commit 324d8201ba64861b8cf7750aeef08aea062b691a Author: Sasha Levin Date: Sat Jun 13 15:17:18 2015 -0400 Linux 3.18.15 Signed-off-by: Sasha Levin commit 6d1637919e07a42598bebd1c04a9c565cc7ea6da Author: Tony Lindgren Date: Thu Jun 11 11:47:53 2015 -0700 ARM: OMAP3: Fix booting with thumb2 kernel We get a NULL pointer dereference on omap3 for thumb2 compiled kernels: Internal error: Oops: 80000005 [#1] SMP THUMB2 ... [] (_raw_spin_unlock_irqrestore) from [] (omap3_enter_idle_bm+0xc5/0x178) [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x77/0x27c) [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x155/0x23c) [] (cpu_startup_entry) from [] (start_kernel+0x32f/0x338) [] (start_kernel) from [<8000807f>] (0x8000807f) The power management related assembly on omaps needs to interact with ARM mode bootrom code, so we need to keep most of the related assembly in ARM mode. Turns out this error is because of missing ENDPROC for assembly code as suggested by Stephen Boyd . Let's fix the problem by adding ENDPROC in two places to sleep34xx.S. Let's also remove the now duplicate custom code for mode switching. This has been unnecessary since commit 6ebbf2ce437b ("ARM: convert all "mov.* pc, reg" to "bx reg" for ARMv6+"). And let's also remove the comments about local variables, they are now just confusing after the ENDPROC. The reason why ENDPROC makes a difference is it sets .type and then the compiler knows what to do with the thumb bit as explained at: https://wiki.ubuntu.com/ARM/Thumb2PortingHowto Reported-by: Kevin Hilman Tested-by: Kevin Hilman Signed-off-by: Tony Lindgren (cherry picked from commit d8a50941c91a68da202aaa96a3dacd471ea9c693) Cc: # v3.18+ Signed-off-by: Kevin Hilman Signed-off-by: Sasha Levin commit 25798d3d216334361a51ac37429a83c1faa5e97d Author: huaibin Wang Date: Wed Feb 11 18:10:36 2015 +0100 xfrm: release dst_orig in case of error in xfrm_lookup() [ Upstream commit ac37e2515c1a89c477459a2020b6bfdedabdb91b ] dst_orig should be released on error. Function like __xfrm_route_forward() expects that behavior. Since a recent commit, xfrm_lookup() may also be called by xfrm_lookup_route(), which expects the opposite. Let's introduce a new flag (XFRM_LOOKUP_KEEP_DST_REF) to tell what should be done in case of error. Fixes: f92ee61982d("xfrm: Generate blackhole routes only from route lookup functions") Signed-off-by: huaibin Wang Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 7d3b628cb83c4813a7d1bfae28b9a5b196d808c8 Author: Vineet Gupta Date: Sun May 10 12:04:01 2015 +0530 ARC: unbork !LLSC build [ Upstream commit daaf40e53b5dbdf75255d58a45ce8ac65ca511a8 ] Fixes: f7d11e93ee97a locking,arch,arc: Fold atomic_ops Cc: # 3.18 Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 929275120290b354e361646d942ee905fe4c2687 Author: Wei Yongjun Date: Thu Apr 16 20:19:43 2015 +0800 power/reset: at91: fix return value check in at91_reset_platform_probe() [ Upstream commit 932df43005389300a3336421e4aedb25390ae144 ] In case of error, the function devm_ioremap() returns NULL not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with NULL test. Fixes: ecfe64d8c55f ("power: reset: Add AT91 reset driver") Signed-off-by: Wei Yongjun Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 444a3e132498a80ddd48296897e3ffe1ff53eb76 Author: Sasha Levin Date: Wed Jan 28 15:30:43 2015 -0500 vfs: read file_handle only once in handle_to_path [ Upstream commit 161f873b89136eb1e69477c847d5a5033239d9ba ] We used to read file_handle twice. Once to get the amount of extra bytes, and once to fetch the entire structure. This may be problematic since we do size verifications only after the first read, so if the number of extra bytes changes in userspace between the first and second calls, we'll have an incoherent view of file_handle. Instead, read the constant size once, and copy that over to the final structure without having to re-read it again. Signed-off-by: Sasha Levin Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 59357f02e283dcdb51605301e2c9a5010881c6a6 Author: Christian König Date: Thu May 28 15:51:59 2015 +0200 drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling" [ Upstream commit 7c0411d2fabc2e2702c9871ffb603e251158b317 ] We have that bug for years and some users report side effects when fixing it on older hardware. So revert it for VM_CONTEXT0_PAGE_TABLE_END_ADDR, but keep it for VM 1-15. Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6be00fc73041d4ca474923ab97f44b6505a7cf93 Author: Alex Deucher Date: Tue May 26 18:01:05 2015 -0400 drm/radeon: don't share plls if monitors differ in audio support [ Upstream commit a10f0df0615abb194968fc08147f3cdd70fd5aa5 ] Enabling audio may enable different pll dividers. Don't share plls if the monitors differ in audio support. bug: https://bugzilla.kernel.org/show_bug.cgi?id=98751 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 33c2de6b41bf6555189fa67a5779d78bed324675 Author: Alex Deucher Date: Mon May 18 10:38:25 2015 -0400 drm/radeon: retry dcpd fetch [ Upstream commit 0f28d1281b6c54cc98746ae61e44e7f540758ed4 ] Retry the dpcd fetch several times. Some eDP panels fail several times before the fetch is successful. bug: https://bugs.freedesktop.org/show_bug.cgi?id=73530 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit b772265d7dd5f06e5796d304c413e1a49f2fcde7 Author: Christian König Date: Tue May 12 14:56:17 2015 +0200 drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling [ Upstream commit 607d48063512707a414e346972e2210dc71ab491 ] The mapping range is inclusive between starting and ending addresses. Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 1138470db640bea4462fc64f7e72e499f583f2f3 Author: Alex Deucher Date: Tue May 12 12:51:38 2015 -0400 drm/radeon: add new bonaire pci id [ Upstream commit fcf3b54282e4c5a95a1f45f67558bc105acdbc6a ] Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 512a344861c5b163d34685302347ff2c02197bc6 Author: Liad Kaufman Date: Thu Apr 16 17:21:12 2015 +0300 iwlwifi: pcie: prevent using unmapped memory in fw monitor [ Upstream commit 553452e5ffc0ed13214a287549627d02d9d7fbdc ] In the case of a DMA mapping error on the last iteration of the loop of the allocation of memory of the FW monitor we indeed free the pages, but don't NULL out the page variable thus allowing for the possibility of setting the FW monitor variables with invalid data to use. Fixes: c2d202017da1 ("iwlwifi: pcie: add firmware monitor capabilities") Signed-off-by: Liad Kaufman Signed-off-by: Emmanuel Grumbach Signed-off-by: Sasha Levin commit beeaeeac0f3ea0ad59fbf2ff86e956b1504e16f6 Author: Rafael J. Wysocki Date: Thu May 7 21:19:39 2015 +0200 ACPI / init: Fix the ordering of acpi_reserve_resources() [ Upstream commit b9a5e5e18fbf223502c0b2264c15024e393da928 ] Since acpi_reserve_resources() is defined as a device_initcall(), there's no guarantee that it will be executed in the right order with respect to the rest of the ACPI initialization code. On some systems this leads to breakage if, for example, the address range that should be reserved for the ACPI fixed registers is given to the PCI host bridge instead if the race is won by the wrong code path. Fix this by turning acpi_reserve_resources() into a void function and calling it directly from within the ACPI initialization sequence. Reported-and-tested-by: George McCollister Link: http://marc.info/?t=143092384600002&r=1&w=2 Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f991e4e397c331d9c5ee45f30e362d95581720f6 Author: Mark Hounschell Date: Wed May 13 10:49:09 2015 +0200 sd: Disable support for 256 byte/sector disks [ Upstream commit 74856fbf441929918c49ff262ace9835048e4e6a ] 256 bytes per sector support has been broken since 2.6.X, and no-one stepped up to fix this. So disable support for it. Signed-off-by: Mark Hounschell Signed-off-by: Hannes Reinecke Cc: stable@vger.kernel.org Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit 65c686d9472936d333532e9f85c4ff35d65b722c Author: K. Y. Srinivasan Date: Fri May 1 11:03:02 2015 -0700 storvsc: Set the SRB flags correctly when no data transfer is needed [ Upstream commit dc45708ca9988656d706940df5fd102672c5de92 ] Set the SRB flags correctly when there is no data transfer. Without this change some IHV drivers will fail valid commands such as TEST_UNIT_READY. Cc: Signed-off-by: K. Y. Srinivasan Reviewed-by: Long Li Signed-off-by: James Bottomley Signed-off-by: Sasha Levin commit 7cbece11c6b77acaf3421f8bf0d5684237c396c9 Author: Larry Finger Date: Fri Apr 24 11:03:37 2015 -0500 rtlwifi: rtl8192cu: Fix kernel deadlock [ Upstream commit 414b7e3b9ce8b0577f613e656fdbc36b34b444dd ] The USB mini-driver in rtlwifi, which is used by rtl8192cu, issues a call to usb_control_msg() with a timeout value of 0. In some instances where the interface is shutting down, this infinite wait results in a CPU deadlock. A one second timeout fixes this problem without affecting any normal operations. This bug is reported at https://bugzilla.novell.com/show_bug.cgi?id=927786. Reported-by: Bernhard Wiedemann Tested-by: Bernhard Wiedemann Signed-off-by: Larry Finger Cc: Stable Cc: Bernhard Wiedemann Cc: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 7747ae24bbd0412325277e082e6dba6295ee9a11 Author: NeilBrown Date: Fri May 8 18:19:34 2015 +1000 md/raid5: don't record new size if resize_stripes fails. [ Upstream commit 6e9eac2dcee5e19f125967dd2be3e36558c42fff ] If any memory allocation in resize_stripes fails we will return -ENOMEM, but in some cases we update conf->pool_size anyway. This means that if we try again, the allocations will be assumed to be larger than they are, and badness results. So only update pool_size if there is no error. This bug was introduced in 2.6.17 and the patch is suitable for -stable. Fixes: ad01c9e3752f ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array") Cc: stable@vger.kernel.org (v2.6.17+) Signed-off-by: NeilBrown Signed-off-by: Sasha Levin commit 954e522029b02a94a94a22d0696409121e694473 Author: Nadav Haklai Date: Wed Apr 15 19:08:08 2015 +0200 thermal: armada: Update Armada 380 thermal sensor coefficients [ Upstream commit efa86858e1d8970411a140fa1e0c4dd18a8f2a89 ] Improve the Armada 380 thermal sensor accuracy by using updated formula. The updated formula is: Temperature[C degrees] = 0.4761 * tsen_vsen_out - 279.1 Signed-off-by: Nadav Haklai Signed-off-by: Gregory CLEMENT Cc: #v3.16 Signed-off-by: Eduardo Valentin Signed-off-by: Sasha Levin commit d9b300555107c2ba6294ce0e7027a3660b798025 Author: Jean Delvare Date: Thu May 14 14:40:50 2015 +0200 firmware: dmi_scan: Fix ordering of product_uuid [ Upstream commit 5c1ac56b51b9d222ab202dec1ac2f4215346129d ] In function dmi_present(), dmi_walk_early() calls dmi_table(), which calls dmi_decode(), which ultimately calls dmi_save_uuid(). This last function makes a decision based on the value of global variable dmi_ver. The problem is that this variable is set right _after_ dmi_walk_early() returns. So dmi_save_uuid() always sees dmi_ver == 0 regardless of the actual version implemented. This causes /sys/class/dmi/id/product_uuid to always use the old ordering even on systems implementing DMI/SMBIOS 2.6 or later, which should use the new ordering. This is broken since kernel v3.8 for legacy DMI implementations and since kernel v3.10 for SMBIOS 2 implementations. SMBIOS 3 implementations with the 64-bit entry point are not affected. The first breakage does not matter much as in practice legacy DMI implementations are always for versions older than 2.6, which is when the UUID ordering changed. The second breakage is more problematic as it affects the vast majority of x86 systems manufactured since 2009. Signed-off-by: Jean Delvare Fixes: 9f9c9cbb6057 ("drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists") Fixes: 79bae42d51a5 ("dmi_scan: refactor dmi_scan_machine(), {smbios,dmi}_present()") Acked-by: Zhenzhong Duan Cc: Ben Hutchings Cc: Artem Savkov Cc: Ivan Khoronzhuk Cc: Matt Fleming Cc: stable@vger.kernel.org [v3.10+] Signed-off-by: Sasha Levin commit 74caa044f694e2034394893a3d993f9b90b3e895 Author: Scott Mayhew Date: Tue Apr 28 16:29:53 2015 -0400 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures [ Upstream commit 9507271d960a1911a51683888837d75c171cd91f ] In an environment where the KDC is running Active Directory, the exported composite name field returned in the context could be large enough to span a page boundary. Attaching a scratch buffer to the decoding xdr_stream helps deal with those cases. The case where we saw this was actually due to behavior that's been fixed in newer gss-proxy versions, but we're fixing it here too. Signed-off-by: Scott Mayhew Cc: stable@vger.kernel.org Reviewed-by: Simo Sorce Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit d6244c787f103b95e0f68283c8546afeaa7b046a Author: Christoph Hellwig Date: Tue Apr 28 15:41:15 2015 +0200 nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op [ Upstream commit ebe9cb3bb13e7b9b281969cd279ce70834f7500f ] If we find a non-confirmed openowner we jump to exit the function, but do not set an error value. Fix this by factoring out a helper to do the check and properly set the error from nfsd4_validate_stateid. Cc: stable@vger.kernel.org Signed-off-by: Christoph Hellwig Signed-off-by: J. Bruce Fields Signed-off-by: Sasha Levin commit 314b9cf3be0a02e5866f2a45e1d259cbff042dc2 Author: Mel Gorman Date: Thu May 14 15:17:09 2015 -0700 mm, numa: really disable NUMA balancing by default on single node machines [ Upstream commit b0dc2b9bb4ab782115b964310518ee0b17784277 ] NUMA balancing is meant to be disabled by default on UMA machines but the check is using nr_node_ids (highest node) instead of num_online_nodes (online nodes). The consequences are that a UMA machine with a node ID of 1 or higher will enable NUMA balancing. This will incur useless overhead due to minor faults with the impact depending on the workload. These are the impact on the stats when running a kernel build on a single node machine whose node ID happened to be 1: vanilla patched NUMA base PTE updates 5113158 0 NUMA huge PMD updates 643 0 NUMA page range updates 5442374 0 NUMA hint faults 2109622 0 NUMA hint local faults 2109622 0 NUMA hint local percent 100 100 NUMA pages migrated 0 0 Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: [3.8+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a821ac4c66382f9d6387c8311608f13c6749fea9 Author: Andi Kleen Date: Thu May 14 15:16:53 2015 -0700 tools/vm: fix page-flags build [ Upstream commit 4933f55fe72c86e57efc454dd6e673c7f17af5a3 ] libabikfs.a doesn't exist anymore, so we now need to link with libapi.a. Signed-off-by: Andi Kleen Cc: Naoya Horiguchi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6fa3566b04207140b2f61813333baa554f0090af Author: Helge Deller Date: Mon May 11 22:01:27 2015 +0200 parisc,metag: Fix crashes due to stack randomization on stack-grows-upwards architectures [ Upstream commit d045c77c1a69703143a36169c224429c48b9eecd ] On architectures where the stack grows upwards (CONFIG_STACK_GROWSUP=y, currently parisc and metag only) stack randomization sometimes leads to crashes when the stack ulimit is set to lower values than STACK_RND_MASK (which is 8 MB by default if not defined in arch-specific headers). The problem is, that when the stack vm_area_struct is set up in fs/exec.c, the additional space needed for the stack randomization (as defined by the value of STACK_RND_MASK) was not taken into account yet and as such, when the stack randomization code added a random offset to the stack start, the stack effectively got smaller than what the user defined via rlimit_max(RLIMIT_STACK) which then sometimes leads to out-of-stack situations and crashes. This patch fixes it by adding the maximum possible amount of memory (based on STACK_RND_MASK) which theoretically could be added by the stack randomization code to the initial stack size. That way, the user-defined stack size is always guaranteed to be at minimum what is defined via rlimit_max(RLIMIT_STACK). This bug is currently not visible on the metag architecture, because on metag STACK_RND_MASK is defined to 0 which effectively disables stack randomization. The changes to fs/exec.c are inside an "#ifdef CONFIG_STACK_GROWSUP" section, so it does not affect other platformws beside those where the stack grows upwards (parisc and metag). Signed-off-by: Helge Deller Cc: linux-parisc@vger.kernel.org Cc: James Hogan Cc: linux-metag@vger.kernel.org Cc: stable@vger.kernel.org # v3.16+ Signed-off-by: Sasha Levin commit 40b09824118a183f5ab0f6d4161911d505e62ee8 Author: Russell King Date: Fri May 15 11:02:23 2015 +0100 ARM: fix missing syscall trace exit [ Upstream commit 1b97937246d8b97c0760d16d8992c7937bdf5e6a ] Josh Stone reports: I've discovered a case where both arm and arm64 will miss a ptrace syscall-exit that they should report. If the syscall is entered without TIF_SYSCALL_TRACE set, then it goes on the fast path. It's then possible to have TIF_SYSCALL_TRACE added in the middle of the syscall, but ret_fast_syscall doesn't check this flag again. Fix this by always checking for a syscall trace in the fast exit path. Reported-by: Josh Stone Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 62267afe2eb7bddbd98b7f15756623156df4456c Author: Philippe Reynes Date: Wed May 13 00:18:26 2015 +0200 ARM: dts: imx27: only map 4 Kbyte for fec registers [ Upstream commit a29ef819f3f34f89a1b9b6a939b4c1cdfe1e85ce ] According to the imx27 documentation, fec has a 4 Kbyte memory space map. Moreover, the actual 16 Kbyte mapping overlaps the SCC (Security Controller) memory register space. So, we reduce the memory register space to 4 Kbyte. Signed-off-by: Philippe Reynes Acked-by: Uwe Kleine-König Fixes: 9f0749e3eb88 ("ARM i.MX27: Add devicetree support") Cc: Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit f0e61cb8cb9ee2c0496439e09d150d66d2b47982 Author: Mark Rutland Date: Wed May 13 15:07:54 2015 +0100 ARM: 8356/1: mm: handle non-pmd-aligned end of RAM [ Upstream commit 965278dcb8ab0b1f666cc47937933c4be4aea48d ] At boot time we round the memblock limit down to section size in an attempt to ensure that we will have mapped this RAM with section mappings prior to allocating from it. When mapping RAM we iterate over PMD-sized chunks, creating these section mappings. Section mappings are only created when the end of a chunk is aligned to section size. Unfortunately, with classic page tables (where PMD_SIZE is 2 * SECTION_SIZE) this means that if a chunk is between 1M and 2M in size the first 1M will not be mapped despite having been accounted for in the memblock limit. This has been observed to result in page tables being allocated from unmapped memory, causing boot-time hangs. This patch modifies the memblock limit rounding to always round down to PMD_SIZE instead of SECTION_SIZE. For classic MMU this means that we will round the memblock limit down to a 2M boundary, matching the limits on section mappings, and preventing allocations from unmapped memory. For LPAE there should be no change as PMD_SIZE == SECTION_SIZE. Signed-off-by: Mark Rutland Reported-by: Stefan Agner Tested-by: Stefan Agner Acked-by: Laura Abbott Tested-by: Hans de Goede Cc: Catalin Marinas Cc: Steve Capper Cc: stable@vger.kernel.org Signed-off-by: Russell King Signed-off-by: Sasha Levin commit a0ed73fbe2457f1f47b638ee4ce8d4aae05d529a Author: Thomas Gleixner Date: Tue May 5 19:49:49 2015 +0200 sched: Handle priority boosted tasks proper in setscheduler() [ Upstream commit 0782e63bc6fe7e2d3408d250df11d388b7799c6b ] Ronny reported that the following scenario is not handled correctly: T1 (prio = 10) lock(rtmutex); T2 (prio = 20) lock(rtmutex) boost T1 T1 (prio = 20) sys_set_scheduler(prio = 30) T1 prio = 30 .... sys_set_scheduler(prio = 10) T1 prio = 30 The last step is wrong as T1 should now be back at prio 20. Commit c365c292d059 ("sched: Consider pi boosting in setscheduler()") only handles the case where a boosted tasks tries to lower its priority. Fix it by taking the new effective priority into account for the decision whether a change of the priority is required. Reported-by: Ronny Meeus Tested-by: Steven Rostedt Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steven Rostedt Cc: Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Mike Galbraith Fixes: c365c292d059 ("sched: Consider pi boosting in setscheduler()") Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1505051806060.4225@nanos Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 71b400b61c03f9982187a92d14ad643d9aa76bff Author: Martin Schwidefsky Date: Wed May 13 14:33:22 2015 +0200 s390/mm: correct return value of pmd_pfn [ Upstream commit 7cded342c09f633666e71ee1ce048f218a9c5836 ] Git commit 152125b7a882df36a55a8eadbea6d0edf1461ee7 "s390/mm: implement dirty bits for large segment table entries" broke the pmd_pfn function, it changed the return value from 'unsigned long' to 'int'. This breaks all machine configurations with memory above the 8TB line. Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 6cf5b617a17408dcade9147f552ebe9695b1fa84 Author: Johannes Berg Date: Tue May 19 15:40:21 2015 +0200 mac80211: don't use napi_gro_receive() outside NAPI context [ Upstream commit 22d3a3c829fa9ecdb493d1f1f2838d543f8d86a3 ] No matter how the driver manages its NAPI context, there's no way sending frames to it from a timer can be correct, since it would corrupt the internal GRO lists. To avoid that, always use the non-NAPI path when releasing frames from the timer. Cc: stable@vger.kernel.org Reported-by: Jean Trivelly Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1007d14382998cf46e782daa83d04fb309de1e73 Author: Janusz Dziedzic Date: Mon May 11 11:31:15 2015 +0200 mac80211: move WEP tailroom size check [ Upstream commit 47b4e1fc4972cc43a19121bc2608a60aef3bf216 ] Remove checking tailroom when adding IV as it uses only headroom, and move the check to the ICV generation that actually needs the tailroom. In other case I hit such warning and datapath don't work, when testing: - IBSS + WEP - ath9k with hw crypt enabled - IPv6 data (ping6) WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]() [...] Call Trace: [] dump_stack+0x45/0x57 [] warn_slowpath_common+0x8a/0xc0 [] warn_slowpath_null+0x1a/0x20 [] ieee80211_wep_add_iv+0x129/0x190 [mac80211] [] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211] [] invoke_tx_handlers+0xc51/0xf30 [mac80211] [...] Cc: stable@vger.kernel.org Signed-off-by: Janusz Dziedzic Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit f09aa7ad8b9b63548b8e8302b05eefc60c200944 Author: Harald Freudenberger Date: Thu May 21 10:01:11 2015 +0200 crypto: s390/ghash - Fix incorrect ghash icv buffer handling. [ Upstream commit a1cae34e23b1293eccbcc8ee9b39298039c3952a ] Multitheaded tests showed that the icv buffer in the current ghash implementation is not handled correctly. A move of this working ghash buffer value to the descriptor context fixed this. Code is tested and verified with an multithreaded application via af_alg interface. Cc: stable@vger.kernel.org Signed-off-by: Harald Freudenberger Signed-off-by: Gerald Schaefer Reported-by: Herbert Xu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit bfea0f5c4ba46663fb16ffdab09e57b670e7edcf Author: Michael Brunner Date: Mon May 11 12:46:49 2015 +0200 gpio: gpio-kempld: Fix get_direction return value [ Upstream commit f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 ] This patch fixes an inverted return value of the gpio get_direction function. The wrong value causes the direction sysfs entry and GPIO debugfs file to indicate incorrect GPIO direction settings. In some cases it also prevents setting GPIO output values. The problem is also present in all other stable kernel versions since linux-3.12. Cc: Stable # v3.12+ Reported-by: Jochen Henneberg Signed-off-by: Michael Brunner Reviewed-by: Guenter Roeck Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 7ca7760adbe56a816c44438d6a3a0328506ea585 Author: Scott Branden Date: Mon Mar 16 10:59:52 2015 -0700 rt2x00: add new rt2800usb device DWA 130 [ Upstream commit ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 ] Add the USB Id to link the D-Link DWA 130 USB Wifi adapter to the rt2830 driver. Signed-off-by: Scott Branden Signed-off-by: Pieter Truter Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit a45b402bb2ec47fcb140d86098f035382680a31d Author: Xi Wang Date: Fri May 8 06:39:51 2015 +0100 arm64: bpf: fix signedness bug in loading 64-bit immediate [ Upstream commit 1e4df6b7208140f3c49f316d33a409d3a161f350 ] Consider "(u64)insn1.imm << 32 | imm" in the arm64 JIT. Since imm is signed 32-bit, it is sign-extended to 64-bit, losing the high 32 bits. The fix is to convert imm to u32 first, which will be zero-extended to u64 implicitly. Cc: Zi Shen Lim Cc: Alexei Starovoitov Cc: Catalin Marinas Cc: Fixes: 30d3d94cc3d5 ("arm64: bpf: add 'load 64-bit immediate' instruction") Signed-off-by: Xi Wang [will: removed non-arm64 bits and redundant casting] Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 748e016cf59aef21d02d1ba7ff2a337d616c83c7 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:37 2015 +0200 libata: Ignore spurious PHY event on LPM policy change [ Upstream commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 ] When the LPM policy is set to ATA_LPM_MAX_POWER, the device might generate a spurious PHY event that cuases errors on the link. Ignore this event if it occured within 10s after the policy change. The timeout was chosen observing that on a Dell XPS13 9333 these spurious events can occur up to roughly 6s after the policy change. Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13 Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit f62eb4c05075de5353c7bb1d1ea6c795a24abe51 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:36 2015 +0200 libata: Add helper to determine when PHY events should be ignored [ Upstream commit 8393b811f38acdf7fd8da2028708edad3e68ce1f ] This is a preparation commit that will allow to add other criteria according to which PHY events should be dropped. Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit f91f6d2d91ba8d57affcc0ac1cbfc256a5f919fd Author: Dan Williams Date: Fri May 8 15:23:55 2015 -0400 ahci: avoton port-disable reset-quirk [ Upstream commit dbfe8ef5599a5370abc441fcdbb382b656563eb4 ] Avoton AHCI occasionally sees drive probe timeouts at driver load time. When this happens SCR_STATUS indicates device detected, but no D2H FIS reception. Reset the internal link state machines by bouncing port-enable in the PCS register when this occurs. Cc: Signed-off-by: Dan Williams Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit d4842a5455e20003780bd81c429065756ed1ebcb Author: Darrick J. Wong Date: Thu May 14 19:11:50 2015 -0400 jbd2: fix r_count overflows leading to buffer overflow in journal recovery [ Upstream commit e531d0bceb402e643a4499de40dd3fa39d8d2e43 ] The journal revoke block recovery code does not check r_count for sanity, which means that an evil value of r_count could result in the kernel reading off the end of the revoke table and into whatever garbage lies beyond. This could crash the kernel, so fix that. However, in testing this fix, I discovered that the code to write out the revoke tables also was not correctly checking to see if the block was full -- the current offset check is fine so long as the revoke table space size is a multiple of the record size, but this is not true when either journal_csum_v[23] are set. Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit c164d09cd8eb3f6b8c183409695dc0eb3c4c503a Author: Eryu Guan Date: Thu May 14 19:00:45 2015 -0400 ext4: check for zero length extent explicitly [ Upstream commit 2f974865ffdfe7b9f46a9940836c8b167342563d ] The following commit introduced a bug when checking for zero length extent 5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries() Zero length extent could pass the check if lblock is zero. Adding the explicit check for zero length back. Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit d08570f3f052876a7a4472b66daac86c6a11b6b0 Author: Lukas Czerner Date: Thu May 14 18:55:18 2015 -0400 ext4: fix NULL pointer dereference when journal restart fails [ Upstream commit 9d506594069355d1fb2de3f9104667312ff08ed3 ] Currently when journal restart fails, we'll have the h_transaction of the handle set to NULL to indicate that the handle has been effectively aborted. We handle this situation quietly in the jbd2_journal_stop() and just free the handle and exit because everything else has been done before we attempted (and failed) to restart the journal. Unfortunately there are a number of problems with that approach introduced with commit 41a5b913197c "jbd2: invalidate handle if jbd2_journal_restart() fails" First of all in ext4 jbd2_journal_stop() will be called through __ext4_journal_stop() where we would try to get a hold of the superblock by dereferencing h_transaction which in this case would lead to NULL pointer dereference and crash. In addition we're going to free the handle regardless of the refcount which is bad as well, because others up the call chain will still reference the handle so we might potentially reference already freed memory. Moreover it's expected that we'll get aborted handle as well as detached handle in some of the journalling function as the error propagates up the stack, so it's unnecessary to call WARN_ON every time we get detached handle. And finally we might leak some memory by forgetting to free reserved handle in jbd2_journal_stop() in the case where handle was detached from the transaction (h_transaction is NULL). Fix the NULL pointer dereference in __ext4_journal_stop() by just calling jbd2_journal_stop() quietly as suggested by Jan Kara. Also fix the potential memory leak in jbd2_journal_stop() and use proper handle refcounting before we attempt to free it to avoid use-after-free issues. And finally remove all WARN_ON(!transaction) from the code so that we do not get random traces when something goes wrong because when journal restart fails we will get to some of those functions. Cc: stable@vger.kernel.org Signed-off-by: Lukas Czerner Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Signed-off-by: Sasha Levin commit 32c5ba5c6ec79e3196215ef849a3b2a6047c9cb5 Author: Pan Xinhui Date: Sat Mar 28 10:42:56 2015 +0800 tty/n_gsm.c: fix a memory leak when gsmtty is removed [ Upstream commit 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 ] when gsmtty_remove put dlci, it will cause memory leak if dlci->port's refcount is zero. So we do the cleanup work in .cleanup callback instead. dlci will be last put in two call chains. 1) gsmld_close -> gsm_cleanup_mux -> gsm_dlci_release -> dlci_put 2) gsmld_remove -> dlci_put so there is a race. the memory leak depends on the race. In call chain 2. we hit the memory leak. below comment tells. release_tty -> tty_driver_remove_tty -> gsmtty_remove -> dlci_put -> tty_port_destructor (WARN_ON(port->itty) and return directly) | tty->port->itty = NULL; | tty_kref_put ---> release_one_tty -> gsmtty_cleanup (added by our patch) So our patch fix the memory leak by doing the cleanup work after tty core did. Signed-off-by: Pan Xinhui Fixes: dfabf7ffa30585 Cc: stable # 3.14+ Acked-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 526639cb205517c4c83f7aef7884f00415990f3f Author: Ludovic Desroches Date: Wed May 6 15:16:46 2015 +0200 mmc: atmel-mci: fix bad variable type for clkdiv [ Upstream commit 60c8f783a18feb95ad967c87e9660caf09fb4700 ] clkdiv is declared as an u32 but it can be set to a negative value causing a huge divisor value. Change its type to int to avoid this case. Signed-off-by: Ludovic Desroches Cc: # 3.4 and later Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 00f255cfbb795222c0bef47c019f9350197c4c2d Author: Anton Blanchard Date: Thu May 14 14:45:40 2015 +1000 powerpc: Align TOC to 256 bytes [ Upstream commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 ] Recent toolchains force the TOC to be 256 byte aligned. We need to enforce this alignment in our linker script, otherwise pointers to our TOC variables (__toc_start, __prom_init_toc_start) could be incorrect. If they are bad, we die a few hundred instructions into boot. Cc: stable@vger.kernel.org Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit c67ad812758fb5f5bf76e92abbe5dbff75fe47d2 Author: Krzysztof Opasiak Date: Fri Mar 20 15:48:56 2015 +0100 usb: gadget: configfs: Fix interfaces array NULL-termination [ Upstream commit 903124fe1aa284f61745a9dd4fbfa0184e569fff ] memset() to 0 interfaces array before reusing usb_configuration structure. This commit fix bug: ln -s functions/acm.1 configs/c.1 ln -s functions/acm.2 configs/c.1 ln -s functions/acm.3 configs/c.1 echo "UDC name" > UDC echo "" > UDC rm configs/c.1/acm.* rmdir functions/* mkdir functions/ecm.usb0 ln -s functions/ecm.usb0 configs/c.1 echo "UDC name" > UDC [ 82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 82.229009] pgd = c0004000 [ 82.231698] [00000000] *pgd=00000000 [ 82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [ 82.240638] Modules linked in: [ 82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39 [ 82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [ 82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000 [ 82.261393] PC is at composite_setup+0xe3c/0x1674 [ 82.266073] LR is at composite_setup+0xf20/0x1674 [ 82.270760] pc : [] lr : [] psr: 600001d3 [ 82.270760] sp : c07c9df0 ip : c0806448 fp : ed8c9c9c [ 82.282216] r10: 00000001 r9 : 00000000 r8 : edaae918 [ 82.287425] r7 : ed551cc0 r6 : 00007fff r5 : 00000000 r4 : ed799634 [ 82.293934] r3 : 00000003 r2 : 00010002 r1 : edaae918 r0 : 0000002e [ 82.300446] Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel [ 82.307910] Control: 10c5387d Table: 6bc1804a DAC: 00000015 [ 82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210) [ 82.319627] Stack: (0xc07c9df0 to 0xc07ca000) [ 82.323969] 9de0: 00000000 c06e65f4 00000000 c07c9f68 [ 82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3 [ 82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50 [ 82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0 [ 82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444 [ 82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010 [ 82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000 [ 82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000 [ 82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac [ 82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000 [ 82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057 [ 82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c [ 82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8 [ 82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54 [ 82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000 [ 82.462689] [] (composite_setup) from [] (s3c_hsotg_complete_setup+0xb4/0x418) [ 82.471626] [] (s3c_hsotg_complete_setup) from [] (usb_gadget_giveback_request+0xc/0x10) [ 82.481429] [] (usb_gadget_giveback_request) from [] (s3c_hsotg_complete_request+0xcc/0x12c) [ 82.491583] [] (s3c_hsotg_complete_request) from [] (s3c_hsotg_irq+0x4fc/0x558) [ 82.500614] [] (s3c_hsotg_irq) from [] (handle_irq_event_percpu+0x50/0x150) [ 82.509291] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x3c/0x5c) [ 82.518145] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xd4/0x18c) [ 82.526650] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x20/0x30) [ 82.535242] [] (generic_handle_irq) from [] (__handle_domain_irq+0x6c/0xdc) [ 82.543923] [] (__handle_domain_irq) from [] (gic_handle_irq+0x2c/0x6c) [ 82.552256] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x74) [ 82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0) [ 82.564753] 9f60: 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff [ 82.586113] [] (__irq_svc) from [] (arch_cpu_idle+0x30/0x3c) [ 82.593491] [] (arch_cpu_idle) from [] (cpu_startup_entry+0x128/0x1a4) [ 82.601740] [] (cpu_startup_entry) from [] (start_kernel+0x350/0x3bc) [ 82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000) [ 82.615965] ---[ end trace f57d5f599a5f1bfa ]--- Most of kernel code assume that interface array in struct usb_configuration is NULL terminated. When gadget is composed with configfs configuration structure may be reused for different functions set. This bug happens because purge_configs_funcs() sets only next_interface_id to 0. Interface array still contains pointers to already freed interfaces. If in second try we add less interfaces than earlier we may access unallocated memory when trying to get interface descriptors. Signed-off-by: Krzysztof Opasiak Cc: # 3.10+ Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 5817cd0d35c07dd5d61ccbe2bcda9c9f073896ff Author: Hans de Goede Date: Thu Apr 30 11:09:44 2015 +0200 usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices [ Upstream commit 172115090f5e739660b97694618a2ba86457063a ] Without this flag some versions of these enclosures do not work. Cc: stable@vger.kernel.org Reported-and-tested-by: Christian Schaller Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 66570f4498bc88bbdfead69efd0d899c2c8c96de Author: Mark Edwards Date: Tue Apr 14 08:52:34 2015 -0400 USB: cp210x: add ID for KCF Technologies PRN device [ Upstream commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 ] Added the USB serial console device ID for KCF Technologies PRN device which has a USB port for its serial console. Signed-off-by: Mark Edwards Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 0c49dab9ae5c655d41d7990cc7d4382860f82670 Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:08 2015 +0200 USB: pl2303: Remove support for Samsung I330 [ Upstream commit 48ef23a4f686b1e4519d4193c20d26834ff810ff ] This phone is already supported by the visor driver. Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit e6b61642fcddf50914a22a5983b879b4c0c42f34 Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:09 2015 +0200 USB: visor: Match I330 phone more precisely [ Upstream commit 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d ] Samsung has just released a portable USB3 SSD, coming in a very small and nice form factor. It's USB ID is 04e8:8001, which unfortunately is already used by the Palm Visor driver for the Samsung I330 phone cradle. Having pl2303 or visor pick up this device ID results in conflicts with the usb-storage driver, which handles the newly released portable USB3 SSD. To work around this conflict, I've dug up a mailing list post [1] from a long time ago, in which a user posts the full USB descriptor information. The most specific value in this appears to be the interface class, which has value 255 (0xff). Since usb-storage requires an interface class of 0x8, I believe it's correct to disambiguate the two devices by matching on 0xff inside visor. [1] http://permalink.gmane.org/gmane.linux.usb.user/4264 Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin commit 59cf84998ed631bb0654decefcabd54487e7fa64 Author: Joe Lawrence Date: Thu Apr 30 17:16:04 2015 +0300 xhci: gracefully handle xhci_irq dead device [ Upstream commit 948fa13504f80b9765d2b753691ab94c83a10341 ] If the xHCI host controller has died (ie, device removed) or suffered other serious fatal error (STS_FATAL), then xhci_irq should handle this condition with IRQ_HANDLED instead of -ESHUTDOWN. Signed-off-by: Joe Lawrence Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 635ab0086fb93a128f17f1415172a4714a8c67ad Author: Mathias Nyman Date: Thu Apr 30 17:16:03 2015 +0300 xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 [ Upstream commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 ] Our event ring consists of only one segment, and we risk filling the event ring in case we get isoc transfers with short intervals such as webcams that fill a TD every microframe (125us) With 64 TRB segment size one usb camera could fill the event ring in 8ms. A setup with several cameras and other devices can fill up the event ring as it is shared between all devices. This has occurred when uvcvideo queues 5 * 32TD URBs which then get cancelled when the video mode changes. The cancelled URBs are returned in the xhci interrupt context and blocks the interrupt handler from handling the new events. A full event ring will block xhci from scheduling traffic and affect all devices conneted to the xhci, will see errors such as Missed Service Intervals for isoc devices, and and Split transaction errors for LS/FS interrupt devices. Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring size, which is welcome as for most isoc transfer we had to dynamically expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo queues. The default size used to be 64 TRBs per segment Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 21792ca9e9b5cab0338ac3804d97d50460da5cfd Author: Mathias Nyman Date: Thu Apr 30 17:16:02 2015 +0300 xhci: fix isoc endpoint dequeue from advancing too far on transaction error [ Upstream commit d104d0152a97fade389f47635b73a9ccc7295d0b ] Isoc TDs usually consist of one TRB, sometimes two. When all goes well we receive only one success event for a TD, and move the dequeue pointer to the next TD. This fails if the TD consists of two TRBs and we get a transfer error on the first TRB, we will then see two events for that TD. Fix this by making sure the event we get is for the last TRB in that TD before moving the dequeue pointer to the next TD. This will resolve some of the uvc and dvb issues with the "ERROR Transfer event TRB DMA ptr not part of current TD" error message Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e0bc573f09efd4c681e94d3260722646934b9051 Author: Andy Grover Date: Fri May 22 14:07:44 2015 -0700 target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST [ Upstream commit 5a7125c64def3b21f8147eca8b54949a60963942 ] See https://bugzilla.redhat.com/show_bug.cgi?id=1025672 We need to put() the reference to the scsi host that we got in pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with the dev_virt, not the hba_virt. Signed-off-by: Andy Grover Cc: stable@vger.kernel.org # 2.6.38+ Signed-off-by: Nicholas Bellinger Signed-off-by: Sasha Levin commit 4d0b92162bd496128f027934010e27012fe0d5d0 Author: Stephane Eranian Date: Thu Apr 23 09:07:09 2015 +0200 perf/x86/rapl: Enable Broadwell-U RAPL support [ Upstream commit 44b11fee51711ca85aa2b121a49bf029d18a3722 ] This patch enables RAPL counters (energy consumption counters) support for Intel Broadwell-U processors (Model 61): To use: $ perf stat -a -I 1000 -e power/energy-cores/,power/energy-pkg/,power/energy-ram/ sleep 10 Signed-off-by: Stephane Eranian Cc: Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Thomas Gleixner Cc: jacob.jun.pan@linux.intel.com Cc: kan.liang@intel.com Cc: peterz@infradead.org Cc: sonnyrao@chromium.org Link: http://lkml.kernel.org/r/20150423070709.GA4970@thinkpad Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit d1e0cacec39accf823bdb70cc48902e644ae8c87 Author: Malcolm Priestley Date: Sat Apr 4 20:49:10 2015 +0100 staging: vt6656: use ieee80211_tx_info to select packet type. [ Upstream commit b23f14302e86628625ac3982a6d23e35888755f2 ] Information for packet type is in ieee80211_tx_info band IEEE80211_BAND_5GHZ for PK_TYPE_11A. IEEE80211_TX_RC_USE_CTS_PROTECT via tx_rate flags selects PK_TYPE_11GB This ensures that the packet is always the right type. Signed-off-by: Malcolm Priestley Cc: # v3.17+ Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 87529c630bb8a14ac0110cd4f9b9ed2f76909927 Author: Sławomir Demeszko Date: Tue May 5 17:49:54 2015 +0200 staging: gdm724x: Correction of variable usage after applying ALIGN() [ Upstream commit 892c89d5d7ffd1bb794fe54d86c0eef18d215fab ] Fix regression introduced by commit <29ef8a53542a>. After it writing AT commands to /dev/GCT-ATM0 is unsuccessful (no echo, no response) and dmesg show "gdmtty: invalid payload : 1 16 f011". Before that commit value of dummy_cnt was only a padding size. After using ALIGN() this value is increased by its first argument. So the following usage of this variable needs correction. Signed-off-by: Sławomir Demeszko Cc: stable # 3.14+ Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cbed10970409643e38b6d0e52de3758629f6c2e1 Author: Tatyana Nikolova Date: Fri May 8 16:36:33 2015 -0500 RDMA/core: Fix for parsing netlink string attribute [ Upstream commit ec04847c0c5b471bab2dacceadfdb803a9d1a2ea ] The string iwpm_ulib_name is recorded in a nlmsg as a netlink attribute. Without this fix parsing of the nlmsg by the userspace port mapper service fails because of unknown attribute length, causing the port mapper service not to register the client, which has sent the nlmsg. Signed-off-by: Tatyana Nikolova Cc: #v3.16 Reviewed-By: Jason Gunthorpe Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit 53456d8b6c8acf15f0684dc4548a5bad9d4db85f Author: Zidan Wang Date: Tue May 12 14:58:50 2015 +0800 ASoC: wm8994: correct BCLK DIV 348 to 384 [ Upstream commit 17fc2e0a3db11889e942c5ab15a1fcb876638f25 ] According to the RM of wm8958, BCLK DIV 348 doesn't exist, correct it to 384. Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 31158f180bda2d8c4b2caf24854210bad08d3c79 Author: Zidan Wang Date: Tue May 12 14:58:36 2015 +0800 ASoC: wm8960: fix "RINPUT3" audio route error [ Upstream commit 85e36a1f4a735d991ba5106781ea48e89a0b8901 ] It should be "RINPUT3" instead of "LINPUT3" route to "Right Input Mixer". Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit f223455e2074c3bf929fc5e427ad68f06a252554 Author: Koro Chen Date: Mon May 11 10:36:53 2015 +0800 ASoC: dapm: Modify widget stream name according to prefix [ Upstream commit fdb6eb0a12871d5bfaf266c5a0d5259a5437a72f ] When there is prefix specified, currently we will add this prefix in widget->name, but not in widget->sname. it causes failure at snd_soc_dapm_link_dai_widgets: if (!w->sname || !strstr(w->sname, dai_w->name)) because dai_w->name has prefix added, but w->sname does not. We should also add prefix for stream name Signed-off-by: Koro Chen Signed-off-by: Mark Brown Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit c9717bdb1c17a76def4d98da16a5053fd916bee4 Author: Axel Lin Date: Mon Apr 27 14:51:35 2015 +0800 ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls [ Upstream commit 545774bd6e1427d98dde77244329d2311c5eca6f ] mc13xxx_reg_rmw() won't change any bit if passing 0 to the mask field. Pass AUDIO_SSI_SEL instead of 0 for the mask field to set AUDIO_SSI_SEL bit. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit fa12b3c686b6bc3a221fbce53fecc684eb50266c Author: Takashi Iwai Date: Wed May 27 16:17:19 2015 +0200 ALSA: hda - Fix noise on AMD radeon 290x controller [ Upstream commit 0fa372b6c95013af1334b3d5c9b5f03a70ecedab ] A new AMD controller [1002:aac8] seems to need the quirk for other AMD NS HDMI stuff, otherwise it gives noisy sounds. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=99021 Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3816eb97049a1ef3dc27c1f92abf2aa87cec46bd Author: Takashi Iwai Date: Tue Nov 25 11:28:07 2014 +0100 ALSA: hda - Add AZX_DCAPS_SNOOP_OFF (and refactor snoop setup) [ Upstream commit 37e661ee10c6d0d1310c62b3d29ae9a63073ac5d ] Add a new driver_caps bit, AZX_DCAPS_SNOOP_OFF, to set the snoop off as default. This new bit is used for the checks in azx_check_snoop_available(). Most of case-switches are replaced with the new dcaps in each entry. While working on it, for avoiding to spend more bits, combine three bits AZX_DCAPS_SNOOP_SCH, AZX_DCAPS_SNOOP_ATI and AZX_DCAPS_SNOOP_NVIDIA bits into a flat type of two bits. This reduces the bits usages, and assign AZX_DCAPS_OFF to this empty bit now. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3c28d65e3835df1421d94cc57c77b26c9a1c3e44 Author: Takashi Iwai Date: Sun May 24 08:27:52 2015 +0200 Revert "ALSA: hda - Add mute-LED mode control to Thinkpad" [ Upstream commit 3530febb5c7636f6b26d15637f68296804d26491 ] This reverts commit 7290006d8c0900c56d8c58428134f02c35109d17. Through the regression report, it was revealed that the tpacpi_led_set() call to thinkpad_acpi helper doesn't only toggle the mute LED but actually mutes the sound. This is contradiction to the expectation, and rather confuses user. According to Henrique, it's not trivial to judge which TP model behaves "LED-only" and which model does whatever more intrusive, as Lenovo's implementations vary model by model. So, from the safety reason, we should revert the patch for now. Reported-by: Martin Steigerwald Cc: Pali Rohár Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 139cec161789dd64d0c4a1ff4dfd5eee852223af Author: David Henningsson Date: Thu May 28 09:40:23 2015 +0200 ALSA: hda - Disable Headphone Mic boost for ALC662 [ Upstream commit b40eda6408e94ee286cb5720cd3f409f70e01778 ] When headphone mic boost is above zero, some 10 - 20 second delay might occur before the headphone mic is operational. Therefore disable the headphone mic boost control (recording gain is sufficient even without it). (Note: this patch is not about the headset mic, it's about the less common mic-in only mode.) BugLink: https://bugs.launchpad.net/bugs/1454235 Suggested-by: Kailang Yang Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 57840018977554f398f9048b14dc5f3ad937b075 Author: Kailang Yang Date: Mon May 25 17:16:49 2015 +0800 ALSA: hda/realtek - Add ALC256 alias name for Dell [ Upstream commit 823245026ead28a244cb9df5ae79b511da128606 ] Add ALC3246 for Dell platform. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 8401fbb6e3a413be23ec042fbb92e0cd6d3bec4a Author: Ansgar Hegerfeld Date: Thu May 14 12:31:32 2015 +0200 ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450 [ Upstream commit 09ea997677cd44ebe7f42573119aaf46b775c683 ] The Lenovo ThinkPad L450 requires the ALC292_FIXUP_TPT440_DOCK fix in order to get sound output on the docking stations audio port. This patch was tested using a ThinkPad L450 (20DSS00B00) using kernel 4.0.3 and a ThinkPad Pro Dock. Signed-off-by: Ansgar Hegerfeld Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 62bed83cc692bed56ff99470bab7876a5383a293 Author: David Henningsson Date: Tue May 12 14:38:15 2015 +0200 ALSA: hda - Fix headset mic and mic-in for a Dell desktop [ Upstream commit 1f8b46cdc806dfd76386f8442d9a6d0ae69abb25 ] ALC662 does not need any special verbs to change the jack functionality, and enables mic in through the headphone jack mode by changing the direction of the headphone pin node. BugLink: https://bugs.launchpad.net/bugs/1454235 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c49ead5edb01f741021dffe314500111fd9fb5ad Author: Kailang Yang Date: Tue May 12 17:11:10 2015 +0800 ALSA: hda/realtek - Support headset mode for ALC298 [ Upstream commit 1a5bc8d95020c5a81264146c94102baec6ab0861 ] Support headset mode for ALC298 platform. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d17c6a846698956c71803e6de5bc35585453442b Author: David Henningsson Date: Mon May 11 14:04:14 2015 +0200 ALSA: hda - Add headset mic quirk for Dell Inspiron 5548 [ Upstream commit 9b5a4e395c2f39fae89f75e4a749be5dba342d22 ] This enables the headset microphone on Dell Inspiron 5548, or at least some variants of it. Cc: stable@vger.kernel.org BugLink: https://bugs.launchpad.net/bugs/1452175 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3b31a80e772b336379c4e77f60322e571c7af4bf Author: Kailang Yang Date: Tue May 5 15:02:42 2015 +0800 ALSA: hda/realtek - Add ALC298 alias name for Dell [ Upstream commit 2c674fac5b1603c6a2aacc88116e3fbc75ebd799 ] Add ALC3266 for Dell platform. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b157594cbacd1cf52298f3ef9c486a0de1656161 Author: Kailang Yang Date: Mon May 4 15:50:47 2015 +0800 ALSA: hda/realtek - Fix typo for ALC286/ALC288 [ Upstream commit ec6bfca835b61df360881c1bf89268f69fed2a61 ] Delete more one break for ALC286/ALC288. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 589f56822b32e6c6d34af21894b7ad219d247cde Author: Takashi Iwai Date: Fri May 1 09:20:34 2015 +0200 ALSA: hda - Add headphone quirk for Lifebook E752 [ Upstream commit 88776f366ede7d9cdce60bd2c9753dd6d6fa8b77 ] Fujitsu Lifebook E752 laptop needs a similar quirk done for Lifebook T731. Otherwise the headphone is always muted. Reported-and-tested-by: Christian Weber Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 645fe60570c0eb82255ef0d0c0b5abdf568d106f Author: Hui Wang Date: Fri Apr 24 13:39:59 2015 +0800 ALSA: hda - fix headset mic detection problem for one more machine [ Upstream commit e8191a8e475551b277d85cd76c3f0f52fdf42e86 ] We have two machines with alc256 codec in the pin quirk table, so moving the common pins to ALC256_STANDARD_PINS. Cc: stable@vger.kernel.org BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1447909 Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 44954e137532e7eb9049809bdbafd13281d40735 Author: Kailang Yang Date: Wed Apr 8 15:01:17 2015 +0800 ALSA: hda/realtek - Support headset mode for ALC286/288 [ Upstream commit f3b703326541d0c1ce85f5e570f6d2b6bd4296ec ] Support headset mode for ALC286 and ALC288 platforms. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e0422326d0f3cad4f5841e112810608be09e7f77 Author: Kailang Yang Date: Mon Mar 30 17:05:37 2015 +0800 ALSA: hda/realtek - Support Dell headset mode for ALC256 [ Upstream commit 7081adf3f98f4c39dc6758208775b2aa48f51f8a ] Dell new platform of ALC256 audio codec. Support headset mode for Dell ALC256 platform. Signed-off-by: Kailang Yang Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c5f5f1c7e9503218faa7462979085175df82c6c1 Author: Vittorio G (VittGam) Date: Fri May 22 21:15:19 2015 +0200 ALSA: usb-audio: Add quirk for MS LifeCam HD-3000 [ Upstream commit ae425bb2a05bebe786a25cc8ae64e9d16c4d9b83 ] Microsoft LifeCam HD-3000 (045e:0779) needs a similar quirk for suppressing the unsupported sample rate inquiry. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481 Cc: Signed-off-by: Vittorio Gambaletta Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit a0382b2c26e6c9782ffa092c47df248020ad3362 Author: Takashi Iwai Date: Tue May 19 10:46:49 2015 +0200 ALSA: usb-audio: Add quirk for MS LifeCam Studio [ Upstream commit fa94b0d72511add5822dc4124f2a3eae66b8863f ] Microsoft LifeCam Studio (045e:0772) needs a similar quirk for suppressing the wrong sample rate inquiry. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481 Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9a740f2444026547cb6aa97f23db436ecc537d32 Author: Adam Honse Date: Sun Apr 12 01:03:07 2015 -0500 ALSA: usb-audio: Don't attempt to get Microsoft Lifecam Cinema sample rate [ Upstream commit eef0342cf32689f77d78ee3302999e5caaa6a8f3 ] Adds Microsoft LifeCam Cinema USB ID to the snd_usb_get_sample_rate_quirk list as the Lifecam Cinema does not appear to support getting the sample rate. Fixes the issue where the LifeCam Cinema would wait for USB timeout and log the message "cannot get freq at ep 0x82" when accessed. Addresses bug report https://bugzilla.kernel.org/show_bug.cgi?id=95961. Signed-off-by: Adam Honse Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ca6f8915064f0add7894eb0f04419f5bc37a4a5d Author: Eric Wong Date: Tue Mar 31 07:34:05 2015 +0000 ALSA: usb-audio: don't try to get Benchmark DAC1 sample rate [ Upstream commit 9fc88ad6fd86ff6ce979105c633c58cc3980129c ] Adding this quirk allows us to avoid the noisy "cannot get freq at ep 0x1" message in dmesg output every time playback starts. This ought to affect other Benchmark DAC1 variations using the same "Microchip Technology, Inc." chip as well, but I have only tested with the "Pre" variant. Signed-off-by: Eric Wong Cc: Joe Turner Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 352ca4dd2af1ece77eedb42bb092fc527fbce3ec Author: Takashi Iwai Date: Wed Mar 4 15:37:01 2015 +0100 ALSA: usb-audio: Check Marantz/Denon USB DACs in a single place [ Upstream commit 8b28c93fe5a55873ce22b7126e84eb59290f8603 ] There are three places doing the same check. Let's make them together. Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e3a3694d2340e778dbfee07246332a776ba6f100 Author: Frank C Guenther Date: Tue Feb 17 22:13:32 2015 +0100 ALSA: usb: Fix support for Denon DA-300USB DAC (ID 154e:1003) [ Upstream commit 3cd1ce0420ce89937bef9096d5bdb13fbdf0f8b0 ] Fix problem where playback of Denon DA-300USB DAC sometimes does not start and leads to error messages like "clock source 41 is not valid, cannot use". Solution: Treat this device the same as other Denon/Marantz devices in sound/usb/quirks.c. Tested with both PCM and DSD formats. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=93261 Signed-off-by: Frank C Guenther Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b978d2f62a4c2385b2991a9c73eb70943706bb45 Author: Joe Turner Date: Mon Feb 16 20:44:33 2015 +0000 ALSA: usb-audio: Don't attempt to get Lifecam HD-5000 sample rate [ Upstream commit b62b998010028c4dfd7db7c26990efb2a0985a1e ] Adds a quirk to disable the check that the sample rate has been set correctly, as the Lifecam does not support getting the sample rate. This means that we don't need to wait for the USB timeout when attempting to get the sample rate. Waiting for the timeout causes problems in some applications, which give up on the device acquisition process before it has had time to complete, resulting in no sound. [minor tidy up by tiwai] Signed-off-by: Joe Turner Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 320bb9ecddd1b02b5010c8ec1a9bb47849ac003c Author: Jurgen Kramer Date: Wed Dec 17 17:45:20 2014 +0100 ALSA: usb-audio: add native DSD support for Matrix Audio DACs [ Upstream commit 38f74d5b82b329dff5bdf8626e8776a36a1835da ] This patch adds native DSD support for two XMOS based DACs from Matrix Audio: - X-Sabre - Mini-i Pro Signed-off-by: Jurgen Kramer Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0fffa49aa6f95fb44b9bcc493459170a4dcd8afb Author: Panu Matilainen Date: Sun Nov 30 18:45:40 2014 +0200 ALSA: usb-audio: Add support for Zoom R16/24 capture and midi interfaces [ Upstream commit dacacb0aa0cb6fdeb69313db6acfc82456945d7e ] This makes the midi interface and capture work out of the box with R16 (and presumably R24 too but untested). Playback stream would also seem to function fine except for one caveat: no sound is produced, so it is disabled for now. Mixer descriptors are garbage and will require further quirks to enable functionality, also disabled here. Signed-off-by: Panu Matilainen Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5634e0f8d14084f47055b81350b5563d3f06fd4c Author: Jurgen Kramer Date: Fri Nov 28 17:32:54 2014 +0100 ALSA: usb-audio: Add mode select quirk for Denon/Marantz DACs [ Upstream commit 6874daad4b0fbed5b2f9bef7f4d3f2b895463a95 ] Denon/Marantz USB DACs need a specific vendor command to switch between PCM and DSD mode. This patch adds a new quirk function to switch between the two modes using the specific USB vendor command. This patch applies to the following devices: - Marantz SA-14S1 - Marantz HD-DAC1 Signed-off-by: Jurgen Kramer Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 43772581af59b445d2350b2344b60b71972c1820 Author: Jurgen Kramer Date: Fri Nov 28 17:32:53 2014 +0100 ALSA: usb-audio: Add native DSD support for Denon/Marantz DACs [ Upstream commit 7a2e9ddc903225d8fb3a510a842144a239017ee4 ] This patch adds native DSD support for the following devices: - Marantz SA-14S1 - Marants HD-DAC1 Signed-off-by: Jurgen Kramer Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e831585eb8fc7dfb64515c86db2205164d0eeb61 Author: Steven Rostedt Date: Sat May 9 03:06:23 2015 +0930 module: Call module notifier on failure after complete_formation() [ Upstream commit 37815bf866ab6722a47550f8d25ad3f1a16a680c ] The module notifier call chain for MODULE_STATE_COMING was moved up before the parsing of args, into the complete_formation() call. But if the module failed to load after that, the notifier call chain for MODULE_STATE_GOING was never called and that prevented the users of those call chains from cleaning up anything that was allocated. Link: http://lkml.kernel.org/r/554C52B9.9060700@gmail.com Reported-by: Pontus Fuchs Fixes: 4982223e51e8 "module: set nx before marking module MODULE_STATE_COMING" Cc: stable@vger.kernel.org # 3.16+ Signed-off-by: Steven Rostedt Signed-off-by: Rusty Russell Signed-off-by: Sasha Levin commit 5fcf8812fdf03db0b54946f4cc909dd70c417d8e Author: Al Viro Date: Thu May 28 23:09:19 2015 -0400 d_walk() might skip too much [ Upstream commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 ] when we find that a child has died while we'd been trying to ascend, we should go into the first live sibling itself, rather than its sibling. Off-by-one in question had been introduced in "deal with deadlock in d_walk()" and the fix needs to be backported to all branches this one has been backported to. Cc: stable@vger.kernel.org # 3.2 and later Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit bfad74288efce9d33b26ea2a694406d4e0727a20 Author: Jan Kara Date: Tue Jun 2 17:10:28 2015 +0200 lib: Fix strnlen_user() to not touch memory after specified maximum [ Upstream commit f18c34e483ff6b1d9866472221e4015b3a4698e4 ] If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ab673124ce097c0eb9a9e6691ebd41eb0d0225ba Author: Guenter Roeck Date: Thu May 28 09:12:23 2015 -0700 hwmon: (nct6683) Add missing sysfs attribute initialization [ Upstream commit c7bd6dc320b85445b6b36a0aff41f929210027c7 ] The following error message is seen when loading the nct6683 driver with DEBUG_LOCK_ALLOC enabled. BUG: key ffff88040b2f0030 not in .data! ------------[ cut here ]------------ WARNING: CPU: 0 PID: 186 at kernel/locking/lockdep.c:2988 lockdep_init_map+0x469/0x630() DEBUG_LOCKS_WARN_ON(1) Caused by a missing call to sysfs_attr_init() when initializing sysfs attributes. Reported-by: Alexey Orishko Reviewed-by: Jean Delvare Cc: stable@vger.kernel.org # v3.18+ Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit f46267a4b26ad38dd0a2f6473c1eaacf3fdf75fd Author: Guenter Roeck Date: Thu May 28 09:08:09 2015 -0700 hwmon: (nct6775) Add missing sysfs attribute initialization [ Upstream commit 1b63bf617206ff35b93c57c67bbe067ac735a85a ] The following error message is seen when loading the nct6775 driver with DEBUG_LOCK_ALLOC enabled. BUG: key ffff88040b2f0030 not in .data! ------------[ cut here ]------------ WARNING: CPU: 0 PID: 186 at kernel/locking/lockdep.c:2988 lockdep_init_map+0x469/0x630() DEBUG_LOCKS_WARN_ON(1) Caused by a missing call to sysfs_attr_init() when initializing sysfs attributes. Reported-by: Alexey Orishko Reviewed-by: Jean Delvare Cc: stable@vger.kernel.org # v3.12+ Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 88ee23a99440e0fc5f4abd3748d647486ff93c4f Author: Thomas Betker Date: Wed Apr 15 21:11:50 2015 +0200 iio: adc: xilinx: Fix VREFN sign [ Upstream commit 97ffae1d30c3f6ceee67d5b0d3e540c08c13c744 ] The VREFN channel is bipolar, not unipolar. Small negative values do occur (e.g., -1mV), and unsigned conversion maps them incorrectly to large positive values (about +1V), so fix this. Signed-off-by: Thomas Betker Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 3ec936bcf36f91348c08366ebd15d3241298d64f Author: Thomas Betker Date: Wed Apr 15 21:11:49 2015 +0200 iio: adc: xilinx: Fix VREFP scale [ Upstream commit 00db4e52f4541965f7fda225eb458a75f892017b ] The scaling factor for VREFP is 3.0/4096, not 1.0/4096; fix this to get correct readings. Signed-off-by: Thomas Betker Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit ec4fc281dab476d0e87cb8f82b966ef95d2f1a9a Author: Thomas Betker Date: Wed Apr 15 21:11:48 2015 +0200 iio: adc: xilinx: Fix "vccaux" channel .address [ Upstream commit d6c96c42283601e311a7a1a3d7e51cde9d7fdb6e ] For the "vccaux" channel, read the VCCAUX register, not VCCINT. Signed-off-by: Thomas Betker Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit e771bc85163b1bb17674c4fd79e987977fe75a5d Author: Thomas Betker Date: Wed Apr 15 21:11:47 2015 +0200 iio: adc: xilinx: Fix register addresses [ Upstream commit 3960d2c0c4aafe98da47a4a2eb64dfa8e88d8df5 ] Define the register addresses for MIN_VCCPINT, MIN_VCCPAUX, MIN_VCCO_DDR correctly. Signed-off-by: Thomas Betker Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 13297fc66bb383cf82e2dac3ae1f3d1a1de1f0a7 Author: Srinivas Pandruvada Date: Tue Apr 14 14:54:18 2015 -0700 iio: pressure: hid-sensor-press: Fix modifier [ Upstream commit 964e2255f1d73fc0136bc206a78a1f86bdad72a7 ] Fix "null" in the raw attribute and scan elements. Signed-off-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 465f7808d848b531070229068aadbb2395ad3f98 Author: Srinivas Pandruvada Date: Tue Apr 14 14:53:22 2015 -0700 iio: light: hid-sensor-prox: Fix modifier [ Upstream commit c2aab3d58b96002555a3e70004f593b043830248 ] Currently in_proximity_(null)_raw is getting presented as raw sysfs attribute. Same with the scan_elements. The modifier doesn't apply to this channel. Signed-off-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 