commit e9fd6ddcabf8695329f2462d3ece5a8442f2a8cf Author: Sasha Levin Date: Fri Aug 7 15:08:04 2015 -0400 Linux 3.18.20 Signed-off-by: Sasha Levin commit df0e5109cfea25f842bf99f567aac20ac9ef78fe Author: Ming Lei Date: Tue Apr 21 10:00:20 2015 +0800 blk-mq: fix CPU hotplug handling [ Upstream commit 2a34c0872adf252f23a6fef2d051a169ac796cef ] hctx->tags has to be set as NULL in case that it is to be unmapped no matter if set->tags[hctx->queue_num] is NULL or not in blk_mq_map_swqueue() because shared tags can be freed already from another request queue. The same situation has to be considered during handling CPU online too. Unmapped hw queue can be remapped after CPU topo is changed, so we need to allocate tags for the hw queue in blk_mq_map_swqueue(). Then tags allocation for hw queue can be removed in hctx cpu online notifier, and it is reasonable to do that after mapping is updated. Cc: Reported-by: Dongsu Park Tested-by: Dongsu Park Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bda69f1aaee53837ba22e2ea149219dff486f542 Author: Mike Christie Date: Mon Apr 20 22:42:24 2015 -0500 SCSI: add 1024 max sectors black list flag [ Upstream commit 35e9a9f93994d7f7d12afa41169c7ba05513721b ] This works around a issue with qnap iscsi targets not handling large IOs very well. The target returns: VPD INQUIRY: Block limits page (SBC) Maximum compare and write length: 1 blocks Optimal transfer length granularity: 1 blocks Maximum transfer length: 4294967295 blocks Optimal transfer length: 4294967295 blocks Maximum prefetch, xdread, xdwrite transfer length: 0 blocks Maximum unmap LBA count: 8388607 Maximum unmap block descriptor count: 1 Optimal unmap granularity: 16383 Unmap granularity alignment valid: 0 Unmap granularity alignment: 0 Maximum write same length: 0xffffffff blocks Maximum atomic transfer length: 0 Atomic alignment: 0 Atomic transfer length granularity: 0 and it is *sometimes* able to handle at least one IO of size up to 8 MB. We have seen in traces where it will sometimes work, but other times it looks like it fails and it looks like it returns failures if we send multiple large IOs sometimes. Also it looks like it can return 2 different errors. It will sometimes send iscsi reject errors indicating out of resources or it will send invalid cdb illegal requests check conditions. And then when it sends iscsi rejects it does not seem to handle retries when there are command sequence holes, so I could not just add code to try and gracefully handle that error code. The problem is that we do not have a good contact for the company, so we are not able to determine under what conditions it returns which error and why it sometimes works. So, this patch just adds a new black list flag to set targets like this to the old max safe sectors of 1024. The max_hw_sectors changes added in 3.19 caused this regression, so I also ccing stable. Reported-by: Christian Hesse Signed-off-by: Mike Christie Cc: stable@vger.kernel.org Reviewed-by: Christoph Hellwig Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit e8780dac8cd1f84f7c31c68bb87c18b6141afca7 Author: Linus Torvalds Date: Thu Jul 9 11:20:01 2015 -0700 Fix firmware loader uevent buffer NULL pointer dereference [ Upstream commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c ] The firmware class uevent function accessed the "fw_priv->buf" buffer without the proper locking and testing for NULL. This is an old bug (looks like it goes back to 2012 and commit 1244691c73b2: "firmware loader: introduce firmware_buf"), but for some reason it's triggering only now in 4.2-rc1. Shuah Khan is trying to bisect what it is that causes this to trigger more easily, but in the meantime let's just fix the bug since others are hitting it too (at least Ingo reports having seen it as well). Reported-and-tested-by: Shuah Khan Acked-by: Ming Lei Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 3e35337a4ba284ce6a338ee0de8c0fbb2932bc2c Author: Christoffer Dall Date: Wed Jul 1 14:08:31 2015 +0200 arm64: Don't report clear pmds and puds as huge [ Upstream commit fd28f5d439fca77348c129d5b73043a56f8a0296 ] The current pmd_huge() and pud_huge() functions simply check if the table bit is not set and reports the entries as huge in that case. This is counter-intuitive as a clear pmd/pud cannot also be a huge pmd/pud, and it is inconsistent with at least arm and x86. To prevent others from making the same mistake as me in looking at code that calls these functions and to fix an issue with KVM on arm64 that causes memory corruption due to incorrect page reference counting resulting from this mistake, let's change the behavior. Signed-off-by: Christoffer Dall Reviewed-by: Steve Capper Acked-by: Marc Zyngier Fixes: 084bd29810a5 ("ARM64: mm: HugeTLB support.") Cc: # 3.11+ Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 388d75e1e885e8fe0c705a6aa1ed818cf6396df3 Author: Al Viro Date: Sun Jul 12 10:34:29 2015 -0400 9p: don't leave a half-initialized inode sitting around [ Upstream commit 0a73d0a204a4a04a1e110539c5a524ae51f91d6d ] Cc: stable@vger.kernel.org # all branches Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 82bec81e4d7d53b46fca391774271f801b18d6e5 Author: Al Viro Date: Sat Jul 4 16:04:19 2015 -0400 9p: forgetting to cancel request on interrupted zero-copy RPC [ Upstream commit a84b69cb6e0a41e86bc593904faa6def3b957343 ] If we'd already sent a request and decide to abort it, we *must* issue TFLUSH properly and not just blindly reuse the tag, or we'll get seriously screwed when response eventually arrives and we confuse it for response to later request that had reused the same tag. Cc: stable@vger.kernel.org # v3.2 and later Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit c7f10946b88af6d5d82bc9f84d008f0d089972d9 Author: Chuck Lever Date: Tue May 26 11:53:52 2015 -0400 NFS: Fix size of NFSACL SETACL operations [ Upstream commit d683cc49daf7c5afca8cd9654aaa1bf63cdf2ad9 ] When encoding the NFSACL SETACL operation, reserve just the estimated size of the ACL rather than a fixed maximum. This eliminates needless zero padding on the wire that the server ignores. Fixes: ee5dc7732bd5 ('NFS: Fix "kernel BUG at fs/nfs/nfs3xdr.c:1338!"') Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 448d34256e77574e0d0b8ffdc35ec3239d9acfa0 Author: Uwe Kleine-König Date: Wed Apr 29 20:38:46 2015 +0200 watchdog: omap: assert the counter being stopped before reprogramming [ Upstream commit 530c11d432727c697629ad5f9d00ee8e2864d453 ] The omap watchdog has the annoying behaviour that writes to most registers don't have any effect when the watchdog is already running. Quoting the AM335x reference manual: To modify the timer counter value (the WDT_WCRR register), prescaler ratio (the WDT_WCLR[4:2] PTV bit field), delay configuration value (the WDT_WDLY[31:0] DLY_VALUE bit field), or the load value (the WDT_WLDR[31:0] TIMER_LOAD bit field), the watchdog timer must be disabled by using the start/stop sequence (the WDT_WSPR register). Currently the timer is stopped in the .probe callback but still there are possibilities that yield to a situation where omap_wdt_start is entered with the timer running (e.g. when /dev/watchdog is closed without stopping and then reopened). In such a case programming the timeout silently fails! To circumvent this stop the timer before reprogramming. Assuming one of the first things the watchdog user does is setting the timeout explicitly nothing too bad should happen because this explicit setting works fine. Fixes: 7768a13c252a ("[PATCH] OMAP: Add Watchdog driver support") Signed-off-by: Uwe Kleine-König Reviewed-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit dd95eaaea493d74df5ae81c7e5846e6b33ee91b1 Author: Konstantin Khlebnikov Date: Wed Apr 8 19:59:20 2015 +0300 of: return NUMA_NO_NODE from fallback of_node_to_nid() [ Upstream commit c8fff7bc5bba6bd59cad40441c189c4efe7190f6 ] Node 0 might be offline as well as any other numa node, in this case kernel cannot handle memory allocation and crashes. Signed-off-by: Konstantin Khlebnikov Fixes: 0c3f061c195c ("of: implement of_node_to_nid as a weak function") Signed-off-by: Grant Likely Signed-off-by: Sasha Levin commit 3e2003cccc9fb5f73a0d251dbb595f4c6e3a08bd Author: Alan Stern Date: Thu Jan 29 11:29:13 2015 -0500 USB: usbfs: allow URBs to be reaped after disconnection [ Upstream commit 3f2cee73b650921b2e214bf487b2061a1c266504 ] The usbfs API has a peculiar hole: Users are not allowed to reap their URBs after the device has been disconnected. There doesn't seem to be any good reason for this; it is an ad-hoc inconsistency. The patch allows users to issue the USBDEVFS_REAPURB and USBDEVFS_REAPURBNDELAY ioctls (together with their 32-bit counterparts on 64-bit systems) even after the device is gone. If no URBs are pending for a disconnected device then the ioctls will return -ENODEV rather than -EAGAIN, because obviously no new URBs will ever be able to complete. The patch also adds a new capability flag for USBDEVFS_GET_CAPABILITIES to indicate that the reap-after-disconnect feature is supported. Signed-off-by: Alan Stern Tested-by: Chris Dickens Acked-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bb91f0ab2a32dc6afa29e17e9ba865e5335ffb0e Author: Pali Rohár Date: Tue Jun 23 10:11:19 2015 +0200 dell-laptop: Fix allocating & freeing SMI buffer page [ Upstream commit b8830a4e71b15d0364ac8e6c55301eea73f211da ] This commit fix kernel crash when probing for rfkill devices in dell-laptop driver failed. Function free_page() was incorrectly used on struct page * instead of virtual address of SMI buffer. This commit also simplify allocating page for SMI buffer by using __get_free_page() function instead of sequential call of functions alloc_page() and page_address(). Signed-off-by: Pali Rohár Acked-by: Michal Hocko Cc: stable@vger.kernel.org Signed-off-by: Darren Hart Signed-off-by: Sasha Levin commit 0e05e75326d068727b3790b2e0c927e75031a86b Author: Michal Kazior Date: Fri May 22 10:22:40 2015 +0200 mac80211: prevent possible crypto tx tailroom corruption [ Upstream commit ab499db80fcf07c18e4053f91a619500f663e90e ] There was a possible race between ieee80211_reconfig() and ieee80211_delayed_tailroom_dec(). This could result in inability to transmit data if driver crashed during roaming or rekeying and subsequent skbs with insufficient tailroom appeared. This race was probably never seen in the wild because a device driver would have to crash AND recover within 0.5s which is very unlikely. I was able to prove this race exists after changing the delay to 10s locally and crashing ath10k via debugfs immediately after GTK rekeying. In case of ath10k the counter went below 0. This was harmless but other drivers which actually require tailroom (e.g. for WEP ICV or MMIC) could end up with the counter at 0 instead of >0 and introduce insufficient skb tailroom failures because mac80211 would not resize skbs appropriately anymore. Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming") Signed-off-by: Michal Kazior Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit b6839752c823c205e788e3e39307fde48be102c4 Author: Vasily Averin Date: Thu Jun 25 15:01:44 2015 -0700 security_syslog() should be called once only [ Upstream commit d194e5d666225b04c7754471df0948f645b6ab3a ] The final version of commit 637241a900cb ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg") lost few hooks, as result security_syslog() are processed incorrectly: - open of /dev/kmsg checks syslog access permissions by using check_syslog_permissions() where security_syslog() is not called if dmesg_restrict is set. - syslog syscall and /proc/kmsg calls do_syslog() where security_syslog can be executed twice (inside check_syslog_permissions() and then directly in do_syslog()) With this patch security_syslog() is called once only in all syslog-related operations regardless of dmesg_restrict value. Fixes: 637241a900cb ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg") Signed-off-by: Vasily Averin Cc: Kees Cook Cc: Josh Boyer Cc: Eric Paris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ea82d2674523e6b51055e251c94b93114c99045a Author: Chris Metcalf Date: Thu Jun 25 15:02:08 2015 -0700 __bitmap_parselist: fix bug in empty string handling [ Upstream commit 2528a8b8f457d7432552d0e2b6f0f4046bb702f4 ] bitmap_parselist("", &mask, nmaskbits) will erroneously set bit zero in the mask. The same bug is visible in cpumask_parselist() since it is layered on top of the bitmask code, e.g. if you boot with "isolcpus=", you will actually end up with cpu zero isolated. The bug was introduced in commit 4b060420a596 ("bitmap, irq: add smp_affinity_list interface to /proc/irq") when bitmap_parselist() was generalized to support userspace as well as kernelspace. Fixes: 4b060420a596 ("bitmap, irq: add smp_affinity_list interface to /proc/irq") Signed-off-by: Chris Metcalf Cc: Rasmus Villemoes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit f078fd1dae84e8695fdd717554addd0e13d2dc35 Author: Ding Wang Date: Mon May 18 20:14:15 2015 +0800 mmc: card: Fixup request missing in mmc_blk_issue_rw_rq [ Upstream commit 29535f7b797df35cc9b6b3bca635591cdd3dd2a8 ] The current handler of MMC_BLK_CMD_ERR in mmc_blk_issue_rw_rq function may cause new coming request permanent missing when the ongoing request (previoulsy started) complete end. The problem scenario is as follows: (1) Request A is ongoing; (2) Request B arrived, and finally mmc_blk_issue_rw_rq() is called; (3) Request A encounters the MMC_BLK_CMD_ERR error; (4) In the error handling of MMC_BLK_CMD_ERR, suppose mmc_blk_cmd_err() end request A completed and return zero. Continue the error handling, suppose mmc_blk_reset() reset device success; (5) Continue the execution, while loop completed because variable ret is zero now; (6) Finally, mmc_blk_issue_rw_rq() return without processing request B. The process related to the missing request may wait that IO request complete forever, possibly crashing the application or hanging the system. Fix this issue by starting new request when reset success. Signed-off-by: Ding Wang Fixes: 67716327eec7 ("mmc: block: add eMMC hardware reset support") Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 3e2ee0584b7c688bbc2c1951e8348b2302ab4873 Author: Sagi Grimberg Date: Sun Mar 29 15:52:04 2015 +0300 iser-target: Fix possible deadlock in RDMA_CM connection error [ Upstream commit 4a579da2586bd3b79b025947ea24ede2bbfede62 ] Before we reach to connection established we may get an error event. In this case the core won't teardown this connection (never established it), so we take care of freeing it ourselves. Signed-off-by: Sagi Grimberg Cc: # v3.10+ Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit cf57073b8687f6984366cbb158e2609bb1f9b614 Author: Nicholas Bellinger Date: Thu Feb 26 22:19:15 2015 -0800 iscsi-target: Convert iscsi_thread_set usage to kthread.h [ Upstream commit 88dcd2dab5c23b1c9cfc396246d8f476c872f0ca ] This patch converts iscsi-target code to use modern kthread.h API callers for creating RX/TX threads for each new iscsi_conn descriptor, and releasing associated RX/TX threads during connection shutdown. This is done using iscsit_start_kthreads() -> kthread_run() to start new kthreads from within iscsi_post_login_handler(), and invoking kthread_stop() from existing iscsit_close_connection() code. Also, convert iscsit_logout_post_handler_closesession() code to use cmpxchg when determing when iscsit_cause_connection_reinstatement() needs to sleep waiting for completion. Reported-by: Sagi Grimberg Tested-by: Sagi Grimberg Cc: Slava Shwartsman Cc: # v3.10+ Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit bc29d0be4238aafed6dafd70a252cddc213bf3e9 Author: Lv Zheng Date: Wed Jul 1 14:43:26 2015 +0800 ACPICA: Tables: Fix an issue that FACS initialization is performed twice [ Upstream commit c04be18448355441a0c424362df65b6422e27bda ] ACPICA commit 90f5332a15e9d9ba83831ca700b2b9f708274658 This patch adds a new FACS initialization flag for acpi_tb_initialize(). acpi_enable_subsystem() might be invoked several times in OS bootup process, and we don't want FACS initialization to be invoked twice. Lv Zheng. Link: https://github.com/acpica/acpica/commit/90f5332a Cc: All applicable # All applicable Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 5217be2384b4886b25533d7e88d91108f1c61d46 Author: Filipe Manana Date: Fri Jul 3 08:36:11 2015 +0100 Btrfs: fix memory leak in the extent_same ioctl [ Upstream commit 497b4050e0eacd4c746dd396d14916b1e669849d ] We were allocating memory with memdup_user() but we were never releasing that memory. This affected pretty much every call to the ioctl, whether it deduplicated extents or not. This issue was reported on IRC by Julian Taylor and on the mailing list by Marcel Ritter, credit goes to them for finding the issue. Reported-by: Julian Taylor Reported-by: Marcel Ritter Cc: stable@vger.kernel.org Signed-off-by: Filipe Manana Reviewed-by: Mark Fasheh Signed-off-by: Sasha Levin commit 3c668a81f9214f32e521baa89e4b0d7b00dd09f9 Author: Filipe Manana Date: Sat Jun 13 06:52:56 2015 +0100 Btrfs: use kmem_cache_free when freeing entry in inode cache [ Upstream commit c3f4a1685bb87e59c886ee68f7967eae07d4dffa ] The free space entries are allocated using kmem_cache_zalloc(), through __btrfs_add_free_space(), therefore we should use kmem_cache_free() and not kfree() to avoid any confusion and any potential problem. Looking at the kfree() definition at mm/slab.c it has the following comment: /* * (...) * * Don't free memory not originally allocated by kmalloc() * or you will run into trouble. */ So better be safe and use kmem_cache_free(). Cc: stable@vger.kernel.org Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: Chris Mason Signed-off-by: Sasha Levin commit ea446f65b0394a57ce871eae77a8fac9ef213564 Author: Firo Yang Date: Thu Jun 11 09:41:10 2015 +0800 md: fix a build warning [ Upstream commit 4e023612325a9034a542bfab79f78b1fe5ebb841 ] Warning like this: drivers/md/md.c: In function "update_array_info": drivers/md/md.c:6394:26: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] !mddev->persistent != info->not_persistent|| Fix it as Neil Brown said: mddev->persistent != !info->not_persistent || Signed-off-by: Firo Yang Signed-off-by: NeilBrown Signed-off-by: Sasha Levin commit 96558f2fbefed1b3b05d9f8f85fc40f6d74dac3e Author: Steven Rostedt (Red Hat) Date: Tue Jul 7 15:05:03 2015 -0400 tracing: Have branch tracer use recursive field of task struct [ Upstream commit 6224beb12e190ff11f3c7d4bf50cb2922878f600 ] Fengguang Wu's tests triggered a bug in the branch tracer's start up test when CONFIG_DEBUG_PREEMPT set. This was because that config adds some debug logic in the per cpu field, which calls back into the branch tracer. The branch tracer has its own recursive checks, but uses a per cpu variable to implement it. If retrieving the per cpu variable calls back into the branch tracer, you can see how things will break. Instead of using a per cpu variable, use the trace_recursion field of the current task struct. Simply set a bit when entering the branch tracing and clear it when leaving. If the bit is set on entry, just don't do the tracing. There's also the case with lockdep, as the local_irq_save() called before the recursion can also trigger code that can call back into the function. Changing that to a raw_local_irq_save() will protect that as well. This prevents the recursion and the inevitable crash that follows. Link: http://lkml.kernel.org/r/20150630141803.GA28071@wfg-t540p.sh.intel.com Cc: stable@vger.kernel.org # 3.10+ Reported-by: Fengguang Wu Tested-by: Fengguang Wu Signed-off-by: Steven Rostedt Signed-off-by: Sasha Levin commit 8c9482a9bc47fee04173956f1fa05eada7779d82 Author: Steven Rostedt (Red Hat) Date: Thu Jun 25 18:02:29 2015 -0400 tracing/filter: Do not WARN on operand count going below zero [ Upstream commit b4875bbe7e68f139bd3383828ae8e994a0df6d28 ] When testing the fix for the trace filter, I could not come up with a scenario where the operand count goes below zero, so I added a WARN_ON_ONCE(cnt < 0) to the logic. But there is legitimate case that it can happen (although the filter would be wrong). # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter That is, a single operation without any operands will hit the path where the WARN_ON_ONCE() can trigger. Although this is harmless, and the filter is reported as a error. But instead of spitting out a warning to the kernel dmesg, just fail nicely and report it via the proper channels. Link: http://lkml.kernel.org/r/558C6082.90608@oracle.com Reported-by: Vince Weaver Reported-by: Sasha Levin Cc: stable@vger.kernel.org # 2.6.33+ Signed-off-by: Steven Rostedt Signed-off-by: Sasha Levin commit 0ff74faa025bbc4f751785ba34a2c121e9dcc685 Author: Arne Fitzenreiter Date: Wed Jul 15 13:54:37 2015 +0200 libata: force disable trim for SuperSSpeed S238 [ Upstream commit cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc ] This device loses blocks, often the partition table area, on trim. Disable TRIM. http://pcengines.ch/msata16a.htm Signed-off-by: Arne Fitzenreiter Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit e7a84605061b205350654641d823e1ca9589ec24 Author: Arne Fitzenreiter Date: Wed Jul 15 13:54:36 2015 +0200 libata: add ATA_HORKAGE_NOTRIM [ Upstream commit 71d126fd28de2d4d9b7b2088dbccd7ca62fad6e0 ] Some devices lose data on TRIM whether queued or not. This patch adds a horkage to disable TRIM. tj: Collapsed unnecessary if() nesting. Signed-off-by: Arne Fitzenreiter Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 7a889192e322242945874e52b25f88c8841c8f47 Author: Mimi Zohar Date: Tue Apr 21 13:59:31 2015 -0400 evm: labeling pseudo filesystems exception [ Upstream commit 5101a1850bb7ccbf107929dee9af0cd2f400940f ] To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo files systems. Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 66db51c9f7b2fe7ebdfa753b2aa9abbb9feddc87 Author: Colin Ian King Date: Mon Jul 27 15:23:43 2015 +0100 KEYS: ensure we free the assoc array edit if edit is valid [ Upstream commit HEAD ] commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream. __key_link_end is not freeing the associated array edit structure and this leads to a 512 byte memory leak each time an identical existing key is added with add_key(). The reason the add_key() system call returns okay is that key_create_or_update() calls __key_link_begin() before checking to see whether it can update a key directly rather than adding/replacing - which it turns out it can. Thus __key_link() is not called through __key_instantiate_and_link() and __key_link_end() must cancel the edit. CVE-2015-1333 Signed-off-by: Colin Ian King Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c9cd9b18dac801040ada16562dc579d5ac366d75) Signed-off-by: Sasha Levin commit 6a85c7b5fdf5a300a25a5f804f24b8fb09e472f9 Author: Zhao Junwang Date: Tue Jul 7 17:08:35 2015 +0800 drm: add a check for x/y in drm_mode_setcrtc [ Upstream commit 01447e9f04ba1c49a9534ae6a5a6f26c2bb05226 ] legacy setcrtc ioctl does take a 32 bit value which might indeed overflow the checks of crtc_req->x > INT_MAX and crtc_req->y > INT_MAX aren't needed any more with this v2: -polish the annotation according to Daniel's comment Cc: Daniel Vetter Signed-off-by: Zhao Junwang Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter Signed-off-by: Sasha Levin commit 04e685d86e0c3fd7b47bebb6efdd488222b500e1 Author: Alex Deucher Date: Thu Jul 9 21:08:17 2015 -0400 drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5 [ Upstream commit 5dfc71bc44d91d1620505c064fa22b0b3db58a9d ] bug: https://bugs.freedesktop.org/show_bug.cgi?id=76490 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 0e1b8effa553cc8f07c1a53b93f1ea9ce20b551d Author: Tomas Winkler Date: Thu Jul 16 15:50:45 2015 +0200 mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() [ Upstream commit 9098f84cced870f54d8c410dd2444cfa61467fa0 ] Enclosing mmc_blk_put() is missing in power_ro_lock_show() sysfs handler, let's add it. Fixes: add710eaa886 ("mmc: boot partition ro lock support") Signed-off-by: Tomas Winkler Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 50ca84670e1c8c72b2e4c37e7abfaff0fde42180 Author: Joe Thornber Date: Fri Jul 3 14:51:32 2015 +0100 dm btree: silence lockdep lock inversion in dm_btree_del() [ Upstream commit 1c7518794a3647eb345d59ee52844e8a40405198 ] Allocate memory using GFP_NOIO when deleting a btree. dm_btree_del() can be called via an ioctl and we don't want to recurse into the FS or block layer. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit dd5657d77b2dad01963f7fb5d1c703c490e45ea3 Author: Dennis Yang Date: Fri Jun 26 15:25:48 2015 +0100 dm btree remove: fix bug in redistribute3 [ Upstream commit 4c7e309340ff85072e96f529582d159002c36734 ] redistribute3() shares entries out across 3 nodes. Some entries were being moved the wrong way, breaking the ordering. This manifested as a BUG() in dm-btree-remove.c:shift() when entries were removed from the btree. For additional context see: https://www.redhat.com/archives/dm-devel/2015-May/msg00113.html Signed-off-by: Dennis Yang Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 8b338c3a9df7ca4b6b9729eef90d7b2e7ba7b800 Author: AMAN DEEP Date: Tue Jul 21 17:20:27 2015 +0300 usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function [ Upstream commit 3496810663922617d4b706ef2780c279252ddd6a ] virt_dev->num_cached_rings counts on freed ring and is not updated correctly. In xhci_free_or_cache_endpoint_ring() function, the free ring is added into cache and then num_rings_cache is incremented as below: virt_dev->ring_cache[rings_cached] = virt_dev->eps[ep_index].ring; virt_dev->num_rings_cached++; here, free ring pointer is added to a current index and then index is incremented. So current index always points to empty location in the ring cache. For getting available free ring, current index should be decremented first and then corresponding ring buffer value should be taken from ring cache. But In function xhci_endpoint_init(), the num_rings_cached index is accessed before decrement. virt_dev->eps[ep_index].new_ring = virt_dev->ring_cache[virt_dev->num_rings_cached]; virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL; virt_dev->num_rings_cached--; This is bug in manipulating the index of ring cache. And it should be as below: virt_dev->num_rings_cached--; virt_dev->eps[ep_index].new_ring = virt_dev->ring_cache[virt_dev->num_rings_cached]; virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL; Cc: Signed-off-by: Aman Deep Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 283d3316851f543eaeceac16c9bcec2100afff57 Author: Johannes Thumshirn Date: Wed Jul 8 17:26:37 2015 +0200 USB: serial: Destroy serial_minors IDR on module exit [ Upstream commit d23f47d4927fd2f61b3a754d83c7bcec215b5cfe ] Destroy serial_minors IDR on module exit, reclaiming the allocated memory. This was detected by the following semantic patch (written by Luis Rodriguez ) @ defines_module_init @ declarer name module_init, module_exit; declarer name DEFINE_IDR; identifier init; @@ module_init(init); @ defines_module_exit @ identifier exit; @@ module_exit(exit); @ declares_idr depends on defines_module_init && defines_module_exit @ identifier idr; @@ DEFINE_IDR(idr); @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @ identifier declares_idr.idr, defines_module_exit.exit; @@ exit(void) { ... idr_destroy(&idr); ... } @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @ identifier declares_idr.idr, defines_module_exit.exit; @@ exit(void) { ... +idr_destroy(&idr); } Signed-off-by: Johannes Thumshirn Cc: stable # v3.11 Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 1159760b3c04013875c1109042da42989c615fe2 Author: Claudio Cappelli Date: Wed Jun 10 20:38:30 2015 +0200 USB: option: add 2020:4000 ID [ Upstream commit f6d7fb37f92622479ef6da604f27561f5045ba1e ] Add device Olivetti Olicard 300 (Network Connect: MT6225) - IDs 2020:4000. T: Bus=01 Lev=02 Prnt=04 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2020 ProdID=4000 Rev=03.00 S: Manufacturer=Network Connect S: Product=MT6225 C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage Signed-off-by: Claudio Cappelli Suggested-by: Lars Melin Cc: stable [johan: amend commit message with devices info ] Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit c2240da1ee86ee9b1071b0fdca3065dd95e1d617 Author: Peter Sanford Date: Thu Jun 25 17:40:05 2015 -0700 USB: cp210x: add ID for Aruba Networks controllers [ Upstream commit f98a7aa81eeeadcad25665c3501c236d531d4382 ] Add the USB serial console device ID for Aruba Networks 7xxx series controllers which have a USB port for their serial console. Signed-off-by: Peter Sanford Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 689488fc565537d2e2de46ee78e59903768b1385 Author: Felipe Balbi Date: Tue Jun 2 13:03:36 2015 -0500 usb: musb: host: rely on port_mode to call musb_start() [ Upstream commit be9d39881fc4fa39a64b6eed6bab5d9ee5125344 ] Currently, we're calling musb_start() twice for DRD ports in some situations. This has been observed to cause enumeration issues after suspend/resume cycles with AM335x. In order to fix the problem, we just have to fix the check on musb_has_gadget() so that it only returns true if current mode is Host and ignore the fact that we have or not a gadget driver loaded. Fixes: ae44df2e21b5 (usb: musb: call musb_start() only once in OTG mode) Cc: Sebastian Andrzej Siewior Cc: # v3.11+ Tested-by: Sekhar Nori Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit ece29f5be76e3db17bafbb32250290e9c70d38e7 Author: Dan Carpenter Date: Mon May 18 15:29:51 2015 +0300 USB: devio: fix a condition in async_completed() [ Upstream commit 83ed07c5db71bc02bd646d6eb60b48908235cdf9 ] Static checkers complain that the current condition is never true. It seems pretty likely that it's a typo and "URB" was intended instead of "USB". Fixes: 3d97ff63f899 ('usbdevfs: Use scatter-gather lists for large bulk transfers') Signed-off-by: Dan Carpenter Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a0c760181ca874bc8b42fceafcb4aad7000d891a Author: John Youn Date: Mon Sep 17 00:00:00 2001 -0700 usb: dwc3: Reset the transfer resource index on SET_INTERFACE [ Upstream commit aebda618718157a69c0dc0adb978d69bc2b8723c ] This fixes an issue introduced in commit b23c843992b6 (usb: dwc3: gadget: fix DEPSTARTCFG for non-EP0 EPs) that made sure we would only use DEPSTARTCFG once per SetConfig. The trick is that we should use one DEPSTARTCFG per SetConfig *OR* SetInterface. SetInterface was completely missed from the original patch. This problem became aparent after commit 76e838c9f776 (usb: dwc3: gadget: return error if command sent to DEPCMD register fails) added checking of the return status of device endpoint commands. 'Set Endpoint Transfer Resource' command was caught failing occasionally. This is because the Transfer Resource Index was not getting reset during a SET_INTERFACE request. Finally, to fix the issue, was we have to do is make sure that our start_config_issued flag gets reset whenever we receive a SetInterface request. To verify the problem (and its fix), all we have to do is run test 9 from testusb with 'testusb -t 9 -s 2048 -a -c 5000'. Tested-by: Huang Rui Tested-by: Subbaraya Sundeep Bhatta Fixes: b23c843992b6 (usb: dwc3: gadget: fix DEPSTARTCFG for non-EP0 EPs) Cc: # v3.2+ Signed-off-by: John Youn Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit ed290a16f30c83e3d5cb3462a5b7b1367cc5faee Author: Mikulas Patocka Date: Wed Jul 8 13:06:12 2015 -0400 libata: increase the timeout when setting transfer mode [ Upstream commit d531be2ca2f27cca5f041b6a140504999144a617 ] I have a ST4000DM000 disk. If Linux is booted while the disk is spun down, the command that sets transfer mode causes the disk to spin up. The spin-up takes longer than the default 5s timeout, so the command fails and timeout is reported. Fix this by increasing the timeout to 15s, which is enough for the disk to spin up. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit dba1319c94b1d257b5883e1db8b3f0b4fa940d54 Author: Aleksei Mamlin Date: Wed Jul 1 13:48:30 2015 +0300 libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER [ Upstream commit 08c85d2a599d967ede38a847f5594447b6100642 ] Enabling AA on HP 250GB SATA disk VB0250EAVER causes errors: [ 3.788362] ata3.00: failed to enable AA (error_mask=0x1) [ 3.789243] ata3.00: failed to enable AA (error_mask=0x1) Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk. tj: Collected FPDMA_AA entries and updated comment. Signed-off-by: Aleksei Mamlin Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit a8cec2e4b565d341502e92ad3a1cc6aa7bda19e9 Author: Dan Carpenter Date: Wed Jun 10 18:37:23 2015 +0300 ASoC: imx-wm8962: Add a missing error check [ Upstream commit 474ff0ae23b834e9fc18374d14bb5f3e7b3828b4 ] My static checker complains that: sound/soc/fsl/imx-wm8962.c:196 imx_wm8962_probe() warn: we tested 'ret' before and it was 'false' The intent was that we use "ret" to check imx_audmux_v2_configure_port(). Fixes: 8de2ae2a7f1f ('ASoC: fsl: add imx-wm8962 machine driver') Signed-off-by: Dan Carpenter Otherwise, Acked-by: Nicolin Chen Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3f6aa9f86f11b733f067c68e3fc66bc54522d915 Author: Jan Leupold Date: Wed Jun 17 18:21:36 2015 +0200 iio: adc: at91_adc: allow to use full range of startup time [ Upstream commit 815983e9afcb21552e1b9d77e3755d394cbf5249 ] The DT-Property "atmel,adc-startup-time" is stored in an u8 for a microsecond value. When trying to increase the value of STARTUP in Register AT91_ADC_MR some higher values can't be reached. Change the type in function parameter and private structure field from u8 to u32. Signed-off-by: Jan Leupold [nicolas.ferre@atmel.com: change commit message, increase u16 to u32 for startup time] Signed-off-by: Nicolas Ferre Acked-by: Alexandre Belloni Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit b8518de10f23539bbe13bb15203be860cc027923 Author: Peter Meerwald Date: Sun Jun 21 23:50:21 2015 +0200 iio: tmp006: Check channel info on write [ Upstream commit f451957dafe712ab2cd4b7ca8ba9197798115fbe ] only SAMP_FREQ is writable Will lead to SAMP_FREQ being written by any attempt to write to the other exported attributes and hence a rather unexpected result! Signed-off-by: Peter Meerwald Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit b217d7a8e1fcf13a010933d8b7ce34f0d197278c Author: JM Friedt Date: Fri Jun 19 14:48:06 2015 +0200 iio: DAC: ad5624r_spi: fix bit shift of output data value [ Upstream commit 09f4dcc9443c4731b6669066bd1bc4312ef17bcc ] The value sent on the SPI bus is shifted by an erroneous number of bits. The shift value was already computed in the iio_chan_spec structure and hence subtracting this argument to 16 yields an erroneous data position in the SPI stream. Signed-off-by: JM Friedt Acked-by: Lars-Peter Clausen Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 908e65906a2e1f938f0972bbf7b058c6dd945628 Author: Michal Hocko Date: Sun Jul 5 12:33:44 2015 -0400 ext4: replace open coded nofail allocation in ext4_free_blocks() [ Upstream commit 7444a072c387a93ebee7066e8aee776954ab0e41 ] ext4_free_blocks is looping around the allocation request and mimics __GFP_NOFAIL behavior without any allocation fallback strategy. Let's remove the open coded loop and replace it with __GFP_NOFAIL. Without the flag the allocator has no way to find out never-fail requirement and cannot help in any way. Signed-off-by: Michal Hocko Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit f164c7de2710059aae7b66f668f0a2ab5a7689c2 Author: Eryu Guan Date: Sat Jul 4 00:03:44 2015 -0400 ext4: correctly migrate a file with a hole at the beginning [ Upstream commit 8974fec7d72e3e02752fe0f27b4c3719c78d9a15 ] Currently ext4_ind_migrate() doesn't correctly handle a file which contains a hole at the beginning of the file. This caused the migration to be done incorrectly, and then if there is a subsequent following delayed allocation write to the "hole", this would reclaim the same data blocks again and results in fs corruption. # assmuing 4k block size ext4, with delalloc enabled # skip the first block and write to the second block xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/ext4/testfile # converting to indirect-mapped file, which would move the data blocks # to the beginning of the file, but extent status cache still marks # that region as a hole chattr -e /mnt/ext4/testfile # delayed allocation writes to the "hole", reclaim the same data block # again, results in i_blocks corruption xfs_io -c "pwrite 0 4k" /mnt/ext4/testfile umount /mnt/ext4 e2fsck -nf /dev/sda6 ... Inode 53, i_blocks is 16, should be 8. Fix? no ... Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 694fd43fb701e0db5d3cdefc49725a1154a605a7 Author: Eryu Guan Date: Fri Jul 3 23:56:50 2015 -0400 ext4: be more strict when migrating to non-extent based file [ Upstream commit d6f123a9297496ad0b6335fe881504c4b5b2a5e5 ] Currently the check in ext4_ind_migrate() is not enough before doing the real conversion: a) delayed allocated extents could bypass the check on eh->eh_entries and eh->eh_depth This can be demonstrated by this script xfs_io -fc "pwrite 0 4k" -c "pwrite 8k 4k" /mnt/ext4/testfile chattr -e /mnt/ext4/testfile where testfile has two extents but still be converted to non-extent based file format. b) only extent length is checked but not the offset, which would result in data lose (delalloc) or fs corruption (nodelalloc), because non-extent based file only supports at most (12 + 2^10 + 2^20 + 2^30) blocks This can be demostrated by xfs_io -fc "pwrite 5T 4k" /mnt/ext4/testfile chattr -e /mnt/ext4/testfile sync If delalloc is enabled, dmesg prints EXT4-fs warning (device dm-4): ext4_block_to_path:105: block 1342177280 > max in inode 53 EXT4-fs (dm-4): Delayed block allocation failed for inode 53 at logical offset 1342177280 with max blocks 1 with error 5 EXT4-fs (dm-4): This should not happen!! Data will be lost If delalloc is disabled, e2fsck -nf shows corruption Inode 53, i_size is 5497558142976, should be 4096. Fix? no Fix the two issues by a) forcing all delayed allocation blocks to be allocated before checking eh->eh_depth and eh->eh_entries b) limiting the last logical block of the extent is within direct map Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 00131bc068c4b4ff8fbadeddf6859fb4b73d8ed7 Author: Lukas Czerner Date: Fri Jul 3 21:13:55 2015 -0400 ext4: fix reservation release on invalidatepage for delalloc fs [ Upstream commit 9705acd63b125dee8b15c705216d7186daea4625 ] On delalloc enabled file system on invalidatepage operation in ext4_da_page_release_reservation() we want to clear the delayed buffer and remove the extent covering the delayed buffer from the extent status tree. However currently there is a bug where on the systems with page size > block size we will always remove extents from the start of the page regardless where the actual delayed buffers are positioned in the page. This leads to the errors like this: EXT4-fs warning (device loop0): ext4_da_release_space:1225: ext4_da_release_space: ino 13, to_free 1 with only 0 reserved data blocks This however can cause data loss on writeback time if the file system is in ENOSPC condition because we're releasing reservation for someones else delayed buffer. Fix this by only removing extents that corresponds to the part of the page we want to invalidate. This problem is reproducible by the following fio receipt (however I was only able to reproduce it with fio-2.1 or older. [global] bs=8k iodepth=1024 iodepth_batch=60 randrepeat=1 size=1m directory=/mnt/test numjobs=20 [job1] ioengine=sync bs=1k direct=1 rw=randread filename=file1:file2 [job2] ioengine=libaio rw=randwrite direct=1 filename=file1:file2 [job3] bs=1k ioengine=posixaio rw=randwrite direct=1 filename=file1:file2 [job5] bs=1k ioengine=sync rw=randread filename=file1:file2 [job7] ioengine=libaio rw=randwrite filename=file1:file2 [job8] ioengine=posixaio rw=randwrite filename=file1:file2 [job10] ioengine=mmap rw=randwrite bs=1k filename=file1:file2 [job11] ioengine=mmap rw=randwrite direct=1 filename=file1:file2 Signed-off-by: Lukas Czerner Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit ae241ca5155667c947f6a19ea5c370c964768ac7 Author: Ezequiel Garcia Date: Mon May 11 12:20:18 2015 -0300 spi: pl022: Specify 'num-cs' property as required in devicetree binding [ Upstream commit ea6055c46eda1e19e02209814955e13f334bbe1b ] Since commit 39a6ac11df65 ("spi/pl022: Devicetree support w/o platform data") the 'num-cs' parameter cannot be passed through platform data when probing with devicetree. Instead, it's a required devicetree property. Fix the binding documentation so the property is properly specified. Fixes: 39a6ac11df65 ("spi/pl022: Devicetree support w/o platform data") Signed-off-by: Ezequiel Garcia Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 79e215ad098a57b3bc1e82b6891d999ddfc77f73 Author: Sasha Levin Date: Tue Aug 4 13:32:39 2015 -0400 Revert "can: fix loss of CAN frames in raw_rcv" This reverts commit c215cf258214858a5a6c3e63cd7ee78b92d210b2. Signed-off-by: Sasha Levin