Commit Graph

520162 Commits

Daniel Borkmann
c78e1746d3 net: sched: fix call_rcu() race on classifier module unloads
Vijay reported that a loop as simple as ...

  while true; do
    tc qdisc add dev foo root handle 1: prio
    tc filter add dev foo parent 1: u32 match u32 0 0  flowid 1
    tc qdisc del dev foo root
    rmmod cls_u32
  done

... will panic the kernel. Moreover, he bisected the change
apparently introducing it to 78fd1d0ab0 ("netlink: Re-add
locking to netlink_lookup() and seq walker").

The removal of synchronize_net() from the netlink socket
triggering the qdisc to be removed, seems to have uncovered
an RCU resp. module reference count race from the tc API.
Given that RCU conversion was done after e341694e3e ("netlink:
Convert netlink_lookup() to use RCU protected hash table")
which added the synchronize_net() originally, occasion of
hitting the bug was less likely (not impossible though):

When qdiscs that i) support attaching classifiers and,
ii) have at least one of them attached, get deleted, they
invoke tcf_destroy_chain(), and thus call into ->destroy()
handler from a classifier module.

After RCU conversion, all classifiers that have an internal
prio list unlink them and initiate freeing via call_rcu()
deferral.

Meanwhile, tcf_destroy() already releases the reference to the
tp->ops->owner module before the queued RCU callback handler
has been invoked.

Subsequent rmmod on the classifier module is then not prevented
since all module references are already dropped.

By the time the kernel invokes the RCU callback handler from
the module, that function address is then invalid.

One way to fix it would be to add an rcu_barrier() to
unregister_tcf_proto_ops() to wait for all pending call_rcu()s
to complete.

synchronize_rcu() is not appropriate as under heavy RCU
callback load, registered call_rcu()s could be deferred
longer than a grace period. In case we don't have any pending
call_rcu()s, the barrier is allowed to return immediately.

Since we came here via unregister_tcf_proto_ops(), there
are no users of a given classifier anymore. Further nested
call_rcu()s pointing into the module space are not being
done anywhere.

Only cls_bpf_delete_prog() may schedule a work item, to
unlock pages eventually, but that is not in the range/context
of cls_bpf anymore.

Fixes: 25d8c0d55f ("net: rcu-ify tcf_proto")
Fixes: 9888faefe1 ("net: sched: cls_basic use RCU")
Reported-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.r.fastabend@intel.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Thomas Graf <tgraf@suug.ch>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-21 18:48:18 -04:00
Eliad Peller
292208914d iwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx()
qos_seq points (to a struct) inside the command response data.

Make sure to free the response only after qos_seq is not
needed anymore.

Reported-by: Heng Luo <heng.luo@intel.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:36:46 +03:00
Luciano Coelho
a500e469ea iwlwifi: mvm: clean net-detect info if device was reset during suspend
If the device is reset during suspend with net-detect enabled, we
leave the net-detect information dangling and this causes the next
suspend to fail with a warning:

[21795.351010] WARNING: at /root/iwlwifi/iwlwifi-stack-dev/drivers/net/wireless/iwlwifi/mvm/d3.c:989 __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]()
[21795.353253] Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [...]
[21795.366168] CPU: 1 PID: 3645 Comm: bash Tainted: G           O 3.10.29-dev #1
[21795.368785] Hardware name: Dell Inc. Latitude E6430/0CPWYR, BIOS A09 12/13/2012
[21795.371441]  f8ec6748 f8ec6748 e51f3ce8 c168aa62 e51f3d10 c103a824 c1871238 f8ec6748
[21795.374228]  000003dd f8eb982e f8eb982e 00000000 c3408ed4 c41edbbc e51f3d20 c103a862
[21795.377006]  00000009 00000000 e51f3da8 f8eb982e c41ee3dc 00000004 e7970000 e51f3d74
[21795.379792] Call Trace:
[21795.382461]  [<c168aa62>] dump_stack+0x16/0x18
[21795.385133]  [<c103a824>] warn_slowpath_common+0x64/0x80
[21795.387803]  [<f8eb982e>] ? __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.390485]  [<f8eb982e>] ? __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.393124]  [<c103a862>] warn_slowpath_null+0x22/0x30
[21795.395787]  [<f8eb982e>] __iwl_mvm_suspend.isra.6+0x2be/0x460 [iwlmvm]
[21795.398464]  [<f8eb9d7c>] iwl_mvm_suspend+0xec/0x140 [iwlmvm]
[21795.401127]  [<c104be11>] ? del_timer_sync+0xa1/0xc0
[21795.403800]  [<f8d4107e>] __ieee80211_suspend+0x1de/0xff0 [mac80211]
[21795.406459]  [<c168e43d>] ? mutex_lock_nested+0x25d/0x350
[21795.409084]  [<c1586b64>] ? rtnl_lock+0x14/0x20
[21795.411685]  [<f8cf0076>] ieee80211_suspend+0x16/0x20 [mac80211]
[21795.414318]  [<f8c4e014>] wiphy_suspend+0x74/0x710 [cfg80211]
[21795.416916]  [<c141e612>] __device_suspend+0x1e2/0x220
[21795.419521]  [<f8c4dfa0>] ? addresses_show+0xa0/0xa0 [cfg80211]
[21795.422097]  [<c141f997>] dpm_suspend+0x67/0x210
[21795.424661]  [<c141fd6f>] dpm_suspend_start+0x4f/0x60
[21795.427219]  [<c108d8e0>] suspend_devices_and_enter+0x60/0x480
[21795.429768]  [<c168646a>] ? printk+0x4d/0x4f
[21795.432295]  [<c108de76>] pm_suspend+0x176/0x210
[21795.434830]  [<c108ca5d>] state_store+0x5d/0xb0
[21795.437410]  [<c108ca00>] ? wakeup_count_show+0x50/0x50
[21795.439961]  [<c13208db>] kobj_attr_store+0x1b/0x30
[21795.442514]  [<c11e3a4b>] sysfs_write_file+0xab/0x100
[21795.445088]  [<c11e39a0>] ? sysfs_poll+0xa0/0xa0
[21795.447659]  [<c1179655>] vfs_write+0xa5/0x1c0
[21795.450212]  [<c1179af7>] SyS_write+0x57/0xa0
[21795.452699]  [<c1699ec1>] sysenter_do_call+0x12/0x32
[21795.455146] ---[ end trace faf5321baba2bfdb ]---

To fix this, call the iwl_mvm_free_nd() function in case of any error
during resume.  Additionally, rename the "out_unlock" label to err to
make it clearer that it's only called in error conditions.

Cc: stable@vger.kernel.org [3.19+]
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:28:51 +03:00
Luciano Coelho
dcfc7fb134 iwlwifi: mvm: take the UCODE_DOWN reference when resuming
The __iwl_mvm_resume() function always returns 1, which causes
mac80211 to do a reconfig with IEEE80211_RECONFIG_TYPE_RESTART.  This
type of reconfig calls iwl_mvm_restart_complete(), where we unref the
IWL_MVM_REF_UCODE_DOWN, so we should always take the reference in this
case.

This prevents this kind of warning from happening:

[40026.103025] WARNING: at /root/iwlwifi/iwlwifi-stack-dev/drivers/net/wireless/iwlwifi/mvm/mac80211.c:236 iwl_mvm_unref+0xc9/0xd0 [iwlmvm]()
[40026.105145] Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) ctr ccm arc4 autofs4 snd_hda_codec_hdmi snd_hda_codec_idt joydev coretemp kvm_intel kvm aesni_intel ablk_helper cryptd lrw aes_i586 snd_hda_intel xts snd_hda_codec gf128mul snd_hwdep snd_pcm snd_seq_midi dell_wmi snd_rawmidi sparse_keymap snd_seq_midi_event snd_seq uvcvideo dell_laptop videobuf2_core dcdbas microcode videodev psmouse snd_timer videobuf2_vmalloc videobuf2_memops serio_raw snd_seq_device btusb i915 snd bluetooth lpc_ich drm_kms_helper soundcore snd_page_alloc drm i2c_algo_bit wmi parport_pc ppdev video binfmt_misc rpcsec_gss_krb5 nfsd mac_hid nfs_acl nfsv4 auth_rpcgss nfs fscache lockd sunrpc msdos lp parport sdhci_pci sdhci ahci libahci e1000e mmc_core ptp pps_core [last unloaded: compat]
[40026.117640] CPU: 2 PID: 3827 Comm: bash Tainted: G        W  O 3.10.29-dev #1
[40026.120216] Hardware name: Dell Inc. Latitude E6430/0CPWYR, BIOS A09 12/13/2012
[40026.122815]  f8effd18 f8effd18 e740fd18 c168aa62 e740fd40 c103a824 c1871238 f8effd18
[40026.125527]  000000ec f8ec79c9 f8ec79c9 d5d29ba4 d5d2a20c 00000000 e740fd50 c103a862
[40026.128209]  00000009 00000000 e740fd7c f8ec79c9 f1c591c4 00000400 00000000 f8efb490
[40026.130886] Call Trace:
[40026.133506]  [<c168aa62>] dump_stack+0x16/0x18
[40026.136115]  [<c103a824>] warn_slowpath_common+0x64/0x80
[40026.138727]  [<f8ec79c9>] ? iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.141319]  [<f8ec79c9>] ? iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.143881]  [<c103a862>] warn_slowpath_null+0x22/0x30
[40026.146453]  [<f8ec79c9>] iwl_mvm_unref+0xc9/0xd0 [iwlmvm]
[40026.149030]  [<f8ec7a4d>] iwl_mvm_mac_reconfig_complete+0x7d/0x210 [iwlmvm]
[40026.151645]  [<f8b74b20>] ? ftrace_raw_event_drv_reconfig_complete+0xc0/0xe0 [mac80211]
[40026.154291]  [<f8b6769e>] ieee80211_reconfig+0x28e/0x2620 [mac80211]
[40026.156920]  [<c10ef0ea>] ? ring_buffer_unlock_commit+0xba/0x100
[40026.159585]  [<f8b4a04d>] ieee80211_resume+0x6d/0x80 [mac80211]
[40026.162206]  [<f8a79722>] wiphy_resume+0x72/0x260 [cfg80211]
[40026.164799]  [<c141e2e7>] ? device_resume+0x57/0x150
[40026.167425]  [<f8a796b0>] ? wiphy_suspend+0x710/0x710 [cfg80211]
[40026.170075]  [<c141e26e>] dpm_run_callback+0x2e/0x50
[40026.172695]  [<c141e321>] device_resume+0x91/0x150
[40026.175334]  [<c141f636>] dpm_resume+0xf6/0x200
[40026.177922]  [<c141f920>] dpm_resume_end+0x10/0x20
[40026.180489]  [<c108d9f7>] suspend_devices_and_enter+0x177/0x480
[40026.183037]  [<c168646a>] ? printk+0x4d/0x4f
[40026.185559]  [<c108de76>] pm_suspend+0x176/0x210
[40026.188065]  [<c108ca5d>] state_store+0x5d/0xb0
[40026.190581]  [<c108ca00>] ? wakeup_count_show+0x50/0x50
[40026.193052]  [<c13208db>] kobj_attr_store+0x1b/0x30
[40026.195608]  [<c11e3a4b>] sysfs_write_file+0xab/0x100
[40026.198055]  [<c11e39a0>] ? sysfs_poll+0xa0/0xa0
[40026.200469]  [<c1179655>] vfs_write+0xa5/0x1c0
[40026.202893]  [<c1179af7>] SyS_write+0x57/0xa0
[40026.205245]  [<c1699ec1>] sysenter_do_call+0x12/0x32
[40026.207619] ---[ end trace db1d5a72a0381b0a ]---

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Reviewed-by: EliadX Peller <eliad@wizery.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:27:12 +03:00
Emmanuel Grumbach
165b3c4f78 iwlwifi: mvm: BT Coex - duplicate the command if sent ASYNC
There are buses that can't handle ASYNC command without
copying them. Duplicate the host command instead.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:27:03 +03:00
Liad Kaufman
18f84673fb iwlwifi: nvm: force mac from otp in case nvm mac is reserved
Take the MAC address from the OTP even if one is present in
the NVM, if that MAC address happens to be a reserved one.

Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:27:02 +03:00
Haim Dreyfuss
2fc863a514 iwlwifi: mvm: Free fw_status after use to avoid memory leak
fw_status is the only pointer pointing to a block of memory
allocated above and should be freed after use.
Note: this comes from the Klocwork static analyzer.

Cc: stable@vger.kernel.org [3.19+]
Fixes: 2021a89d7b ("iwlwifi: mvm: treat netdetect wake up separately")
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-05-21 22:26:59 +03:00
Alex Deucher
6ca121351b drm/radeon: fix error flag checking in native aux path
That atom table does not check these bits.  Fixes aux
regressions on some boards.

Reported-by: Malte Schröder <malte@tnxip.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-05-21 12:43:21 -04:00
Alex Deucher
0f28d1281b drm/radeon: retry dcpd fetch
Retry the dpcd fetch several times.  Some eDP panels
fail several times before the fetch is successful.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=73530

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-05-21 12:43:21 -04:00
Herbert Xu
407d34ef29 xfrm: Always zero high-order sequence number bits
As we're now always including the high bits of the sequence number
in the IV generation process we need to ensure that they don't
contain crap.

This patch ensures that the high sequence bits are always zeroed
so that we don't leak random data into the IV.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2015-05-21 06:56:23 +02:00
Stephane Viau
755c814a7d drm/msm/mdp5: fix incorrect parameter for msm_framebuffer_iova()
The index of ->planes[] array (3rd parameter) cannot be equal to MAX_PLANE.
This looks like a typo that is now fixed.

Signed-off-by: Stephane Viau <sviau@codeaurora.org>
Acked-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-05-21 14:31:45 +10:00
NeilBrown
8532e34390 md/bitmap: remove rcu annotation from pointer arithmetic.
Evaluating  "&mddev->disks" is simple pointer arithmetic, so
it does not need 'rcu' annotations - no dereferencing is happening.

Also enhance the comment to explain that 'rdev' in that case
is not actually a pointer to an rdev.

Reported-by: Patrick Marlier <patrick.marlier@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-05-21 09:14:41 +10:00
Eric Work
a81157768a md/raid0: fix restore to sector variable in raid0_make_request
The variable "sector" in "raid0_make_request()" was improperly updated
by a call to "sector_div()" which modifies its first argument in place.
Commit 47d68979cc restored this variable
after the call for later re-use.  Unfortunately the restore was done after
the referenced variable "bio" was advanced.  This led to the original
value and the restored value being different.  Here we move this line to
the proper place.

One observed side effect of this bug was discarding a file through
unlinking would cause an unrelated file's contents to be discarded.

Signed-off-by: NeilBrown <neilb@suse.de>
Fixes: 47d68979cc ("md/raid0: fix bug with chunksize not a power of 2.")
Cc: stable@vger.kernel.org (any that received above backport)
URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501
2015-05-21 09:14:25 +10:00
Shaohua Li
487696957e raid5: fix broken async operation chain
ops_run_reconstruct6() doesn't correctly chain async operations. The tx returned
by async_gen_syndrome should be added as the dependent tx of next stripe.

The issue is introduced by commit 59fc630b8b
    RAID5: batch adjacent full stripe write

Reported-and-tested-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-05-21 09:14:20 +10:00
Thomas Hellstrom
412dbad2c7 Input: vmmouse - do not reference non-existing version of X driver
The vmmouse Kconfig help text was referring to an incorrect user-space
driver version. Fix this.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-20 14:47:26 -07:00
Hans de Goede
72eceab743 Input: alps - fix finger jumps on lifting 2 fingers on v7 touchpad
On v7 touchpads sometimes when 2 fingers are moved down on the touchpad
until they "fall off" the touchpad, the second touch will report 0 for y
(max y really since the y axis is inverted) and max x as coordinates,
rather than reporting 0, 0 as is expected for a non touching finger.

This commit detects this and treats these touches as non touching.

See the evemu-recording here:
https://bugzilla.redhat.com/attachment.cgi?id=1025058

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1221200
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-05-20 14:46:02 -07:00
Arnd Bergmann
632a686b8f Few minimal omap device tree fixes for v4.1-rc series:
- Disable BeagleBone black RTC-only sleep mode because of hardware
   related issues
 
 - Fix NAND on Devkit8000
 
 - Fix WLAN interrupt line on AM335x EVM-SK
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJVXL5oAAoJEBvUPslcq6VzLeQP/Au/JmqSRNZXVLp+ODzdlKUe
 sFUr1mMWBTp+pD6M+fmipXMGXn0X8t6BiFVyYC1hmD3lJ9SsEExzIT14egwQmiGp
 dcu+bIWbwJyi9RFUL8s68y72WM27J7ZzGwqB9oe0yNznWeYmPwfaECrMfkwiPCc+
 FsJAXkCI2lY+Z5HknAswCsFa2/ARMRFiwL95lEWrOn1w4XqqLiEP4vEMX7zHWiI/
 0uxgpicco0vW9IcA7qUCcDkeLbRxkEE+N08/t2SfHnFTnwhhvRwpquKy1DH8576t
 BfNFoauCYzTbax2Hy7EYShWNwtEw4kiec+6vgevv2nCSBBC+KlvTBpiVwhkZVK8g
 OFeqhVXPpcVamGSOjL6SxO2V6ixQWD2S5C/RsJYMOhRtUcvLcI3Jw2W6K/IvAKM9
 qxU2v+CtNibCfJYdhDkRA920wJY3y9/HKdGrjTOw09vsdFTEKlFF60l3/OFnhvar
 yLHyyh9T4UmeLVJIMX6fQJDTC5xvfGRQLnA0v6YjjT1jTgOOGkrE7szWl81rnf06
 RObpNUih4kRBp7NS4yYabpK0kf82r2t2uEwP1nZ3E2l7mTa3622wqK4zFmO5XKs9
 SsBp9Yfmp0Z4lC7WFhyyegTzuUCZx5F/39q1iGpuwCv/ZbcAUk0TbkvtEKp3W5mJ
 SSdiot7OKuscq2cdFGiO
 =x3Wr
 -----END PGP SIGNATURE-----

Merge tag 'omap-for-v4.1/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

Merge "Few minimal omap device tree fixes for v4.1-rc series" from Tony Lindgren:

- Disable BeagleBone black RTC-only sleep mode because of hardware
  related issues

- Fix NAND on Devkit8000

- Fix WLAN interrupt line on AM335x EVM-SK

* tag 'omap-for-v4.1/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: dts: Fix WLAN interrupt line for AM335x EVM-SK
  ARM: dts: omap3-devkit8000: Fix NAND DT node
  ARM: dts: am335x-boneblack: disable RTC-only sleep
2015-05-20 23:23:10 +02:00
Matthew Finlay
c07678bb01 IB/cma: Fix broken AF_IB UD support
Support for using UD and AF_IB is currently broken.  The
IB_CM_SIDR_REQ_RECEIVED message is not handled properly in
cma_save_net_info() and we end up falling into code that will try and
process the request as ipv4/ipv6, which will end up failing.

The resolution is to add a check for the SIDR_REQ and call
cma_save_ib_info() with a NULL path record.  Change cma_save_ib_info()
to copy the src sib info from the listen_id when the path record is NULL.

Reported-by: Hari Shankar <Hari.Shankar@netapp.com>
Signed-off-by: Matt Finlay <matt@mellanox.com>
Acked-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2015-05-20 16:15:56 -04:00
Minghuan Lian
3ad2a5f576 irqchip/gicv3-its: ITS table size should not be smaller than PSZ
When allocating a device table, if the requested allocation is smaller
than the default granule size of the ITS then, we need to round up to
the default size.

Signed-off-by: Minghuan Lian <Minghuan.Lian@freescale.com>
[ stuart: Added comments and massaged changelog ]
Signed-off-by: Stuart Yoder <stuart.yoder@freescale.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: <linux-arm-kernel@lists.infradead.org>
Cc: <jason@lakedaemon.net>
Link: http://lkml.kernel.org/r/1432134795-661-1-git-send-email-stuart.yoder@freescale.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2015-05-20 22:13:37 +02:00
Federico Sauter
4afe260bab CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
This patch fixes a race condition that occurs when connecting
to an NT 3.51 host without specifying a NetBIOS name.
In that case a RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.
2015-05-20 13:25:55 -05:00
Nakajima Akira
b29103076b Fix to convert SURROGATE PAIR
Garbled characters occur when a surrogate pair is used in a filename
  (each such character is replaced by ??).

[Steps to Reproduce for bug]
client# touch $(echo -e '\xf0\x9d\x9f\xa3')
client# touch $(echo -e '\xf0\x9d\x9f\xa4')
client# ls -li
  You see the same inode number and the same filename (=?? and ??).

Fix the bug that these functions do not take surrogate pairs (and IVS) into account:
cifs_utf16_bytes()
cifs_mapchar()
cifs_from_utf16()
cifsConvertToUTF16()

Reported-by: Nakajima Akira <nakajima.akira@nttcom.co.jp>
Signed-off-by: Nakajima Akira <nakajima.akira@nttcom.co.jp>
Signed-off-by: Steve French <smfrench@gmail.com>
2015-05-20 13:12:51 -05:00
Chengyu Song
00b8c95b68 cifs: potential missing check for posix_lock_file_wait
posix_lock_file_wait may fail under certain circumstances, and its result is
usually checked/returned. But given the complexity of cifs, I'm not sure if
the result is intentionally left unchecked and always expected to succeed.

Signed-off-by: Chengyu Song <csong84@gatech.edu>
Acked-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2015-05-20 13:08:33 -05:00
Nakajima Akira
7196ac113a Fix to check Unique id and FileType when client refer file directly.
When you refer to a file directly on a cifs client
 (e.g. ls -li <filename>, cd <dir>, stat <filename>),
 the function returns the old inode number and filetype from the old inode cache,
 though the server has a different inode number or filetype.

When the server is Windows, the cifs client has the same problem.
When the server is Windows, this patch fixes the bug for a different filetype,
  but does not fix the bug for a different inode number,
because the QUERY_PATH_INFO response from Windows does not include the inode number (Index Number).

BUG INFO
https://bugzilla.kernel.org/show_bug.cgi?id=90021
https://bugzilla.kernel.org/show_bug.cgi?id=90031

Reported-by: Nakajima Akira <nakajima.akira@nttcom.co.jp>
Signed-off-by: Nakajima Akira <nakajima.akira@nttcom.co.jp>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2015-05-20 13:05:25 -05:00
Chris Mason
153c35b6cc Btrfs: fix regression in raid level conversion
Commit 2f0810880f changed
btrfs_set_block_group_ro to avoid trying to allocate new chunks with the
new raid profile during conversion.  This fixed failures when there was
no space on the drive to allocate a new chunk, but the metadata
reserves were sufficient to continue the conversion.

But this ended up causing a regression when the drive had plenty of
space to allocate new chunks, mostly because reduce_alloc_profile isn't
using the new raid profile.

Fixing btrfs_reduce_alloc_profile is a bigger patch.  For now, do a
partial revert of 2f0810880, and don't error out if we hit ENOSPC.

Signed-off-by: Chris Mason <clm@fb.com>
Tested-by: Dave Sterba <dsterba@suse.cz>
Reported-by: Holger Hoffstaette <holger.hoffstaette@googlemail.com>
2015-05-20 11:03:38 -07:00
Ilya Dryomov
521a04d06a Revert "libceph: clear r_req_lru_item in __unregister_linger_request()"
This reverts commit ba9d114ec5.

.. which introduced a regression that prevented all lingering requests
requeued in kick_requests() from ever being sent to the OSDs, resulting
in a lot of missed notifies.  In retrospect it's pretty obvious that
r_req_lru_item item in the case of lingering requests can be used not
only for notarget, but also for unsent linkage due to how tightly
actual map and enqueue operations are coupled in __map_request().

The assertion that was being silenced is taken care of in the previous
("libceph: request a new osdmap if lingering request maps to no osd")
commit: by always kicking homeless lingering requests we ensure that
none of them ends up on the notarget list outside of the critical
section guarded by request_mutex.

Cc: stable@vger.kernel.org # 3.18+, needs b049453221 "libceph: request a new osdmap if lingering request maps to no osd"
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
2015-05-20 21:02:46 +03:00
Ilya Dryomov
b049453221 libceph: request a new osdmap if lingering request maps to no osd
This commit does two things.  First, if there are any homeless
lingering requests, we now request a new osdmap even if the osdmap that
is being processed brought no changes, i.e. if a given lingering
request turned homeless in one of the previous epochs and remained
homeless in the current epoch.  Not doing so leaves us with a stale
osdmap and as a result we may miss our window for reestablishing the
watch and lose notifies.

MON=1 OSD=1:

    # cat linger-needmap.sh
    #!/bin/bash
    rbd create --size 1 test
    DEV=$(rbd map test)
    ceph osd out 0
    rbd map dne/dne # obtain a new osdmap as a side effect (!)
    sleep 1
    ceph osd in 0
    rbd resize --size 2 test
    # rbd info test | grep size -> 2M
    # blockdev --getsize $DEV -> 1M

N.B.: Not obtaining a new osdmap in between "osd out" and "osd in"
above is enough to make it miss that resize notify, but that is a
bug^Wlimitation of ceph watch/notify v1.

Second, homeless lingering requests are now kicked just like those
lingering requests whose mapping has changed.  This is mainly to
recognize that a homeless lingering request makes no sense and to
preserve the invariant that a registered lingering request is not
sitting on any of r_req_lru_item lists.  This spares us a WARN_ON,
which commit ba9d114ec5 ("libceph: clear r_req_lru_item in
__unregister_linger_request()") tried to fix the _wrong_ way.

Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
2015-05-20 21:02:14 +03:00
Romain Izard
f25bf74c88 ARM: dts: Fix WLAN interrupt line for AM335x EVM-SK
While Sitara AM335x SoCs are very close to OMAP SoCs, the 32-line GPIO
controllers are numbered from 0 on AM335x and from 1 on OMAP. But when
the configuration for the TI WLAN controllers was converted from
platform data to device tree, this detail was overlooked, as 10 boards
were using OMAP with the WL12xx and WL18xx controllers, and only one
was based on AM335x.

This invalid configuration prevents the WL1271 module on the AM335x
EVM-SK from notifying interrupts to the SoC, and breaks the wlan driver.

The DTS must be corrected to use the correct GPIO controller.

Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
2015-05-20 10:00:10 -07:00
Anthoine Bourgeois
ed38c6573b ARM: dts: omap3-devkit8000: Fix NAND DT node
Add nand-ecc-opt and device-width properties to enable nand support on
Devkit8000.

Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
2015-05-20 10:00:10 -07:00
Robert Nelson
3d76be5b93 ARM: dts: am335x-boneblack: disable RTC-only sleep
Fixes: http://bugs.elinux.org/issues/143

Entering RTC-only sleep is only properly supported on early prototype series
(pre-A6) of the BeagleBone Black.  Since rev (A6A), which includes all production
versions, it is not supported at all, due to:

(rev A6) enable of the 3v3b regulator moved from LDO2 to LDO4 (3v3a)
side-effect: 3v3b rail remains on in sleep-mode (also in off-mode when battery-powered)

(rev A6A) am335x vdds supply moved from LDO3 to LDO1
side-effect: vdds remains supplied in sleep-mode

Reported-by: Matthijs van Duin <matthijsvanduin@gmail.com>
Tested-by: Matthijs van Duin <matthijsvanduin@gmail.com>
Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Felipe Balbi <balbi@ti.com>
Cc: Johan Hovold <johan@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
2015-05-20 10:00:10 -07:00
Ted Kim
c29ed5a456 ib/cm: Change reject message type when destroying cm_id
Problem reported by: Ted Kim <ted.h.kim@oracle.com>:

We have a case where a Linux system and a non-Linux system are
trying to interoperate.  The Linux host is the active side and
starts the connection establishment, but later decides to not go
through with the connection setup and does rdma_destroy_id().

The rdma_destroy_id() eventually works its way down to cm_destroy_id()
in core/cm.c, where a REJ is sent. The non-Linux system
has some trouble recognizing the REJ because of:

A. CM states which can't receive the REJ
B. Some issues about REJ formatting (missing comm ID)

ISSUE A: That part of the spec says, a Consumer Reject REJ can be
sent for a connection abort, but it goes further
and says: can send a REJ message with a "Consumer Reject"
Reason code if they are in a CM state (i.e. REP
Rcvd, MRA(REP) Sent, REQ Rcvd, MRA Sent) that allows
a REJ to be sent (lines 35-38).

Of the states listed there in that sentence, it would
seem to limit the active side to using the Consumer Reject
(for the abort case) in just the REP-Rcvd and MRA-REP-Sent
states. That is basically only after the active side
sees a REP (or alternatively goes down the state transitions
to timeout in which case a Timeout REJ is sent).

As a fix, in cm_destroy_id() move the IB-CM-MRA-REQ-RCVD case
to the same as REQ-SENT.  Essentially, make a REJ sent after
getting an MRA on active side a timeout rather than Consumer-
Reject, which is arguably more correct with the CM state
diagrams previous to getting a REP.

Signed-off-by: Ted Kim <ted.h.kim@oracle.com>
Signed-off-by: Sean Hefty <sean.hefty@intel.com>
2015-05-20 12:41:38 -04:00
Dan Carpenter
65c3b205eb CIFS: remove an unneeded NULL check
Smatch complains because we dereference "ses->server" without checking
some lines earlier inside the call to get_next_mid(ses->server).

	fs/cifs/cifssmb.c:4921 CIFSGetDFSRefer()
	warn: variable dereferenced before check 'ses->server' (see line 4899)

There is only one caller for this function get_dfs_path() and it always
passes a non-null "ses->server" pointer so this NULL check can be
removed.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2015-05-20 11:36:16 -05:00
Tim Beale
c15e10e71c net: phy: Make sure phy_start() always re-enables the phy interrupts
This is an alternative way of fixing:
 commit db9683fb41 ("net: phy: Make sure PHY_RESUMING state change
                      is always processed")

When the PHY state transitions from PHY_HALTED to PHY_RESUMING, there are
two things we need to do:
1). Re-enable interrupts (and power up the physical link, if powered down)
2). Update the PHY state and net-device based on the link status.

There's no strict reason why #1 has to be done from within the main
phy_state_machine() function. There is a risk that other changes to the
PHY (e.g. setting speed/duplex, which calls phy_start_aneg()) could cause
a subsequent state transition before phy_state_machine() has processed
the PHY_RESUMING state change. This would leave the PHY with interrupts
disabled and/or still in the BMCR_PDOWN/low-power mode.

Moving enabling the interrupts and phy_resume() into phy_start() will
guarantee this work always gets done. As the PHY is already in the HALTED
state and interrupts are disabled, it shouldn't conflict with any work
being done in phy_state_machine(). The downside of this change is that if
the PHY_RESUMING state is ever entered from anywhere else, it'll also have
to repeat this work.

Signed-off-by: Tim Beale <tim.beale@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:22:08 -04:00
David S. Miller
7764b9dd38 Merge branch 'ipv6_ecmp_fixes'
Michal Kubecek says:

====================
IPv6 ECMP route add/replace fixes

(1) When adding a nexthop of a multipath route fails (e.g. because of a
conflict with an existing route), we are supposed to delete nexthops
already added. However, currently we try to also delete all nexthops we
haven't even tried to add yet so that a "ip route add" command can
actually remove pre-existing routes if it fails.

(2) Attempt to replace a multipath route results in a broken siblings
linked list. Following commands (like "ip route del") can then either
follow a link into freed memory or end in an infinite loop (if the slab
object has been reused).

v2: fix an omission in first patch

v3: change the semantics of replace operation to better match IPv4
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:26 -04:00
Michal Kubeček
2759647247 ipv6: fix ECMP route replacement
When replacing an IPv6 multipath route with "ip route replace", i.e.
NLM_F_CREATE | NLM_F_REPLACE, fib6_add_rt2node() replaces only first
matching route without fixing its siblings, resulting in corrupted
siblings linked list; removing one of the siblings can then end in an
infinite loop.

IPv6 ECMP implementation is a bit different from IPv4 so that route
replacement cannot work in exactly the same way. This should be a
reasonable approximation:

1. If the new route is ECMP-able and there is a matching ECMP-able one
already, replace it and all its siblings (if any).

2. If the new route is ECMP-able and no matching ECMP-able route exists,
replace first matching non-ECMP-able (if any) or just add the new one.

3. If the new route is not ECMP-able, replace first matching
non-ECMP-able route (if any) or add the new route.

We also need to remove the NLM_F_REPLACE flag after replacing old
route(s) by first nexthop of an ECMP route so that each subsequent
nexthop does not replace previous one.

Fixes: 51ebd31815 ("ipv6: add support of equal cost multipath (ECMP)")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:26 -04:00
Michal Kubeček
35f1b4e96b ipv6: do not delete previously existing ECMP routes if add fails
If adding a nexthop of an IPv6 multipath route fails, comment in
ip6_route_multipath() says we are going to delete all nexthops already
added. However, current implementation deletes even the routes it
hasn't even tried to add yet. For example, running

  ip route add 1234:5678::/64 \
      nexthop via fe80::aa dev dummy1 \
      nexthop via fe80::bb dev dummy1 \
      nexthop via fe80::cc dev dummy1

twice results in removing all routes first command added.

Limit the second (delete) run to nexthops that succeeded in the first
(add) run.

Fixes: 51ebd31815 ("ipv6: add support of equal cost multipath (ECMP)")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 12:02:25 -04:00
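The two ECMP commits above specify behaviour precisely enough to model. The following C program is an added example written for this page, not kernel code: `route_add()` applies the three replacement rules from "ipv6: fix ECMP route replacement" to a flat toy table, and `multipath_add()` shows both the NLM_F_REPLACE clearing after the first nexthop and the rollback limited to nexthops actually added from "ipv6: do not delete previously existing ECMP routes if add fails". The table layout, the `prefix`/`ecmp` fields, `F_REPLACE` and the scenario functions are assumptions of the model; "matching" here means equal `prefix`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: "prefix" stands in for destination
 * prefix plus metric, "ecmp" for a multipath-capable route. */
#define MAX_ROUTES 16
#define F_REPLACE  0x1                /* models NLM_F_REPLACE */

struct route {
    uint32_t prefix;
    uint32_t nexthop;
    bool ecmp;
};

struct table {
    struct route r[MAX_ROUTES];
    size_t n;
};

static void table_del(struct table *t, size_t i)
{
    memmove(&t->r[i], &t->r[i + 1], (t->n - i - 1) * sizeof(t->r[0]));
    t->n--;
}

static int find_route(const struct table *t, uint32_t prefix, uint32_t nh)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->r[i].prefix == prefix && t->r[i].nexthop == nh)
            return (int)i;
    return -1;
}

/* Add one route; with F_REPLACE, apply the three rules from the commit. */
int route_add(struct table *t, const struct route *nr, unsigned flags)
{
    size_t i, removed = 0;
    if (!(flags & F_REPLACE)) {
        if (find_route(t, nr->prefix, nr->nexthop) >= 0)
            return -EEXIST;           /* plain add: conflicts with existing */
    } else if (nr->ecmp) {            /* rule 1: drop match and all siblings */
        for (i = 0; i < t->n;) {
            if (t->r[i].prefix != nr->prefix || !t->r[i].ecmp) { i++; continue; }
            table_del(t, i);
            removed++;
        }
    }
    if ((flags & F_REPLACE) && !removed)  /* rules 2 and 3 */
        for (i = 0; i < t->n; i++)
            if (t->r[i].prefix == nr->prefix && !t->r[i].ecmp) {
                t->r[i] = *nr;
                return 0;
            }
    if (t->n == MAX_ROUTES)
        return -ENOMEM;
    t->r[t->n++] = *nr;
    return 0;
}

/* Multipath add: F_REPLACE is dropped after the first nexthop so the rest
 * become siblings; on failure only nexthops this call added are undone. */
int multipath_add(struct table *t, uint32_t prefix, const uint32_t *nh, size_t n, unsigned flags)
{
    size_t added = 0;
    int err = 0;
    for (; added < n; added++) {
        struct route nr = { .prefix = prefix, .nexthop = nh[added], .ecmp = true };
        err = route_add(t, &nr, flags);
        if (err)
            break;
        flags &= ~F_REPLACE;
    }
    while (err && added-- > 0) {      /* roll back only what we inserted */
        int idx = find_route(t, prefix, nh[added]);
        if (idx >= 0)
            table_del(t, (size_t)idx);
    }
    return err;
}

/* The commit's example: the same 3-nexthop add issued twice; the second
 * fails with -EEXIST on its first nexthop and must remove nothing. */
size_t scenario_add_twice(void)
{
    struct table t = { .n = 0 };
    uint32_t nh[3] = { 0xaa, 0xbb, 0xcc };
    multipath_add(&t, 1, nh, 3, 0);
    multipath_add(&t, 1, nh, 3, 0);
    return t.n;                       /* 3 */
}

/* Rule 2 then rule 1: a single route is replaced by a 2-nexthop ECMP route,
 * which is then replaced whole by a 3-nexthop one. */
size_t scenario_replace(void)
{
    struct table t = { .n = 0 };
    struct route single = { .prefix = 1, .nexthop = 0x11, .ecmp = false };
    uint32_t oldnh[2] = { 0xaa, 0xbb }, newnh[3] = { 0xcc, 0xdd, 0xee };
    route_add(&t, &single, 0);
    multipath_add(&t, 1, oldnh, 2, F_REPLACE);
    multipath_add(&t, 1, newnh, 3, F_REPLACE);
    return t.n;                       /* 3 */
}
```

If `multipath_add()` did not clear `F_REPLACE`, `scenario_replace()` would end with a single route (each nexthop replacing the previous one); if rule 1 did not remove siblings it would end with five. Likewise, a rollback that walked all requested nexthops instead of `added` would empty the table in `scenario_add_twice()`.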
Arnd Bergmann
aad3ae05bb The i.MX fixes for 4.1, 2nd round:
 - Fix i.MX27 FEC register map which overlaps the SCC (Security
   Controller) register space.
 - Fix i.MX27 DTB build rule which was wrongly controlled by i.MX31
   option.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJVXKvPAAoJEFBXWFqHsHzOlHUIALL81/Xeud8GZP2VC2ZTR3UH
 KaxkbokwccRYc7mISXWzivnxjS8JDmlc1F8WP1ZcMN+OV32oJuf8GXNZkfujj27c
 f4Aml/S0rTO4bkP1zgVyNPAWpC/4f4xvcNXcGpsyd8vJ9qQaoRuhqE9Tz64no8ho
 SNHvw3hSzgPhrlnYuQ5z6/5/765XI7UnWjYmsotR9qwvhQr2GwVmvo/jNY77UTIO
 0Z7f/oUziUPHfdM3wxeOMFqPczV1eKU6YsKPCoOFdwiJJLH2qjSbzlSCksHldA2Y
 ewtzfY5j4tMogTgZVAMAojILiwsXT8glRJqi9z+xtzO1hC7tkYJm3g2Umbc6bV8=
 =HJpq
 -----END PGP SIGNATURE-----

Merge tag 'imx-fixes-4.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes

Merge "The i.MX fixes for 4.1, 2nd round" from Shawn Guo:

 - Fix i.MX27 FEC register map which overlaps the SCC (Security
   Controller) register space.
 - Fix i.MX27 DTB build rule which was wrongly controlled by i.MX31
   option.

* tag 'imx-fixes-4.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
  ARM: dts: fix imx27 dtb build rule
  ARM: dts: imx27: only map 4 Kbyte for fec registers
2015-05-20 17:51:28 +02:00
Steve French
1dc92c450a [cifs] fix null pointer check
Dan Carpenter pointed out an inconsistent null pointer check
in smb2_hdr_assemble that was pointed out by static checker.

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Sachin Prabhu <sprabhu@redhat.com>
CC: Dan Carpenter <dan.carpenter@oracle.com>
2015-05-20 09:32:21 -05:00
Rafał Miłecki
c411ead995 ssb: extend fix for PCI related silent reboots to all chipsets
Recent fix for BCM4704 reboots has to be extended as the same problem
affects Linksys WRT350N v1 (BCM4705).

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Reported-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2015-05-20 16:36:06 +03:00
Michal Kazior
f9dca80b98 mac80211: fix AP_VLAN crypto tailroom calculation
Some splats I was seeing:

 (a) WARNING: CPU: 1 PID: 0 at /devel/src/linux/net/mac80211/wep.c:102 ieee80211_wep_add_iv
 (b) WARNING: CPU: 1 PID: 0 at /devel/src/linux/net/mac80211/wpa.c:73 ieee80211_tx_h_michael_mic_add
 (c) WARNING: CPU: 3 PID: 0 at /devel/src/linux/net/mac80211/wpa.c:433 ieee80211_crypto_ccmp_encrypt

I've seen (a) and (b) with ath9k hw crypto and (c)
with ath9k sw crypto. All of them were related to
insufficient skb tailroom and I was able to
trigger these with ping6 program.

AP_VLANs may inherit crypto keys from parent AP.
This wasn't considered and yielded problems in
some setups resulting in inability to transmit
data because mac80211 wouldn't resize skbs when
necessary and subsequently drop some packets due
to insufficient tailroom.

For efficiency purposes don't inspect both AP_VLAN
and AP sdata looking for tailroom counter. Instead
update AP_VLAN tailroom counters whenever their
master AP tailroom counter changes.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-05-20 15:10:11 +02:00
Johannes Berg
252ec2b3aa mac80211: don't split remain-on-channel for coalescing
Due to remain-on-channel scheduling delays, when we split an ROC
while coalescing, we'll usually get a picture like this:

existing ROC:  |------------------|
current time:              ^
new ROC:                   |------|              |-------|

If the expected response frames are then transmitted by the peer
in the hole between the two fragments of the new ROC, we miss
them and the process (e.g. ANQP query) fails.

mac80211 expects that the window to miss something is small:

existing ROC:  |------------------|
new ROC:                   |------||-------|

but that's normally not the case.

To avoid this problem, coalesce only if the new ROC's duration
is <= the remaining time on the existing one:

existing ROC:  |------------------|
new ROC:                   |-----|

and never split a new one but schedule it afterwards instead:

existing ROC:  |------------------|
new ROC:                                       |-------------|

type=bugfix
bug=not-tracked
fixes=unknown

Reported-by: Matti Gottlieb <matti.gottlieb@intel.com>
Reviewed-by: EliadX Peller <eliad@wizery.com>
Reviewed-by: Matti Gottlieb <matti.gottlieb@intel.com>
Tested-by: Matti Gottlieb <matti.gottlieb@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-05-20 15:09:22 +02:00
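The scheduling rule in the commit above, as an added C model written for this page (not mac80211 code). `roc_schedule()` implements the new policy: coalesce only when the new duration fits in the remaining time of the existing ROC, otherwise queue the whole request after it. `roc_split()` models the previous split-with-delay behaviour for comparison, and the `*_receives()` helpers check whether a peer's answer, arriving `rtt` ms after the request goes out at the start of the ROC, lands inside an active ROC. Millisecond timing, the `sched_delay` and the response model are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of remain-on-channel (ROC) scheduling; not mac80211
 * code. All times are in ms. */
struct roc {
    uint32_t start;
    uint32_t duration;
};

enum roc_decision { ROC_COALESCE, ROC_QUEUE_AFTER };

static uint32_t roc_end(const struct roc *r)
{
    return r->start + r->duration;
}

/* Is time t inside ROC r? */
static bool roc_covers(const struct roc *r, uint32_t t)
{
    return t >= r->start && t < roc_end(r);
}

/* New policy: coalesce only if the request fits in the remaining time of
 * the existing ROC, otherwise queue it whole afterwards. Never split. */
enum roc_decision roc_schedule(const struct roc *existing, uint32_t now,
                               uint32_t new_duration, struct roc *out)
{
    uint32_t end = roc_end(existing);
    uint32_t remaining = now < end ? end - now : 0;

    out->duration = new_duration;
    if (new_duration <= remaining) {
        out->start = now;                 /* rides on the existing ROC */
        return ROC_COALESCE;
    }
    out->start = now > end ? now : end;   /* contiguous, afterwards */
    return ROC_QUEUE_AFTER;
}

/* Previous behaviour, modelled for comparison: the part that fits is
 * coalesced and the remainder is rescheduled after a scheduling delay,
 * leaving a hole between the two fragments. */
static void roc_split(const struct roc *existing, uint32_t now,
                      uint32_t new_duration, uint32_t sched_delay,
                      struct roc frag[2])
{
    uint32_t end = roc_end(existing);
    uint32_t remaining = now < end ? end - now : 0;
    uint32_t first = new_duration < remaining ? new_duration : remaining;

    frag[0].start = now;
    frag[0].duration = first;
    frag[1].start = end + sched_delay;
    frag[1].duration = new_duration - first;
}

/* The request frame goes out when the ROC begins; the peer answers `rtt`
 * ms later. Does the answer land inside an active ROC under each policy? */
bool split_receives(uint32_t ex_start, uint32_t ex_dur, uint32_t now,
                    uint32_t new_dur, uint32_t sched_delay, uint32_t rtt)
{
    struct roc ex = { ex_start, ex_dur }, frag[2];
    uint32_t t;

    roc_split(&ex, now, new_dur, sched_delay, frag);
    t = frag[0].start + rtt;
    return roc_covers(&frag[0], t) || roc_covers(&frag[1], t);
}

bool sched_receives(uint32_t ex_start, uint32_t ex_dur, uint32_t now,
                    uint32_t new_dur, uint32_t rtt)
{
    struct roc ex = { ex_start, ex_dur }, r;

    roc_schedule(&ex, now, new_dur, &r);
    return roc_covers(&r, r.start + rtt);
}

/* Decision only, with scalar arguments for easy checking. */
enum roc_decision sched_decision(uint32_t ex_start, uint32_t ex_dur,
                                 uint32_t now, uint32_t new_dur)
{
    struct roc ex = { ex_start, ex_dur }, r;

    return roc_schedule(&ex, now, new_dur, &r);
}
```

With an existing ROC of 100 ms, a new 80 ms request arriving at t=60 and a 30 ms scheduling delay, the split policy listens during [60,100) and [130,170), so an answer 50 ms after the request (t=110) is lost; the queue-after policy listens during [100,180) and catches it at t=150. The cost is latency, not a missed response.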
Florian Westphal
faecbb45eb Revert "netfilter: bridge: query conntrack about skb dnat"
This reverts commit c055d5b03b.

There are two issues:
'dnat_took_place' made me think that this is related to
-j DNAT/MASQUERADE.

But that's only one part of the story.  This is also relevant for SNAT
when we undo snat translation in reverse/reply direction.

Furthermore, I originally wanted to do this mainly to avoid
storing ipv6 addresses once we make DNAT/REDIRECT work
for ipv6 on bridges.

However, I forgot about SNPT/DNPT which is stateless.

So we can't escape storing address for ipv6 anyway. Might as
well do it for ipv4 too.

Reported-and-tested-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:51:25 +02:00
Dave Jones
1086bbe97a netfilter: ensure number of counters is >0 in do_replace()
After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:46:49 +02:00
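The stack trace above is a user-controlled size reaching the allocator unvalidated. The following C model is an added example for this page, not the kernel's `do_replace()`: `do_replace_unchecked()` passes `num_counters` straight to a stand-in for `vzalloc()`, which, like the real one, treats a zero-byte request as a caller bug; `do_replace_checked()` rejects a zero (or absurd) count before any allocation. The `struct replace_hdr` layout, the `MAX_COUNTERS` bound, `vzalloc_model()` and `try_replace()` are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the setsockopt() table-replace path; field and
 * function names are illustrative, not the kernel's. */
struct replace_hdr {
    uint32_t num_entries;
    uint32_t size;
    uint32_t num_counters;   /* the field the fuzzer left uninitialised */
};

struct counter {
    uint64_t pcnt;
    uint64_t bcnt;
};

/* Assumed upper bound; it also keeps num_counters * sizeof(struct counter)
 * far below SIZE_MAX, so the multiplication below cannot wrap. */
#define MAX_COUNTERS (1u << 20)

static int g_alloc_warnings;

/* Stand-in for vzalloc(): a zero-byte request is a caller bug and is
 * reported loudly, which is the warn_alloc_failed() in the trace above. */
static void *vzalloc_model(size_t size)
{
    if (size == 0) {
        g_alloc_warnings++;
        return NULL;
    }
    return calloc(1, size);
}

/* Before: the user-supplied header is trusted as-is. */
int do_replace_unchecked(const struct replace_hdr *tmp, struct counter **out)
{
    *out = vzalloc_model((size_t)tmp->num_counters * sizeof(struct counter));
    return *out ? 0 : -ENOMEM;
}

/* After: validate the count before anything is allocated. */
int validate_counters(const struct replace_hdr *tmp, size_t *bytes)
{
    if (tmp->num_counters == 0 || tmp->num_counters > MAX_COUNTERS)
        return -EINVAL;
    *bytes = (size_t)tmp->num_counters * sizeof(struct counter);
    return 0;
}

int do_replace_checked(const struct replace_hdr *tmp, struct counter **out)
{
    size_t bytes;
    int err = validate_counters(tmp, &bytes);

    if (err)
        return err;
    *out = vzalloc_model(bytes);
    return *out ? 0 : -ENOMEM;
}

/* Push one header through a path and return its error code. */
int try_replace(int (*path)(const struct replace_hdr *, struct counter **),
                uint32_t num_counters)
{
    struct replace_hdr hdr = { .num_entries = 1, .size = 0,
                               .num_counters = num_counters };
    struct counter *c = NULL;
    int err = path(&hdr, &c);

    free(c);
    return err;
}

int alloc_warnings(void)
{
    return g_alloc_warnings;
}
```

The unchecked path turns a garbage header into an allocator warning and -ENOMEM; the checked path returns -EINVAL without touching the allocator. The same shape of check applies wherever a count copied from userspace is multiplied into an allocation size.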
Francesco Ruggeri
3bfe049807 netfilter: nfnetlink_{log,queue}: Register pernet in first place
nfnetlink_{log,queue}_init() register the netlink callback nf*_rcv_nl_event
before registering the pernet_subsys, but the callback relies on data
structures allocated by pernet init functions.

When nfnetlink_{log,queue} is loaded, if a netlink message is received after
the netlink callback is registered but before the pernet_subsys is registered,
the kernel will panic in the sequence

nfulnl_rcv_nl_event
  nfnl_log_pernet
    net_generic
      BUG_ON(id == 0)  where id is nfnl_log_net_id.

The panic can be easily reproduced in 4.0.3 by:

while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
while true ;do ip netns add dummy ; ip netns del dummy ; done &

This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.

Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
["netns: remove BUG_ONs from net_generic()"].

Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-05-20 13:46:48 +02:00
Liang Li
c447e76b4c kvm/fpu: Enable eager restore kvm FPU for MPX
The MPX feature requires eager KVM FPU restore support. We have verified
that MPX cannot work correctly with the current lazy KVM FPU restore
mechanism. Eager KVM FPU restore should be enabled if the MPX feature is
exposed to VM.

Signed-off-by: Yang Zhang <yang.z.zhang@intel.com>
Signed-off-by: Liang Li <liang.z.li@intel.com>
[Also activate the FPU on AMD processors. - Paolo]
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-05-20 12:30:26 +02:00
Paolo Bonzini
0fdd74f778 Revert "KVM: x86: drop fpu_activate hook"
This reverts commit 4473b570a7.  We'll
use the hook again.

Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-05-20 12:30:15 +02:00
Andrea Arcangeli
e8fd5e9e99 kvm: fix crash in kvm_vcpu_reload_apic_access_page
memslot->userfault_addr is set by the kernel with a mmap executed
from the kernel but the userland can still munmap it and lead to the
below oops after memslot->userfault_addr points to a host virtual
address that has no vma or mapping.

[  327.538306] BUG: unable to handle kernel paging request at fffffffffffffffe
[  327.538407] IP: [<ffffffff811a7b55>] put_page+0x5/0x50
[  327.538474] PGD 1a01067 PUD 1a03067 PMD 0
[  327.538529] Oops: 0000 [#1] SMP
[  327.538574] Modules linked in: macvtap macvlan xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT iptable_filter ip_tables tun bridge stp llc rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ipmi_devintf iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp dcdbas intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd pcspkr sb_edac edac_core ipmi_si ipmi_msghandler acpi_pad wmi acpi_power_meter lpc_ich mfd_core mei_me
[  327.539488]  mei shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc mlx4_ib ib_sa ib_mad ib_core mlx4_en vxlan ib_addr ip_tunnel xfs libcrc32c sd_mod crc_t10dif crct10dif_common crc32c_intel mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm drm ahci i2c_core libahci mlx4_core libata tg3 ptp pps_core megaraid_sas ntb dm_mirror dm_region_hash dm_log dm_mod
[  327.539956] CPU: 3 PID: 3161 Comm: qemu-kvm Not tainted 3.10.0-240.el7.userfault19.4ca4011.x86_64.debug #1
[  327.540045] Hardware name: Dell Inc. PowerEdge R420/0CN7CM, BIOS 2.1.2 01/20/2014
[  327.540115] task: ffff8803280ccf00 ti: ffff880317c58000 task.ti: ffff880317c58000
[  327.540184] RIP: 0010:[<ffffffff811a7b55>]  [<ffffffff811a7b55>] put_page+0x5/0x50
[  327.540261] RSP: 0018:ffff880317c5bcf8  EFLAGS: 00010246
[  327.540313] RAX: 00057ffffffff000 RBX: ffff880616a20000 RCX: 0000000000000000
[  327.540379] RDX: 0000000000002014 RSI: 00057ffffffff000 RDI: fffffffffffffffe
[  327.540445] RBP: ffff880317c5bd10 R08: 0000000000000103 R09: 0000000000000000
[  327.540511] R10: 0000000000000000 R11: 0000000000000000 R12: fffffffffffffffe
[  327.540576] R13: 0000000000000000 R14: ffff880317c5bd70 R15: ffff880317c5bd50
[  327.540643] FS:  00007fd230b7f700(0000) GS:ffff880630800000(0000) knlGS:0000000000000000
[  327.540717] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  327.540771] CR2: fffffffffffffffe CR3: 000000062a2c3000 CR4: 00000000000427e0
[  327.540837] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  327.540904] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  327.540974] Stack:
[  327.541008]  ffffffffa05d6d0c ffff880616a20000 0000000000000000 ffff880317c5bdc0
[  327.541093]  ffffffffa05ddaa2 0000000000000000 00000000002191bf 00000042f3feab2d
[  327.541177]  00000042f3feab2d 0000000000000002 0000000000000001 0321000000000000
[  327.541261] Call Trace:
[  327.541321]  [<ffffffffa05d6d0c>] ? kvm_vcpu_reload_apic_access_page+0x6c/0x80 [kvm]
[  327.543615]  [<ffffffffa05ddaa2>] vcpu_enter_guest+0x3f2/0x10f0 [kvm]
[  327.545918]  [<ffffffffa05e2f10>] kvm_arch_vcpu_ioctl_run+0x2b0/0x5a0 [kvm]
[  327.548211]  [<ffffffffa05e2d02>] ? kvm_arch_vcpu_ioctl_run+0xa2/0x5a0 [kvm]
[  327.550500]  [<ffffffffa05ca845>] kvm_vcpu_ioctl+0x2b5/0x680 [kvm]
[  327.552768]  [<ffffffff810b8d12>] ? creds_are_invalid.part.1+0x12/0x50
[  327.555069]  [<ffffffff810b8d71>] ? creds_are_invalid+0x21/0x30
[  327.557373]  [<ffffffff812d6066>] ? inode_has_perm.isra.49.constprop.65+0x26/0x80
[  327.559663]  [<ffffffff8122d985>] do_vfs_ioctl+0x305/0x530
[  327.561917]  [<ffffffff8122dc51>] SyS_ioctl+0xa1/0xc0
[  327.564185]  [<ffffffff816de829>] system_call_fastpath+0x16/0x1b
[  327.566480] Code: 0b 31 f6 4c 89 e7 e8 4b 7f ff ff 0f 0b e8 24 fd ff ff e9 a9 fd ff ff 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <48> f7 07 00 c0 00 00 55 48 89 e5 75 2a 8b 47 1c 85 c0 74 1e f0

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-05-20 12:30:06 +02:00
Ping Cheng
26ba61f871 HID: wacom: fix an Oops caused by wacom_wac_finger_count_touches
We assumed all touch interfaces report touch data. But, Bamboo
and Intuos non-touch devices report express keys on touch
interface. We need to check touch_max before counting touches.

Reported-by: Tasos Sahanidis <tasos@tasossah.com>
Signed-off-by: Ping Cheng <pingc@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2015-05-20 12:00:29 +02:00
Ingo Molnar
e88221c50c x86/fpu: Disable XSAVES* support for now
The kernel's handling of 'compacted' xsave state layout is buggy:

    http://marc.info/?l=linux-kernel&m=142967852317199

I don't have such a system, and the description there is vague, but
from extrapolation I guess that there were two kinds of bugs
observed:

  - boot crashes, due to size calculations being wrong and the dynamic
    allocation allocating a too small xstate area. (This is now fixed
    in the new FPU code - but still present in stable kernels.)

  - FPU state corruption and ABI breakage: if signal handlers try to
    change the FPU state in standard format, which then the kernel
    tries to restore in the compacted format.

These breakages are scary, but they only occur on a small number of
systems that have XSAVES* CPU support. Yet we have had XSAVES support
in the upstream kernel for a large number of stable kernel releases,
and the fixes are involved and unproven.

So do the safe resolution first: disable XSAVES* support and only
use the standard xstate format. This makes the code work and is
easy to backport.

On top of this we can work on enabling (and testing!) proper
compacted format support, without backporting pressure, on top of the
new, cleaned up FPU code.

Cc: <stable@vger.kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-05-20 11:58:26 +02:00
Bjørn Mork
5fb73bc2c8 thinkpad_acpi: Revert unintentional device attribute renaming
The conversion to DEVICE_ATTR_* macros failed to fixup a few cases where
the old attribute names didn't match the show/store function names.
Instead of renaming the functions, the attributes were renamed. This
caused an unintentional API change.  The hwmon-required 'name' attribute
was among the renamed attributes, causing libsensors to fail to detect
the hwmon device at all.

Fix by using the DEVICE_ATTR macro for these attributes, allowing the
show/store functions to keep their system specific prefixes.

Fixes: b4dd04ac6e ("thinkpad_acpi: use DEVICE_ATTR_* macros")
Cc: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
2015-05-20 02:18:12 -07:00
Takashi Iwai
219f47e4f9 ALSA: hda - Disable widget power-saving for ALC292 & co
We've got reports that ALC3226 (a Dell variant of ALC292) gives click
noises at transition from D3 to D0 when the widget power-saving is
enabled.  Further debugging session showed that avoiding it isn't
trivial, unfortunately, since paths are basically activated
dynamically while the pins have been already enabled.

This patch disables the widget power-saving for such codecs.

Reported-by: Jonathan McDowell <noodles@earth.li>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-05-20 06:56:23 +02:00