2439971a06cb72e5c0bc0cdf33701a79fbb2c8d8 Author: Chris Lesiak Date: Tue May 26 15:40:44 2015 -0500 hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE [ Upstream commit adba657533bdd255f7b78bc8a324091f46b294cd ] When configured via device tree, the associated iio device needs to be measuring voltage for the conversion to resistance to be correct. Return -EINVAL if that is not the case. Signed-off-by: Chris Lesiak Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit da9888ac0e1a4c923ad3c4978d310bbf7c32f0d7 Author: David Vrabel Date: Tue May 19 18:40:49 2015 +0100 xen/events: don't bind non-percpu VIRQs with percpu chip [ Upstream commit 77bb3dfdc0d554befad58fdefbc41be5bc3ed38a ] A non-percpu VIRQ (e.g., VIRQ_CONSOLE) may be freed on a different VCPU than it is bound to. This can result in a race between handle_percpu_irq() and removing the action in __free_irq() because handle_percpu_irq() does not take desc->lock. The interrupt handler sees a NULL action and oopses. Only use the percpu chip/handler for per-CPU VIRQs (like VIRQ_TIMER). # cat /proc/interrupts | grep virq 40: 87246 0 xen-percpu-virq timer0 44: 0 0 xen-percpu-virq debug0 47: 0 20995 xen-percpu-virq timer1 51: 0 0 xen-percpu-virq debug1 69: 0 0 xen-dyn-virq xen-pcpu 74: 0 0 xen-dyn-virq mce 75: 29 0 xen-dyn-virq hvc_console Signed-off-by: David Vrabel Cc: Signed-off-by: Sasha Levin commit b9633548477bc537c11a171af6f6c7d39746ff4a Author: Ilya Dryomov Date: Mon May 11 17:53:34 2015 +0300 Revert "libceph: clear r_req_lru_item in __unregister_linger_request()" [ Upstream commit 521a04d06a729e5971cdee7f84080387ed320527 ] This reverts commit ba9d114ec5578e6e99a4dfa37ff8ae688040fd64. .. which introduced a regression that prevented all lingering requests requeued in kick_requests() from ever being sent to the OSDs, resulting in a lot of missed notifies. In retrospect it's pretty obvious that r_req_lru_item item in the case of lingering requests can be used not only for notarget, but also for unsent linkage due to how tightly actual map and enqueue operations are coupled in __map_request(). The assertion that was being silenced is taken care of in the previous ("libceph: request a new osdmap if lingering request maps to no osd") commit: by always kicking homeless lingering requests we ensure that none of them ends up on the notarget list outside of the critical section guarded by request_mutex. Cc: stable@vger.kernel.org # 3.18+, needs b0494532214b "libceph: request a new osdmap if lingering request maps to no osd" Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil Signed-off-by: Sasha Levin commit 82b02f82fd4f5963582030cb3cdbb6675dc9ce74 Author: Ilya Dryomov Date: Mon May 11 17:53:10 2015 +0300 Revert "libceph: clear r_req_lru_item in __unregister_linger_request()" [ Upstream commit 521a04d06a729e5971cdee7f84080387ed320527 ] This reverts commit ba9d114ec5578e6e99a4dfa37ff8ae688040fd64. .. which introduced a regression that prevented all lingering requests requeued in kick_requests() from ever being sent to the OSDs, resulting in a lot of missed notifies. In retrospect it's pretty obvious that r_req_lru_item item in the case of lingering requests can be used not only for notarget, but also for unsent linkage due to how tightly actual map and enqueue operations are coupled in __map_request(). The assertion that was being silenced is taken care of in the previous ("libceph: request a new osdmap if lingering request maps to no osd") commit: by always kicking homeless lingering requests we ensure that none of them ends up on the notarget list outside of the critical section guarded by request_mutex. Cc: stable@vger.kernel.org # 3.18+, needs b0494532214b "libceph: request a new osdmap if lingering request maps to no osd" Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil Signed-off-by: Sasha Levin commit 8658b4f190913b9df1a8d4531630ab38f863f027 Author: Dave Chinner Date: Fri May 29 07:40:32 2015 +1000 xfs: xfs_iozero can return positive errno [ Upstream commit cddc116228cb9d51d3224d23ba3e61fbbc3ec3d2 ] It was missed when we converted everything in XFs to use negative error numbers, so fix it now. Bug introduced in 3.17 by commit 2451337 ("xfs: global error sign conversion"), and should go back to stable kernels. Thanks to Brian Foster for noticing it. cc: # 3.17, 3.18, 3.19, 4.0 Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Signed-off-by: Sasha Levin commit bebd294bf63ec67763215d868a48e274c53590d5 Author: Dave Chinner Date: Fri May 29 07:40:08 2015 +1000 xfs: xfs_attr_inactive leaves inconsistent attr fork state behind [ Upstream commit 6dfe5a049f2d48582050339d2a6b6fda36dfd14c ] xfs_attr_inactive() is supposed to clean up the attribute fork when the inode is being freed. While it removes attribute fork extents, it completely ignores attributes in local format, which means that there can still be active attributes on the inode after xfs_attr_inactive() has run. This leads to problems with concurrent inode writeback - the in-core inode attribute fork is removed without locking on the assumption that nothing will be attempting to access the attribute fork after a call to xfs_attr_inactive() because it isn't supposed to exist on disk any more. To fix this, make xfs_attr_inactive() completely remove all traces of the attribute fork from the inode, regardless of it's state. Further, also remove the in-core attribute fork structure safely so that there is nothing further that needs to be done by callers to clean up the attribute fork. This means we can remove the in-core and on-disk attribute forks atomically. Also, on error simply remove the in-memory attribute fork. There's nothing that can be done with it once we have failed to remove the on-disk attribute fork, so we may as well just blow it away here anyway. cc: # 3.12 to 4.0 Reported-by: Waiman Long Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Signed-off-by: Sasha Levin commit 4941509f057cc50ba8420ac5f5e6ffdf8715c02a Author: Rusty Russell Date: Wed May 27 10:59:26 2015 +0930 lguest: fix out-by-one error in address checking. [ Upstream commit 83a35114d0e4583e6b0ca39502e68b6a92e2910c ] This bug has been there since day 1; addresses in the top guest physical page weren't considered valid. You could map that page (the check in check_gpte() is correct), but if a guest tried to put a pagetable there we'd check that address manually when walking it, and kill the guest. Signed-off-by: Rusty Russell Cc: stable@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 45948a314fb5d29f92b8537dcf54888ed78bcecc Author: Bob Copeland Date: Thu May 28 15:44:35 2015 -0700 omfs: fix sign confusion for bitmap loop counter [ Upstream commit c0345ee57d461343586b5e1e2f9c3c3766d07fe6 ] The count variable is used to iterate down to (below) zero from the size of the bitmap and handle the one-filling the remainder of the last partial bitmap block. The loop conditional expects count to be signed in order to detect when the final block is processed, after which count goes negative. Unfortunately, a recent change made this unsigned along with some other related fields. The result of is this is that during mount, omfs_get_imap will overrun the bitmap array and corrupt memory unless number of blocks happens to be a multiple of 8 * blocksize. Fix by changing count back to signed: it is guaranteed to fit in an s32 without overflow due to an enforced limit on the number of blocks in the filesystem. Signed-off-by: Bob Copeland Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ce8d4a6371aa570bbe7ecaf618868cc4f6d5b437 Author: Sasha Levin Date: Thu May 28 15:44:29 2015 -0700 fs, omfs: add NULL terminator in the end up the token list [ Upstream commit dcbff39da3d815f08750552fdd04f96b51751129 ] match_token() expects a NULL terminator at the end of the token list so that it would know where to stop. Not having one causes it to overrun to invalid memory. In practice, passing a mount option that omfs didn't recognize would sometimes panic the system. Signed-off-by: Sasha Levin Signed-off-by: Bob Copeland Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 08fb8020b96c0dd8d6199b48c783d9ecb51d1956 Author: John Stultz Date: Fri May 8 13:47:23 2015 -0700 ktime: Fix ktime_divns to do signed division [ Upstream commit f7bcb70ebae0dcdb5a2d859b09e4465784d99029 ] It was noted that the 32bit implementation of ktime_divns() was doing unsigned division and didn't properly handle negative values. And when a ktime helper was changed to utilize ktime_divns, it caused a regression on some IR blasters. See the following bugzilla for details: https://bugzilla.redhat.com/show_bug.cgi?id=1200353 This patch fixes the problem in ktime_divns by checking and preserving the sign bit, and then reapplying it if appropriate after the division, it also changes the return type to a s64 to make it more obvious this is expected. Nicolas also pointed out that negative dividers would cause infinite loops on 32bit systems, negative dividers is unlikely for users of this function, but out of caution this patch adds checks for negative dividers for both 32-bit (BUG_ON) and 64-bit(WARN_ON) versions to make sure no such use cases creep in. [ tglx: Hand an u64 to do_div() to avoid the compiler warning ] Fixes: 166afb64511e 'ktime: Sanitize ktime_to_us/ms conversion' Reported-and-tested-by: Trevor Cordes Signed-off-by: John Stultz Acked-by: Nicolas Pitre Cc: Ingo Molnar Cc: Josh Boyer Cc: One Thousand Gnomes Cc: Link: http://lkml.kernel.org/r/1431118043-23452-1-git-send-email-john.stultz@linaro.org Signed-off-by: Thomas Gleixner Signed-off-by: Sasha Levin commit 55fe6e07b589b0d11bced3ac1d74829b416e7fc6 Author: Nicolas Pitre Date: Wed Dec 3 14:43:06 2014 -0500 ktime: Optimize ktime_divns for constant divisors [ Upstream commit 8b618628b2bf83512fc8df5e8672619d65adfdfb ] At least on ARM, do_div() is optimized to turn constant divisors into an inline multiplication by the reciprocal value at compile time. However this optimization is missed entirely whenever ktime_divns() is used and the slow out-of-line division code is used all the time. Let ktime_divns() use do_div() inline whenever the divisor is constant and small enough. This will make things like ktime_to_us() and ktime_to_ms() much faster. Cc: Arnd Bergmann Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Nicolas Pitre Acked-by: Arnd Bergmann Signed-off-by: Nicolas Pitre Signed-off-by: John Stultz Signed-off-by: Sasha Levin commit 08a468bf87293f0d18f7ce8ad66a42f4371395f7 Author: Liang Li Date: Thu May 21 04:41:25 2015 +0800 kvm/fpu: Enable eager restore kvm FPU for MPX [ Upstream commit c447e76b4cabb49ddae8e49c5758f031f35d55fb ] The MPX feature requires eager KVM FPU restore support. We have verified that MPX cannot work correctly with the current lazy KVM FPU restore mechanism. Eager KVM FPU restore should be enabled if the MPX feature is exposed to VM. Signed-off-by: Yang Zhang Signed-off-by: Liang Li [Also activate the FPU on AMD processors. - Paolo] Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 95678fb1f88e2a397378827536173534cf16a942 Author: Xiao Guangrong Date: Mon May 11 22:55:21 2015 +0800 KVM: MMU: fix SMAP virtualization [ Upstream commit 0be0226f07d14b153a5eedf2bb86e1eb7dcefab5 ] KVM may turn a user page to a kernel page when kernel writes a readonly user page if CR0.WP = 1. This shadow page entry will be reused after SMAP is enabled so that kernel is allowed to access this user page Fix it by setting SMAP && !CR0.WP into shadow page's role and reset mmu once CR4.SMAP is updated Signed-off-by: Xiao Guangrong Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 00f334969132a292e5cc7a383492fdfa9cc834c1 Author: Andrea Arcangeli Date: Fri May 8 14:32:56 2015 +0200 kvm: fix crash in kvm_vcpu_reload_apic_access_page [ Upstream commit e8fd5e9e9984675f45b9a5485909c143fbde248f ] memslot->userfault_addr is set by the kernel with a mmap executed from the kernel but the userland can still munmap it and lead to the below oops after memslot->userfault_addr points to a host virtual address that has no vma or mapping. [ 327.538306] BUG: unable to handle kernel paging request at fffffffffffffffe [ 327.538407] IP: [] put_page+0x5/0x50 [ 327.538474] PGD 1a01067 PUD 1a03067 PMD 0 [ 327.538529] Oops: 0000 [#1] SMP [ 327.538574] Modules linked in: macvtap macvlan xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT iptable_filter ip_tables tun bridge stp llc rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ipmi_devintf iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp dcdbas intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd pcspkr sb_edac edac_core ipmi_si ipmi_msghandler acpi_pad wmi acpi_power_meter lpc_ich mfd_core mei_me [ 327.539488] mei shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc mlx4_ib ib_sa ib_mad ib_core mlx4_en vxlan ib_addr ip_tunnel xfs libcrc32c sd_mod crc_t10dif crct10dif_common crc32c_intel mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm drm ahci i2c_core libahci mlx4_core libata tg3 ptp pps_core megaraid_sas ntb dm_mirror dm_region_hash dm_log dm_mod [ 327.539956] CPU: 3 PID: 3161 Comm: qemu-kvm Not tainted 3.10.0-240.el7.userfault19.4ca4011.x86_64.debug #1 [ 327.540045] Hardware name: Dell Inc. PowerEdge R420/0CN7CM, BIOS 2.1.2 01/20/2014 [ 327.540115] task: ffff8803280ccf00 ti: ffff880317c58000 task.ti: ffff880317c58000 [ 327.540184] RIP: 0010:[] [] put_page+0x5/0x50 [ 327.540261] RSP: 0018:ffff880317c5bcf8 EFLAGS: 00010246 [ 327.540313] RAX: 00057ffffffff000 RBX: ffff880616a20000 RCX: 0000000000000000 [ 327.540379] RDX: 0000000000002014 RSI: 00057ffffffff000 RDI: fffffffffffffffe [ 327.540445] RBP: ffff880317c5bd10 R08: 0000000000000103 R09: 0000000000000000 [ 327.540511] R10: 0000000000000000 R11: 0000000000000000 R12: fffffffffffffffe [ 327.540576] R13: 0000000000000000 R14: ffff880317c5bd70 R15: ffff880317c5bd50 [ 327.540643] FS: 00007fd230b7f700(0000) GS:ffff880630800000(0000) knlGS:0000000000000000 [ 327.540717] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 327.540771] CR2: fffffffffffffffe CR3: 000000062a2c3000 CR4: 00000000000427e0 [ 327.540837] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 327.540904] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 327.540974] Stack: [ 327.541008] ffffffffa05d6d0c ffff880616a20000 0000000000000000 ffff880317c5bdc0 [ 327.541093] ffffffffa05ddaa2 0000000000000000 00000000002191bf 00000042f3feab2d [ 327.541177] 00000042f3feab2d 0000000000000002 0000000000000001 0321000000000000 [ 327.541261] Call Trace: [ 327.541321] [] ? kvm_vcpu_reload_apic_access_page+0x6c/0x80 [kvm] [ 327.543615] [] vcpu_enter_guest+0x3f2/0x10f0 [kvm] [ 327.545918] [] kvm_arch_vcpu_ioctl_run+0x2b0/0x5a0 [kvm] [ 327.548211] [] ? kvm_arch_vcpu_ioctl_run+0xa2/0x5a0 [kvm] [ 327.550500] [] kvm_vcpu_ioctl+0x2b5/0x680 [kvm] [ 327.552768] [] ? creds_are_invalid.part.1+0x12/0x50 [ 327.555069] [] ? creds_are_invalid+0x21/0x30 [ 327.557373] [] ? inode_has_perm.isra.49.constprop.65+0x26/0x80 [ 327.559663] [] do_vfs_ioctl+0x305/0x530 [ 327.561917] [] SyS_ioctl+0xa1/0xc0 [ 327.564185] [] system_call_fastpath+0x16/0x1b [ 327.566480] Code: 0b 31 f6 4c 89 e7 e8 4b 7f ff ff 0f 0b e8 24 fd ff ff e9 a9 fd ff ff 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <48> f7 07 00 c0 00 00 55 48 89 e5 75 2a 8b 47 1c 85 c0 74 1e f0 Signed-off-by: Andrea Arcangeli Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 8124dc9b8b36f2f6d14154c33e0cb3cc44208dec Author: Xiao Guangrong Date: Thu May 7 16:20:15 2015 +0800 KVM: MMU: fix smap permission check [ Upstream commit 7cbeed9bce7580479bb97457dad220cb3594b875 ] Current permission check assumes that RSVD bit in PFEC is always zero, however, it is not true since MMIO #PF will use it to quickly identify MMIO access Fix it by clearing the bit if walking guest page table is needed Signed-off-by: Xiao Guangrong Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit b62b720974390bbac424713ad7e2997e0b49633f Author: Paolo Bonzini Date: Thu Apr 2 11:04:05 2015 +0200 KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages [ Upstream commit 898761158be7682082955e3efa4ad24725305fc7 ] smep_andnot_wp is initialized in kvm_init_shadow_mmu and shadow pages should not be reused for different values of it. Thus, it has to be added to the mask in kvm_mmu_pte_write. Reviewed-by: Xiao Guangrong Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 3d93f1105707743a2f43d66d75db9a5b63aa79ad Author: Ingo Molnar Date: Wed May 20 11:45:30 2015 +0200 x86/fpu: Disable XSAVES* support for now [ Upstream commit e88221c50cadade0eb4f7f149f4967d760212695 ] The kernel's handling of 'compacted' xsave state layout is buggy: http://marc.info/?l=linux-kernel&m=142967852317199 I don't have such a system, and the description there is vague, but from extrapolation I guess that there were two kinds of bugs observed: - boot crashes, due to size calculations being wrong and the dynamic allocation allocating a too small xstate area. (This is now fixed in the new FPU code - but still present in stable kernels.) - FPU state corruption and ABI breakage: if signal handlers try to change the FPU state in standard format, which then the kernel tries to restore in the compacted format. These breakages are scary, but they only occur on a small number of systems that have XSAVES* CPU support. Yet we have had XSAVES support in the upstream kernel for a large number of stable kernel releases, and the fixes are involved and unproven. So do the safe resolution first: disable XSAVES* support and only use the standard xstate format. This makes the code work and is easy to backport. On top of this we can work on enabling (and testing!) proper compacted format support, without backporting pressure, on top of the new, cleaned up FPU code. Cc: Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Dave Hansen Cc: Fenghua Yu Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 6aded17f7f47cb4ee10776c54372841b21170ae4 Author: Borislav Petkov Date: Mon May 18 10:07:17 2015 +0200 x86/mce: Fix MCE severity messages [ Upstream commit 17fea54bf0ab34fa09a06bbde2f58ed7bbdf9299 ] Derek noticed that a critical MCE gets reported with the wrong error type description: [Hardware Error]: CPU 34: Machine Check Exception: 5 Bank 9: f200003f000100b0 [Hardware Error]: RIP !INEXACT! 10: {intel_idle+0xb1/0x170} [Hardware Error]: TSC 49587b8e321cb [Hardware Error]: PROCESSOR 0:306e4 TIME 1431561296 SOCKET 1 APIC 29 [Hardware Error]: Some CPUs didn't answer in synchronization [Hardware Error]: Machine check: Invalid ^^^^^^^ The last line with 'Invalid' should have printed the high level MCE error type description we get from mce_severity, i.e. something like: [Hardware Error]: Machine check: Action required: data load error in a user process this happens due to the fact that mce_no_way_out() iterates over all MCA banks and possibly overwrites the @msg argument which is used in the panic printing later. Change behavior to take the message of only and the (last) critical MCE it detects. Reported-by: Derek Signed-off-by: Borislav Petkov Cc: Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Tony Luck Link: http://lkml.kernel.org/r/1431936437-25286-3-git-send-email-bp@alien8.de Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit c41c609c77b54451d1404d4fd2bfbf5c7efcd7b9 Author: Chen Yucong Date: Tue Nov 18 10:09:19 2014 +0800 x86, mce, severity: Extend the the mce_severity mechanism to handle UCNA/DEFERRED error [ Upstream commit e3480271f59253cb60d030aa5e615bf00b731fea ] Until now, the mce_severity mechanism can only identify the severity of UCNA error as MCE_KEEP_SEVERITY. Meanwhile, it is not able to filter out DEFERRED error for AMD platform. This patch extends the mce_severity mechanism for handling UCNA/DEFERRED error. In order to do this, the patch introduces a new severity level - MCE_UCNA/DEFERRED_SEVERITY. In addition, mce_severity is specific to machine check exception, and it will check MCIP/EIPV/RIPV bits. In order to use mce_severity mechanism in non-exception context, the patch also introduces a new argument (is_excp) for mce_severity. `is_excp' is used to explicitly specify the calling context of mce_severity. Reviewed-by: Aravind Gopalakrishnan Signed-off-by: Chen Yucong Signed-off-by: Tony Luck Signed-off-by: Sasha Levin commit f83263cae8cc77e23dc375299b7709c3fa36bee5 Author: Paolo Bonzini Date: Wed May 20 11:33:43 2015 +0200 Revert "KVM: x86: drop fpu_activate hook" [ Upstream commit 0fdd74f7784b5cdff7075736992bbb149b1ae49c ] This reverts commit 4473b570a7ebb502f63f292ccfba7df622e5fdd3. We'll use the hook again. Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 11bf6b1ea65f1580477827831d05711e5b87ac7b Author: Eric W. Biederman Date: Thu Apr 2 16:35:48 2015 -0500 fs_pin: Allow for the possibility that m_list or s_list go unused. [ Upstream commit 820f9f147dcce2602eefd9b575bbbd9ea14f0953 ] This is needed to support lazily umounting locked mounts. Because the entire unmounted subtree needs to stay together until there are no users with references to any part of the subtree. To support this guarantee that the fs_pin m_list and s_list nodes are initialized by initializing them in init_fs_pin allowing for the possibility that pin_insert_group does not touch them. Further use hlist_del_init in pin_remove so that there is a hlist_unhashed test before the list we attempt to update the previous list item. Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Author: Eric W. Biederman Date: Wed Jan 7 14:28:26 2015 -0600 mnt: Fail collect_mounts when applied to unmounted mounts [ Upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae ] The only users of collect_mounts are in audit_tree.c In audit_trim_trees and audit_add_tree_rule the path passed into collect_mounts is generated from kern_path passed an audit_tree pathname which is guaranteed to be an absolute path. In those cases collect_mounts is obviously intended to work on mounted paths and if a race results in paths that are unmounted when collect_mounts it is reasonable to fail early. The paths passed into audit_tag_tree don't have the absolute path check. But are used to play with fsnotify and otherwise interact with the audit_trees, so again operating only on mounted paths appears reasonable. Avoid having to worry about what happens when we try and audit unmounted filesystems by restricting collect_mounts to mounts that appear in the mount tree. Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit 43969ed3f1f84a000ba14443e78bdbce46a01103 Author: Thomas Petazzoni Date: Thu Mar 12 11:58:12 2015 +0100 ARM: mvebu: do not register custom DMA operations when coherency is disabled This patch is a partial backport of commit ef01c6c36bb8 ("ARM: mvebu: remove Armada 375 Z1 workaround for I/O coherency"). This commit was merged in v3.19, so kernel versions later than v3.19 are not affected by the problem that this commit fixes. It does not make a lot of sense to backport this commit entirely, since it is mainly removing some no longer useful code. However, this commit is also making sure that the bus_register_notifier that register the custom DMA operations that should be used for HW I/O coherency does not get registered when said HW I/O coherency is not enabled. This is particularly critical since we have decided to disable HW I/O coherency completely in all kernels < 4.0, to be on the safe side, while experimenting a new implementation of the HW I/O coherency in >= 4.0. Without this commit, kernels earlier than 3.18 have the custom DMA operations normally used for HW I/O coherency registered (they don't do cache maintenance operations), while HW I/O coherency is disabled. It essentially causes every DMA transfer to transfer garbage. The issue fixed by this commit was introduced by 5ab5afd8ba83 ("ARM: mvebu: implement Armada 375 coherency workaround"), but it was not visible until now since it didn't cause any problem when HW I/O coherency is enabled. Signed-off-by: Thomas Petazzoni Cc: v3.16..v3.18 Signed-off-by: Sasha Levin commit 0c3d774dbb66ff74288bcd8a619d922e5214e2d7 Author: Lv Zheng Date: Mon Apr 13 11:48:52 2015 +0800 ACPICA: Utilities: Cleanup to remove useless ACPI_PRINTF/FORMAT_xxx helpers. [ Upstream commit 1d0a0b2f6df2bf2643fadc990eb143361eca6ada ] ACPICA commit b60612373a4ef63b64a57c124576d7ddb6d8efb6 For physical addresses, since the address may exceed 32-bit address range after calculation, we should use 0x%8.8X%8.8X instead of ACPI_PRINTF_UINT and ACPI_FORMAT_UINT64() instead of ACPI_FORMAT_NATIVE_UINT()/ACPI_FORMAT_TO_UINT(). This patch also removes above replaced macros as there are no users. This is a preparation to switch acpi_physical_address to 64-bit on 32-bit kernel builds. Link: https://github.com/acpica/acpica/commit/b6061237 Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit cf3938da87f57ec3e069ed5697b96e900667c91f Author: Lv Zheng Date: Mon Apr 13 11:48:46 2015 +0800 ACPICA: Utilities: Cleanup to convert physical address printing formats. [ Upstream commit cc2080b0e5a7c6c33ef5e9ffccbc2b8f6f861393 ] ACPICA commit 7f06739db43a85083a70371c14141008f20b2198 For physical addresses, since the address may exceed 32-bit address range after calculation, we should use %8.8X%8.8X (see ACPI_FORMAT_UINT64()) to convert the %p formats. This is a preparation to switch acpi_physical_address to 64-bit on 32-bit kernel builds. Link: https://github.com/acpica/acpica/commit/7f06739d Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0b68ea95408a88893ce1d2a5992a098933187d3b Author: Lv Zheng Date: Mon Apr 13 11:48:37 2015 +0800 ACPICA: Utilities: Cleanup to enforce ACPI_PHYSADDR_TO_PTR()/ACPI_PTR_TO_PHYSADDR(). [ Upstream commit 6d3fd3cc33d50e4c0d0c0bd172de02caaec3127c ] ACPICA commit 154f6d074dd38d6ebc0467ad454454e6c5c9ecdf There are code pieces converting pointers using "(acpi_physical_address) x" or "ACPI_CAST_PTR (t, x)" formats, this patch cleans up them. Known issues: 1. Cleanup of "(ACPI_PHYSICAL_ADDRRESS) x" for a table field For the conversions around the table fields, it is better to fix it with alignment also fixed. So this patch doesn't modify such code. There should be no functional problem by leaving them unchanged. Link: https://github.com/acpica/acpica/commit/154f6d07 Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0e2b54f536e73f6da27eb81cd81497f81c1c85a6 Author: Lv Zheng Date: Mon Apr 13 11:48:18 2015 +0800 ACPICA: Tables: Change acpi_find_root_pointer() to use acpi_physical_address. [ Upstream commit f254e3c57b9d952e987502aefa0804c177dd2503 ] ACPICA commit 7d9fd64397d7c38899d3dc497525f6e6b044e0e3 OSPMs like Linux expect an acpi_physical_address returning value from acpi_find_root_pointer(). This triggers warnings if sizeof (acpi_size) doesn't equal to sizeof (acpi_physical_address): drivers/acpi/osl.c:275:3: warning: passing argument 1 of 'acpi_find_root_pointer' from incompatible pointer type [enabled by default] In file included from include/acpi/acpi.h:64:0, from include/linux/acpi.h:36, from drivers/acpi/osl.c:41: include/acpi/acpixf.h:433:1: note: expected 'acpi_size *' but argument is of type 'acpi_physical_address *' This patch corrects acpi_find_root_pointer(). Link: https://github.com/acpica/acpica/commit/7d9fd643 Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 6a381f532a0a998cb464d6fdaf5956b1446014b1 Author: Al Viro Date: Fri Apr 3 15:23:17 2015 -0400 coredump: accept any write method [ Upstream commit 86cc05840a0da1afcb6b8151b53f3b606457c91b ] Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 498a61ea26e42f6e9861be9af860755ac2ecd70f Author: Alexey Khoroshilov Date: Sat Apr 18 02:53:25 2015 +0300 sound/oss: fix deadlock in sequencer_ioctl(SNDCTL_SEQ_OUTOFBAND) [ Upstream commit bc26d4d06e337ade069f33d3f4377593b24e6e36 ] A deadlock can be initiated by userspace via ioctl(SNDCTL_SEQ_OUTOFBAND) on /dev/sequencer with TMR_ECHO midi event. In this case the control flow is: sound_ioctl() -> case SND_DEV_SEQ: case SND_DEV_SEQ2: sequencer_ioctl() -> case SNDCTL_SEQ_OUTOFBAND: spin_lock_irqsave(&lock,flags); play_event(); -> case EV_TIMING: seq_timing_event() -> case TMR_ECHO: seq_copy_to_input() -> spin_lock_irqsave(&lock,flags); It seems that spin_lock_irqsave() around play_event() is not necessary, because the only other call location in seq_startplay() makes the call without acquiring spinlock. So, the patch just removes spinlocks around play_event(). By the way, it removes unreachable code in seq_timing_event(), since (seq_mode == SEQ_2) case is handled in the beginning. Compile tested only. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b064adaacdbf09341b45ada16f8b8bd128f77465 Author: Mark Rutland Date: Fri Mar 6 12:08:30 2015 +0100 ARM: 8307/1: psci: move psci firmware calls out of line [ Upstream commit c097877319ab61dd045b6497953b4e3df8f2bb44 ] arm64 builds with GCC 5 have caused the __asmeq assertions in the PSCI calling code to fire, so move the ARM PSCI calls out of line into their own assembly file for consistency and to safeguard against the same issue occuring with the 32-bit toolchain. [will: brought into line with arm64 implementation] Reported-by: Andy Whitcroft Signed-off-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 4d3352143052bab29ecc38eb8ecac9c23791f107 Author: Takeshi Kihara Date: Thu Apr 30 02:03:51 2015 +0900 mmc: sh_mmcif: Fix timeout value for command request [ Upstream commit bad4371d87d1d1ed1aecd9c9cc21c41ac3f289c8 ] f9fd54f22e ("mmc: sh_mmcif: Use msecs_to_jiffies() for host->timeout") changed the timeout value from 1000 jiffies to 1s. In the case where HZ is 1000 the values are the same. However, for smaller HZ values the timeout is now smaller, 1s instead of 10s in the case of HZ=100. Since the timeout occurs in spite of a normal data transfer a timeout of 10s seems more appropriate. This restores the previous timeout in the case where HZ=100 and results in an increase over the previous timeout for larger values of HZ. Fixes: f9fd54f22e ("mmc: sh_mmcif: Use msecs_to_jiffies() for host->timeout") Signed-off-by: Takeshi Kihara [horms: rewrote changelog to refer to HZ] Signed-off-by: Simon Horman Signed-off-by: Yoshihiro Kaneko Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit c7fe6e650eea13222663101ac8f755ccf158e988 Author: Grygorii Strashko Date: Thu Apr 23 13:43:43 2015 +0300 mmc: core: add missing pm event in mmc_pm_notify to fix hib restore [ Upstream commit 184af16b09360d6273fd6160e6ff7f8e2482ef23 ] The PM_RESTORE_PREPARE is not handled now in mmc_pm_notify(), as result mmc_rescan() could be scheduled and executed at late hibernation restore stages when MMC device is suspended already - which, in turn, will lead to system crash on TI dra7-evm board: WARNING: CPU: 0 PID: 3188 at drivers/bus/omap_l3_noc.c:148 l3_interrupt_handler+0x258/0x374() 44000000.ocp:L3 Custom Error: MASTER MPU TARGET L4_PER1_P3 (Idle): Data Access in User mode during Functional access Hence, add missed PM_RESTORE_PREPARE PM event in mmc_pm_notify(). Fixes: 4c2ef25fe0b8 (mmc: fix all hangs related to mmc/sd card...) Signed-off-by: Grygorii Strashko Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit c7221fe0d853f7cab501743bab242b59fe59d865 Author: Chuanxiao Dong Date: Tue Aug 12 12:01:30 2014 +0800 mmc: card: Don't access RPMB partitions for normal read/write [ Upstream commit 4e93b9a6abc0d028daf3c8a00cb77b679d8a4df4 ] During kernel boot, it will try to read some logical sectors of each block device node for the possible partition table. But since RPMB partition is special and can not be accessed by normal eMMC read / write CMDs, it will cause below error messages during kernel boot: ... mmc0: Got data interrupt 0x00000002 even though no data operation was in progress. mmcblk0rpmb: error -110 transferring data, sector 0, nr 32, cmd response 0x900, card status 0xb00 mmcblk0rpmb: retrying using single block read mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 mmcblk0rpmb: timed out sending r/w cmd command, card status 0x400900 end_request: I/O error, dev mmcblk0rpmb, sector 0 Buffer I/O error on device mmcblk0rpmb, logical block 0 end_request: I/O error, dev mmcblk0rpmb, sector 8 Buffer I/O error on device mmcblk0rpmb, logical block 1 end_request: I/O error, dev mmcblk0rpmb, sector 16 Buffer I/O error on device mmcblk0rpmb, logical block 2 end_request: I/O error, dev mmcblk0rpmb, sector 24 Buffer I/O error on device mmcblk0rpmb, logical block 3 ... This patch will discard the access request in eMMC queue if it is RPMB partition access request. By this way, it avoids trigger above error messages. Fixes: 090d25fe224c ("mmc: core: Expose access to RPMB partition") Signed-off-by: Yunpeng Gao Signed-off-by: Chuanxiao Dong Tested-by: Michael Shigorin Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit eae444c126cbe594aebe706abb9aba1a6314eff1 Author: Doug Anderson Date: Fri May 1 09:01:27 2015 -0700 pinctrl: Don't just pretend to protect pinctrl_maps, do it for real [ Upstream commit c5272a28566b00cce79127ad382406e0a8650690 ] Way back, when the world was a simpler place and there was no war, no evil, and no kernel bugs, there was just a single pinctrl lock. That was how the world was when (57291ce pinctrl: core device tree mapping table parsing support) was written. In that case, there were instances where the pinctrl mutex was already held when pinctrl_register_map() was called, hence a "locked" parameter was passed to the function to indicate that the mutex was already locked (so we shouldn't lock it again). A few years ago in (42fed7b pinctrl: move subsystem mutex to pinctrl_dev struct), we switched to a separate pinctrl_maps_mutex. ...but (oops) we forgot to re-think about the whole "locked" parameter for pinctrl_register_map(). Basically the "locked" parameter appears to still refer to whether the bigger pinctrl_dev mutex is locked, but we're using it to skip locks of our (now separate) pinctrl_maps_mutex. That's kind of a bad thing(TM). Probably nobody noticed because most of the calls to pinctrl_register_map happen at boot time and we've got synchronous device probing. ...and even cases where we're asynchronous don't end up actually hitting the race too often. ...but after banging my head against the wall for a bug that reproduced 1 out of 1000 reboots and lots of looking through kgdb, I finally noticed this. Anyway, we can now safely remove the "locked" parameter and go back to a war-free, evil-free, and kernel-bug-free world. Fixes: 42fed7ba44e4 ("pinctrl: move subsystem mutex to pinctrl_dev struct") Signed-off-by: Doug Anderson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 13b1c9845e849fa6752034a808db76ac7ad9c5c9 Author: Christian König Date: Thu May 7 15:19:24 2015 +0200 drm/radeon: more strictly validate the UVD codec [ Upstream commit d52cdfa4a0c6406bbfb33206341eaf1fb1555994 ] MPEG 2/4 are only supported since UVD3. Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0566ba74693f1810ed283da70c7d502ffbc3e74c Author: Christian König Date: Thu May 7 15:19:23 2015 +0200 drm/radeon: make UVD handle checking more strict [ Upstream commit a1b403da70e038ca6c6c6fe434d1d873546873a3 ] Invalid messages can crash the hw otherwise. Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8a6aaf2098023dce1a53e1f28e032a86000a9afb Author: Christian König Date: Thu May 7 15:19:22 2015 +0200 drm/radeon: make VCE handle check more strict [ Upstream commit 29c63fe22a17c64e54016040cd882481bd45ee5a ] Invalid handles can crash the hw. Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5566f412612436b0cecafbd4d09e6fd3dcb6ab00 Author: monk.liu Date: Tue May 5 09:24:17 2015 +0200 drm/radeon: fix userptr BO unpin bug v3 [ Upstream commit db12973cd581d4e79f4aadd0960948f268d15af7 ] Fixing a memory leak with userptrs. v2: clean up the loop, use an iterator instead v3: remove unused variable Signed-off-by: monk.liu Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8cd63e3f93a0233e02222133498841224271019b Author: Christian König Date: Fri May 1 12:34:12 2015 +0200 drm/radeon: disable semaphores for UVD V1 (v2) [ Upstream commit 013ead48a843442e63b9426e3bd5df18ca5d054a ] Hardware doesn't seem to work correctly, just block userspace in this case. v2: add missing defines Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=85320 Signed-off-by: Christian König CC: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8df0e1f7a38bcd279761005d3459410736e978de Author: Jani Nikula Date: Tue May 5 16:32:12 2015 +0300 drm/i915/dp: there is no audio on port A [ Upstream commit 9fcb1704d1d51b12e2f03c78bca013d0cbbb7c98 ] The eDP port A register on PCH split platforms has a slightly different register layout from the other ports, with bit 6 being either alternate scrambler reset or reserved, depending on the generation. Our misinterpretation of the bit as audio has lead to warning. Fix this by not enabling audio on port A, since none of our platforms support audio on port A anyway. v2: DDI doesn't have audio on port A either (Sivakumar Thulasimani) Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=89958 Reported-and-tested-by: Chris Bainbridge Cc: stable@vger.kernel.org Reviewed-by: Sivakumar Thulasimani Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit e209efaabd8097ade1d046a7f087fc0dc93f54f6 Author: Lukas Wunner Date: Mon May 4 15:06:49 2015 +0200 drm/i915: Add missing MacBook Pro models with dual channel LVDS [ Upstream commit 3916e3fd81021fb795bfbdb17f375b6b3685bced ] Single channel LVDS maxes out at 112 MHz. The 15" pre-retina models shipped with 1440x900 (106 MHz) by default or 1680x1050 (119 MHz) as a BTO option, both versions used dual channel LVDS even though the smaller one would have fit into a single channel. Notes: Bug report showing that the MacBookPro8,2 with 1440x900 uses dual channel LVDS (this lead to it being hardcoded in intel_lvds.c by Daniel Vetter with commit 618563e3945b9d0864154bab3c607865b557cecc): https://bugzilla.kernel.org/show_bug.cgi?id=42842 If i915.lvds_channel_mode=2 is missing even though the machine needs it, every other vertical line is white and consequently, only the left half of the screen is visible (verified by myself on a MacBookPro9,1). Forum posting concerning a MacBookPro6,2 with 1440x900, author is using i915.lvds_channel_mode=2 on the kernel command line, proving that the machine uses dual channels: https://bbs.archlinux.org/viewtopic.php?id=185770 Chi Mei N154C6-L04 with 1440x900 is a replacement panel for all MacBook Pro "A1286" models, and that model number encompasses the MacBookPro6,2 / 8,2 / 9,1. Page 17 of the panel's datasheet shows it's driven with dual channel LVDS: http://www.ebay.com/itm/-/400690878560 http://www.everymac.com/ultimate-mac-lookup/?search_keywords=A1286 http://www.taopanel.com/chimei/datasheet/N154C6-L04.pdf Those three 15" models, MacBookPro6,2 / 8,2 / 9,1, are the only ones with i915 graphics and dual channel LVDS, so that list should be complete. And the 8,2 is already in intel_lvds.c. Possible motivation to use dual channel LVDS even on the 1440x900 models: Reduce the number of different parts, i.e. use identical logic boards and display cabling on both versions and the only differing component is the panel. Signed-off-by: Lukas Wunner Acked-by: Jani Nikula Cc: stable@vger.kernel.org [Jani: included notes in the commit message for posterity] Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit 6128995725eb65d9b6971645b9b5e73e148aa549 Author: Mario Kleiner Date: Tue Apr 7 06:31:09 2015 +0200 drm: Zero out invalid vblank timestamp in drm_update_vblank_count. [ Upstream commit fdb68e09bbb1c981f24608d7022c7d93cc47b326 ] Since commit 844b03f27739135fe1fed2fef06da0ffc4c7a081 we make sure that after vblank irq off, we return the last valid (vblank count, vblank timestamp) pair to clients, e.g., during modesets, which is good. An overlooked side effect of that commit for kms drivers without support for precise vblank timestamping is that at vblank irq enable, when we update the vblank counter from the hw counter, we can't update the corresponding vblank timestamp, so now we have a totally mismatched timestamp for the new count to confuse clients. Restore old client visible behaviour from before Linux 3.17, but zero out the timestamp at vblank counter update (instead of disable as in original implementation) if we can't generate a meaningful timestamp immediately for the new vblank counter. This will fix this regression, so callers know they need to retry again later if they need a valid timestamp, but at the same time preserves the improvements made in the commit mentioned above. Signed-off-by: Mario Kleiner Cc: #v3.17+ Cc: Ville Syrjälä Cc: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin commit 6c6e8935df207f8af59b15d2b3344557ce4b5c2d Author: Ulf Hansson Date: Mon Apr 20 16:02:33 2015 +0200 ARM: ux500: Enable GPIO regulator for SD-card for snowball [ Upstream commit 11133db7a836b0cb411faa048f07a38e994d1382 ] Fixes: c94a4ab7af3f ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson Reviewed-by: Bjorn Andersson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 16c5d7f011b24941e285003c5722fda002081efc Author: Ulf Hansson Date: Mon Apr 20 16:02:32 2015 +0200 ARM: ux500: Enable GPIO regulator for SD-card for HREF boards [ Upstream commit f9a8c3914ba85f19c3360b19612d77c47adb8942 ] Fixes: c94a4ab7af3f ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson Reviewed-by: Bjorn Andersson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit f15528a491ba4ae0c8713fc02b947492ea5c4493 Author: Ulf Hansson Date: Mon Apr 20 16:02:31 2015 +0200 ARM: ux500: Move GPIO regulator for SD-card into board DTSs [ Upstream commit 53d2669844263fd5fdc70f0eb6a2eb8a21086d8e ] The GPIO regulator for the SD-card isn't a ux500 SOC configuration, but instead it's specific to the board. Move the definition of it, into the board DTSs. Fixes: c94a4ab7af3f ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson Reviewed-by: Bjorn Andersson Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 4e5279e4493ddf627a33e838b8aec103f8f75f0f Author: Nicolas Schichan Date: Wed May 6 18:31:56 2015 +0200 ARM: net fix emit_udiv() for BPF_ALU | BPF_DIV | BPF_K intruction. [ Upstream commit 19fc99d0c6ba7d9b65456496b5bb2169d5f74cd0 ] In that case, emit_udiv() will be called with rn == ARM_R0 (r_scratch) and loading rm first into ARM_R0 will result in jit_udiv() function being called the same dividend and divisor. Fix that by loading rn first into ARM_R1 and then rm into ARM_R0. Signed-off-by: Nicolas Schichan Cc: # v3.13+ Fixes: aee636c4809f (bpf: do not use reciprocal divide) Acked-by: Mircea Gherzan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7b022b8ad207d2d0ce8aa8a16d22a424a417f28d Author: Tony Lindgren Date: Mon May 4 08:54:41 2015 -0700 ARM: OMAP2+: Fix omap off idle power consumption creeping up [ Upstream commit 102bcb6ed2d1c3ffcc7269afc957c2df11942085 ] If we use a combination of VMODE and I2C4 for retention modes, eventually the off idle power consumption will creep up by about 23mW, even during off mode with I2C4 always staying enabled. Turns out this is because of erratum i531 "Extra Power Consumed When Repeated Start Operation Mode Is Enabled on I2C Interface Dedicated for Smart Reflex (I2C4)" as pointed out by Nishanth Menon . Let's fix the issue by adding i2c_cfg_clear_mask for the bits to clear when initializing the I2C4 adapter so we can clear SREN bit that drives the I2C4 lines low otherwise when there is no traffic. Fixes: 3b8c4ebb7630 ("ARM: OMAP3: Fix idle mode signaling for Cc: stable@vger.kernel.org # v3.16+ sys_clkreq and sys_off_mode") Cc: Kevin Hilman Cc: Tero Kristo Reviewed-by: Nishanth Menon Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 0f0e4765c9f488fe1af9973be323cb2dd2326059 Author: Gregory CLEMENT Date: Tue Apr 14 11:50:13 2015 +0200 ARM: mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC [ Upstream commit 750e30d4076ae5e02ad13a376e96c95a2627742c ] There is no crystal connected to the internal RTC on the Open Block AX3. So let's disable it in order to prevent the kernel probing the driver uselessly. Eventually this patches removes the following warning message from the boot log: "rtc-mv d0010300.rtc: internal RTC not ticking" Acked-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Cc: # v3.8 + Signed-off-by: Sasha Levin commit 0fc6b2a34fb22a979a53d4da7d5d632691f5ddac Author: Fabio Estevam Date: Tue Apr 14 11:05:04 2015 -0300 ARM: dts: imx23-olinuxino: Fix polarity of LED GPIO [ Upstream commit cfe8c59762244251fd9a5e281d48808095ff4090 ] On imx23-olinuxino the LED turns on when level logic high is aplied to GPIO2_1. Fix the gpios property accordingly. Fixes: b34aa1850244 ("ARM: dts: imx23-olinuxino: Remove unneeded "default-on"") Reported-by: Stefan Wahren Signed-off-by: Fabio Estevam Tested-by: Stefan Wahren Cc: stable@vger.kernel.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 90a235929e099e390e75648404527e97234678cc Author: Stefan Wahren Date: Tue Apr 14 20:37:26 2015 +0000 ARM: dts: imx23-olinuxino: Fix dr_mode of usb0 [ Upstream commit 0fdebe1a2f4d3a8fc03754022fabf8ba95e131a3 ] The dr_mode of usb0 on imx233-olinuxino is left to default "otg". Since the green LED (GPIO2_1) on imx233-olinuxino is connected to the same pin as USB_OTG_ID it's possible to disable USB host by LED toggling: echo 0 > /sys/class/leds/green/brightness [ 1068.890000] ci_hdrc ci_hdrc.0: remove, state 1 [ 1068.890000] usb usb1: USB disconnect, device number 1 [ 1068.920000] usb 1-1: USB disconnect, device number 2 [ 1068.920000] usb 1-1.1: USB disconnect, device number 3 [ 1069.070000] usb 1-1.2: USB disconnect, device number 4 [ 1069.450000] ci_hdrc ci_hdrc.0: USB bus 1 deregistered [ 1074.460000] ci_hdrc ci_hdrc.0: timeout waiting for 00000800 in 11 This patch fixes the issue by setting dr_mode to "host" in the dts file. Reported-by: Harald Geyer Signed-off-by: Stefan Wahren Reviewed-by: Fabio Estevam Reviewed-by: Marek Vasut Acked-by: Peter Chen Fixes: b49312948285 ("ARM: dts: imx23-olinuxino: Add USB host support") Cc: stable@vger.kernel.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit bbf9996715a486c5033af0cee525549665727b09 Author: Marek Vasut Date: Fri Apr 24 13:29:47 2015 +0200 ARM: dts: imx28: Fix AUART4 TX-DMA interrupt name [ Upstream commit 4ada77e37a773168fea484899201e272ab44ba8b ] Fix a typo in the TX DMA interrupt name for AUART4. This patch makes AUART4 operational again. Signed-off-by: Marek Vasut Fixes: f30fb03d4d3a ("ARM: dts: add generic DMA device tree binding for mxs-dma") Cc: stable@vger.kernel.org Acked-by: Stefan Wahren Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 06fe1ec5b9f5146f82a5881a861de666e959adf0 Author: Philipp Zabel Date: Tue Apr 21 15:59:53 2015 +0200 ARM: dts: imx6: phyFLEX: USB VBUS control is active-high [ Upstream commit 7f8d49dcc66a3dd3a8fc3078330b8fb9e616ad3f ] The fixed-regulator bindings require a separate property enable-active-high, the standard gpio phandle property polarity setting is ignored. Signed-off-by: Philipp Zabel Fixes: 4fe69a934b1f ("ARM: dts: Add Phytec pfla02 with i.MX6 DualLite/Solo") Cc: stable@vger.kernel.org Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 10787ce6481408710db979b64eb7402049dac789 Author: Markus Pargmann Date: Fri Apr 24 09:27:33 2015 +0200 ARM: dts: imx25: Add #pwm-cells to pwm4 [ Upstream commit f90d3f0d0a11fa77918fd5497cb616dd2faa8431 ] The property '#pwm-cells' is currently missing. It is not possible to use pwm4 without this property. Signed-off-by: Markus Pargmann Fixes: 5658a68fb578 ("ARM i.MX25: Add devicetree") Cc: Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit eeb31bc8b3458687ca0a3123a89f3f0fc1a714c5 Author: Pavel Machek Date: Sun Mar 1 21:07:08 2015 +0200 ARM: dts: OMAP3-N900: Add microphone bias voltages [ Upstream commit 1819e3034ee26ffadc71880064ed8b8e7d74f52c ] N900 audio recording needs that codec provides bias voltage for integrated digital microphone and headset microphone depending which one is used. Digital microphone uses 2 V bias and it comes from the codec A part. Codec B part drives the headset microphone bias and that is set to 2.5 V. Cc: stable@vger.kernel.org # v3.16+ Signed-off-by: Pavel Machek [Jarkko: Headset mic bias changed to 2 (2.5 V) as it was before commit e2e8bfdf6157 ("ASoC: tlv320aic3x: Convert mic bias to a supply widget")] Signed-off-by: Jarkko Nikula Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 90cdd181917a2c28283d35dae0191e2f526a60ec Author: Rabin Vincent Date: Tue May 5 15:15:56 2015 +0200 Revert "dm crypt: fix deadlock when async crypto algorithm returns -EBUSY" [ Upstream commit c0403ec0bb5a8c5b267fb7e16021bec0b17e4964 ] This reverts Linux 4.1-rc1 commit 0618764cb25f6fa9fb31152995de42a8a0496475. The problem which that commit attempts to fix actually lies in the Freescale CAAM crypto driver not dm-crypt. dm-crypt uses CRYPTO_TFM_REQ_MAY_BACKLOG. This means the the crypto driver should internally backlog requests which arrive when the queue is full and process them later. Until the crypto hw's queue becomes full, the driver returns -EINPROGRESS. When the crypto hw's queue if full, the driver returns -EBUSY, and if CRYPTO_TFM_REQ_MAY_BACKLOG is set, is expected to backlog the request and process it when the hardware has queue space. At the point when the driver takes the request from the backlog and starts processing it, it calls the completion function with a status of -EINPROGRESS. The completion function is called (for a second time, in the case of backlogged requests) with a status/err of 0 when a request is done. Crypto drivers for hardware without hardware queueing use the helpers, crypto_init_queue(), crypto_enqueue_request(), crypto_dequeue_request() and crypto_get_backlog() helpers to implement this behaviour correctly, while others implement this behaviour without these helpers (ccp, for example). dm-crypt (before the patch that needs reverting) uses this API correctly. It queues up as many requests as the hw queues will allow (i.e. as long as it gets back -EINPROGRESS from the request function). Then, when it sees at least one backlogged request (gets -EBUSY), it waits till that backlogged request is handled (completion gets called with -EINPROGRESS), and then continues. The references to af_alg_wait_for_completion() and af_alg_complete() in that commit's commit message are irrelevant because those functions only handle one request at a time, unlink dm-crypt. The problem is that the Freescale CAAM driver, which that commit describes as having being tested with, fails to implement the backlogging behaviour correctly. In cam_jr_enqueue(), if the hardware queue is full, it simply returns -EBUSY without backlogging the request. What the observed deadlock was is not described in the commit message but it is obviously the wait_for_completion() in crypto_convert() where dm-crypto would wait for the completion being called with -EINPROGRESS in the case of backlogged requests. This completion will never be completed due to the bug in the CAAM driver. Commit 0618764cb25 incorrectly made dm-crypt wait for every request, even when the driver/hardware queues are not full, which means that dm-crypt will never see -EBUSY. This means that that commit will cause a performance regression on all crypto drivers which implement the API correctly. Revert it. Correct backlog handling should be implemented in the CAAM driver instead. Cc'ing stable purely because commit 0618764cb25 did. If for some reason a stable@ kernel did pick up commit 0618764cb25 it should get reverted. Signed-off-by: Rabin Vincent Reviewed-by: Horia Geanta Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 8d102e1d92688151716b382f191d76bb19f8e89b Author: Ben Hutchings Date: Mon Apr 13 00:26:35 2015 +0100 xen-pciback: Add name prefix to global 'permissive' variable [ Upstream commit 8014bcc86ef112eab9ee1db312dba4e6b608cf89 ] The variable for the 'permissive' module parameter used to be static but was recently changed to be extern. This puts it in the kernel global namespace if the driver is built-in, so its name should begin with a prefix identifying the driver. Signed-off-by: Ben Hutchings Fixes: af6fc858a35b ("xen-pciback: limit guest control of command register") Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit 3b2ec381961c77785353337031a00691416b4479 Author: Boris Ostrovsky Date: Wed Apr 29 17:10:15 2015 -0400 xen/events: Set irq_info->evtchn before binding the channel to CPU in __startup_pirq() [ Upstream commit 16e6bd5970c88a2ac018b84a5f1dd5c2ff1fdf2c ] .. because bind_evtchn_to_cpu(evtchn, cpu) will map evtchn to 'info' and pass 'info' down to xen_evtchn_port_bind_to_cpu(). Signed-off-by: Boris Ostrovsky Tested-by: Annie Li Cc: Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit 0120beac6be73f3bdf3ddce4eb428d7667c08cef Author: Boris Ostrovsky Date: Wed Apr 29 17:10:14 2015 -0400 xen/console: Update console event channel on resume [ Upstream commit b9d934f27c91b878c4b2e64299d6e419a4022f8d ] After a resume the hypervisor/tools may change console event channel number. We should re-query it. Signed-off-by: Boris Ostrovsky Cc: Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit df39fed60dbca981281fe1df2082d60bed944d68 Author: Boris Ostrovsky Date: Wed Apr 29 17:10:13 2015 -0400 xen/xenbus: Update xenbus event channel on resume [ Upstream commit 16f1cf3ba7303228372d3756677bf7d10e79cf9f ] After a resume the hypervisor/tools may change xenbus event channel number. We should re-query it. Signed-off-by: Boris Ostrovsky Cc: Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit 5ea5c920bfde8717b3382e4909e1ce4c4b12b91d Author: Boris Ostrovsky Date: Wed Apr 29 17:10:12 2015 -0400 xen/events: Clear cpu_evtchn_mask before resuming [ Upstream commit 5cec98834989a014a9560b1841649eaca95cf00e ] When a guest is resumed, the hypervisor may change event channel assignments. If this happens and the guest uses 2-level events it is possible for the interrupt to be claimed by wrong VCPU since cpu_evtchn_mask bits may be stale. This can happen even though evtchn_2l_bind_to_cpu() attempts to clear old bits: irq_info that is passed in is not necessarily the original one (from pre-migration times) but instead is freshly allocated during resume and so any information about which CPU the channel was bound to is lost. Thus we should clear the mask during resume. We also need to make sure that bits for xenstore and console channels are set when these two subsystems are resumed. While rebind_evtchn_irq() (which is invoked for both of them on a resume) calls irq_set_affinity(), the latter will in fact postpone setting affinity until handling the interrupt. But because cpu_evtchn_mask will have bits for these two cleared we won't be able to take the interrupt. With that in mind, we need to bind those two channels explicitly in rebind_evtchn_irq(). We will keep irq_set_affinity() so that we have a pass through generic irq affinity code later, in case something needs to be updated there as well. (Also replace cpumask_of(0) with cpumask_of(info->cpu) in rebind_evtchn_irq(): it should be set to zero in preceding xen_irq_info_evtchn_setup().) Signed-off-by: Boris Ostrovsky Reported-by: Annie Li Cc: # 3.14+ Signed-off-by: David Vrabel Signed-off-by: Sasha Levin commit 881241e8e37b2590ec8bcdce9dc554541010bb6a Author: Naoya Horiguchi Date: Tue May 5 16:23:46 2015 -0700 mm: soft-offline: fix num_poisoned_pages counting on concurrent events [ Upstream commit 602498f9aa43d4951eece3fd6ad95a6d0a78d537 ] If multiple soft offline events hit one free page/hugepage concurrently, soft_offline_page() can handle the free page/hugepage multiple times, which makes num_poisoned_pages counter increased more than once. This patch fixes this wrong counting by checking TestSetPageHWPoison for normal papes and by checking the return value of dequeue_hwpoisoned_huge_page() for hugepages. Signed-off-by: Naoya Horiguchi Acked-by: Dean Nelson Cc: Andi Kleen Cc: [3.14+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 4e258a15e1037e05492a11cde68cb4ece0a21248 Author: Tejun Heo Date: Tue Apr 21 16:49:13 2015 -0400 writeback: use |1 instead of +1 to protect against div by zero [ Upstream commit 464d1387acb94dc43ba772b35242345e3d2ead1b ] mm/page-writeback.c has several places where 1 is added to the divisor to prevent division by zero exceptions; however, if the original divisor is equivalent to -1, adding 1 leads to division by zero. There are three places where +1 is used for this purpose - one in pos_ratio_polynom() and two in bdi_position_ratio(). The second one in bdi_position_ratio() actually triggered div-by-zero oops on a machine running a 3.10 kernel. The divisor is x_intercept - bdi_setpoint + 1 == span + 1 span is confirmed to be (u32)-1. It isn't clear how it ended up that but it could be from write bandwidth calculation underflow fixed by c72efb658f7c ("writeback: fix possible underflow in write bandwidth calculation"). At any rate, +1 isn't a proper protection against div-by-zero. This patch converts all +1 protections to |1. Note that bdi_update_dirty_ratelimit() was already using |1 before this patch. Signed-off-by: Tejun Heo Cc: stable@vger.kernel.org Reviewed-by: Jan Kara Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f42b455331b5eb2ef5f2cecab28941eb1fada554 Author: Al Viro Date: Fri May 8 22:53:15 2015 -0400 path_openat(): fix double fput() [ Upstream commit f15133df088ecadd141ea1907f2c96df67c729f0 ] path_openat() jumps to the wrong place after do_tmpfile() - it has already done path_cleanup() (as part of path_lookupat() called by do_tmpfile()), so doing that again can lead to double fput(). Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit d7259f44da869f67b40a91efe4dea3580462d305 Author: Naoya Horiguchi Date: Tue May 5 16:23:35 2015 -0700 mm/memory-failure: call shake_page() when error hits thp tail page [ Upstream commit 09789e5de18e4e442870b2d700831f5cb802eb05 ] Currently memory_failure() calls shake_page() to sweep pages out from pcplists only when the victim page is 4kB LRU page or thp head page. But we should do this for a thp tail page too. Consider that a memory error hits a thp tail page whose head page is on a pcplist when memory_failure() runs. Then, the current kernel skips shake_pages() part, so hwpoison_user_mappings() returns without calling split_huge_page() nor try_to_unmap() because PageLRU of the thp head is still cleared due to the skip of shake_page(). As a result, me_huge_page() runs for the thp, which is broken behavior. One effect is a leak of the thp. And another is to fail to isolate the memory error, so later access to the error address causes another MCE, which kills the processes which used the thp. This patch fixes this problem by calling shake_page() for thp tail case. Fixes: 385de35722c9 ("thp: allow a hwpoisoned head page to be put back to LRU") Signed-off-by: Naoya Horiguchi Reviewed-by: Andi Kleen Acked-by: Dean Nelson Cc: Andrea Arcangeli Cc: Hidetoshi Seto Cc: Jin Dongming Cc: [3.4+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2c981af6c8ed75640a7058473aaf42732386836c Author: Eric W. Biederman Date: Fri May 8 16:36:50 2015 -0500 mnt: Fix fs_fully_visible to verify the root directory is visible [ Upstream commit 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd ] This fixes a dumb bug in fs_fully_visible that allows proc or sys to be mounted if there is a bind mount of part of /proc/ or /sys/ visible. Cc: stable@vger.kernel.org Reported-by: Eric Windisch Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin commit d4b113a8840776191189952a9d194cf7c034af35 Author: Johan Hovold Date: Tue Apr 21 17:42:09 2015 +0200 gpio: sysfs: fix memory leaks and device hotplug [ Upstream commit 483d821108791092798f5d230686868112927044 ] Unregister GPIOs requested through sysfs at chip remove to avoid leaking the associated memory and sysfs entries. The stale sysfs entries prevented the gpio numbers from being exported when the gpio range was later reused (e.g. at device reconnect). This also fixes the related module-reference leak. Note that kernfs makes sure that any on-going sysfs operations finish before the class devices are unregistered and that further accesses fail. The chip exported flag is used to prevent gpiod exports during removal. This also makes it harder to trigger, but does not fix, the related race between gpiochip_remove and export_store, which is really a race with gpiod_request that needs to be addressed separately. Also note that this would prevent the crashes (e.g. NULL-dereferences) at reconnect that affects pre-3.18 kernels, as well as use-after-free on operations on open attribute files on pre-3.14 kernels (prior to kernfs). Fixes: d8f388d8dc8d ("gpio: sysfs interface") Cc: stable # v2.6.27: 01cca93a9491 Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit eed9aeb7b5f84ca10bed64af7b51808540d1b881 Author: Jason Gunthorpe Date: Mon Apr 20 14:01:11 2015 -0600 RDMA/CMA: Canonize IPv4 on IPV6 sockets properly [ Upstream commit 285214409a9e5fceba2215461b4682b6069d8e77 ] When accepting a new IPv4 connect to an IPv6 socket, the CMA tries to canonize the address family to IPv4, but does not properly process the listening sockaddr to get the listening port, and does not properly set the address family of the canonized sockaddr. Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager") Cc: Reported-By: Yotam Kenneth Signed-off-by: Jason Gunthorpe Tested-by: Haggai Eran Signed-off-by: Doug Ledford Signed-off-by: Sasha Levin commit f4ccf646b9332123ed5d49dfa4806989248f8725 Author: Ryusuke Konishi Date: Tue May 5 16:24:00 2015 -0700 nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() [ Upstream commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 ] The range check for b-tree level parameter in nilfs_btree_root_broken() is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even though the level is limited to values in the range of 0 to (NILFS_BTREE_LEVEL_MAX - 1). Since the level parameter is read from storage device and used to index nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it can cause memory overrun during btree operations if the boundary value is set to the level parameter on device. This fixes the broken sanity check and adds a comment to clarify that the upper bound NILFS_BTREE_LEVEL_MAX is exclusive. Signed-off-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 806d32c55b5f014012f3cc62f62fc078b891c630 Author: Junxiao Bi Date: Tue May 5 16:24:02 2015 -0700 ocfs2: dlm: fix race between purge and get lock resource [ Upstream commit b1432a2a35565f538586774a03bf277c27fc267d ] There is a race window in dlm_get_lock_resource(), which may return a lock resource which has been purged. This will cause the process to hang forever in dlmlock() as the ast msg can't be handled due to its lock resource not existing. dlm_get_lock_resource { ... spin_lock(&dlm->spinlock); tmpres = __dlm_lookup_lockres_full(dlm, lockid, namelen, hash); if (tmpres) { spin_unlock(&dlm->spinlock); >>>>>>>> race window, dlm_run_purge_list() may run and purge the lock resource spin_lock(&tmpres->spinlock); ... spin_unlock(&tmpres->spinlock); } } Signed-off-by: Junxiao Bi Cc: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit dc0ddaa4384328e6d14c28627e1ad5bcc5d2bff5 Author: Witold Szczeponik Date: Fri May 1 19:05:20 2015 +0200 ACPI / PNP: add two IDs to list for PNPACPI device enumeration [ Upstream commit 622532bb2fad8fe342fb685727ae0be566f6be5d ] Commit eec15edbb0e1 (ACPI / PNP: use device ID list for PNPACPI device enumeration) changed the way how ACPI devices are enumerated and when they are added to the PNP bus. However, it broke the sound card support on (at least) a vintage IBM ThinkPad 600E: with said commit applied, two of the necessary "CSC01xx" devices are not added to the PNP bus and hence can not be found during the initialization of the "snd-cs4236" module. As a consequence, loading "snd-cs4236" causes null pointer exceptions. The attached patch fixes the problem end re-enables sound on the IBM ThinkPad 600E. Fixes: eec15edbb0e1 (ACPI / PNP: use device ID list for PNPACPI device enumeration) Signed-off-by: Witold Szczeponik Cc: 3.16+ # 3.16+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 834706a238191385c41c9368cb231dee75380ae5 Author: Chris Bainbridge Date: Wed Apr 29 21:21:40 2015 +0100 ACPI / SBS: Add 5 us delay to fix SBS hangs on MacBook [ Upstream commit 3349fb64b2927407017d970dd5c4daf3c5ad69f8 ] Commit 7bc5a2bad0b8 'ACPI: Support _OSI("Darwin") correctly' caused the MacBook firmware to expose the SBS, resulting in intermittent hangs of several minutes on boot, and failure to detect or report the battery. Fix this by adding a 5 us delay to the start of each SMBUS transaction. This timing is the result of experimentation - hangs were observed with 3 us but never with 5 us. Fixes: 7bc5a2bad0b8 'ACPI: Support _OSI("Darwin") correctly' Link: https://bugzilla.kernel.org/show_bug.cgi?id=94651 Signed-off-by: Chris Bainbridge Cc: 3.18+ # 3.18+ [ rjw: Subject and changelog ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin