x86: Restore mwait_idle() to ...")
    Signed-off-by: Jisheng Zhang
    Link: http://lkml.kernel.org/r/1440046479-4262-1-git-send-email-jszhang@marvell.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 07a015ad4dd3a5a8651fca4cc1477ed8f69c7393
Author: Thomas Gleixner
Date:   Sat Aug 22 16:41:17 2015 +0200

    x86/apic: Fix fallout from x2apic cleanup

    commit a57e456a7b28431b55e407e5ab78ebd5b378d19e upstream.

    In the recent x2apic cleanup I got two things really wrong:

    1) The safety check in __disable_x2apic which allows the function to be called unconditionally is backwards. The check is there to prevent access to the apic MSR in case that the machine has no apic. Though right now it returns if the machine has an apic and therefore the disabling of x2apic is never invoked.

    2) x2apic_disable() sets x2apic_mode to 0 after registering the local apic. That's wrong, because register_lapic_address() checks x2apic mode and therefore takes the wrong code path.

    This results in boot failures on machines with x2apic preenabled by BIOS and can also lead to a fatal MSR access on machines without apic.
    The solutions are simple:

    1) Correct the sanity check for apic availability
    2) Clear x2apic_mode _before_ calling register_lapic_address()

    Fixes: 659006bf3ae3 'x86/x2apic: Split enable and setup function'
    Reported-and-tested-by: Javier Monteagudo
    Signed-off-by: Thomas Gleixner
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=1224764
    Cc: Laura Abbott
    Cc: Jiang Liu
    Cc: Joerg Roedel
    Cc: Tony Luck
    Cc: Borislav Petkov
    Signed-off-by: Greg Kroah-Hartman

commit 5c9c2d3c9e6fdd7cc94e833b81f950068edfac95
Author: David Vrabel
Date:   Thu Aug 20 11:33:41 2015 +0100

    x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC

    commit 87ffd2b9bb74061c120f450e4d0f3409bb603ae0 upstream.

    Since commit feb44f1f7a4ac299d1ab1c3606860e70b9b89d69 (x86/xen: Provide a "Xen PV" APIC driver to support >255 VCPUs) Xen guests need a full APIC driver and thus should depend on X86_LOCAL_APIC.

    This fixes an i386 build failure with !SMP && !CONFIG_X86_UP_APIC by disabling Xen support in this configuration.

    Users needing Xen support in a non-SMP i386 kernel will need to enable CONFIG_X86_UP_APIC.

    Signed-off-by: David Vrabel
    Signed-off-by: Greg Kroah-Hartman

commit 4925e8b95623c85ed10fbf7263f9f2a4a6eb90ac
Author: Shannon Zhao
Date:   Mon Jun 29 09:02:40 2015 +0100

    arm64: perf: fix unassigned cpu_pmu->plat_device when probing PMU PPIs

    commit b265da5a45ce60bd3d7505cc0eaa6cfba50946a1 upstream.

    Commit d795ef9aa831 ("arm64: perf: don't warn about missing interrupt-affinity property for PPIs") added a check for PPIs so that we avoid parsing the interrupt-affinity property for these naturally affine interrupts.

    Unfortunately, this check can trigger an early (successful) return and we will not assign the value of cpu_pmu->plat_device. This patch fixes the issue.
    Signed-off-by: Shannon Zhao
    Signed-off-by: Will Deacon
    Cc: Kefeng Wang
    Signed-off-by: Greg Kroah-Hartman

commit f223ee716ec995fd863e5ba1006150c3ea03defc
Author: Marc Zyngier
Date:   Thu Aug 27 16:10:01 2015 +0100

    arm64: KVM: Fix host crash when injecting a fault into a 32bit guest

    commit 126c69a0bd0e441bf6766a5d9bf20de011be9f68 upstream.

    When injecting a fault into a misbehaving 32bit guest, it seems rather idiotic to also inject a 64bit fault that is only going to corrupt the guest state. This leads to a situation where we perform an illegal exception return at EL2 causing the host to crash instead of killing the guest.

    Just fix the stupid bug that has been there from day 1.

    Reported-by: Russell King
    Tested-by: Russell King
    Signed-off-by: Marc Zyngier
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 6d02086227037e9dea0e15ae0b59cb9910f047e1
Author: Hiral Shah
Date:   Tue Jul 14 07:08:57 2015 -0700

    fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadlock

    commit db196935d9562abec4510f48d887bc1f1e054fcf upstream.

    We added changes in fnic driver patch 1.6.0.16 to acquire io_req_lock in fnic_queuecommand() before issuing I/O so that io completion is serialized. But when releasing the lock we check for the I/O flag and this could be modified if IO abort occurs before I/O completion. In this case we won't release the lock, which causes deadlock in some scenarios. Using the local variable to check the IO lock status will resolve the problem.

    Fixes: 41df7b02db82cf6c14f094757bac3830d10a827f
    Signed-off-by: Hiral Shah
    Signed-off-by: Sesidhar Baddela
    Signed-off-by: Anil Chintalapati
    Reviewed-by: Martin K. Petersen
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit df56874d1424bdc220a8197dbfff59c4a2b529e6
Author: Guillermo A. Amaral
Date:   Tue Aug 25 23:29:13 2015 -0700

    Add factory recertified Crucial M500s to blacklist

    commit 7a7184b01aa9deb86df661c6f7cbcf69a95b728c upstream.
    The Crucial M500 is known to have issues with queued TRIM commands; the factory recertified SSDs use a different model number naming convention which causes them to get ignored by the blacklist.

    The new naming convention boils down to: s/Crucial_/FC/

    Signed-off-by: Guillermo A. Amaral
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit cad4bab399358cbcfe3c73f9da69bc05456ffa12
Author: Marc Kleine-Budde
Date:   Thu Aug 6 09:48:34 2015 +0200

    can: pcan_usb: don't provide CAN FD bittimings by non-FD adapters

    commit 06b23f7fbbf26a025fd68395c7586949db586b47 upstream.

    The CAN FD data bittiming constants are provided via netlink only when there are valid CAN FD constants available in priv->data_bittiming_const.

    Due to the indirection of pointer assignments in the peak_usb driver the priv->data_bittiming_const never becomes NULL - not even for non-FD adapters.

    The data_bittiming_const points to zero'ed data which leads to this result when running 'ip -details link show can0':

    35: can0: mtu 16 qdisc noop state DOWN mode DEFAULT group default qlen 10
        link/can promiscuity 0
        can state STOPPED restart-ms 0
          pcan_usb: tseg1 1..16 tseg2 1..8 sjw 1..4 brp 1..64 brp-inc 1
          : dtseg1 0..0 dtseg2 0..0 dsjw 1..0 dbrp 0..0 dbrp-inc 0 <== BROKEN!
          clock 8000000

    This patch changes the struct peak_usb_adapter::bittiming_const and struct peak_usb_adapter::data_bittiming_const to pointers to fix the assignment problems.

    Reported-by: Oliver Hartkopp
    Tested-by: Oliver Hartkopp
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit ec970fe98aa5d81215c3ba9729793d166b152966
Author: Alan Stern
Date:   Mon Aug 17 11:02:42 2015 -0400

    SCSI: Fix NULL pointer dereference in runtime PM

    commit 49718f0fb8c9af192b33d8af3a2826db04025371 upstream.
    The routines in scsi_rpm.c assume that if a runtime-PM callback is invoked for a SCSI device, it can only mean that the device's driver has asked the block layer to handle the runtime power management (by calling blk_pm_runtime_init(), which among other things sets q->dev).

    However, this assumption turns out to be wrong for things like the ses driver. Normally ses devices are not allowed to do runtime PM, but userspace can override this setting. If this happens, the kernel gets a NULL pointer dereference when blk_post_runtime_resume() tries to use the uninitialized q->dev pointer.

    This patch fixes the problem by calling the block layer's runtime-PM routines only if the device's driver really does have a runtime-PM callback routine. Since ses doesn't define any such callbacks, the crash won't occur.

    This fixes Bugzilla #101371.

    Signed-off-by: Alan Stern
    Reported-by: Stanisław Pitucha
    Reported-by: Ilan Cohen
    Tested-by: Ilan Cohen
    Reviewed-by: Johannes Thumshirn
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 0c7e8b8a0a4c216d5f9d1b6115858f70ede814ed
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:26 2015 +0300

    genirq: Introduce irq_chip_set_type_parent() helper

    commit b7560de198222994374c1340a389f12d5efb244a upstream.

    This helper is required for irq chips which do not implement an irq_set_type callback and need to call down the irq domain hierarchy for the actual trigger type change.

    This helper is required to fix further wreckage caused by the conversion of TI OMAP to hierarchical irq domains and therefore tagged for stable.
    [ tglx: Massaged changelog ]

    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Cc: stable@vger.kernel.org # 4.1
    Link: http://lkml.kernel.org/r/1439554830-19502-3-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 533eb4c087ba86e232ac9b49db9e553e1bdb4c59
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:25 2015 +0300

    genirq: Don't return ENOSYS in irq_chip_retrigger_hierarchy

    commit 6d4affea7d5aa5ca5ff4c3e5fbf3ee16801cc527 upstream.

    irq_chip_retrigger_hierarchy() returns -ENOSYS if it was not able to find at least one .irq_retrigger() callback implemented in the IRQ domain hierarchy.

    That's wrong, because check_irq_resend() expects a 0 return value from the callback in case that the hardware assisted resend was not possible. If the return value is non zero the core code assumes hardware resend success and the software resend is not invoked. This results in lost interrupts on platforms where none of the parent irq chips in the hierarchy implements the retrigger callback.

    This is observable on TI OMAP, where the hierarchy is:

    ARM GIC <- OMAP wakeupgen <- TI Crossbar

    Return 0 instead so the software resend mechanism gets invoked.

    [ tglx: Massaged changelog ]

    Fixes: 85f08c17de26 ('genirq: Introduce helper functions...')
    Signed-off-by: Grygorii Strashko
    Reviewed-by: Marc Zyngier
    Reviewed-by: Jiang Liu
    Cc: Sudeep Holla
    Link: http://lkml.kernel.org/r/1439554830-19502-2-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit f683ad037883682204b83185991fbd03282b079b
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:28 2015 +0300

    ARM: OMAP: wakeupgen: Restore the irq_set_type() mechanism

    commit 63059a272398ef5dc1bd7065a036e8b6e82d1af7 upstream.

    The conversion of the wakeupgen irqchip to hierarchical irq domains failed to provide a mechanism to properly set the trigger type of an interrupt.
    The wakeupgen irq chip itself has no mechanism and therefore no irq_set_type() callback. The code before the conversion relayed the trigger configuration directly to the underlying GIC.

    Restore the correct behaviour by setting the wakeupgen irq_set_type callback to irq_chip_set_type_parent(). This propagates the set_trigger() call to the underlying GIC irqchip.

    [ tglx: Massaged changelog ]

    Fixes: 7136d457f365 ('ARM: omap: convert wakeupgen to stacked domains')
    Signed-off-by: Grygorii Strashko
    Acked-by: Tony Lindgren
    Cc: Sudeep Holla
    Link: http://lkml.kernel.org/r/1439554830-19502-5-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 8e5c21ff49d4f033c102ffd6ff1c76a660f71715
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:30 2015 +0300

    irqchip/crossbar: Restore set_wake functionality

    commit 8200fe4347870d4ad6475048bcdf3e7c106c5268 upstream.

    The TI crossbar irqchip doesn't provide any facility to configure the wakeup sources, but the conversion to hierarchical irqdomains set the irq_set_wake callback to irq_chip_set_wake_parent. The parent chip (OMAP wakeupgen) has no irq_set_wake function either so the call will fail with -ENOSYS. As a result the irq_set_wake() call in the resume path will trigger an 'Unbalanced wake disable' warning.

    Before the conversion the GIC irqchip was the top level irqchip and correctly flagged with IRQCHIP_SKIP_SET_WAKE.

    Restore the correct behaviour by removing the irq_set_type callback from the crossbar irqchip and set the IRQCHIP_SKIP_SET_WAKE flag which lets the irq_set_irq_wake() call from the driver succeed.
    [ tglx: Massaged changelog ]

    Fixes: 783d31863fb8 ('irqchip: crossbar: Convert dra7 crossbar...')
    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Link: http://lkml.kernel.org/r/1439554830-19502-7-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 0c7ff29d25807ae4be8fbea3b2b1d3d8fef8455d
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:29 2015 +0300

    irqchip/crossbar: Restore the mask on suspend behaviour

    commit 4fd8f47e7e5b64a74b60f23c2e08ba8234d659d1 upstream.

    The ARM GIC requires that all interrupts which are not used as a wakeup source have to be masked during suspend. The conversion of the crossbar irqchip to hierarchical irq domains failed to mark the crossbar irqchip with the IRQCHIP_MASK_ON_SUSPEND flag and therefore broke the suspend requirement of the GIC.

    Before the conversion the flags were visible because the GIC was the top level irqchip. After the conversion the crossbar irqchip is the top level irq chip whose flags are evaluated in suspend_device_irq(). As the flag is not set the masking of the non-wakeup irqs is not invoked which breaks suspend.

    Add the IRQCHIP_MASK_ON_SUSPEND flag to the crossbar irqchip, so the GIC interrupts get masked properly.

    [ tglx: Massaged changelog ]

    Fixes: 783d31863fb8 ('irqchip: crossbar: Convert dra7 crossbar...')
    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Link: http://lkml.kernel.org/r/1439554830-19502-6-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit f10bb883e421d4a35e9849515bdf1926278d8cd8
Author: Grygorii Strashko
Date:   Fri Aug 14 15:20:27 2015 +0300

    irqchip/crossbar: Restore the irq_set_type() mechanism

    commit e269ec42328783e51be08c191aa935dba56141fc upstream.

    The conversion of the crossbar irqchip to hierarchical irq domains failed to provide a mechanism to properly set the trigger type of an interrupt.
    The crossbar irq chip itself has no mechanism and therefore no irq_set_type() callback. The code before the conversion relayed the trigger configuration directly to the underlying GIC.

    Restore the correct behaviour by setting the crossbar irq_set_type callback to irq_chip_set_type_parent(). This propagates the set_trigger() call to the underlying GIC irqchip.

    [ tglx: Massaged changelog ]

    Fixes: 783d31863fb8 ('irqchip: crossbar: Convert dra7 crossbar...')
    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Link: http://lkml.kernel.org/r/1439554830-19502-4-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit e18d264c4e706faf0dcb25abb3ebaa82ff4e8210
Author: Vincent Bernat
Date:   Sat Aug 15 15:49:13 2015 +0200

    9p: ensure err is initialized to 0 in p9_client_read/write

    commit 999b8b88c6060adf7a9b7907740ae86ace65291e upstream.

    Some uses of those functions were providing uninitialized values to those functions. Notably, when reading 0 bytes from an empty file on a 9P filesystem, the return code of read() was not 0.

    Tested with this simple program:

        #include <assert.h>
        #include <sys/types.h>
        #include <sys/stat.h>
        #include <fcntl.h>
        #include <unistd.h>

        int main(int argc, const char **argv)
        {
            assert(argc == 2);
            char buffer[256];
            int fd = open(argv[1], O_RDONLY|O_NOCTTY);
            assert(fd >= 0);
            assert(read(fd, buffer, 0) == 0);
            return 0;
        }

    Signed-off-by: Vincent Bernat
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

commit 5598cbeda80ea71125855e9ffa6777ded745af5c
Author: Thulasimani,Sivakumar
Date:   Tue Aug 18 15:30:37 2015 +0530

    drm/i915: Avoid TP3 on CHV

    commit ed63baaf849e91c84ac3e042b1fd6a0af07c16f3 upstream.

    This patch removes TP3 support on CHV since there is no support for HBR2 on this platform.

    v2: rename the function to indicate it checks source rates (Jani)
    v3: update comment to indicate TP3 dependency on HBR2 supported hardware (Jani)

    Reviewed-by: Ville Syrjälä
    Signed-off-by: Sivakumar Thulasimani
    [Jani: fixed a couple of checkpatch warnings.]
    Signed-off-by: Jani Nikula
    Signed-off-by: Greg Kroah-Hartman

commit d0cd6730fd070442e97dd6bc32fc315dc40f1068
Author: Thulasimani,Sivakumar
Date:   Tue Aug 18 11:07:57 2015 +0530

    drm/i915: remove HBR2 from chv supported list

    commit 5e86dfe39f54ab13fd8079ac3d6cb100318909a3 upstream.

    This patch removes 5.4Gbps from supported link rate for CHV since it is not supported in it.

    v2: change the ordering for better readability (Ville)

    Reviewed-by: Ville Syrjälä
    Signed-off-by: Sivakumar Thulasimani
    Signed-off-by: Jani Nikula
    Signed-off-by: Greg Kroah-Hartman

commit 8de8663a93eee38e82bcdd511d2b4f9e99de02a0
Author: Chris Wilson
Date:   Fri Aug 14 12:59:19 2015 +0100

    drm/i915: Flag the execlists context object as dirty after every use

    commit 903ecd0bb970438c3a60c2c33ec9032d6443bf67 upstream.

    Every time we use the logical context with execlists it becomes dirty (as the hardware will write the new register values afterwards, as well as the GPU state that will be used). We need to then flag the context as dirty every time since after a swap-out/swap-in cycle the dirty flag will be cleared, and a further swap-out cycle will then lose the most recent GPU state.

    Signed-off-by: Chris Wilson
    Reviewed-by: Daniel Vetter
    Signed-off-by: Jani Nikula
    Signed-off-by: Greg Kroah-Hartman

commit c407ed50a8f9d0be5839a7af9a4a6e14aea8cb33
Author: Thierry Reding
Date:   Fri Aug 14 13:58:20 2015 +0200

    drm/atmel-hlcdc: Compile suspend/resume for PM_SLEEP only

    commit dbb3df2d58754e4df58620e60370d166c2cb6744 upstream.

    If PM is enabled but PM_SLEEP is disabled, the suspend/resume functions are still unused and produce a compiler warning.

    Signed-off-by: Thierry Reding
    Signed-off-by: Boris Brezillon
    Signed-off-by: Greg Kroah-Hartman

commit ca1868ab9206637d98316a19e56a477b7a69432d
Author: Vincent Pelletier
Date:   Thu Aug 20 12:00:19 2015 -0700

    Input: gpio_keys_polled - request GPIO pin as input.

    commit 1ae5ddb6f8837558928a1a694c7b8af7f09fdd21 upstream.
    GPIOF_IN flag was lost in:
    Commit 633a21d80b4a ("input: gpio_keys_polled: Add support for GPIO descriptors").

    Without this flag, legacy code path (for non-descriptor GPIO declarations) would configure GPIO as output (0 meaning GPIOF_DIR_OUT | GPIOF_INIT_LOW).

    Signed-off-by: Vincent Pelletier
    Reviewed-by: Mika Westerberg
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 7aadce453a529fdca8d8e2d4d7d494f9646748c4
Author: Bjorn Helgaas
Date:   Thu Aug 20 00:08:15 2015 -0500

    PCI: Don't use 64-bit bus addresses on PA-RISC

    commit 45ea2a5fed6dacb9bb0558d8b21eacc1c45d5bb4 upstream.

    Meelis and Helge reported that 3a9ad0b4fdcd ("PCI: Add pci_bus_addr_t") caused HPMCs on A500 and hangs on rp5470.

    PA-RISC does not set ARCH_DMA_ADDR_T_64BIT, even for 64-bit kernels, so prior to 3a9ad0b4fdcd, we always used 32-bit PCI addresses. After 3a9ad0b4fdcd, we do use 64-bit PCI addresses in 64-bit kernels, and apparently there's some PA-RISC problem related to them.

    Fixes: 3a9ad0b4fdcd ("PCI: Add pci_bus_addr_t")
    Link: http://lkml.kernel.org/r/alpine.LRH.2.11.1507260929000.30065@math.ut.ee
    Reported-by: Meelis Roos
    Reported-by: Helge Deller
    Tested-by: Helge Deller
    Based-on-idea-by: Yinghai Lu
    Signed-off-by: Bjorn Helgaas
    Acked-by: Yinghai Lu
    Signed-off-by: Greg Kroah-Hartman

commit e1768fd6fdba1345321ab350f60ec109cb832c01
Author: Alexei Potashnik
Date:   Tue Jul 21 15:07:56 2015 -0700

    target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT

    commit 9547308bda296b6f69876c840a0291fcfbeddbb8 upstream.

    Make sure all non-READ SCSI commands get targ_xfer_tag initialized to 0xffffffff, not just WRITEs.

    Double-free of a TUR cmd object occurs under the following scenario:

    1. TUR received (targ_xfer_tag is uninitialized and left at 0)
    2. TUR status sent
    3. First unsolicited NOPIN is sent to initiator (gets targ_xfer_tag of 0)
    4. NOPOUT for NOPIN (with TTT=0) arrives
       - its ExpStatSN acks TUR status, TUR is queued for removal
       - LIO tries to find NOPIN with TTT=0, but finds the same TUR instead, TUR is queued for removal for the 2nd time

    (Drop unbalanced conditional bracket usage - nab)

    Signed-off-by: Alexei Potashnik
    Signed-off-by: Spencer Baugh
    Signed-off-by: Nicholas Bellinger
    Signed-off-by: Greg Kroah-Hartman

commit 82cb8352e372319b2fc57bd6ed34c726a37fe24b
Author: Adrien Schildknecht
Date:   Tue Jul 28 10:30:16 2015 +0200

    mac80211: fix invalid read in minstrel_sort_best_tp_rates()

    commit f5eeb5fa191fd7b634cbc4883ac58f3b2184dbc5 upstream.

    At the last iteration of the loop, j may equal zero and thus tp_list[j - 1] causes an invalid read. Change the logic of the loop so that j - 1 is always >= 0.

    Signed-off-by: Adrien Schildknecht
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 360c2a1448754b76fbf742b6270f5da1d4db3700
Author: Markus Osterhoff
Date:   Mon Aug 24 14:11:39 2015 +0200

    ALSA: hda: fix possible NULL dereference

    commit c7e69ae6b4ff49edf50180c0a32f3dd9d7967e31 upstream.

    After a for-loop was replaced by list_for_each_entry, see
    Commit bbbc7e8502c9 ("ALSA: hda - Allocate hda_pcm objects dynamically"),
    Commit 751e2216899c ("ALSA: hda: fix possible null dereference"),
    a possible NULL pointer dereference has been introduced; this patch adds the NULL check on pcm->pcm, while leaving a potentially superfluous check on pcm itself untouched.

    Signed-off-by: Markus Osterhoff
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ac44e50e61aaa6ef939970ad1532ce7a274a0ca5
Author: Takashi Iwai
Date:   Mon Aug 24 10:52:06 2015 +0200

    ALSA: hda - Fix path power activation

    commit c7cd0ef66aade29e37ee08821a0e195ee776c6e6 upstream.

    The widget power-saving code tries to turn up/down the power of each widget in the I/O paths that are modified at each jack plug/unplug. The recent report revealed that the power activation leaves some widgets unpowered after plugging.
    This is because snd_hda_activate_path() turns on path->active flag at the end of the function while the path power management is done before that. Then it's regarded as if nothing is active, and the driver turns off the power.

    The fix is simply to set the flag at the beginning of the function, before trying to power up.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=102521
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 93bebe57621df3753f8b533dbfbd055438d52534
Author: Takashi Iwai
Date:   Mon Aug 24 10:45:27 2015 +0200

    ALSA: hda - Check all inputs for is_active_nid_for_any()

    commit 9d2b48f7304aafaefbf0794a556ab4e307929d24 upstream.

    The is_active_nid_for_any() function in the generic parser is supposed to check all connections from/to the given widget, but the current code checks only the first input connection (index = 0). This patch corrects the code to check all inputs by passing -1 to index argument.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=102521
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit f27db157e2bfc330e7e6599b9427c7e9821d646f
Author: David Henningsson
Date:   Fri Aug 21 09:42:35 2015 +0200

    ALSA: hda - Shutdown CX20722 on reboot/free to avoid spurious noises

    commit f6b28e4ded45bb91bc4cd115d55e35badedfce5f upstream.

    On shutdown/reboot of CX20722, first shut down all EAPDs, then shut down the afg node to D3.

    Failure to do so can lead to spurious noises from the internal speaker directly after reboot (and before the codec is reinitialized again, i.e. in BIOS setup or GRUB menus).

    BugLink: https://bugs.launchpad.net/bugs/1487345
    Signed-off-by: David Henningsson
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit e6212cca33e130cf5c5222a3f5b3608564c2cd49
Author: Jurgen Kramer
Date:   Fri Aug 21 09:48:35 2015 +0200

    ALSA: usb: Add native DSD support for Gustard DAC-X20U

    commit 9544f8b6e2ee9ed02d2322ff018837b185f51d45 upstream.

    This patch adds native DSD support for the Gustard DAC-X20U.
    Signed-off-by: Jurgen Kramer
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 2e4728c6359824fcbd46dad5a3acc85f441ecf6f
Author: Woodrow Shen
Date:   Thu Aug 13 11:20:40 2015 +0800

    ALSA: hda - Fix the white noise on Dell laptop

    commit 7ccb0a9917a511de1d5f92980f26885484d9a914 upstream.

    Dell laptop causes the white noise by login screen and headphone, and the fixup function ALC292_FIXUP_DISABLE_AAMIX can eliminate this noise.

    Codec: Realtek ALC3235
    Vendor Id: 0x10ec0293
    Subsystem Id: 0x102806db

    BugLink: https://bugs.launchpad.net/bugs/1484334
    Signed-off-by: Woodrow Shen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 56577410e1e08afcc1a37d0b75d529e8be2f03d0
Author: Takashi Iwai
Date:   Wed Aug 19 07:20:14 2015 +0200

    ALSA: usb-audio: Fix runtime PM unbalance

    commit 9003ebb13f61e8c78a641e0dda7775183ada0625 upstream.

    The fix for deadlock in PM in commit [1ee23fe07ee8: ALSA: usb-audio: Fix deadlocks at resuming] introduced a new check of in_pm flag. However, the brainless patch author evaluated it in a wrong way (logical AND instead of logical OR), thus usb_autopm_get_interface() is wrongly called at probing, leading to unbalance of runtime PM refcount.

    This patch fixes it by correcting the logic.

    Reported-by: Hans Yang
    Fixes: 1ee23fe07ee8 ('ALSA: usb-audio: Fix deadlocks at resuming')
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 2f9de0cc23d064bcae6756976a7560a55290514e
Author: Alban Crequy
Date:   Thu Aug 6 16:21:05 2015 +0200

    cpuset: use trialcs->mems_allowed as a temp variable

    commit 24ee3cf89bef04e8bc23788aca4e029a3f0f06d9 upstream.

    The comment says it's using trialcs->mems_allowed as a temp variable but it didn't match the code. Change the code to match the comment.
    This fixes an issue when writing in cpuset.mems when a sub-directory exists: we need to write several times for the information to persist:

    | root@alban:/sys/fs/cgroup/cpuset# mkdir footest9
    | root@alban:/sys/fs/cgroup/cpuset# cd footest9
    | root@alban:/sys/fs/cgroup/cpuset/footest9# mkdir aa
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    | 0
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > aa/cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
    | 0
    | root@alban:/sys/fs/cgroup/cpuset/footest9#

    This should help to fix the following issue in Docker: https://github.com/opencontainers/runc/issues/133

    In some conditions, a Docker container needs to be started twice in order to work.

    Signed-off-by: Alban Crequy
    Tested-by: Iago López Galeiras
    Acked-by: Li Zefan
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit 4cd8e7b8c016b3ba1104341fa86c000af33850aa
Author: Tejun Heo
Date:   Mon Aug 3 11:46:39 2015 -0400

    Revert "libata: Implement NCQ autosense"

    commit 74a80d67b8316eb3fbeb73dafc060a5a0a708587 upstream.

    This reverts commit 42b966fbf35da9c87f08d98f9b8978edf9e717cf.

    As implemented, ACS-4 sense reporting for ATA devices bypasses error diagnosis and handling in libata degrading EH behavior significantly. Revert the related changes for now.

    Signed-off-by: Tejun Heo
    Cc: Hannes Reinecke
    Signed-off-by: Greg Kroah-Hartman

commit 0a72deb0923c023b3e84087a5ae2a94fd4daf43c
Author: Tejun Heo
Date:   Mon Aug 3 11:45:34 2015 -0400

    Revert "libata: Implement support for sense data reporting"

    commit 84ded2f8e7dda336fc2fb3570726ceb3b3b3590f upstream.

    This reverts commit fe7173c206de63fc28475ee6ae42ff95c05692de.
    As implemented, ACS-4 sense reporting for ATA devices bypasses error diagnosis and handling in libata degrading EH behavior significantly. Revert the related changes for now.

    ATA_ID_COMMAND_SET_3/4 constants are not reverted as they're used by later changes.

    Signed-off-by: Tejun Heo
    Cc: Hannes Reinecke
    Signed-off-by: Greg Kroah-Hartman

commit e344b9213af5de206f78bf5b8789351dc4cbabef
Author: Tejun Heo
Date:   Mon Aug 3 11:41:33 2015 -0400

    Revert "libata-eh: Set 'information' field for autosense"

    commit fe16d4f202c59a560533a223bc6375739ee30944 upstream.

    This reverts commit a1524f226a02aa6edebd90ae0752e97cfd78b159.

    As implemented, ACS-4 sense reporting for ATA devices bypasses error diagnosis and handling in libata degrading EH behavior significantly. Revert the related changes for now.

    Signed-off-by: Tejun Heo
    Cc: Hannes Reinecke
    Signed-off-by: Greg Kroah-Hartman

commit 47c47104b9908154a09565122f3dc6cf82182ee2
Author: Horia Geantă
Date:   Tue Aug 11 20:19:20 2015 +0300

    crypto: caam - fix memory corruption in ahash_final_ctx

    commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.

    When doing pointer operation for accessing the HW S/G table, a value representing number of entries (and not number of bytes) must be used.

    Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 686cb03a4e6bf3aef1dd46bf29ebb20866dbbd12
Author: Jan Stancek
Date:   Sat Aug 8 08:47:28 2015 +0200

    crypto: nx - respect sg limit bounds when building sg lists for SHA

    commit d3392f41f6d3cd0a034bd0aca47fabea2b47218e upstream.

    Commit 000851119e80 changed sha256/512 update functions to pass more data to nx_build_sg_list(), which ends with sg list overflows and usually with update functions failing for data larger than max_sg_len * NX_PAGE_SIZE.
    This happens because:
    - both "total" and "to_process" are updated, which leads to "to_process" getting overflowed for some data lengths
      For example:
        In first iteration "total" is 50, and let's assume "to_process" is 30 due to sg limits. At the end of first iteration "total" is set to 20. At start of 2nd iteration "to_process" overflows on:
          to_process = total - to_process;
    - "in_sg" is not reset to nx_ctx->in_sg after each iteration
    - nx_build_sg_list() is hitting overflow because the amount of data passed to it would require more than sgmax elements
    - as consequence of previous item, data stored in overflowed sg list may no longer be aligned to SHA*_BLOCK_SIZE

    This patch changes sha256/512 update functions so that "to_process" respects sg limits and never tries to pass more data to nx_build_sg_list() to avoid overflows. "to_process" is calculated as minimum of "total" and sg limits at start of every iteration.

    Fixes: 000851119e80 ("crypto: nx - Fix SHA concurrence issue and sg limit bounds")
    Signed-off-by: Jan Stancek
    Cc: Leonidas Da Silva Barbosa
    Cc: Marcelo Henrique Cerri
    Cc: Fionnuala Gunter
    Cc: "David S. Miller"
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 2a51c43d1d6824c3fce1511e0f30db51274e7cd7
Author: Martin K. Petersen
Date:   Tue Jun 23 12:13:59 2015 -0400

    sd: Fix maximum I/O size for BLOCK_PC requests

    commit 4f258a46346c03fa0bbb6199ffaf4e1f9f599660 upstream.

    Commit bcdb247c6b6a ("sd: Limit transfer length") clamped the maximum size of an I/O request to the MAXIMUM TRANSFER LENGTH field in the BLOCK LIMITS VPD. This had the unfortunate effect of also limiting the maximum size of non-filesystem requests sent to the device through sg/bsg.

    Avoid using blk_queue_max_hw_sectors() and set the max_sectors queue limit directly.

    Also update the comment in blk_limits_max_hw_sectors() to clarify that max_hw_sectors defines the limit for the I/O controller only.

    Signed-off-by: Martin K. Petersen
    Reported-by: Brian King
    Tested-by: Brian King
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 71b6a23ea944c6a30958bd15a69211e1fd521e1e
Author: John Soni Jose
Date:   Wed Jun 24 06:41:58 2015 +0530

    libiscsi: Fix host busy blocking during connection teardown

    commit 660d0831d1494a6837b2f810d08b5be092c1f31d upstream.

    In case of hw iscsi offload, a host can have N-number of active connections. There can be IO's running on some connections which make host->host_busy always TRUE. Now if logout from a connection is tried then the code gets into an infinite loop as host->host_busy is always TRUE.

     iscsi_conn_teardown(....)
     {
       .........
        /*
         * Block until all in-progress commands for this connection
         * time out or fail.
         */
         for (;;) {
            spin_lock_irqsave(session->host->host_lock, flags);
            if (!atomic_read(&session->host->host_busy)) { /* OK for ERL == 0 */
                    spin_unlock_irqrestore(session->host->host_lock, flags);
                    break;
            }
            spin_unlock_irqrestore(session->host->host_lock, flags);
            msleep_interruptible(500);
            iscsi_conn_printk(KERN_INFO, conn, "iscsi conn_destroy(): "
                            "host_busy %d host_failed %d\n",
                            atomic_read(&session->host->host_busy),
                            session->host->host_failed);
            ................
            ...............
         }
     }

    This is not an issue with software-iscsi/iser as each cxn is a separate host.

    Fix: Acquiring eh_mutex in iscsi_conn_teardown() before setting session->state = ISCSI_STATE_TERMINATE.

    Signed-off-by: John Soni Jose
    Reviewed-by: Mike Christie
    Reviewed-by: Chris Leech
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 6829ed43ba4fb8b4957bc6a6915e8372ad848d97
Author: Markos Chandras
Date:   Thu Aug 13 08:47:59 2015 +0100

    MIPS: Fix seccomp syscall argument for MIPS64

    commit 9f161439e4104b641a7bfb9b89581d801159fec8 upstream.
Commit 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls (o32)") fixed indirect system calls on O32 but it also introduced a bug for MIPS64 where it erroneously modified the v0 (syscall) register with the assumption that the syscall offset hasn't been taken into consideration. This breaks seccomp on MIPS64 n64 and n32 ABIs. We fix this by replacing the addition with a move instruction.

Fixes: 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls (o32)")
Reviewed-by: James Hogan
Signed-off-by: Markos Chandras
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10951/
Signed-off-by: Ralf Baechle
Signed-off-by: Greg Kroah-Hartman

commit fd1090c256f53c12d3840056a15112264ee26c0a
Author: Guenter Roeck
Date: Sun Jul 26 21:34:50 2015 -0700

regmap: regcache-rbtree: Clean new present bits on present bitmap resize

commit 8ef9724bf9718af81cfc5132253372f79c71b7e2 upstream.

When inserting a new register into a block, the present bit map size is increased using krealloc. krealloc does not clear the additionally allocated memory, leaving it filled with random values. Result is that some registers are considered cached even though this is not the case.

Fix the problem by clearing the additionally allocated memory. Also, if the bitmap size does not increase, do not reallocate the bitmap at all to reduce overhead.

Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Guenter Roeck
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman

commit 1cc4bf08d789b5daf679244d93f4adebb19ff64d
Author: Linus Torvalds
Date: Thu Aug 13 08:25:20 2015 -0700

Revert x86 sigcontext cleanups

commit ed596cde9425509ec6ce88e19f03e9b13b6f518b upstream.

This reverts commits 9a036b93a344 ("x86/signal/64: Remove 'fs' and 'gs' from sigcontext") and c6f2062935c8 ("x86/signal/64: Fix SS handling for signals delivered to 64-bit programs").
They were cleanups, but they break dosemu by changing the signal return behavior (and removing 'fs' and 'gs' from the sigcontext struct - while not actually changing any behavior - causes build problems).

Reported-and-tested-by: Stas Sergeev
Acked-by: Andy Lutomirski
Cc: Ingo Molnar
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit e8dd540d01845c634350182e3a5489ff95a130a0
Author: Charles Keepax
Date: Sun Jun 14 15:41:50 2015 +0100

mfd: arizona: Fix initialisation of the PM runtime

commit 72e43164fd472f6c2659c8313b87da962322dbcf upstream.

The PM runtime core by default assumes a chip is suspended when runtime PM is enabled. Currently the arizona driver enables runtime PM when the chip is fully active and then disables the DCVDD regulator at the end of arizona_dev_init. This however has several problems, firstly if we reach the end of arizona_dev_init, we did not properly follow all the procedures for shutting down the chip, and most notably we never marked the chip as cache only so any writes occurring between then and the next PM runtime resume will be lost. Secondly, if we are already resumed when we reach the end of dev_init, then at best we get unbalanced regulator enable/disables at worst we lose DCVDD whilst we need it.

Additionally, since the commit 4f0216409f7c ("mfd: arizona: Add better support for system suspend"), the PM runtime operations may disable/enable the IRQ, so the IRQs must now be enabled before we call any PM operations.

This patch adds a call to pm_runtime_set_active to inform the PM core that the device is starting up active and moves the PM enabling to around the IRQ initialisation to avoid any PM callbacks happening until the IRQs are initialised.
Signed-off-by: Charles Keepax Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 3a9570eadcc10d5952c94ff3180da66c0a0c685e Author: Russell King Date: Thu Jul 9 00:30:24 2015 +0100 ARM: invalidate L1 before enabling coherency commit bac51ad9d14f6baed3730ef53bedc1eb2238563a upstream. We must invalidate the L1 cache before enabling coherency, otherwise secondary CPUs can inject invalid cache lines into the coherent CPU cluster, which could then be migrated to other CPUs. This fixes a recent regression with SoCFPGA randomly failing to boot. Fixes: 02b4e2756e01 ("ARM: v7 setup function should invalidate L1 cache") Signed-off-by: Russell King Cc: Alexander Kochetkov Signed-off-by: Greg Kroah-Hartman commit a3595b864a2d64cf5084cbd822be622a4b0f5664 Author: Russell King Date: Tue May 19 17:06:44 2015 +0100 ARM: v7 setup function should invalidate L1 cache commit 02b4e2756e01c623cc4dbceae4b07be75252db5b upstream. All ARMv5 and older CPUs invalidate their caches in the early assembly setup function, prior to enabling the MMU. This is because the L1 cache should not contain any data relevant to the execution of the kernel at this point; all data should have been flushed out to memory. This requirement should also be true for ARMv6 and ARMv7 CPUs - indeed, these typically do not search their caches when caching is disabled (as it needs to be when the MMU is disabled) so this change should be safe. ARMv7 allows there to be CPUs which search their caches while caching is disabled, and it's permitted that the cache is uninitialised at boot; for these, the architecture reference manual requires that an implementation specific code sequence is used immediately after reset to ensure that the cache is placed into a sane state. Such functionality is definitely outside the remit of the Linux kernel, and must be done by the SoC's firmware before _any_ CPU gets to the Linux kernel. 
Changing the data cache clean+invalidate to a mere invalidate allows us to get rid of a lot of platform specific hacks around this issue for their secondary CPU bringup paths - some of which were buggy. Reviewed-by: Florian Fainelli Tested-by: Florian Fainelli Tested-by: Heiko Stuebner Tested-by: Dinh Nguyen Acked-by: Sebastian Hesselbarth Tested-by: Sebastian Hesselbarth Acked-by: Shawn Guo Tested-by: Thierry Reding Acked-by: Thierry Reding Tested-by: Geert Uytterhoeven Tested-by: Michal Simek Tested-by: Wei Xu Signed-off-by: Russell King Cc: Alexander Kochetkov Signed-off-by: Greg Kroah-Hartman commit 5211aabc75f8173cc0d9b0c990737756eae7f6c6 Author: Nathan Lynch Date: Wed Jun 3 00:41:15 2015 +0100 ARM: 8384/1: VDSO: force use of BFD linker commit d2b30cd4b7223a96e606dfc8120626f66d81e091 upstream. When using a toolchain with gold as the default linker, the VDSO build fails: VDSO arch/arm/vdso/vdso.so.raw HOSTCC arch/arm/vdso/vdsomunge MUNGE arch/arm/vdso/vdso.so.dbg OBJCOPY arch/arm/vdso/vdso.so BFD: arch/arm/vdso/vdso.so: Not enough room for program headers, try linking with -N For whatever reason, ld.gold is omitting an exidx program header that ld.bfd emits, and even when I work around that, I don't get a working VDSO. For now, instead of supporting gold (which will fail to link the kernel anyway since it does not implement --pic-veneer), direct the compiler to use the traditional bfd linker. This is accomplished by using -fuse-ld, which is implemented in GCC 4.8 and later. Note: one limitation of this is that if the toolchain is configured to use gold by default, and the bfd linker is not in $PATH, the VDSO build will fail: VDSO arch/arm/vdso/vdso.so.raw collect2: fatal error: cannot find 'ld' This will happen if CROSS_COMPILE begins with a path such as /opt/bin/arm-linux-gnu- but /opt/bin is not in $PATH. This is considered an acceptable corner-case limitation and is easily worked around. 
Additional note: we use cc-option instead of cc-ldoption so that -fuse-ld=bfd is placed in the command line if the compiler recognizes the option. Using cc-ldoption results in an attempt to link, which fails in the situation just described, causing -fuse-ld=bfd to be omitted and gold to be used for the VDSO link, which is what we're trying to prevent.

Reported-by: Stefan Agner
Signed-off-by: Nathan Lynch
Signed-off-by: Russell King
Cc: Alexander Kochetkov
Signed-off-by: Greg Kroah-Hartman

commit 2f9204986c71763ea48ad02882b3db805357907a
Author: Nathan Lynch
Date: Wed Jun 3 00:46:04 2015 +0100

ARM: 8385/1: VDSO: group link options

commit d33ce23b2160d26b27a47092da5d556b5b11a12a upstream.

Currently the VDSO's link options are kind of a mess spread between ccflags-y and cmd_vdsold. Collect linker directives into one variable, VDSO_LDFLAGS, and use that in cmd_vdsold.

Signed-off-by: Nathan Lynch
Signed-off-by: Russell King
Cc: Alexander Kochetkov
Signed-off-by: Greg Kroah-Hartman

commit a6040ad81032cc6d90e761eeb81d65a6880b73c7
Author: Kishon Vijay Abraham I
Date: Mon Jul 27 17:46:40 2015 +0530

ARM: dts: OMAP5: Fix broken pbias device creation

commit 70caac3f25291cf715cf8f2d8c7db46f6cbefe7c upstream.

commit ("ARM: dts: omap5: add minimal l4 bus layout with control module support") moved pbias_regulator dt node from being a child node of ocp to be the child node of omap5_padconf_global. After this device for pbias_regulator is not created.

Fix it by adding "simple-bus" compatible property to omap5_padconf_global dt node.

Fixes: ed8509edddeb ("ARM: dts: omap5: add minimal l4 bus layout with control module support")
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Tony Lindgren
Signed-off-by: Greg Kroah-Hartman

commit 1d38be7b2c53fb4ac2af60bd137ea66541dfdecd
Author: Kishon Vijay Abraham I
Date: Mon Jul 27 17:46:39 2015 +0530

ARM: dts: OMAP4: Fix broken pbias device creation

commit 89a898df87e114952191ab0e061aa18e3c617880 upstream.
commit <7415b0b4c645> ("ARM: dts: omap4: add minimal l4 bus layout with control module support") moved pbias_regulator dt node from being a child node of ocp to be the child node of omap4_padconf_global. After this device for pbias_regulator is not created. Fix it by adding "simple-bus" compatible property to omap4_padconf_global dt node. Fixes: 7415b0b4c645 ("ARM: dts: omap4: add minimal l4 bus layout with control module support") Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 12fd9b8085a741711e1cb1a5375b307ea6c779e1 Author: Kishon Vijay Abraham I Date: Mon Jul 27 17:46:41 2015 +0530 ARM: dts: dra7: Fix broken pbias device creation commit cd4556733b30cc363adc7b1cea3bffa7e2dd0c7c upstream. commit ("ARM: dts: dra7: add minimal l4 bus layout with control module support") moved pbias_regulator dt node from being a child node of ocp to be the child node of scm_conf. After this device for pbias_regulator is not created. Fix it by adding "simple-bus" compatible property to scm_conf dt node. Fixes: d919501feffa ("ARM: dts: dra7: add minimal l4 bus layout with control module support") Suggested-by: Tero Kristo Signed-off-by: Kishon Vijay Abraham I Tested-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 374f87fdfece43a29dd8bf7ced27a16a2de36dff Author: Kishon Vijay Abraham I Date: Mon Jul 27 17:46:38 2015 +0530 ARM: dts: omap243x: Fix broken pbias device creation commit 4317c8c9121e4685561422ac267b292df8e80806 upstream. commit <72b10ac00eb1> ("ARM: dts: omap24xx: add minimal l4 bus layout with control module support") moved pbias_regulator dt node from being a child node of ocp to be the child node of scm_conf. After this device for pbias_regulator is not created. Fix it by adding "simple-bus" compatible property to scm_conf dt node. 
Fixes: 72b10ac00eb1 ("ARM: dts: omap24xx: add minimal l4 bus layout with control module support") Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit cdda95937ec1f62e29f6e89c87600555594f3dec Author: Lucas Stach Date: Wed Aug 5 18:54:37 2015 +0200 ARM: imx6: correct i.MX6 PCIe interrupt routing commit 1a9fa190956f45c1e58c4d8bfa5ac051691ea590 upstream. The PCIe interrupts are also routed through the GPC. This has been missed from the conversion to stacked IRQ domains as the PCIe controller uses an explicit interrupt map and thus doesn't inherit the SoC global interrupt parent. Signed-off-by: Lucas Stach Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 1070185064814a5e9807fd5f2639f7bd2698502f Author: Bart Van Assche Date: Fri Jun 5 14:20:51 2015 -0700 libfc: Fix fc_fcp_cleanup_each_cmd() commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream. Since fc_fcp_cleanup_cmd() can sleep this function must not be called while holding a spinlock. 
This patch avoids that fc_fcp_cleanup_each_cmd() triggers the following bug:

BUG: scheduling while atomic: sg_reset/1512/0x00000202
1 lock held by sg_reset/1512:
 #0: (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Preemption disabled at:[] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Call Trace:
 [] dump_stack+0x4f/0x7b
 [] __schedule_bug+0x6c/0xd0
 [] __schedule+0x71a/0xa10
 [] schedule+0x32/0x80
 [] fc_seq_set_resp+0xac/0x100 [libfc]
 [] fc_exch_done+0x41/0x60 [libfc]
 [] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
 [] fc_eh_device_reset+0x1c3/0x270 [libfc]
 [] scsi_try_bus_device_reset+0x29/0x60
 [] scsi_ioctl_reset+0x258/0x2d0
 [] scsi_ioctl+0x150/0x440
 [] sd_ioctl+0xad/0x120
 [] blkdev_ioctl+0x1b6/0x810
 [] block_ioctl+0x38/0x40
 [] do_vfs_ioctl+0x2f8/0x530
 [] SyS_ioctl+0x81/0xa0
 [] system_call_fastpath+0x16/0x7a

Signed-off-by: Bart Van Assche
Signed-off-by: Vasu Dev
Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman

commit 9ddd673ff000280299c0ae654f33c519aa52789b
Author: Bart Van Assche
Date: Fri Jun 5 14:20:46 2015 -0700

libfc: Fix fc_exch_recv_req() error path

commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 upstream.

Due to patch "libfc: Do not invoke the response handler after fc_exch_done()" (commit ID 7030fd62) the lport_recv() call in fc_exch_recv_req() is passed a dangling pointer. Avoid this by moving the fc_frame_free() call from fc_invoke_resp() to its callers.
This patch fixes the following crash: general protection fault: 0000 [#3] PREEMPT SMP RIP: fc_lport_recv_req+0x72/0x280 [libfc] Call Trace: fc_exch_recv+0x642/0xde0 [libfc] fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe] kthread+0x10a/0x120 ret_from_fork+0x42/0x70 Signed-off-by: Bart Van Assche Signed-off-by: Vasu Dev Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3f52099b9579b39c8e6bfbbd1a92edc303c6d9fd Author: Thomas Hellstrom Date: Tue Aug 11 22:31:17 2015 -0700 drm/vmwgfx: Fix execbuf locking issues commit 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 upstream. This addresses two issues that cause problems with viewperf maya-03 in situation with memory pressure. The first issue causes attempts to unreserve buffers if batched reservation fails due to, for example, a signal pending. While previously the ttm_eu api was resistant against this type of error, it is no longer and the lockdep code will complain about attempting to unreserve buffers that are not reserved. The issue is resolved by avoid calling ttm_eu_backoff_reservation in the buffer reserve error path. The second issue is that the binding_mutex may be held when user-space fence objects are created and hence during memory reclaims. This may cause recursive attempts to grab the binding mutex. The issue is resolved by not holding the binding mutex across fence creation and submission. Signed-off-by: Thomas Hellstrom Reviewed-by: Sinclair Yeh Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 39d202573c4d5ec3b3a3930b31dc0c621e771414 Author: Alex Deucher Date: Mon Aug 10 15:28:49 2015 -0400 drm/radeon: add new OLAND pci id commit e037239e5e7b61007763984aa35a8329596d8c88 upstream. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit e0a829ebdcc4732ceec327fc00c300430257b8f8 Author: Dan Carpenter Date: Wed Jul 29 13:16:06 2015 +0300 HID: uclogic: fix limit in uclogic_tablet_enable() commit 4a8e70f5d0d80675fc17b9ba1e62db8ca6b91775 upstream. 
The limit should be ARRAY_SIZE(params) (5 elements) here instead of sizeof(params) (20 bytes). Fixes: 08177f40bd00 ('HID: uclogic: merge hid-huion driver in hid-uclogic') Signed-off-by: Dan Carpenter Reviewed-by: Nikolai Kondrashov Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 731fedc9a4c9192e0250e8615d2db08134749b3d Author: Krzysztof Kozlowski Date: Mon Aug 3 14:57:30 2015 +0900 HID: hid-input: Fix accessing freed memory during device disconnect commit 0621809e37936e7c2b3eac9165cf2aad7f9189eb upstream. During unbinding the driver was dereferencing a pointer to memory already freed by power_supply_unregister(). Driver was freeing its internal description of battery through pointers stored in power_supply structure. However, because the core owns the power supply instance, after calling power_supply_unregister() this memory is freed and the driver cannot access these members. Fix this by storing the pointer to internal description of battery in a local variable before calling power_supply_unregister(), so the pointer remains valid. Signed-off-by: Krzysztof Kozlowski Reported-by: H.J. Lu Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") Reviewed-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 0d2808f59028f624b18529bc445a1dcdcec56ae9 Author: Michael Walle Date: Tue Jul 21 11:00:53 2015 +0200 EDAC, ppc4xx: Access mci->csrows array elements properly commit 5c16179b550b9fd8114637a56b153c9768ea06a5 upstream. The commit de3910eb79ac ("edac: change the mem allocation scheme to make Documentation/kobject.txt happy") changed the memory allocation for the csrows member. But ppc4xx_edac was forgotten in the patch. Fix it. 
Signed-off-by: Michael Walle Cc: linux-edac Cc: Mauro Carvalho Chehab Link: http://lkml.kernel.org/r/1437469253-8611-1-git-send-email-michael@walle.cc Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit c329597eab7c6bb451d4a8f7e53906248d4e0411 Author: Richard Weinberger Date: Mon Jul 27 00:06:55 2015 +0200 localmodconfig: Use Kbuild files too commit c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a upstream. In kbuild it is allowed to define objects in files named "Makefile" and "Kbuild". Currently localmodconfig reads objects only from "Makefile"s and misses modules like nouveau. Link: http://lkml.kernel.org/r/1437948415-16290-1-git-send-email-richard@nod.at Reported-and-tested-by: Leonidas Spyropoulos Signed-off-by: Richard Weinberger Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 32d063ab015630c0fe3d0d7de6eaaf095f87cc22 Author: Joe Thornber Date: Wed Aug 12 15:10:21 2015 +0100 dm thin metadata: delete btrees when releasing metadata snapshot commit 7f518ad0a212e2a6fd68630e176af1de395070a7 upstream. The device details and mapping trees were just being decremented before. Now btree_del() is called to do a deep delete. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit eb63f85afac03722b2229d61c39fec3083fcfa53 Author: Julien Grall Date: Mon Aug 10 19:10:38 2015 +0100 xen/xenbus: Don't leak memory when unmapping the ring on HVM backend commit c22fe519e7e2b94ad173e0ea3b89c1a7d8be8d00 upstream. The commit ccc9d90a9a8b5c4ad7e9708ec41f75ff9e98d61d "xenbus_client: Extend interface to support multi-page ring" removes the call to free_xenballooned_pages() in xenbus_unmap_ring_vfree_hvm(), leaking a page for every shared ring. Only with backends running in HVM domains were affected. Signed-off-by: Julien Grall Reviewed-by: Boris Ostrovsky Reviewed-by: Wei Liu Signed-off-by: David Vrabel Signed-off-by: Greg Kroah-Hartman commit 0733a428056a18a6fbb1b57664a98cee4761d634 Author: Jason A. 
Donenfeld
Date: Mon Aug 10 15:40:27 2015 +0200

x86/xen: build "Xen PV" APIC driver for domU as well

commit fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 upstream.

It turns out that a PV domU also requires the "Xen PV" APIC driver. Otherwise, the flat driver is used and we get stuck in busy loops that never exit, such as in this stack trace:

(gdb) target remote localhost:9999
Remote debugging using localhost:9999
__xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
56 while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY)
(gdb) bt
#0 __xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
#1 __default_send_IPI_shortcut (shortcut=, dest=, vector=) at ./arch/x86/include/asm/ipi.h:75
#2 apic_send_IPI_self (vector=246) at arch/x86/kernel/apic/probe_64.c:54
#3 0xffffffff81011336 in arch_irq_work_raise () at arch/x86/kernel/irq_work.c:47
#4 0xffffffff8114990c in irq_work_queue (work=0xffff88000fc0e400) at kernel/irq_work.c:100
#5 0xffffffff8110c29d in wake_up_klogd () at kernel/printk/printk.c:2633
#6 0xffffffff8110ca60 in vprintk_emit (facility=0, level=, dict=0x0 , dictlen=, fmt=, args=) at kernel/printk/printk.c:1778
#7 0xffffffff816010c8 in printk (fmt=) at kernel/printk/printk.c:1868
#8 0xffffffffc00013ea in ?? ()
#9 0x0000000000000000 in ?? ()

Mailing-list-thread: https://lkml.org/lkml/2015/8/4/755
Signed-off-by: Jason A. Donenfeld
Signed-off-by: David Vrabel
Signed-off-by: Greg Kroah-Hartman

commit 6d61ce6dc7c831e690a3d44228b38d155db441fc
Author: Luis Felipe Dominguez Vega
Date: Wed Jul 29 21:11:20 2015 -0500

rtlwifi: Fix NULL dereference when PCI driver used as an AP

commit 7c62940165e9ae4004ce4e6b5117330bab94df68 upstream.

In commit 33511b157bbcebaef853cc1811992b664a2e5862 ("rtlwifi: add support to send beacon frame"), the mechanism for sending beacons was established.
That patch works correctly for rtl8192cu, but there is a possibility of getting the following warnings in the PCI drivers: WARNING: CPU: 1 PID: 2439 at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x179/0x1d0 [mac80211]() wlp5s0: Failed check-sdata-in-driver check, flags: 0x0 The warning is followed by a NULL pointer dereference as follows: BUG: unable to handle kernel NULL pointer dereference at 0000000000000006 IP: [] rtl_get_tcb_desc+0x5e/0x760 [rtlwifi] This problem was reported at http://thread.gmane.org/gmane.linux.kernel.wireless.general/138645, but no solution was found at that time. The problem was also reported at https://bugzilla.kernel.org/show_bug.cgi?id=9744 and this solution was developed and tested there. The USB driver works with a NULL final argument in the adapter_tx() callback; however, the PCI drivers need a struct rtl_tcb_desc in that position. Fixes: 33511b157bbc ("rtlwifi: add support to send beacon frame.") Signed-off-by: Luis Felipe Dominguez Vega Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit c9557ae624bdb05c44b12a42195076a3191455e6 Author: Larry Finger Date: Sun Aug 2 13:24:13 2015 -0500 rtlwifi: rtl8723be: Add module parameter for MSI interrupts commit 741e3b9902d11585e18bfc7f8d47e913616bb070 upstream. The driver code allows for the disabling of MSI interrupts; however the module_parm line was missed and the option fails to show with modinfo. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit c82f14951c4d67eb6f6bcb28e5cf5a85ae242e64 Author: Emmanuel Grumbach Date: Mon Jul 20 12:14:39 2015 +0300 iwlwifi: pcie: fix prepare card flow commit c9fdec9f3970eeaa1b176422f46167f5f5158804 upstream. When the card is not owned by the PCIe bus, we need to acquire ownership first. This flow is implemented in iwl_pcie_prepare_card_hw. 
Because of a hardware bug, we need to disable link power management before we can request ownership otherwise the other user of the device won't get notified that we are requesting the device which will prevent us from acquiring ownership.

Same holds for the down flow where we need to make sure that any other potential user is notified that the driver is going down.

Signed-off-by: Emmanuel Grumbach
Signed-off-by: Greg Kroah-Hartman

commit 58b9cca673e06a9f98a902d95ff4cda951a7f234
Author: Peter Zijlstra
Date: Tue Aug 4 19:22:49 2015 +0200

perf: Fix PERF_EVENT_IOC_PERIOD migration race

commit c7999c6f3fed9e383d3131474588f282ae6d56b9 upstream.

I ran the perf fuzzer, which triggered some WARN()s which are due to trying to stop/restart an event on the wrong CPU.

Use the normal IPI pattern to ensure we run the code on the correct CPU.

Signed-off-by: Peter Zijlstra (Intel)
Cc: Vince Weaver
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Fixes: bad7192b842c ("perf: Fix PERF_EVENT_IOC_PERIOD to force-reset the period")
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit db8d87e1cd13809687f39a3da567cb823e1b7576
Author: Ben Hutchings
Date: Mon Jul 27 00:31:08 2015 +0100

perf: Fix double-free of the AUX buffer

commit ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 upstream.

If rb->aux_refcount is decremented to zero before rb->refcount, __rb_free_aux() may be called twice resulting in a double free of rb->aux_pages. Fix this by adding a check to __rb_free_aux().
Signed-off-by: Ben Hutchings
Signed-off-by: Peter Zijlstra (Intel)
Cc: Alexander Shishkin
Cc: Arnaldo Carvalho de Melo
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit b8cae722c4afc4c116dc34e013c82cd5bbc68bb8
Author: Peter Zijlstra
Date: Mon Jul 27 10:35:07 2015 +0200

perf: Fix running time accounting

commit 00a2916f7f82c348a2a94dbb572874173bc308a3 upstream.

A recent fix to the shadow timestamp inadvertently broke the running time accounting.

We must not update the running timestamp if we fail to schedule the event, the event will not have run. This can (and did) result in negative total runtime because the stopped timestamp was before the running timestamp (we 'started' but never stopped the event -- because it never really started we didn't have to stop it either).

Reported-and-Tested-by: Vince Weaver
Fixes: 72f669c0086f ("perf: Update shadow timestamp before add event")
Signed-off-by: Peter Zijlstra (Intel)
Cc: Shaohua Li
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman

commit 75d370fe0b1159aedf960c843b514b39c82e822f
Author: Peter Zijlstra
Date: Thu Jun 11 10:32:01 2015 +0200

perf: Fix fasync handling on inherited events

commit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream.

Vince reported that the fasync signal stuff doesn't work properly for inherited events. So fix that.

Installing fasync allocates memory and sets filp->f_flags |= FASYNC, which upon the demise of the file descriptor ensures the allocation is freed and state is updated.

Now for perf, we can have the events stick around for a while after the original FD is dead because of references from child events. So we cannot copy the fasync pointer around. We can however consistently use the parent's fasync, as that will be updated.
Reported-and-Tested-by: Vince Weaver Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho deMelo Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: eranian@google.com Link: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 57e25b602cab84202e69f22bce932336cb0db03b Author: Mike Looijmans Date: Tue Jul 28 07:51:01 2015 +0200 rsi: Fix failure to load firmware after memory leak fix and fix the leak commit 5d5cd85ff441534a52f23f821d0a7c644d3b6cce upstream. Fixes commit eae79b4f3e82 ("rsi: fix memory leak in rsi_load_ta_instructions()") which stopped the driver from functioning. Firmware data has been allocated using vmalloc(), resulting in memory that cannot be used for DMA. Hence the firmware was first copied to a buffer allocated with kmalloc() in the original code. This patch reverts the commit and only calls "kfree()" to release the buffer after sending the data. This fixes the memory leak without breaking the driver. Add a comment to the kmemdup() calls to explain why this is done, and abort if memory allocation fails. Tested on a Topic Miami-Florida board which contains the rsi SDIO chip. Also added the same kfree() call to the USB glue driver. This was not tested on actual hardware though, as I only have the SDIO version. Fixes: eae79b4f3e82 ("rsi: fix memory leak in rsi_load_ta_instructions()") Signed-off-by: Mike Looijmans Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit e46ebf0b0f94429f6813d8e4162dd060ef7ca7fd Author: Bob Liu Date: Wed Jul 22 14:40:10 2015 +0800 xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() commit 53bc7dc004fecf39e0ba70f2f8d120a1444315d3 upstream. The BUG_ON() in purge_persistent_gnt() will be triggered when previous purge work haven't finished. There is a work_pending() before this BUG_ON, but it doesn't account if the work is still currently running. 
Acked-by: Roger Pau Monné Signed-off-by: Bob Liu Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 8fab9f94b4b4d5487bb3e2b683f7f85e8aba5c09 Author: Bob Liu Date: Wed Jul 22 14:40:09 2015 +0800 xen-blkfront: don't add indirect pages to list when !feature_persistent commit 7b0767502b5db11cb1f0daef2d01f6d71b1192dc upstream. We should consider info->feature_persistent when adding indirect page to list info->indirect_pages, else the BUG_ON() in blkif_free() would be triggered. When we are using persistent grants the indirect_pages list should always be empty because blkfront has pre-allocated enough persistent pages to fill all requests on the ring. Acked-by: Roger Pau Monné Signed-off-by: Bob Liu Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 48f8d0f5a4fec334ec2c3c5c6ec6867a885e2329 Author: Robert Jarzmik Date: Tue Aug 4 08:21:33 2015 +0200 clk: pxa: pxa3xx: fix CKEN register access commit b93028c9af807b9474789e6aba34a6135b6cb708 upstream. Clocks 0 to 31 are on CKENA, and not CKENB. The clock register names were inadequately inverted. As a consequence, all clock operations were happening on CKENB, because almost all but 2 clocks are on CKENA. As the clocks were activated by the bootloader in the former tests, it escaped the testing that the wrong clock gate was manipulated. The error was revealed by changing the pxa3xx-nand driver to a module, where upon unloading, the wrong clock was disabled in CKENB. Fixes: 9bbb8a338fb2 ("clk: pxa: add pxa3xx clock driver") Signed-off-by: Robert Jarzmik Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit d73eba8c9e33c0d5b487c04a0fc498432f074fea Author: Wanpeng Li Date: Fri Aug 14 15:34:59 2015 -0700 mm/hwpoison: fix fail isolate hugetlbfs page w/ refcount held commit 036138080a4376e5f3e5d0cca8ac99084c5cf06e upstream. Hugetlbfs pages will get a refcount in get_any_page() or madvise_hwpoison() if soft offlining through madvise. 
    The refcount which is held by the soft offline path should be released
    if we fail to isolate hugetlbfs pages.

    Fix it by reducing the refcount for both isolation success and failure.

    Signed-off-by: Wanpeng Li
    Acked-by: Naoya Horiguchi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 0ebc1f07b7570ca97734c408b0ba87bf340b2cb0
Author: Wanpeng Li
Date:   Fri Aug 14 15:34:56 2015 -0700

    mm/hwpoison: fix page refcount of unknown non LRU page

    commit 4f32be677b124a49459e2603321c7a5605ceb9f8 upstream.

    After trying to drain pages from pagevec/pageset, we try to get
    reference count of the page again, however, the reference count of the
    page is not reduced if the page is still not on LRU list.

    Fix it by adding the put_page() to drop the page reference which is from
    __get_any_page().

    Signed-off-by: Wanpeng Li
    Acked-by: Naoya Horiguchi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit b6805da60f0196d8703963ef0d476001bcea12a4
Author: Manfred Spraul
Date:   Fri Aug 14 15:35:10 2015 -0700

    ipc/sem.c: update/correct memory barriers

    commit 3ed1f8a99d70ea1cd1508910eb107d0edcae5009 upstream.

    sem_lock() did not properly pair memory barriers:

    !spin_is_locked() and spin_unlock_wait() are both only control barriers.
    The code needs an acquire barrier, otherwise the cpu might perform read
    operations before the lock test.

    As no primitive exists inside and since it seems no one wants another
    primitive, the code creates a local primitive within ipc/sem.c.

    With regards to -stable:

    The change of sem_wait_array() is a bugfix, the change to sem_lock() is
    a nop (just a preprocessor redefinition to improve the readability).
    The bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
    starting from 3.10).

    Signed-off-by: Manfred Spraul
    Reported-by: Oleg Nesterov
    Acked-by: Peter Zijlstra (Intel)
    Cc: "Paul E. McKenney"
    Cc: Kirill Tkhai
    Cc: Ingo Molnar
    Cc: Josh Poimboeuf
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7be83cf01024dd5186ae9743a5438904da1cb6ca
Author: Herton R. Krzesinski
Date:   Fri Aug 14 15:35:02 2015 -0700

    ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits

    commit 602b8593d2b4138c10e922eeaafe306f6b51817b upstream.

    The current semaphore code allows a potential use after free: in
    exit_sem we may free the task's sem_undo_list while there is still
    another task looping through the same semaphore set and cleaning the
    sem_undo list at freeary function (the task called IPC_RMID for the same
    semaphore set).

    For example, with a test program [1] running which keeps forking a lot
    of processes (which then do a semop call with SEM_UNDO flag), and with
    the parent right after removing the semaphore set with IPC_RMID, and a
    kernel built with CONFIG_SLAB, CONFIG_SLAB_DEBUG and
    CONFIG_DEBUG_SPINLOCK, you can easily see something like the following
    in the kernel log:

       Slab corruption (Not tainted): kmalloc-64 start=ffff88003b45c1c0, len=64
       000: 6b 6b 6b 6b 6b 6b 6b 6b 00 6b 6b 6b 6b 6b 6b 6b  kkkkkkkk.kkkkkkk
       010: ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
       Prev obj: start=ffff88003b45c180, len=64
       000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a  .....N......ZZZZ
       010: ff ff ff ff ff ff ff ff c0 fb 01 37 00 88 ff ff  ...........7....
       Next obj: start=ffff88003b45c200, len=64
       000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a  .....N......ZZZZ
       010: ff ff ff ff ff ff ff ff 68 29 a7 3c 00 88 ff ff  ........h).<....
       BUG: spinlock wrong CPU on CPU#2, test/18028
       general protection fault: 0000 [#1] SMP
       Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4
         ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state
         nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds
         joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng
         virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul
         ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm
         snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core
         snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore
         crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic
         [last unloaded: speedstep_lib]
       CPU: 2 PID: 18028 Comm: test Not tainted 4.2.0-rc5+ #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
       RIP: spin_dump+0x53/0xc0
       Call Trace:
         spin_bug+0x30/0x40
         do_raw_spin_unlock+0x71/0xa0
         _raw_spin_unlock+0xe/0x10
         freeary+0x82/0x2a0
         ? _raw_spin_lock+0xe/0x10
         semctl_down.clone.0+0xce/0x160
         ? __do_page_fault+0x19a/0x430
         ? __audit_syscall_entry+0xa8/0x100
         SyS_semctl+0x236/0x2c0
         ? syscall_trace_leave+0xde/0x130
         entry_SYSCALL_64_fastpath+0x12/0x71
       Code: 8b 80 88 03 00 00 48 8d 88 60 05 00 00 48 c7 c7 a0 2c a4 81 31 c0 65 8b 15 eb 40 f3 7e e8 08 31 68 00 4d 85 e4 44 8b 4b 08 74 5e <45> 8b 84 24 88 03 00 00 49 8d 8c 24 60 05 00 00 8b 53 04 48 89
       RIP [] spin_dump+0x53/0xc0
       RSP
       ---[ end trace 783ebb76612867a0 ]---
       NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [test:18053]
       Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4
         ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state
         nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds
         joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng
         virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul
         ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm
         snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core
         snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore
         crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic
         [last unloaded: speedstep_lib]
       CPU: 3 PID: 18053 Comm: test Tainted: G D 4.2.0-rc5+ #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
       RIP: native_read_tsc+0x0/0x20
       Call Trace:
         ? delay_tsc+0x40/0x70
         __delay+0xf/0x20
         do_raw_spin_lock+0x96/0x140
         _raw_spin_lock+0xe/0x10
         sem_lock_and_putref+0x11/0x70
         SYSC_semtimedop+0x7bf/0x960
         ? handle_mm_fault+0xbf6/0x1880
         ? dequeue_task_fair+0x79/0x4a0
         ? __do_page_fault+0x19a/0x430
         ? kfree_debugcheck+0x16/0x40
         ? __do_page_fault+0x19a/0x430
         ? __audit_syscall_entry+0xa8/0x100
         ? do_audit_syscall_entry+0x66/0x70
         ? syscall_trace_enter_phase1+0x139/0x160
         SyS_semtimedop+0xe/0x10
         SyS_semop+0x10/0x20
         entry_SYSCALL_64_fastpath+0x12/0x71
       Code: 47 10 83 e8 01 85 c0 89 47 10 75 08 65 48 89 3d 1f 74 ff 7e c9 c3 0f 1f 44 00 00 55 48 89 e5 e8 87 17 04 00 66 90 c9 c3 0f 1f 00 <55> 48 89 e5 0f 31 89 c1 48 89 d0 48 c1 e0 20 89 c9 48 09 c8 c9
       Kernel panic - not syncing: softlockup: hung tasks

    I wasn't able to trigger any badness on a recent kernel without the
    proper config debugs enabled, however I have softlockup reports on some
    kernel versions, in the semaphore code, which are similar as above (the
    scenario is seen on some servers running IBM DB2 which uses semaphore
    syscalls).

    The patch here fixes the race against freeary, by acquiring or waiting
    on the sem_undo_list lock as necessary (exit_sem can race with freeary,
    while freeary sets un->semid to -1 and removes the same sem_undo from
    list_proc or when it removes the last sem_undo).

    After the patch I'm unable to reproduce the problem using the test case
    [1].

    [1] Test case used below:

        #include <stdio.h>
        #include <sys/types.h>
        #include <sys/ipc.h>
        #include <sys/sem.h>
        #include <sys/wait.h>
        #include <stdlib.h>
        #include <time.h>
        #include <unistd.h>
        #include <errno.h>

        #define NSEM 1
        #define NSET 5

        int sid[NSET];

        void thread()
        {
                struct sembuf op;
                int s;
                uid_t pid = getuid();

                s = rand() % NSET;
                op.sem_num = pid % NSEM;
                op.sem_op = 1;
                op.sem_flg = SEM_UNDO;

                semop(sid[s], &op, 1);
                exit(EXIT_SUCCESS);
        }

        void create_set()
        {
                int i, j;
                pid_t p;
                union {
                        int val;
                        struct semid_ds *buf;
                        unsigned short int *array;
                        struct seminfo *__buf;
                } un;

                /* Create and initialize semaphore set */
                for (i = 0; i < NSET; i++) {
                        sid[i] = semget(IPC_PRIVATE , NSEM, 0644 | IPC_CREAT);
                        if (sid[i] < 0) {
                                perror("semget");
                                exit(EXIT_FAILURE);
                        }
                }
                un.val = 0;
                for (i = 0; i < NSET; i++) {
                        for (j = 0; j < NSEM; j++) {
                                if (semctl(sid[i], j, SETVAL, un) < 0)
                                        perror("semctl");
                        }
                }

                /* Launch threads that operate on semaphore set */
                for (i = 0; i < NSEM * NSET * NSET; i++) {
                        p = fork();
                        if (p < 0)
                                perror("fork");
                        if (p == 0)
                                thread();
                }

                /* Free semaphore set */
                for (i = 0; i < NSET; i++) {
                        if (semctl(sid[i], NSEM, IPC_RMID))
                                perror("IPC_RMID");
                }

                /* Wait for forked processes to exit */
                while (wait(NULL)) {
                        if (errno == ECHILD)
                                break;
                };
        }

        int main(int argc, char **argv)
        {
                pid_t p;

                srand(time(NULL));

                while (1) {
                        p = fork();
                        if (p < 0) {
                                perror("fork");
                                exit(EXIT_FAILURE);
                        }
                        if (p == 0) {
                                create_set();
                                goto end;
                        }

                        /* Wait for forked processes to exit */
                        while (wait(NULL)) {
                                if (errno == ECHILD)
                                        break;
                        };
                }
        end:
                return 0;
        }

    [akpm@linux-foundation.org: use normal comment layout]
    Signed-off-by: Herton R. Krzesinski
    Acked-by: Manfred Spraul
    Cc: Davidlohr Bueso
    Cc: Rafael Aquini
    CC: Aristeu Rozanski
    Cc: David Jeffery
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Linus Torvalds