commit 9f9aab6e97a916f0e0aa6d24897a6ec43c411861 Author: Jiri Slaby Date: Thu Feb 11 14:54:44 2016 +0100 Linux 3.12.54 commit 021cc4c804dd34b3a4fca8175506bb8be380242d Author: Nikolay Borisov Date: Thu Dec 17 18:03:35 2015 +0200 dm thin: fix race condition when destroying thin pool workqueue commit 18d03e8c25f173f4107a40d0b8c24defb6ed69f3 upstream. When a thin pool is being destroyed delayed work items are cancelled using cancel_delayed_work(), which doesn't guarantee that on return the delayed item isn't running. This can cause the work item to requeue itself on an already destroyed workqueue. Fix this by using cancel_delayed_work_sync() which guarantees that on return the work item is not running anymore. Fixes: 905e51b39a555 ("dm thin: commit outstanding data every second") Fixes: 85ad643b7e7e5 ("dm thin: add timeout to stop out-of-data-space mode holding IO forever") Signed-off-by: Nikolay Borisov Signed-off-by: Mike Snitzer Cc: Nikolay Borisov Signed-off-by: Jiri Slaby commit d43afc4a7e793dbe84b16e2b35e2522150adc260 Author: Ioan-Adrian Ratiu Date: Fri Nov 20 22:19:02 2015 +0200 HID: usbhid: fix recursive deadlock commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream. The critical section protected by usbhid->lock in hid_ctrl() is too big and because of this it causes a recursive deadlock. "Too big" means the case statement and the call to hid_input_report() do not need to be protected by the spinlock (no URB operations are done inside them). The deadlock happens because in certain rare cases drivers try to grab the lock while handling the ctrl irq which grabs the lock before them as described above. For example newer wacom tablets like 056a:033c try to reschedule proximity reads from wacom_intuos_schedule_prox_event() calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report() which tries to grab the usbhid lock already held by hid_ctrl(). There are two ways to get out of this deadlock: 1. Make the drivers work "around" the ctrl critical region, in the wacom case for ex. by delaying the scheduling of the proximity read request itself to a workqueue. 2. Shrink the critical region so the usbhid lock protects only the instructions which modify usbhid state, calling hid_input_report() with the spinlock unlocked, allowing the device driver to grab the lock first, finish and then grab the lock afterwards in hid_ctrl(). This patch implements the 2nd solution. Signed-off-by: Ioan-Adrian Ratiu Signed-off-by: Jiri Kosina Signed-off-by: Jason Gerecke Signed-off-by: Jiri Slaby commit 48a17e3c2f6f4aecaa85d9af9c98414d792d96b0 Author: Seth Jennings Date: Fri Dec 11 13:40:57 2015 -0800 drivers/base/memory.c: prohibit offlining of memory blocks with missing sections commit 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 upstream. Commit bdee237c0343 ("x86: mm: Use 2GB memory block size on large-memory x86-64 systems") and 982792c782ef ("x86, mm: probe memory block size for generic x86 64bit") introduced large block sizes for x86. This made it possible to have multiple sections per memory block where previously, there was a only every one section per block. Since blocks consist of contiguous ranges of section, there can be holes in the blocks where sections are not present. If one attempts to offline such a block, a crash occurs since the code is not designed to deal with this. This patch is a quick fix to gaurd against the crash by not allowing blocks with non-present sections to be offlined. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=107781 Signed-off-by: Seth Jennings Reported-by: Andrew Banman Cc: Daniel J Blueman Cc: Yinghai Lu Cc: Greg KH Cc: Russ Anderson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 1b53306f2b39eb7ee755de71621425a0df20dc91 Author: Mike Snitzer Date: Mon Nov 23 16:24:45 2015 -0500 dm btree: fix leak of bufio-backed block in btree_split_sibling error path commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream. The block allocated at the start of btree_split_sibling() is never released if later insert_at() fails. Fix this by releasing the previously allocated bufio block using unlock_block(). Reported-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 231304036a751d3b6bd736fc81d3b8037d87350d Author: Herbert Xu Date: Sun Nov 1 17:11:19 2015 +0800 crypto: algif_hash - Only export and import on sockets with data commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream. The hash_accept call fails to work on sockets that have not received any data. For some algorithm implementations it may cause crashes. This patch fixes this by ensuring that we only export and import on sockets that have received data. Reported-by: Harsh Jain Signed-off-by: Herbert Xu Tested-by: Stephan Mueller Signed-off-by: Jiri Slaby commit 4366e33206ecab04f5d3ebb471c9b6915c59cbc1 Author: libin Date: Tue Nov 3 08:58:47 2015 +0800 recordmcount: Fix endianness handling bug for nop_mcount commit c84da8b9ad3761eef43811181c7e896e9834b26b upstream. In nop_mcount, shdr->sh_offset and welp->r_offset should handle endianness properly, otherwise it will trigger Segmentation fault if the recordmcount main and file.o have different endianness. Link: http://lkml.kernel.org/r/563806C7.7070606@huawei.com Signed-off-by: Li Bin Signed-off-by: Steven Rostedt Signed-off-by: Jiri Slaby commit b48d054283a2c2d60a100bf7772bf308042c57ac Author: Greg Kroah-Hartman Date: Sun Jan 31 11:11:58 2016 -0800 xhci: fix placement of call to usb_disabled() In the backport of 1eaf35e4dd592c59041bc1ed3248c46326da1f5f, the call to usb_disabled() was too late, after we had already done some allocation. Move that call to the top of the function instead, making the logic match what is intended and is in the original patch. Reported-by: Luis Henriques Signed-off-by: Jiri Slaby commit 237c785fe583ca5838d5389d38c8f3050c276861 Author: Tejun Heo Date: Tue Feb 9 16:11:26 2016 -0500 Revert "workqueue: make sure delayed work run in local cpu" commit 041bd12e272c53a35c54c13875839bcb98c999ce upstream. This reverts commit 874bbfe600a660cba9c776b3957b1ce393151b76. Workqueue used to implicity guarantee that work items queued without explicit CPU specified are put on the local CPU. Recent changes in timer broke the guarantee and led to vmstat breakage which was fixed by 176bed1de5bf ("vmstat: explicitly schedule per-cpu work on the CPU we need it to run on"). vmstat is the most likely to expose the issue and it's quite possible that there are other similar problems which are a lot more difficult to trigger. As a preventive measure, 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu") was applied to restore the local CPU guarnatee. Unfortunately, the change exposed a bug in timer code which got fixed by 22b886dd1018 ("timers: Use proper base migration in add_timer_on()"). Due to code restructuring, the commit couldn't be backported beyond certain point and stable kernels which only had 874bbfe600a6 started crashing. The local CPU guarantee was accidental more than anything else and we want to get rid of it anyway. As, with the vmstat case fixed, 874bbfe600a6 is causing more problems than it's fixing, it has been decided to take the chance and officially break the guarantee by reverting the commit. A debug feature will be added to force foreign CPU assignment to expose cases relying on the guarantee and fixes for the individual cases will be backported to stable as necessary. Signed-off-by: Tejun Heo Fixes: 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu") Link: http://lkml.kernel.org/g/20160120211926.GJ10810@quack.suse.cz Cc: Mike Galbraith Cc: Henrique de Moraes Holschuh Cc: Daniel Bilik Cc: Jan Kara Cc: Shaohua Li Cc: Sasha Levin Cc: Ben Hutchings Cc: Thomas Gleixner Cc: Daniel Bilik Cc: Jiri Slaby Cc: Michal Hocko Signed-off-by: Jiri Slaby commit 933f407f064e9338b17df510197dc5929e4c25c3 Author: Linus Torvalds Date: Thu Oct 15 13:01:50 2015 -0700 vmstat: explicitly schedule per-cpu work on the CPU we need it to run on commit 176bed1de5bf977938cad26551969eca8f0883b1 upstream. The vmstat code uses "schedule_delayed_work_on()" to do the initial startup of the delayed work on the right CPU, but then once it was started it would use the non-cpu-specific "schedule_delayed_work()" to re-schedule it on that CPU. That just happened to schedule it on the same CPU historically (well, in almost all situations), but the code _requires_ this work to be per-cpu, and should say so explicitly rather than depend on the non-cpu-specific scheduling to schedule on the current CPU. The timer code is being changed to not be as single-minded in always running things on the calling CPU. See also commit 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu") that for now maintains the local CPU guarantees just in case there are other broken users that depended on the accidental behavior. js: 3.12 backport Cc: Christoph Lameter Cc: Tejun Heo Cc: Mike Galbraith Cc: Michal Hocko Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 6b443a1b7c6ba75465730e74013b165a55bd3e9e Author: Andrew Morton Date: Fri Jul 17 16:23:28 2015 -0700 openrisc: fix CONFIG_UID16 setting commit 04ea1e91f85615318ea91ce8ab50cb6a01ee4005 upstream. openrisc-allnoconfig: kernel/uid16.c: In function 'SYSC_setgroups16': kernel/uid16.c:184:2: error: implicit declaration of function 'groups_alloc' kernel/uid16.c:184:13: warning: assignment makes pointer from integer without a cast openrisc shouldn't be setting CONFIG_UID16 when CONFIG_MULTIUSER=n. Fixes: 2813893f8b197a1 ("kernel: conditionally support non-root users, groups and capabilities") Reported-by: Fengguang Wu Cc: Iulia Manda Cc: Josh Triplett Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Guenter Roeck Signed-off-by: Jiri Slaby commit d6ace935eafa321e22d6a68c50801c4b914fd2a9 Author: Jiri Slaby Date: Thu Jan 28 11:37:09 2016 +0100 x86: vvar, fix excessive gcc-6 DECLARE_VVAR warnings On 3.12, with gcc-6, I see a lot of: arch/x86/include/asm/vvar.h:33:28: warning: ‘vvaraddr_jiffies’ defined but not used [-Wunused-const-variable] static type const * const vvaraddr_ ## name = \ ^ arch/x86/include/asm/vvar.h:46:1: note: in expansion of macro ‘DECLARE_VVAR’ DECLARE_VVAR(0, volatile unsigned long, jiffies) ^~~~~~~~~~~~ In upstream, this is fixed by ef721987ae (x86, vdso: Introduce VVAR marco for vdso32) and f40c330091 (x86, vdso: Move the vvar and hpet mappings next to the 64-bit vDSO). But this is not applicable to stable. So mark the vvar declaration as __maybe_unused and be done with it. This will generate it to the code only if it is used. I.e. the same as with gcc < 6. Signed-off-by: Jiri Slaby Cc: Andy Lutomirski commit 1fa9b58c6284c20971a0750acb9b17b22775151d Author: Joe Perches Date: Thu Jun 25 15:01:02 2015 -0700 compiler-gcc: integrate the various compiler-gcc[345].h files commit cb984d101b30eb7478d32df56a0023e4603cba7f upstream. As gcc major version numbers are going to advance rather rapidly in the future, there's no real value in separate files for each compiler version. Deduplicate some of the macros #defined in each file too. Neaten comments using normal kernel commenting style. Signed-off-by: Joe Perches Cc: Andi Kleen Cc: Michal Marek Cc: Segher Boessenkool Cc: Sasha Levin Cc: Anton Blanchard Cc: Alan Modra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit e3e923ee38b60564a62214b57bd56d5c601fa08a Author: Steven Noonan Date: Sat Oct 25 15:09:42 2014 -0700 compiler/gcc4+: Remove inaccurate comment about 'asm goto' miscompiles commit 5631b8fba640a4ab2f8a954f63a603fa34eda96b upstream. The bug referenced by the comment in this commit was not completely fixed in GCC 4.8.2, as I mentioned in a thread back in February: https://lkml.org/lkml/2014/2/12/797 The conclusion at that time was to make the quirk unconditional until the bug could be found and fixed in GCC. Unfortunately, when I submitted the patch (commit a9f18034) I left a comment in that claimed the bug was fixed in GCC 4.8.2+. This comment is inaccurate, and should be removed. Signed-off-by: Steven Noonan Signed-off-by: Ingo Molnar Cc: Jakub Jelinek Cc: Richard Henderson Cc: Linus Torvalds Cc: Steven Rostedt Link: http://lkml.kernel.org/r/1414274982-14040-1-git-send-email-steven@uplinklabs.net Cc: Ingo Molnar Signed-off-by: Jiri Slaby commit 0b3f87b4e954c390902d952470a79ef13c224d04 Author: Yang Shi Date: Wed Nov 18 10:48:55 2015 -0800 arm64: restore bogomips information in /proc/cpuinfo commit 92e788b749862ebe9920360513a718e5dd4da7a9 upstream. As previously reported, some userspace applications depend on bogomips showed by /proc/cpuinfo. Although there is much less legacy impact on aarch64 than arm, it does break libvirt. This patch reverts commit 326b16db9f69 ("arm64: delay: don't bother reporting bogomips in /proc/cpuinfo"), but with some tweak due to context change and without the pr_info(). Fixes: 326b16db9f69 ("arm64: delay: don't bother reporting bogomips in /proc/cpuinfo") Signed-off-by: Yang Shi Acked-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Jiri Slaby commit f5e77f5af2a976e6f24feb1fcdd2a6198ae8568b Author: Guenter Roeck Date: Sat Nov 28 08:52:04 2015 -0800 mn10300: Select CONFIG_HAVE_UID16 to fix build failure commit c86576ea114a9a881cf7328dc7181052070ca311 upstream. mn10300 builds fail with fs/stat.c: In function 'cp_old_stat': fs/stat.c:163:2: error: 'old_uid_t' undeclared ipc/util.c: In function 'ipc64_perm_to_ipc_perm': ipc/util.c:540:2: error: 'old_uid_t' undeclared Select CONFIG_HAVE_UID16 and remove local definition of CONFIG_UID16 to fix the problem. Fixes: fbc416ff8618 ("arm64: fix building without CONFIG_UID16") Cc: Arnd Bergmann Acked-by: Arnd Bergmann Acked-by: Acked-by: David Howells Signed-off-by: Guenter Roeck Signed-off-by: Jiri Slaby commit 19a3cb322e06127f8d09050f29302d41eda2f853 Author: Richard Purdie Date: Fri Sep 18 16:31:33 2015 -0700 HID: core: Avoid uninitialized buffer access commit 79b568b9d0c7c5d81932f4486d50b38efdd6da6d upstream. hid_connect adds various strings to the buffer but they're all conditional. You can find circumstances where nothing would be written to it but the kernel will still print the supposedly empty buffer with printk. This leads to corruption on the console/in the logs. Ensure buf is initialized to an empty string. Signed-off-by: Richard Purdie [dvhart: Initialize string to "" rather than assign buf[0] = NULL;] Cc: Jiri Kosina Cc: linux-input@vger.kernel.org Signed-off-by: Darren Hart Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit 01bdbe95b6347933aec4f2c22103cca83adea340 Author: Mikulas Patocka Date: Mon Nov 30 14:47:46 2015 -0500 parisc iommu: fix panic due to trying to allocate too large region commit e46e31a3696ae2d66f32c207df3969613726e636 upstream. When using the Promise TX2+ SATA controller on PA-RISC, the system often crashes with kernel panic, for example just writing data with the dd utility will make it crash. Kernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources CPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2 Backtrace: [<000000004021497c>] show_stack+0x14/0x20 [<0000000040410bf0>] dump_stack+0x88/0x100 [<000000004023978c>] panic+0x124/0x360 [<0000000040452c18>] sba_alloc_range+0x698/0x6a0 [<0000000040453150>] sba_map_sg+0x260/0x5b8 [<000000000c18dbb4>] ata_qc_issue+0x264/0x4a8 [libata] [<000000000c19535c>] ata_scsi_translate+0xe4/0x220 [libata] [<000000000c19a93c>] ata_scsi_queuecmd+0xbc/0x320 [libata] [<0000000040499bbc>] scsi_dispatch_cmd+0xfc/0x130 [<000000004049da34>] scsi_request_fn+0x6e4/0x970 [<00000000403e95a8>] __blk_run_queue+0x40/0x60 [<00000000403e9d8c>] blk_run_queue+0x3c/0x68 [<000000004049a534>] scsi_run_queue+0x2a4/0x360 [<000000004049be68>] scsi_end_request+0x1a8/0x238 [<000000004049de84>] scsi_io_completion+0xfc/0x688 [<0000000040493c74>] scsi_finish_command+0x17c/0x1d0 The cause of the crash is not exhaustion of the IOMMU space, there is plenty of free pages. The function sba_alloc_range is called with size 0x11000, thus the pages_needed variable is 0x11. The function sba_search_bitmap is called with bits_wanted 0x11 and boundary size is 0x10 (because dma_get_seg_boundary(dev) returns 0xffff). The function sba_search_bitmap attempts to allocate 17 pages that must not cross 16-page boundary - it can't satisfy this requirement (iommu_is_span_boundary always returns true) and fails even if there are many free entries in the IOMMU space. How did it happen that we try to allocate 17 pages that don't cross 16-page boundary? The cause is in the function iommu_coalesce_chunks. This function tries to coalesce adjacent entries in the scatterlist. The function does several checks if it may coalesce one entry with the next, one of those checks is this: if (startsg->length + dma_len > max_seg_size) break; When it finishes coalescing adjacent entries, it allocates the mapping: sg_dma_len(contig_sg) = dma_len; dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE); sg_dma_address(contig_sg) = PIDE_FLAG | (iommu_alloc_range(ioc, dev, dma_len) << IOVP_SHIFT) | dma_offset; It is possible that (startsg->length + dma_len > max_seg_size) is false (we are just near the 0x10000 max_seg_size boundary), so the funcion decides to coalesce this entry with the next entry. When the coalescing succeeds, the function performs dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE); And now, because of non-zero dma_offset, dma_len is greater than 0x10000. iommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts to allocate 17 pages for a device that must not cross 16-page boundary. To fix the bug, we must make sure that dma_len after addition of dma_offset and alignment doesn't cross the segment boundary. I.e. change if (startsg->length + dma_len > max_seg_size) break; to if (ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > max_seg_size) break; This patch makes this change (it precalculates max_seg_boundary at the beginning of the function iommu_coalesce_chunks). I also added a check that the mapping length doesn't exceed dma_get_seg_boundary(dev) (it is not needed for Promise TX2+ SATA, but it may be needed for other devices that have dma_get_seg_boundary lower than dma_get_max_seg_size). Signed-off-by: Mikulas Patocka Signed-off-by: Helge Deller Signed-off-by: Jiri Slaby commit 13d8053e68813b547854150d7628e45774210bda Author: Will Deacon Date: Thu Dec 10 16:05:36 2015 +0000 arm64: mm: ensure that the zero page is visible to the page table walker commit 32d6397805d00573ce1fa55f408ce2bca15b0ad3 upstream. In paging_init, we allocate the zero page, memset it to zero and then point TTBR0 to it in order to avoid speculative fetches through the identity mapping. In order to guarantee that the freshly zeroed page is indeed visible to the page table walker, we need to execute a dsb instruction prior to writing the TTBR. Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 8abc0d5b51e7d178e0f0c42814e9830e25bc4509 Author: John Blackwood Date: Mon Dec 7 11:50:34 2015 +0000 arm64: Clear out any singlestep state on a ptrace detach operation commit 5db4fd8c52810bd9740c1240ebf89223b171aa70 upstream. Make sure to clear out any ptrace singlestep state when a ptrace(2) PTRACE_DETACH call is made on arm64 systems. Otherwise, the previously ptraced task will die off with a SIGTRAP signal if the debugger just previously singlestepped the ptraced task. Signed-off-by: John Blackwood [will: added comment to justify why this is in the arch code] Signed-off-by: Will Deacon Signed-off-by: Jiri Slaby commit 4f29293d2b3286bf3ceb26a35990f846e068bc41 Author: Arnd Bergmann Date: Fri Nov 20 12:12:21 2015 +0100 arm64: fix building without CONFIG_UID16 commit fbc416ff86183e2203cdf975e2881d7c164b0271 upstream. As reported by Michal Simek, building an ARM64 kernel with CONFIG_UID16 disabled currently fails because the system call table still needs to reference the individual function entry points that are provided by kernel/sys_ni.c in this case, and the declarations are hidden inside of #ifdef CONFIG_UID16: arch/arm64/include/asm/unistd32.h:57:8: error: 'sys_lchown16' undeclared here (not in a function) __SYSCALL(__NR_lchown, sys_lchown16) I believe this problem only exists on ARM64, because older architectures tend to not need declarations when their system call table is built in assembly code, while newer architectures tend to not need UID16 support. ARM64 only uses these system calls for compatibility with 32-bit ARM binaries. This changes the CONFIG_UID16 check into CONFIG_HAVE_UID16, which is set unconditionally on ARM64 with CONFIG_COMPAT, so we see the declarations whenever we need them, but otherwise the behavior is unchanged. Fixes: af1839eb4bd4 ("Kconfig: clean up the long arch list for the UID16 config option") Signed-off-by: Arnd Bergmann Acked-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Jiri Slaby commit 9bd3d70a00ff00cb2b4e20cc59bd07f3b819f112 Author: Marc Zyngier Date: Mon Nov 16 10:28:17 2015 +0000 arm64: KVM: Fix AArch32 to AArch64 register mapping commit c0f0963464c24e034b858441205455bf2a5d93ad upstream. When running a 32bit guest under a 64bit hypervisor, the ARMv8 architecture defines a mapping of the 32bit registers in the 64bit space. This includes banked registers that are being demultiplexed over the 64bit ones. On exceptions caused by an operation involving a 32bit register, the HW exposes the register number in the ESR_EL2 register. It was so far understood that SW had to distinguish between AArch32 and AArch64 accesses (based on the current AArch32 mode and register number). It turns out that I misinterpreted the ARM ARM, and the clue is in D1.20.1: "For some exceptions, the exception syndrome given in the ESR_ELx identifies one or more register numbers from the issued instruction that generated the exception. Where the exception is taken from an Exception level using AArch32 these register numbers give the AArch64 view of the register." Which means that the HW is already giving us the translated version, and that we shouldn't try to interpret it at all (for example, doing an MMIO operation from the IRQ mode using the LR register leads to very unexpected behaviours). The fix is thus not to perform a call to vcpu_reg32() at all from vcpu_reg(), and use whatever register number is supplied directly. The only case we need to find out about the mapping is when we actively generate a register access, which only occurs when injecting a fault in a guest. Reviewed-by: Robin Murphy Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall Signed-off-by: Jiri Slaby commit a69c779e7eb6df2ba334803a1d4ed3b3ea059249 Author: Ulrich Weigand Date: Tue Jan 12 23:14:22 2016 +1100 scripts/recordmcount.pl: support data in text section on powerpc commit 2e50c4bef77511b42cc226865d6bc568fa7f8769 upstream. If a text section starts out with a data blob before the first function start label, disassembly parsing doing in recordmcount.pl gets confused on powerpc, leading to creation of corrupted module objects. This was not a problem so far since the compiler would never create such text sections. However, this has changed with a recent change in GCC 6 to support distances of > 2GB between a function and its assoicated TOC in the ELFv2 ABI, exposing this problem. There is already code in recordmcount.pl to handle such data blobs on the sparc64 platform. This patch uses the same method to handle those on powerpc as well. Acked-by: Steven Rostedt Signed-off-by: Ulrich Weigand Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit 166947a76a2586f5ac76203620f89d4f7d82faa9 Author: Boqun Feng Date: Mon Nov 2 09:30:32 2015 +0800 powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered commit 81d7a3294de7e9828310bbf986a67246b13fa01e upstream. According to memory-barriers.txt, xchg*, cmpxchg* and their atomic_ versions all need to be fully ordered, however they are now just RELEASE+ACQUIRE, which are not fully ordered. So also replace PPC_RELEASE_BARRIER and PPC_ACQUIRE_BARRIER with PPC_ATOMIC_ENTRY_BARRIER and PPC_ATOMIC_EXIT_BARRIER in __{cmp,}xchg_{u32,u64} respectively to guarantee fully ordered semantics of atomic{,64}_{cmp,}xchg() and {cmp,}xchg(), as a complement of commit b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics") This patch depends on patch "powerpc: Make value-returning atomics fully ordered" for PPC_ATOMIC_ENTRY_BARRIER definition. Signed-off-by: Boqun Feng Reviewed-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit 432c20b3ad866df7b2879437f0331785dc5c073c Author: Boqun Feng Date: Mon Nov 2 09:30:31 2015 +0800 powerpc: Make value-returning atomics fully ordered commit 49e9cf3f0c04bf76ffa59242254110309554861d upstream. According to memory-barriers.txt: > Any atomic operation that modifies some state in memory and returns > information about the state (old or new) implies an SMP-conditional > general memory barrier (smp_mb()) on each side of the actual > operation ... Which mean these operations should be fully ordered. However on PPC, PPC_ATOMIC_ENTRY_BARRIER is the barrier before the actual operation, which is currently "lwsync" if SMP=y. The leading "lwsync" can not guarantee fully ordered atomics, according to Paul Mckenney: https://lkml.org/lkml/2015/10/14/970 To fix this, we define PPC_ATOMIC_ENTRY_BARRIER as "sync" to guarantee the fully-ordered semantics. This also makes futex atomics fully ordered, which can avoid possible memory ordering problems if userspace code relies on futex system call for fully ordered semantics. Fixes: b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics") Signed-off-by: Boqun Feng Reviewed-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit e9214d1047a5f215b2275ba6374fb076b9c73245 Author: Michael Neuling Date: Thu Nov 19 15:44:44 2015 +1100 powerpc/tm: Block signal return setting invalid MSR state commit d2b9d2a5ad5ef04ff978c9923d19730cb05efd55 upstream. Currently we allow both the MSR T and S bits to be set by userspace on a signal return. Unfortunately this is a reserved configuration and will cause a TM Bad Thing exception if attempted (via rfid). This patch checks for this case in both the 32 and 64 bit signals code. If both T and S are set, we mark the context as invalid. Found using a syscall fuzzer. Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") Signed-off-by: Michael Neuling Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit 3e29fa5b742479f73400468314a1c6b9cf553ee4 Author: Dan Streetman Date: Thu Oct 29 09:51:16 2015 -0400 xfrm: dst_entries_init() per-net dst_ops [ Upstream commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 ] Remove the dst_entries_init/destroy calls for xfrm4 and xfrm6 dst_ops templates; their dst_entries counters will never be used. Move the xfrm dst_ops initialization from the common xfrm/xfrm_policy.c to xfrm4/xfrm4_policy.c and xfrm6/xfrm6_policy.c, and call dst_entries_init and dst_entries_destroy for each net namespace. The ipv4 and ipv6 xfrms each create dst_ops template, and perform dst_entries_init on the templates. The template values are copied to each net namespace's xfrm.xfrm*_dst_ops. The problem there is the dst_ops pcpuc_entries field is a percpu counter and cannot be used correctly by simply copying it to another object. The result of this is a very subtle bug; changes to the dst entries counter from one net namespace may sometimes get applied to a different net namespace dst entries counter. This is because of how the percpu counter works; it has a main count field as well as a pointer to the percpu variables. Each net namespace maintains its own main count variable, but all point to one set of percpu variables. When any net namespace happens to change one of the percpu variables to outside its small batch range, its count is moved to the net namespace's main count variable. So with multiple net namespaces operating concurrently, the dst_ops entries counter can stray from the actual value that it should be; if counts are consistently moved from one net namespace to another (which my testing showed is likely), then one net namespace winds up with a negative dst_ops count while another winds up with a continually increasing count, eventually reaching its gc_thresh limit, which causes all new traffic on the net namespace to fail with -ENOBUFS. Signed-off-by: Dan Streetman Signed-off-by: Dan Streetman Signed-off-by: Steffen Klassert Signed-off-by: Jiri Slaby commit a319d18681f42990453e19bdf85992c000c5f4d1 Author: Ido Schimmel Date: Mon Jan 18 17:30:22 2016 +0200 team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid [ Upstream commit 60a6531bfe49555581ccd65f66a350cc5693fcde ] We can't be within an RCU read-side critical section when deleting VLANs, as underlying drivers might sleep during the hardware operation. Therefore, replace the RCU critical section with a mutex. This is consistent with team_vlan_rx_add_vid. Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") Acked-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 28882454834f38bd754797c681f74991e45264a5 Author: Eric Dumazet Date: Fri Jan 15 04:56:56 2016 -0800 ipv6: update skb->csum when CE mark is propagated [ Upstream commit 34ae6a1aa0540f0f781dd265366036355fdc8930 ] When a tunnel decapsulates the outer header, it has to comply with RFC 6080 and eventually propagate CE mark into inner header. It turns out IP6_ECN_set_ce() does not correctly update skb->csum for CHECKSUM_COMPLETE packets, triggering infamous "hw csum failure" messages and stack traces. Signed-off-by: Eric Dumazet Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 2f9623733b1bc38d85693744edd41b0016d85260 Author: Eric Dumazet Date: Tue Jan 12 08:58:00 2016 -0800 phonet: properly unshare skbs in phonet_rcv() [ Upstream commit 7aaed57c5c2890634cfadf725173c7c68ea4cb4f ] Ivaylo Dimitrov reported a regression caused by commit 7866a621043f ("dev: add per net_device packet type chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs or corruptions could happen without major crash. But the root cause is that phonet_rcv() can queue skb without checking if skb is shared or not. Many thanks to Ivaylo Dimitrov for his help, diagnosis and tests. Reported-by: Ivaylo Dimitrov Tested-by: Ivaylo Dimitrov Signed-off-by: Eric Dumazet Cc: Remi Denis-Courmont Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 113cc80b09e7ea508faa27636026560cb3cd7764 Author: Neal Cardwell Date: Mon Jan 11 13:42:43 2016 -0500 tcp_yeah: don't set ssthresh below 2 [ Upstream commit 83d15e70c4d8909d722c0d64747d8fb42e38a48f ] For tcp_yeah, use an ssthresh floor of 2, the same floor used by Reno and CUBIC, per RFC 5681 (equation 4). tcp_yeah_ssthresh() was sometimes returning a 0 or negative ssthresh value if the intended reduction is as big or bigger than the current cwnd. Congestion control modules should never return a zero or negative ssthresh. A zero ssthresh generally results in a zero cwnd, causing the connection to stall. A negative ssthresh value will be interpreted as a u32 and will set a target cwnd for PRR near 4 billion. Oleksandr Natalenko reported that a system using tcp_yeah with ECN could see a warning about a prior_cwnd of 0 in tcp_cwnd_reduction(). Testing verified that this was due to tcp_yeah_ssthresh() misbehaving in this way. Reported-by: Oleksandr Natalenko Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit ea28b18b992f25d05632725c33ff79b943b6d02f Author: Eric Dumazet Date: Fri Jan 8 09:35:51 2016 -0800 ipv6: tcp: add rcu locking in tcp_v6_send_synack() [ Upstream commit 3e4006f0b86a5ae5eb0e8215f9a9e1db24506977 ] When first SYNACK is sent, we already hold rcu_read_lock(), but this is not true if a SYNACK is retransmitted, as a timer (soft) interrupt does not hold rcu_read_lock() Fixes: 45f6fad84cc30 ("ipv6: add complete rcu protection around np->opt") Reported-by: Dave Jones Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 9a4492707cb613dd2b13806031966752b0d1f8a6 Author: Sasha Levin Date: Thu Jan 7 14:52:43 2016 -0500 net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory [ Upstream commit 320f1a4a175e7cd5d3f006f92b4d4d3e2cbb7bb5 ] proc_dostring() needs an initialized destination string, while the one provided in proc_sctp_do_hmac_alg() contains stack garbage. Thus, writing to cookie_hmac_alg would strlen() that garbage and end up accessing invalid memory. Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic") Signed-off-by: Sasha Levin Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit b2e4e6d22b319e997d9f78215342b33d148f5caa Author: Hannes Frederic Sowa Date: Tue Jan 5 10:46:00 2016 +0100 bridge: Only call /sbin/bridge-stp for the initial network namespace [ Upstream commit ff62198553e43cdffa9d539f6165d3e83f8a42bc ] [I stole this patch from Eric Biederman. He wrote:] > There is no defined mechanism to pass network namespace information > into /sbin/bridge-stp therefore don't even try to invoke it except > for bridge devices in the initial network namespace. > > It is possible for unprivileged users to cause /sbin/bridge-stp to be > invoked for any network device name which if /sbin/bridge-stp does not > guard against unreasonable arguments or being invoked twice on the > same network device could cause problems. [Hannes: changed patch using netns_eq] Cc: Eric W. Biederman Signed-off-by: Eric W. Biederman Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 20f16f7e1a55aaa424af3de6227c58f5fac45749 Author: Florian Westphal Date: Thu Dec 31 14:26:33 2015 +0100 connector: bump skb->users before callback invocation [ Upstream commit 55285bf09427c5abf43ee1d54e892f352092b1f1 ] Dmitry reports memleak with syskaller program. Problem is that connector bumps skb usecount but might not invoke callback. So move skb_get to where we invoke the callback. Reported-by: Dmitry Vyukov Signed-off-by: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 7bb8b4ae0a88f9bbaa492fdc9dd5b52045a19692 Author: Xin Long Date: Tue Dec 29 17:49:25 2015 +0800 sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close [ Upstream commit 068d8bd338e855286aea54e70d1c101569284b21 ] In sctp_close, sctp_make_abort_user may return NULL because of memory allocation failure. If this happens, it will bypass any state change and never free the assoc. The assoc has no chance to be freed and it will be kept in memory with the state it had even after the socket is closed by sctp_close(). So if sctp_make_abort_user fails to allocate memory, we should abort the asoc via sctp_primitive_ABORT as well. Just like the annotation in sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said, "Even if we can't send the ABORT due to low memory delete the TCB. This is a departure from our typical NOMEM handling". But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would dereference the chunk pointer, and system crash. So we should add SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other places where it adds SCTP_CMD_REPLY cmd. Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 3877fb02b9401f707b24cbce842b85ba399c491a Author: Andrey Ryabinin Date: Mon Dec 21 12:54:45 2015 +0300 ipv6/addrlabel: fix ip6addrlbl_get() [ Upstream commit e459dfeeb64008b2d23bdf600f03b3605dbb8152 ] ip6addrlbl_get() has never worked. If ip6addrlbl_hold() succeeded, ip6addrlbl_get() will exit with '-ESRCH'. If ip6addrlbl_hold() failed, ip6addrlbl_get() will use about to be free ip6addrlbl_entry pointer. Fix this by inverting ip6addrlbl_hold() check. Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") Signed-off-by: Andrey Ryabinin Reviewed-by: Cong Wang Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 0f915418573abbc0dbb610f711e01567ac0f1dde Author: Vijay Pandurangan Date: Fri Dec 18 14:34:59 2015 -0500 veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. [ Upstream commit ce8c839b74e3017996fad4e1b7ba2e2625ede82f ] Packets that arrive from real hardware devices have ip_summed == CHECKSUM_UNNECESSARY if the hardware verified the checksums, or CHECKSUM_NONE if the packet is bad or it was unable to verify it. The current version of veth will replace CHECKSUM_NONE with CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to a veth device to be delivered to the application. This caused applications at Twitter to receive corrupt data when network hardware was corrupting packets. We believe this was added as an optimization to skip computing and verifying checksums for communication between containers. However, locally generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as written does nothing for them. As far as we can tell, after removing this code, these packets are transmitted from one stack to another unmodified (tcpdump shows invalid checksums on both sides, as expected), and they are delivered correctly to applications. We didn’t test every possible network configuration, but we tried a few common ones such as bridging containers, using NAT between the host and a container, and routing from hardware devices to containers. We have effectively deployed this in production at Twitter (by disabling RX checksum offloading on veth devices). This code dates back to the first version of the driver, commit ("[NET]: Virtual ethernet device driver"), so I suspect this bug occurred mostly because the driver API has evolved significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix packet checksumming") (in December 2010) fixed this for packets that get created locally and sent to hardware devices, by not changing CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming in from hardware devices. Co-authored-by: Evan Jones Signed-off-by: Evan Jones Cc: Nicolas Dichtel Cc: Phil Sutter Cc: Toshiaki Makita Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Vijay Pandurangan Acked-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 7b6b7c51bcc2096c6d20eb2e7f0af2704011bfb6 Author: Arnd Bergmann Date: Tue Jan 13 17:10:58 2015 +0100 mISDN: avoid arch specific __builtin_return_address call commit 3e7a8716e20b759eec0ad88145255bb33174f0c8 upstream. Not all architectures are able to call __builtin_return_address(). On ARM, the mISDN code produces this warning: hardware/mISDN/w6692.c: In function 'w6692_dctrl': hardware/mISDN/w6692.c:1181:75: warning: unsupported argument to '__builtin_return_address' pr_debug("%s: %s dev(%d) open from %p\n", card->name, __func__, ^ hardware/mISDN/mISDNipac.c: In function 'open_dchannel': hardware/mISDN/mISDNipac.c:759:75: warning: unsupported argument to '__builtin_return_address' pr_debug("%s: %s dev(%d) open from %p\n", isac->name, __func__, ^ In a lot of cases, this is relatively easy to work around by passing the value of __builtin_return_address(0) from the callers into the functions that want it. One exception is the indirect 'open' function call in struct isac_hw. While it would be possible to fix this as well, this patch only addresses the other callers properly and lets this one return the direct parent function, which should be good enough. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 97102daa8efada0036ab6b691458ea8975a61055 Author: Paul Bolle Date: Thu Jan 9 11:53:27 2014 +0100 RDMA/cxgb4: Fix gcc warning on 32-bit arch commit 298589b1cb626adf4beba6dd8e3cd4b64e8799be upstream. Building mem.o for 32 bits x86 triggers a GCC warning: drivers/infiniband/hw/cxgb4/mem.c: In function '_c4iw_write_mem_dma_aligned': drivers/infiniband/hw/cxgb4/mem.c:79:25: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] Silence that warning by casting "&wr_wait" to unsigned long before casting it to __be64. That's what _c4iw_write_mem_inline() already does. Signed-off-by: Paul Bolle Acked-by: Steve Wise Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit f14f05bd713d5a1c5ff9da1cd2e093366e15d61c Author: Kees Cook Date: Thu Oct 24 09:25:39 2013 -0700 lkdtm: adjust recursion size to avoid warnings commit 7d196ac303652588c60350f0a581d71e2e7b1a50 upstream. When CONFIG_FRAME_WARN is set low (e.g. some ARM builds), the hard-coded stack buffer size used for kernel stack over run testing triggers build warnings. Instead, avoid the warning by recalcuating the buffer size and recursion count needed to trigger the test. Also uses the recursion counter indirectly to avoid changing the parameter during the test. Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 72ed62e1217626d3699b4d24e431b4decc359f4f Author: Fabio Estevam Date: Sat Nov 9 15:59:02 2013 -0200 drm: radeon: ni_dpm: Fix unused variable warning when CONFIG_ACPI=n commit 71473dbd66d4a61be4cd531ef96b4877f6ee3941 upstream. With CONFIG_ACPI=n the following build warning is seen: drivers/gpu/drm/radeon/ni_dpm.c:3448:31: warning: unused variable 'eg_pi' [-Wunused-variable] Move the definition of eg_pi inside the CONFIG_ACPI 'if' block. Signed-off-by: Fabio Estevam Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit aa4e02c1183d90f2f575822001b7fd4b0e8cee8e Author: Alex Deucher Date: Tue Nov 12 12:31:54 2013 -0500 drm/radeon: cypress_dpm: Fix unused variable warning when CONFIG_ACPI=n commit 936b32643cb03dcb34ef5dab81970229b1cc2a33 upstream. With CONFIG_ACPI=n the following build warning is seen: drivers/gpu/drm/radeon/cypress_dpm.c:302:31: warning: unused variable 'eg_pi' [-Wunused-variable] Protect eg_pi with CONFIG_ACPI. Based on patch from: Fabio Estevam but doesn't mix allocation and code. Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit c49a18300ffce812f40ef269c76ddfbcbd01e5db Author: Uwe Kleine-König Date: Wed Sep 24 08:51:57 2014 +0100 ARM: 8160/1: drop warning about return_address not using unwind tables commit e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream. The warning was introduced in 2009 (commit 4bf1fa5a34aa ([ARM] 5613/1: implement CALLER_ADDRESSx)). The only "problem" here is that CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm. The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not traceable. Signed-off-by: Uwe Kleine-König Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit 94738c4f7c1cfefee481a3d3e5c8f78de2c9fd41 Author: Behan Webster Date: Wed Sep 24 01:06:46 2014 +0100 ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h commit aeea3592a13bf12861943e44fc48f1f270941f8d upstream. With compilers which follow the C99 standard (like modern versions of gcc and clang), "extern inline" does the wrong thing (emits code for an externally linkable version of the inline function). In this case using static inline and removing the NULL version of return_address in return_address.c does the right thing. Signed-off-by: Behan Webster Reviewed-by: Mark Charlebois Acked-by: Steven Rostedt Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit 769954681990aa9ff4c50fb4a3b953894bf03345 Author: Oliver Neukum Date: Thu Dec 3 15:03:34 2015 +0100 xhci: refuse loading if nousb is used commit 1eaf35e4dd592c59041bc1ed3248c46326da1f5f upstream. The module should fail to load. Signed-off-by: Oliver Neukum Signed-off-by: Jiri Slaby commit 12b12f7bacd69c540ec77b31127d6147082f1846 Author: Oliver Freyermuth Date: Mon Dec 28 18:37:38 2015 +0100 USB: cp210x: add ID for ELV Marble Sound Board 1 commit f7d7f59ab124748156ea551edf789994f05da342 upstream. Add the USB device ID for ELV Marble Sound Board 1. Signed-off-by: Oliver Freyermuth Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 54773340800a5e1385074788b875331c66aa39a9 Author: Dan Carpenter Date: Wed Dec 16 14:06:37 2015 +0300 USB: ipaq.c: fix a timeout loop commit abdc9a3b4bac97add99e1d77dc6d28623afe682b upstream. The code expects the loop to end with "retries" set to zero but, because it is a post-op, it will end set to -1. I have fixed this by moving the decrement inside the loop. Fixes: 014aa2a3c32e ('USB: ipaq: minor ipaq_open() cleanup.') Signed-off-by: Dan Carpenter Signed-off-by: Jiri Slaby commit b9b2a88e2b4640362d6a125cbcd5ed12d5ef9d4d Author: Chunfeng Yun Date: Fri Dec 4 15:53:43 2015 +0200 usb: xhci: fix config fail of FS hub behind a HS hub with MTT commit 096b110a3dd3c868e4610937c80d2e3f3357c1a9 upstream. if a full speed hub connects to a high speed hub which supports MTT, the MTT field of its slot context will be set to 1 when xHCI driver setups an xHCI virtual device in xhci_setup_addressable_virt_dev(); once usb core fetch its hub descriptor, and need to update the xHC's internal data structures for the device, the HUB field of its slot context will be set to 1 too, meanwhile MTT is also set before, this will cause configure endpoint command fail, so in the case, we should clear MTT to 0 for full speed hub according to section 6.2.2 Signed-off-by: Chunfeng Yun Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit 336b1b5095d65f846b023bb92125fa2beb99bdbb Author: Vinod Koul Date: Thu Jan 7 21:48:14 2016 +0530 ASoC: compress: Fix compress device direction check commit a1068045883ed4a18363a4ebad0c3d55e473b716 upstream. The detection of direction for compress was only taking into account codec capabilities and not CPU ones. Fix this by checking the CPU side capabilities as well Tested-by: Ashish Panwar Signed-off-by: Vinod Koul Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit a534abca7ba216497289a56ad715262edc8430af Author: Nikesh Oswal Date: Wed Dec 23 14:18:05 2015 +0000 ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz commit e73694d871867cae8471d2350ce89acb38bc2b63 upstream. For a sample rate of 12kHz the bclk was taken from the 44.1kHz table as we test for a multiple of 8kHz. This patch fixes this issue by testing for multiples of 4kHz instead. Signed-off-by: Nikesh Oswal Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 3a793e4f287c91f95b5510994b6666a42b128e9d Author: Sachin Pandhare Date: Tue Nov 10 23:38:02 2015 +0530 ASoC: wm8962: correct addresses for HPF_C_0/1 commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream. From datasheet: R17408 (4400h) HPF_C_1 R17409 (4401h) HPF_C_0 17048 -> 17408 (0x4400) 17049 -> 17409 (0x4401) Signed-off-by: Sachin Pandhare Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 5254c684be63fb23d8eb25b05f05ddefcd73b43c Author: Takashi Iwai Date: Mon Jan 18 14:12:40 2016 +0100 ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream. When a TLV ioctl with numid zero is handled, the driver may spew a kernel warning with a stack trace at each call. The check was intended obviously only for a kernel driver, but not for a user interaction. Let's fix it. This was spotted by syzkaller fuzzer. Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 30e269d8d1af5ab11e613eab94af33693e95ade6 Author: Takashi Iwai Date: Mon Jan 18 13:52:47 2016 +0100 ALSA: hrtimer: Fix stall by hrtimer_cancel() commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream. hrtimer_cancel() waits for the completion from the callback, thus it must not be called inside the callback itself. This was already a problem in the past with ALSA hrtimer driver, and the early commit [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it. However, the previous fix is still insufficient: it may still cause a lockup when the ALSA timer instance reprograms itself in its callback. Then it invokes the start function even in snd_timer_interrupt() that is called in hrtimer callback itself, results in a CPU stall. This is no hypothetical problem but actually triggered by syzkaller fuzzer. This patch tries to fix the issue again. Now we call hrtimer_try_to_cancel() at both start and stop functions so that it won't fall into a deadlock, yet giving some chance to cancel the queue if the functions have been called outside the callback. The proper hrtimer_cancel() is called in anyway at closing, so this should be enough. Reported-and-tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 73c6819503642b1318343be17bf37bf4682669fe Author: Nicolas Boichat Date: Mon Jan 18 21:35:00 2016 +0800 ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream. This reverts one hunk of commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls. In this case, we are copying from a struct snd_pcm_hw_params32 to a struct snd_pcm_hw_params, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls. This actually leads to an out-of-bounds memory access later on in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan). Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') Signed-off-by: Nicolas Boichat Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit c22f48895eca5b5fca1147f2605f81e8fd5f4538 Author: Nicolas Boichat Date: Mon Jan 18 21:35:01 2016 +0800 ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream. This reverts one hunk of commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls. In this case, we are copying from a struct snd_seq_port_info32 to a struct snd_seq_port_info, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls. Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') Signed-off-by: Nicolas Boichat Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit d8f5adeeed06acd63b93bc757a7e09adc8c33e64 Author: Takashi Iwai Date: Wed Jan 13 21:35:06 2016 +0100 ALSA: timer: Fix double unlink of active_list commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream. ALSA timer instance object has a couple of linked lists and they are unlinked unconditionally at snd_timer_stop(). Meanwhile snd_timer_interrupt() unlinks it, but it calls list_del() which leaves the element list itself unchanged. This ends up with unlinking twice, and it was caught by syzkaller fuzzer. The fix is to use list_del_init() variant properly there, too. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 7210b17187111e20afca4b4e30a31fa13c71a61b Author: Takashi Iwai Date: Wed Jan 13 17:48:01 2016 +0100 ALSA: timer: Fix race among timer ioctls commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream. ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 6e74b2deb63c48ddcd318b6c3d69f4f503e65d18 Author: Takashi Iwai Date: Thu Jan 14 16:30:58 2016 +0100 ALSA: timer: Harden slave timer list handling commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream. A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks of locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues. Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 49386ca9bcb24608ed22e19fb61599e6049f8a44 Author: Takashi Iwai Date: Tue Jan 12 15:36:27 2016 +0100 ALSA: seq: Fix race at timer setup and close commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 2e17cb8c3553b2d61d9d70344bbec8a82c56e7d7 Author: Takashi Iwai Date: Tue Jan 12 12:38:02 2016 +0100 ALSA: seq: Fix missing NULL check at remove_events ioctl commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream. snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally even if there is no FIFO assigned, and this leads to an Oops due to NULL dereference. The fix is just to add a proper NULL check. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit a4304789eba2e76482913620409000a88fe2d052 Author: Mario Kleiner Date: Tue Dec 22 00:45:43 2015 +0100 ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2) commit 9f660a1c43890c2cdd1f423fd73654e7ca08fe56 upstream. Without this patch, internal speaker and line-out work, but front headphone output jack stays silent on the Mac Pro 4,1. This code path also gets executed on the MacPro 5,1 due to identical codec SSID, but i don't know if it has any positive or adverse effects there or not. (v2) Implement feedback from Takashi Iwai: Reuse alc889_fixup_mbp_vref and just add a new nid 0x19 for the MacPro 4,1. Signed-off-by: Mario Kleiner Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit de9e597b794d947c5cce92be4ce93edf53fd6403 Author: Xiong Zhang Date: Fri Dec 18 13:29:18 2015 +0800 ALSA: hda - Set SKL+ hda controller power at freeze() and thaw() commit 3e6db33aaf1d42a30339f831ec4850570d6cc7a3 upstream. It takes three minutes to enter into hibernation on some OEM SKL machines and we see many codec spurious response after thaw() opertion. This is because HDA is still in D0 state after freeze() call and pci_pm_freeze/pci_pm_freeze_noirq() don't set D3 hot in pci_bus driver. It seems bios still access HDA when system enter into freeze state, HDA will receive codec response interrupt immediately after thaw() call. Because of this unexpected interrupt, HDA enter into a abnormal state and slow down the system enter into hibernation. In this patch, we put HDA into D3 hot state in azx_freeze_noirq() and put HDA into D0 state in azx_thaw_noirq(). V2: Only apply this fix to SKL+ Fix compile error when CONFIG_PM_SLEEP isn't defined [Yet another fix for CONFIG_PM_SLEEP ifdef and the additional comment by tiwai] Signed-off-by: Xiong Zhang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit e9ba0640bbcaf92ed860559926e0bb8cd6b8137f Author: David Henningsson Date: Mon Dec 7 11:29:31 2015 +0100 ALSA: hda - Add inverted dmic for Packard Bell DOTS commit 02f6ff90400d055f08b0ba0b5f0707630b6faed7 upstream. On the internal mic of the Packard Bell DOTS, one channel has an inverted signal. Add a quirk to fix this up. BugLink: https://bugs.launchpad.net/bugs/1523232 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 74c0820133f1dada0d70c74bc70a9530b2697f86 Author: Takashi Iwai Date: Fri Dec 4 16:44:24 2015 +0100 ALSA: rme96: Fix unexpected volume reset after rate changes commit a74a821624c0c75388a193337babd17a8c02c740 upstream. rme96 driver needs to reset DAC depending on the sample rate, and this results in resetting to the max volume suddenly. It's because of the missing call of snd_rme96_apply_dac_volume(). However, calling this function right after the DAC reset still may not work, and we need some delay before this call. Since the DAC reset and the procedure after that are performed in the spinlock, we delay the DAC volume restore at the end after the spinlock. Reported-and-tested-by: Sylvain LABOISNE Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby