commit d3c1ffd75577556662a1e8cac3490a8877f7f557 Author: Greg Kroah-Hartman Date: Wed Jun 1 12:18:22 2016 -0700 Linux 4.6.1 commit 91eed689751146820a06eb73c4d55105f230b0e8 Author: Arnd Bergmann Date: Tue May 10 23:30:01 2016 +0200 kbuild: move -Wunused-const-variable to W=1 warning level commit c9c6837d39311b0cc14cdbe7c18e815ab44aefb1 upstream. gcc-6 started warning by default about variables that are not used anywhere and that are marked 'const', generating many false positives in an allmodconfig build, e.g.: arch/arm/mach-davinci/board-da830-evm.c:282:20: warning: 'da830_evm_emif25_pins' defined but not used [-Wunused-const-variable=] arch/arm/plat-omap/dmtimer.c:958:34: warning: 'omap_timer_match' defined but not used [-Wunused-const-variable=] drivers/bluetooth/hci_bcm.c:625:39: warning: 'acpi_bcm_default_gpios' defined but not used [-Wunused-const-variable=] drivers/char/hw_random/omap-rng.c:92:18: warning: 'reg_map_omap4' defined but not used [-Wunused-const-variable=] drivers/devfreq/exynos/exynos5_bus.c:381:32: warning: 'exynos5_busfreq_int_pm' defined but not used [-Wunused-const-variable=] drivers/dma/mv_xor.c:1139:34: warning: 'mv_xor_dt_ids' defined but not used [-Wunused-const-variable=] This is similar to the existing -Wunused-but-set-variable warning that was added in an earlier release and that we disable by default now and only enable when W=1 is set, so it makes sense to do the same here. Once we have eliminated the majority of the warnings for both, we can put them back into the default list. We probably want this in backport kernels as well, to allow building them with gcc-6 without introducing extra warnings. 
Signed-off-by: Arnd Bergmann Acked-by: Olof Johansson Acked-by: Lee Jones Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 09bac95fa11396b8bdcba21c9784d960eab20650 Author: Johannes Thumshirn Date: Tue Apr 5 11:50:45 2016 +0200 Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" commit 305c2e71b3d733ec065cb716c76af7d554bd5571 upstream. Now that we've done a more comprehensive fix with the intermediate target state we can remove the previous hack introduced with commit 90a88d6ef88e ("scsi: fix soft lockup in scsi_remove_target() on module removal"). Signed-off-by: Johannes Thumshirn Reviewed-by: Ewan D. Milne Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9f10b086c213b2b56cf4d2198a1194d0aaeca95a Author: Johannes Thumshirn Date: Tue Apr 5 11:50:44 2016 +0200 scsi: Add intermediate STARGET_REMOVE state to scsi_target_state commit f05795d3d771f30a7bdc3a138bf714b06d42aa95 upstream. Add intermediate STARGET_REMOVE state to scsi_target_state to avoid running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE state is only valid in the path from scsi_remove_target() to scsi_target_destroy() indicating this target is going to be removed. This re-fixes the problem introduced in commits bc3f02a795d3 ("[SCSI] scsi_remove_target: fix softlockup regression on hot remove") and 40998193560d ("scsi: restart list search after unlock in scsi_remove_target") in a more comprehensive way. [mkp: Included James' fix for scsi_target_destroy()] Signed-off-by: Johannes Thumshirn Fixes: 40998193560dab6c3ce8d25f4fa58a23e252ef38 Reported-by: Sergey Senozhatsky Tested-by: Sergey Senozhatsky Reviewed-by: Ewan D. Milne Reviewed-by: Hannes Reinecke Reviewed-by: James Bottomley Signed-off-by: Martin K. 
Petersen Signed-off-by: Greg Kroah-Hartman commit 359e08c67b1a21a1da16e8c7bbc525d5e63c2192 Author: Mikulas Patocka Date: Tue May 24 22:49:18 2016 +0200 hpfs: implement the show_options method commit 037369b872940cd923835a0a589763180c4a36bc upstream. The HPFS filesystem used generic_show_options to produce string that is displayed in /proc/mounts. However, there is a problem that the options may disappear after remount. If we mount the filesystem with option1 and then remount it with option2, /proc/mounts should show both option1 and option2, however it only shows option2 because the whole option string is replaced with replace_mount_options in hpfs_remount_fs. To fix this bug, implement the hpfs_show_options function that prints options that are currently selected. Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit afe77793b7f016a7e346d828458d873f6afe8905 Author: Mikulas Patocka Date: Tue May 24 22:47:00 2016 +0200 hpfs: fix remount failure when there are no options changed commit 44d51706b4685f965cd32acde3fe0fcc1e6198e8 upstream. Commit ce657611baf9 ("hpfs: kstrdup() out of memory handling") checks if the kstrdup function returns NULL due to out-of-memory condition. However, if we are remounting a filesystem with no change to filesystem-specific options, the parameter data is NULL. In this case, kstrdup returns NULL (because it was passed NULL parameter), although no out of memory condition exists. The mount syscall then fails with ENOMEM. This patch fixes the bug. We fail with ENOMEM only if data is non-NULL. The patch also changes the call to replace_mount_options - if we didn't pass any filesystem-specific options, we don't call replace_mount_options (thus we don't erase existing reported options). 
Fixes: ce657611baf9 ("hpfs: kstrdup() out of memory handling") Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9ebe3bf54f844d081cbf0146294d04cc69bd1cb9 Author: Richard Weinberger Date: Tue Apr 26 16:39:48 2016 +0200 UBI: Fix static volume checks when Fastmap is used commit 1900149c835ab5b48bea31a823ea5e5a401fb560 upstream. Ezequiel reported that he's facing UBI going into read-only mode after power cut. It turned out that this behavior happens only when updating a static volume is interrupted and Fastmap is used. A possible trace can look like: ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4 Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012 0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841 ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6 ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0 Call Trace: [] dump_stack+0x63/0x82 [] ubi_eba_read_leb+0x486/0x4a0 [ubi] [] ubi_check_volume+0x83/0xf0 [ubi] [] ubi_open_volume+0x177/0x350 [ubi] [] vol_cdev_open+0x58/0xb0 [ubi] [] chrdev_open+0xae/0x1d0 [] do_dentry_open+0x1ff/0x300 [] ? cdev_put+0x30/0x30 [] vfs_open+0x56/0x60 [] path_openat+0x4f4/0x1190 [] do_filp_open+0x91/0x100 [] ? __alloc_fd+0xc7/0x190 [] do_sys_open+0x13f/0x210 [] SyS_open+0x1e/0x20 [] entry_SYSCALL_64_fastpath+0x1a/0xa4 UBI checks static volumes for data consistency and reads the whole volume upon first open. If the volume is found erroneous users of UBI cannot read from it, but another volume update is possible to fix it. The check is performed by running ubi_eba_read_leb() on every allocated LEB of the volume. For static volumes ubi_eba_read_leb() computes the checksum of all data stored in a LEB. 
To verify the computed checksum it has to read the LEB's volume header which stores the original checksum. If the volume header is not found UBI treats this as fatal internal error and switches to RO mode. If the UBI device was attached via a full scan the assumption is correct, the volume header has to be present as it had to be there while scanning to get known as mapped. If the attach operation happened via Fastmap the assumption is no longer correct. When attaching via Fastmap UBI learns the mapping table from Fastmap's snapshot of the system state and not via a full scan. It can happen that a LEB got unmapped after a Fastmap was written to the flash. Then UBI can learn the LEB still as mapped and accessing it returns only 0xFF bytes. As UBI is not a FTL it is allowed to have mappings to empty PEBs, it assumes that the layer above takes care of LEB accounting and referencing. UBIFS does so using the LEB property tree (LPT). For static volumes UBI blindly assumes that all LEBs are present and therefore special actions have to be taken. The described situation can happen when updating a static volume is interrupted, either by a user or a power cut. The volume update code first unmaps all LEBs of a volume and then writes LEB by LEB. If the sequence of operations is interrupted UBI detects this either by the absence of LEBs, no volume header present at scan time, or corrupted payload, detected via checksum. In the Fastmap case the former method won't trigger as no scan happened and UBI automatically thinks all LEBs are present. Only by reading data from a LEB it detects that the volume header is missing and incorrectly treats this as fatal error. To deal with the situation ubi_eba_read_leb() from now on checks whether we attached via Fastmap and handles the absence of a volume header like a data corruption error. This way interrupted static volume updates will correctly get detected also when Fastmap is used. 
Reported-by: Ezequiel Garcia Tested-by: Ezequiel Garcia Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 4704fa547224fd49041c26f7fca3710a47fc449f Author: Chris Mason Date: Mon May 16 09:21:01 2016 -0700 Btrfs: fix handling of faults from btrfs_copy_from_user commit 56244ef151c3cd11f505020ab0b3f45454363bcc upstream. When btrfs_copy_from_user isn't able to copy all of the pages, we need to adjust our accounting to reflect the work that was actually done. Commit 2e78c927d79 changed around the decisions a little and we ended up skipping the accounting adjustments some of the time. This commit makes sure that when we don't copy anything at all, we still hop into the adjustments, and switches to release_bytes instead of write_bytes, since write_bytes isn't aligned. The accounting errors led to warnings during btrfs_destroy_inode: [ 70.847532] WARNING: CPU: 10 PID: 514 at fs/btrfs/inode.c:9350 btrfs_destroy_inode+0x2b3/0x2c0 [ 70.847536] Modules linked in: i2c_piix4 virtio_net i2c_core input_leds button led_class serio_raw acpi_cpufreq sch_fq_codel autofs4 virtio_blk [ 70.847538] CPU: 10 PID: 514 Comm: umount Tainted: G W 4.6.0-rc6_00062_g2997da1-dirty #23 [ 70.847539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.0-1.fc24 04/01/2014 [ 70.847542] 0000000000000000 ffff880ff5cafab8 ffffffff8149d5e9 0000000000000202 [ 70.847543] 0000000000000000 0000000000000000 0000000000000000 ffff880ff5cafb08 [ 70.847547] ffffffff8107bdfd ffff880ff5cafaf8 000024868120013d ffff880ff5cafb28 [ 70.847547] Call Trace: [ 70.847550] [] dump_stack+0x51/0x78 [ 70.847551] [] __warn+0xfd/0x120 [ 70.847553] [] warn_slowpath_null+0x1d/0x20 [ 70.847555] [] btrfs_destroy_inode+0x2b3/0x2c0 [ 70.847556] [] ? __destroy_inode+0x71/0x140 [ 70.847558] [] destroy_inode+0x43/0x70 [ 70.847559] [] ? wake_up_bit+0x2f/0x40 [ 70.847560] [] evict+0x148/0x1d0 [ 70.847562] [] ? 
start_transaction+0x3de/0x460 [ 70.847564] [] dispose_list+0x59/0x80 [ 70.847565] [] evict_inodes+0x180/0x190 [ 70.847566] [] ? __sync_filesystem+0x3f/0x50 [ 70.847568] [] generic_shutdown_super+0x48/0x100 [ 70.847569] [] ? woken_wake_function+0x20/0x20 [ 70.847571] [] kill_anon_super+0x16/0x30 [ 70.847573] [] btrfs_kill_super+0x1e/0x130 [ 70.847574] [] deactivate_locked_super+0x4e/0x90 [ 70.847576] [] deactivate_super+0x51/0x70 [ 70.847577] [] cleanup_mnt+0x3f/0x80 [ 70.847579] [] __cleanup_mnt+0x12/0x20 [ 70.847581] [] task_work_run+0x68/0xa0 [ 70.847582] [] exit_to_usermode_loop+0xd6/0xe0 [ 70.847583] [] do_syscall_64+0xbd/0x170 [ 70.847586] [] entry_SYSCALL64_slow_path+0x25/0x25 This is the test program I used to force short returns from btrfs_copy_from_user void *dontneed(void *arg) { char *p = arg; int ret; while(1) { ret = madvise(p, BUFSIZE/4, MADV_DONTNEED); if (ret) { perror("madvise"); exit(1); } } } int main(int ac, char **av) { int ret; int fd; char *filename; unsigned long offset; char *buf; int i; pthread_t tid; if (ac != 2) { fprintf(stderr, "usage: dammitdave filename\n"); exit(1); } buf = mmap(NULL, BUFSIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); if (buf == MAP_FAILED) { perror("mmap"); exit(1); } memset(buf, 'a', BUFSIZE); filename = av[1]; ret = pthread_create(&tid, NULL, dontneed, buf); if (ret) { fprintf(stderr, "error %d from pthread_create\n", ret); exit(1); } ret = pthread_detach(tid); if (ret) { fprintf(stderr, "pthread detach failed %d\n", ret); exit(1); } while (1) { fd = open(filename, O_RDWR | O_CREAT, 0600); if (fd < 0) { perror("open"); exit(1); } for (i = 0; i < ROUNDS; i++) { int this_write = BUFSIZE; offset = rand() % MAXSIZE; ret = pwrite(fd, buf, this_write, offset); if (ret < 0) { perror("pwrite"); exit(1); } else if (ret != this_write) { fprintf(stderr, "short write to %s offset %lu ret %d\n", filename, offset, ret); exit(1); } if (i == ROUNDS - 1) { ret = sync_file_range(fd, offset, 4096, 
SYNC_FILE_RANGE_WRITE); if (ret < 0) { perror("sync_file_range"); exit(1); } } } ret = ftruncate(fd, 0); if (ret < 0) { perror("ftruncate"); exit(1); } ret = close(fd); if (ret) { perror("close"); exit(1); } ret = unlink(filename); if (ret) { perror("unlink"); exit(1); } } return 0; } Signed-off-by: Chris Mason Reported-by: Dave Jones Fixes: 2e78c927d79333f299a8ac81c2fd2952caeef335 Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit b82bec5eabf12739a955ff03a954a7cb7bf57d57 Author: Luke Dashjr Date: Thu Oct 29 08:22:21 2015 +0000 btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl commit 4c63c2454eff996c5e27991221106eb511f7db38 upstream. 32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr fail. Signed-off-by: Luke Dashjr Reviewed-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit cf1db059e661452cf84b2f8569decca0df78b06e Author: James Hogan Date: Mon Feb 8 18:43:50 2016 +0000 SIGNAL: Move generic copy_siginfo() to signal.h commit ca9eb49aa9562eaadf3cea071ec7018ad6800425 upstream. The generic copy_siginfo() is currently defined in asm-generic/siginfo.h, after including uapi/asm-generic/siginfo.h which defines the generic struct siginfo. However this makes it awkward for an architecture to use it if it has to define its own struct siginfo (e.g. MIPS and potentially IA64), since it means that asm-generic/siginfo.h can only be included after defining the arch-specific siginfo, which may be problematic if the arch-specific definition needs definitions from uapi/asm-generic/siginfo.h. It is possible to work around this by first including uapi/asm-generic/siginfo.h to get the constants before defining the arch-specific siginfo, and include asm-generic/siginfo.h after. 
However uapi headers can't be included by other uapi headers, so that first include has to be in an ifdef __kernel__, with the non __kernel__ case including the non-UAPI header instead. Instead of that mess, move the generic copy_siginfo() definition into linux/signal.h, which allows an arch-specific uapi/asm/siginfo.h to include asm-generic/siginfo.h and define the arch-specific siginfo, and for the generic copy_siginfo() to see that arch-specific definition. Signed-off-by: James Hogan Cc: Arnd Bergmann Cc: Ralf Baechle Cc: Petr Malat Cc: Tony Luck Cc: Fenghua Yu Cc: Christopher Ferris Cc: linux-arch@vger.kernel.org Cc: linux-mips@linux-mips.org Cc: linux-ia64@vger.kernel.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/12478/ Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 5269fcd77a7ec9a5ba26b47423d79eafba0210ff Author: Heinz Mauelshagen Date: Tue May 3 19:43:57 2016 +0200 md: md.c: fix oops in mddev_suspend for raid0 commit 092398dce8c2406bfb0c9eebc3e764ff2ddb62a8 upstream. Introduced by upstream commit 70d9798b95562abac005d4ba71d28820f9a201eb The raid0 personality does not create mddev->thread as oposed to other personalities leading to its unconditional access in mddev_suspend() causing an oops. Patch checks for mddev->thread in order to keep the intention of aforementioned commit. Fixes: 70d9798b9556 ("MD: warn for potential deadlock") Signed-off-by: Heinz Mauelshagen Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit 6e3ef9021846959be412a77506906173118bf3f5 Author: Andreas Noever Date: Sun Apr 10 12:48:27 2016 +0200 thunderbolt: Fix double free of drom buffer commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd upstream. If tb_drom_read() fails, sw->drom is freed but not set to NULL. sw->drom is then freed again in the error path of tb_switch_alloc(). The bug can be triggered by unplugging a thunderbolt device shortly after it is detected by the thunderbolt driver. 
Clear sw->drom if tb_drom_read() fails. [bhelgaas: add Fixes:, stable versions of interest] Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.") Signed-off-by: Andreas Noever Signed-off-by: Bjorn Helgaas CC: Lukas Wunner Signed-off-by: Greg Kroah-Hartman commit 80772cfb1c98f38b939a776df6ebcca4e80726a3 Author: Bart Van Assche Date: Thu May 12 10:48:48 2016 -0700 IB/srp: Fix srp_create_target() error handling commit f83b2561a6d4ff12959660ad597580097b744941 upstream. Avoid that the following kernel oops occurs if memory pool allocation fails: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] ib_drain_rq+0x0/0x20 [ib_core] Call Trace: [] srp_create_target+0xca6/0x13a9 [ib_srp] [] dev_attr_store+0x13/0x20 [] sysfs_kf_write+0x40/0x50 [] kernfs_fop_write+0x13c/0x180 [] __vfs_write+0x23/0xf0 [] vfs_write+0xa4/0x1a0 [] SyS_write+0x44/0xa0 [] entry_SYSCALL_64_fastpath+0x1c/0xac Fixes: 1dc7b1f10dcb ("IB/srp: use the new CQ API") Signed-off-by: Bart Van Assche Reviewed-by: Leon Romanovsky Tested-by: Laurence Oberman Cc: Christoph Hellwig Cc: Sagi Grimberg Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit a1e9e0f4f2176938bb1f0bad7d70f9dba27992de Author: Bart Van Assche Date: Tue Apr 12 14:39:18 2016 -0700 IB/srp: Fix a debug kernel crash commit 54f5c9c52d69afa55abf2b034df8d45f588466c3 upstream. Avoid that the following BUG() is triggered against a debug kernel: kernel BUG at include/linux/scatterlist.h:92! 
RIP: 0010:[] [] srp_map_idb+0x199/0x1a0 [ib_srp] Call Trace: [] srp_map_data+0x84a/0x890 [ib_srp] [] srp_queuecommand+0x1e4/0x610 [ib_srp] [] scsi_dispatch_cmd+0x9e/0x180 [] scsi_request_fn+0x477/0x610 [] __blk_run_queue+0x2e/0x40 [] blk_delay_work+0x20/0x30 [] process_one_work+0x197/0x480 [] worker_thread+0x49/0x490 [] kthread+0xea/0x100 [] ret_from_fork+0x22/0x40 Fixes: f7f7aab1a5c0 ("IB/srp: Convert to new registration API") Signed-off-by: Bart Van Assche Cc: Sagi Grimberg Cc: Christoph Hellwig Reviewed-by: Max Gurtovoy Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit f7d3e0bb2f748c2704c883b77793c3b5e8546b0f Author: Hui Wang Date: Wed May 25 12:12:32 2016 +0800 ALSA: hda - Fix headset mic detection problem for one Dell machine commit 86c72d1ce91d804e4fa8d90b316a89597dd220f1 upstream. Add the pin configuration value of this machine into the pin_quirk table to make DELL1_MIC_NO_PRESENCE apply to this machine. Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 005276341b87246a1e04820eee3836890c42821d Author: Kailang Yang Date: Tue May 24 16:46:07 2016 +0800 ALSA: hda/realtek - Add support for ALC295/ALC3254 commit 7d727869c7b86da0874436ac5675dcdadaf3a0a1 upstream. Add support for ALC295/ALC3254. They are simply compatible with ALC225 chip. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 64a09edf10bfd6f40dbdc4525924d66f042096ce Author: Kai-Heng Feng Date: Fri May 20 15:47:23 2016 +0800 ALSA: hda - Fix headphone noise on Dell XPS 13 9360 commit 423cd785619ac6778252fbdb916505aa1c153959 upstream. The headphone has noise when playing sound or switching microphone sources. It uses the same codec on XPS 13 9350, but with different subsystem ID. Applying the fixup can solve the issue. Also, changing the model name to better differentiate models. v2: Reorder by device ID. 
Signed-off-by: Kai-Heng Feng Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ba1e0df3e71da3564dbd3c39b5b8e39c2937f2c6 Author: Kailang Yang Date: Wed May 4 15:50:18 2016 +0800 ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294 commit dcd4f0db6141d6bf2cb897309d5d6f53d1b1696f upstream. Support new codecs for ALC234/ALC274/ALC294. This three codecs was the same IC. But bonding is not the same. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5aa78548be4d04fff593d883291512c29cc32354 Author: Andreas Werner Date: Tue May 3 12:42:00 2016 +0200 mcb: Fixed bar number assignment for the gdd commit f75564d343010b025301d9548f2304f48eb25f01 upstream. The bar number is found in reg2 within the gdd. Therefore we need to change the assigment from reg1 to reg2 which is the correct location. Signed-off-by: Andreas Werner Fixes: '3764e82e5' drivers: Introduce MEN Chameleon Bus Signed-off-by: Johannes Thumshirn Signed-off-by: Greg Kroah-Hartman commit 2a9369456a384d84c521c8ebb48d247e8738f84f Author: Ashutosh Dixit Date: Wed Apr 27 14:36:05 2016 -0700 misc: mic: Fix for double fetch security bug in VOP driver commit 9bf292bfca94694a721449e3fd752493856710f6 upstream. The MIC VOP driver does two successive reads from user space to read a variable length data structure. Kernel memory corruption can result if the data structure changes between the two reads. This patch disallows the chance of this happening. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651 Reported by: Pengfei Wang Reviewed-by: Sudeep Dutt Signed-off-by: Ashutosh Dixit Signed-off-by: Greg Kroah-Hartman commit 8fa0eca935e64b83c18e6aee4aafc313ae5bd9c9 Author: Olga Kornievskaia Date: Tue May 10 16:57:41 2016 -0400 Fixing oops in callback path commit c2985d001d2fb77357aeae675545893b61c50044 upstream. 
Commit 80f9642724af5 ("NFSv4.x: Enforce the ca_maxreponsesize_cached on the back channel") causes an oops when it receives a callback with cachethis=yes. [ 109.667378] BUG: unable to handle kernel NULL pointer dereference at 00000000000002c8 [ 109.669476] IP: [] nfs4_callback_compound+0x4f8/0x690 [nfsv4] [ 109.671216] PGD 0 [ 109.671736] Oops: 0000 [#1] SMP [ 109.705427] CPU: 1 PID: 3579 Comm: nfsv4.1-svc Not tainted 4.5.0-rc1+ #1 [ 109.706987] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014 [ 109.709468] task: ffff8800b4408000 ti: ffff88008448c000 task.ti: ffff88008448c000 [ 109.711207] RIP: 0010:[] [] nfs4_callback_compound+0x4f8/0x690 [nfsv4] [ 109.713521] RSP: 0018:ffff88008448fca0 EFLAGS: 00010286 [ 109.714762] RAX: ffff880081ee202c RBX: ffff8800b7b5b600 RCX: 0000000000000001 [ 109.716427] RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000000 [ 109.718091] RBP: ffff88008448fda8 R08: 0000000000000000 R09: 000000000b000000 [ 109.719757] R10: ffff880137786000 R11: ffff8800b7b5b600 R12: 0000000001000000 [ 109.721415] R13: 0000000000000002 R14: 0000000053270000 R15: 000000000000000b [ 109.723061] FS: 0000000000000000(0000) GS:ffff880139640000(0000) knlGS:0000000000000000 [ 109.724931] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 109.726278] CR2: 00000000000002c8 CR3: 0000000034d50000 CR4: 00000000001406e0 [ 109.727972] Stack: [ 109.728465] ffff880081ee202c ffff880081ee201c 000000008448fcc0 ffff8800baccb800 [ 109.730349] ffff8800baccc800 ffffffffa08d0380 0000000000000000 0000000000000000 [ 109.732211] ffff8800b7b5b600 0000000000000001 ffffffff81d073c0 ffff880081ee3090 [ 109.734056] Call Trace: [ 109.734657] [] svc_process_common+0x5c4/0x6c0 [sunrpc] [ 109.736267] [] bc_svc_process+0x1fc/0x360 [sunrpc] [ 109.737775] [] nfs41_callback_svc+0x10c/0x1d0 [nfsv4] [ 109.739335] [] ? prepare_to_wait_event+0xf0/0xf0 [ 109.740799] [] ? 
nfs4_callback_svc+0x50/0x50 [nfsv4] [ 109.742349] [] kthread+0xd8/0xf0 [ 109.743495] [] ? kthread_park+0x60/0x60 [ 109.744776] [] ret_from_fork+0x3f/0x70 [ 109.746037] [] ? kthread_park+0x60/0x60 [ 109.747324] Code: cc 45 31 f6 48 8b 85 00 ff ff ff 44 89 30 48 8b 85 f8 fe ff ff 44 89 20 48 8b 9d 38 ff ff ff 48 8b bd 30 ff ff ff 48 85 db 74 4c <4c> 8b af c8 02 00 00 4d 8d a5 08 02 00 00 49 81 c5 98 02 00 00 [ 109.754361] RIP [] nfs4_callback_compound+0x4f8/0x690 [nfsv4] [ 109.756123] RSP [ 109.756951] CR2: 00000000000002c8 [ 109.757738] ---[ end trace 2b8555511ab5dfb4 ]--- [ 109.758819] Kernel panic - not syncing: Fatal exception [ 109.760126] Kernel Offset: disabled [ 118.938934] ---[ end Kernel panic - not syncing: Fatal exception It doesn't unlock the table nor does it set the cps->clp pointer which is later needed by nfs4_cb_free_slot(). Fixes: 80f9642724af5 ("NFSv4.x: Enforce the ca_maxresponsesize_cached ...") Signed-off-by: Olga Kornievskaia Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 60863356280d931ccc4b9be39bd1a2d9a1df43d1 Author: Jan Beulich Date: Mon May 16 15:31:07 2016 -0500 objtool: Allow building with older libelf commit 2e51f26245701cb28f154552836b7807159088a8 upstream. The switch to elf_getshdr{num,strndx} post-dates the oldest tool chain the kernel is supposed to be able to build with, so try to cope with such an environment. 
Signed-off-by: Jan Beulich Signed-off-by: Josh Poimboeuf Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jan Beulich Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/732dae6872b7ff187d94f22bb699a12849d3fe04.1463430618.git.jpoimboe@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9411afb65b049c35d5faaaff677eb27bf6c85f42 Author: Lucas Stach Date: Tue May 3 19:15:58 2016 +0200 watchdog: sp5100_tco: properly check for new register layouts commit 46856fabe40cc80f92134683cdec7dc0fc8f4000 upstream. Commits 190aa4304de6 (Add AMD Mullins platform support) and cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the driver on a lot more devices, but the following commit missed a single location in the code when checking if the SB800 register offsets should be used. This leads to the wrong register being written which in turn causes ACPI to go haywire. Fix this by introducing a helper function to check for the new register layout and use this consistently. https://bugzilla.kernel.org/show_bug.cgi?id=114201 https://bugzilla.redhat.com/show_bug.cgi?id=1329910 Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800 and later chipsets) Signed-off-by: Lucas Stach Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 21abae567dffb8c6ddff24261acd19f554abfa28 Author: Guenter Roeck Date: Thu Apr 21 07:38:14 2016 -0700 watchdog: core: Fix circular locking dependency commit e1f30282a1d3d0c75d5a08e47c6ac1563065be52 upstream. lockdep reports the following circular locking dependency. 
====================================================== INFO: possible circular locking dependency detected ] 4.6.0-rc3-00191-gfabf418 #162 Not tainted ------------------------------------------------------- systemd/1 is trying to acquire lock: ((&(&wd_data->work)->work)){+.+...}, at: [<80141650>] flush_work+0x0/0x280 but task is already holding lock: (&wd_data->lock){+.+...}, at: [<804acfa8>] watchdog_release+0x18/0x190 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&wd_data->lock){+.+...}: [<80662310>] mutex_lock_nested+0x64/0x4a8 [<804aca4c>] watchdog_ping_work+0x18/0x4c [<80143128>] process_one_work+0x1ac/0x500 [<801434b4>] worker_thread+0x38/0x554 [<80149510>] kthread+0xf4/0x108 [<80107c10>] ret_from_fork+0x14/0x24 -> #0 ((&(&wd_data->work)->work)){+.+...}: [<8017c4e8>] lock_acquire+0x70/0x90 [<8014169c>] flush_work+0x4c/0x280 [<801440f8>] __cancel_work_timer+0x9c/0x1e0 [<804acfcc>] watchdog_release+0x3c/0x190 [<8022c5e8>] __fput+0x80/0x1c8 [<80147b28>] task_work_run+0x94/0xc8 [<8010b998>] do_work_pending+0x8c/0xb4 [<80107ba8>] slow_work_pending+0xc/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&wd_data->lock); lock((&(&wd_data->work)->work)); lock(&wd_data->lock); lock((&(&wd_data->work)->work)); commit cf63f0601aba5ba2fd4f95c8d9e2e773f18b3942 Author: Martin Sperl Date: Mon Feb 29 11:39:18 2016 +0000 clk: bcm2835: add locking to pll*_on/off methods commit ec36a5c6682fdd5328abf15c3c67281bed0241d7 upstream. Add missing locking to: * bcm2835_pll_divider_on * bcm2835_pll_divider_off to protect the read modify write cycle for the register access protecting both cm_reg and a2w_reg registers. 
Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") Signed-off-by: Martin Sperl Signed-off-by: Eric Anholt Reviewed-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 1267ee349ed8b3646c2f7f3154173ac0ef63ba5f Author: Peter Zijlstra Date: Fri May 20 18:04:36 2016 +0200 locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait() commit 54cf809b9512be95f53ed4a5e3b631d1ac42f0fa upstream. Similar to commits: 51d7d5205d33 ("powerpc: Add smp_mb() to arch_spin_is_locked()") d86b8da04dfa ("arm64: spinlock: serialise spin_unlock_wait against concurrent lockers") qspinlock suffers from the fact that the _Q_LOCKED_VAL store is unordered inside the ACQUIRE of the lock. And while this is not a problem for the regular mutual exclusive critical section usage of spinlocks, it breaks creative locking like: spin_lock(A) spin_lock(B) spin_unlock_wait(B) if (!spin_is_locked(A)) do_something() do_something() In that both CPUs can end up running do_something at the same time, because our _Q_LOCKED_VAL store can drop past the spin_unlock_wait() spin_is_locked() loads (even on x86!!). To avoid making the normal case slower, add smp_mb()s to the less used spin_unlock_wait() / spin_is_locked() side of things to avoid this problem. Reported-and-tested-by: Davidlohr Bueso Reported-by: Giovanni Gherdovich Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4eef792d3589ef8382f00994e6d15bcbca946f21 Author: Chanwoo Choi Date: Thu Apr 21 18:58:31 2016 +0900 serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() commit b8995f527aac143e83d3900ff39357651ea4e0f6 upstream. This patch fixes the broken serial log when changing the clock source of uart device. Before disabling the original clock source, this patch enables the new clock source to protect the clock off state for a split second. 
Signed-off-by: Chanwoo Choi Reviewed-by: Marek Szyprowski Signed-off-by: Greg Kroah-Hartman Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Krzysztof Kozlowski commit 8b16f9dd098c2dd4320f45a89ee9591c32fd9374 Author: Andy Shevchenko Date: Mon Apr 4 17:35:10 2016 +0300 serial: 8250_mid: recognize interrupt source in handler commit c42850f1ae7e70056f852e67bb9dddf927853b47 upstream. There is a special register that shows interrupt status by source. In particular case the source can be a combination of DMA Tx, DMA Rx, and UART. Read the register and call the handlers only for sources that request an interrupt. Fixes: 6ede6dcd87aa ("serial: 8250_mid: add support for DMA engine handling from UART MMIO") Reviewed-by: Heikki Krogerus Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 21f4554511b318159eccb4388398e1a1dc584c59 Author: Andy Shevchenko Date: Mon Apr 4 17:35:09 2016 +0300 serial: 8250_mid: use proper bar for DNV platform commit 107e15fc1f8d6ef69eac5f175971252f76e82f0d upstream. Unlike Intel Medfield and Tangier platforms DNV uses PCI BAR0 for IO compatible resources and BAR1 for MMIO. We need latter in a way to support DMA. Introduce an additional field in the internal structure and pass PCI BAR based on device ID. Reported-by: "Lai, Poey Seng" Fixes: 6ede6dcd87aa ("serial: 8250_mid: add support for DMA engine handling from UART MMIO") Reviewed-by: Heikki Krogerus Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 9706e39b33bcd8f1bfefc44e6f8fabd9ccb544ca Author: David Müller Date: Wed Apr 27 11:58:32 2016 +0200 serial: 8250_pci: fix divide error bug if baud rate is 0 commit 6f210c18c1c0f016772c8cd51ae12a02bfb9e7ef upstream. Since commit 21947ba654a6 ("serial: 8250_pci: replace switch-case by formula"), the 8250 driver crashes in the byt_set_termios() function with a divide error. This is caused by the fact that a baud rate of 0 (B0) is not handled properly. Fix it by falling back to B9600 in this case. 

    Signed-off-by: David Müller
    Fixes: 21947ba654a6 ("serial: 8250_pci: replace switch-case by formula")
    Suggested-by: Andy Shevchenko
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Greg Kroah-Hartman

commit 0412bb0f42f6b3c31cd13d262a5143e0dc3445e2
Author: Brian Bloniarz
Date:   Sun Mar 6 13:16:30 2016 -0800

    Fix OpenSSH pty regression on close

    commit 0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa upstream.

    OpenSSH expects the (non-blocking) read() of pty master to return EAGAIN only if it has received all of the slave-side output after it has received SIGCHLD. This used to work on pre-3.12 kernels.

    This fix effectively forces non-blocking read() and poll() to block for parallel i/o to complete for all ttys. It also unwinds these changes:

    1) f8747d4a466ab2cafe56112c51b3379f9fdb7a12 tty: Fix pty master read() after slave closes
    2) 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73 pty, n_tty: Simplify input processing on final close
    3) 1a48632ffed61352a7810ce089dc5a8bcd505a60 pty: Fix input race when closing

    Inspired by analysis and patch from Marc Aurele La France

    Reported-by: Volth
    Reported-by: Marc Aurele La France
    BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
    BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492
    Signed-off-by: Brian Bloniarz
    Reviewed-by: Peter Hurley
    Signed-off-by: Greg Kroah-Hartman

commit c106d26d41ea5b58dcd3385f3ff1f56d9a8b2aa8
Author: Alexandre Belloni
Date:   Tue Apr 12 14:51:40 2016 +0200

    tty/serial: atmel: fix hardware handshake selection

    commit 5be605ac9af979265d7b64c160ad9928088a78be upstream.

    Commit 1cf6e8fc8341 ("tty/serial: at91: fix RTS line management when hardware handshake is enabled") actually allowed to enable hardware handshaking. Before, the CRTSCTS flag was silently ignored. As the DMA controller can't drive RTS (as explained in the commit message), ensure that hardware flow control stays disabled when DMA is used and FIFOs are not available.

    Signed-off-by: Alexandre Belloni
    Acked-by: Nicolas Ferre
    Fixes: 1cf6e8fc8341 ("tty/serial: at91: fix RTS line management when hardware handshake is enabled")
    Signed-off-by: Greg Kroah-Hartman

commit 3550c6dabd72db7b1950077befac1c31f5c7424c
Author: Jiri Slaby
Date:   Tue Mar 22 18:09:51 2016 +0100

    TTY: n_gsm, fix false positive WARN_ON

    commit d175feca89a1c162f60f4e3560ca7bc9437c65eb upstream.

    Dmitry reported that the current cleanup code in n_gsm can trigger a warning:

    WARNING: CPU: 2 PID: 24238 at drivers/tty/n_gsm.c:2048 gsm_cleanup_mux+0x166/0x6b0()
    ...
    Call Trace:
    ...
     [] warn_slowpath_null+0x29/0x30 kernel/panic.c:490
     [] gsm_cleanup_mux+0x166/0x6b0 drivers/tty/n_gsm.c:2048
     [] gsmld_open+0x5b7/0x7a0 drivers/tty/n_gsm.c:2386
     [] tty_ldisc_open.isra.2+0x78/0xd0 drivers/tty/tty_ldisc.c:447
     [] tty_set_ldisc+0x1ca/0xa70 drivers/tty/tty_ldisc.c:567
     [< inline >] tiocsetd drivers/tty/tty_io.c:2650
     [] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2883
    ...

    But this is a legal path when open fails to find a space in the gsm_mux array and tries to clean up. So make it a standard test instead of a warning.

    Reported-by: "Dmitry Vyukov"
    Cc: Alan Cox
    Link: http://lkml.kernel.org/r/CACT4Y+bHQbAB68VFi7Romcs-Z9ZW3kQRvcq+BvHH1oa5NcAdLA@mail.gmail.com
    Fixes: 5a640967 ("tty/n_gsm.c: fix a memory leak in gsmld_open()")
    Signed-off-by: Jiri Slaby
    Signed-off-by: Greg Kroah-Hartman

commit f015378c762d260c8277cc39d5de4567be2ccb06
Author: Jiri Slaby
Date:   Tue May 3 17:05:54 2016 +0200

    tty: vt, return error when con_startup fails

    commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 upstream.

    When csw->con_startup() fails in do_register_con_driver, we return no error (i.e. 0). This was changed back in 2006 by commit 3e795de763. Before that we used to return -ENODEV. So fix the return value to be -ENODEV in that case again.

    Fixes: 3e795de763 ("VT binding: Add binding/unbinding support for the VT console")
    Signed-off-by: Jiri Slaby
    Reported-by: "Dan Carpenter"
    Signed-off-by: Greg Kroah-Hartman

commit e06916ba262e94feb306f2536f1943dffaf6f09f
Author: Dave Hansen
Date:   Fri May 13 15:13:28 2016 -0700

    x86/cpufeature, x86/mm/pkeys: Fix broken compile-time disabling of pkeys

    commit e8df1a95b685af84a81698199ee206e0e66a8b44 upstream.

    When I added support for the Memory Protection Keys processor feature, I had to reindent the REQUIRED/DISABLED_MASK macros, and also consult the later cpufeature words.

    I'm not quite sure how I bungled it, but I consulted the wrong word at the end. This only affected required or disabled cpu features in cpufeature words 14, 15 and 16. So, only Protection Keys itself was screwed over here.

    The result was that if you disabled pkeys in your .config, you might still see some code show up that should have been compiled out. There should be no functional problems, though.

    In verifying this patch I also realized that the DISABLE_PKU/OSPKE macros were defined backwards and that the cpu_has() check in setup_pku() was not doing the compile-time disabled checks.

    So also fix the macro for DISABLE_PKU/OSPKE and add a compile-time check for pkeys being enabled in setup_pku().

    Signed-off-by: Dave Hansen
    Cc: Alexander Shishkin
    Cc: Arnaldo Carvalho de Melo
    Cc: Dave Hansen
    Cc: Jiri Olsa
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Stephane Eranian
    Cc: Thomas Gleixner
    Cc: Vince Weaver
    Fixes: dfb4a70f20c5 ("x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions")
    Link: http://lkml.kernel.org/r/20160513221328.C200930B@viggo.jf.intel.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 618e09a5bff769f07994c35ed82921af67e2b2c9
Author: Stefano Stabellini
Date:   Wed Apr 20 14:15:01 2016 +0100

    xen/x86: actually allocate legacy interrupts on PV guests

    commit 702f926067d2a4b28c10a3c41a1172dd62d9e735 upstream.

    b4ff8389ed14 is incomplete: relies on nr_legacy_irqs() to get the number of legacy interrupts when actually nr_legacy_irqs() returns 0 after probe_8259A(). Use NR_IRQS_LEGACY instead.

    Signed-off-by: Stefano Stabellini
    Signed-off-by: Greg Kroah-Hartman

commit a6e88c7d55b164de72afea1583821f0c8056450e
Author: James Hogan
Date:   Fri Apr 22 10:38:46 2016 +0100

    MIPS: KVM: Fix timer IRQ race when writing CP0_Compare

    commit b45bacd2d048f405c7760e5cc9b60dd67708734f upstream.

    Writing CP0_Compare clears the timer interrupt pending bit (CP0_Cause.TI), but this wasn't being done atomically. If a timer interrupt raced with the write of the guest CP0_Compare, the timer interrupt could end up being pending even though the new CP0_Compare is nowhere near CP0_Count.

    We were already updating the hrtimer expiry with kvm_mips_update_hrtimer(), which used both kvm_mips_freeze_hrtimer() and kvm_mips_resume_hrtimer(). Close the race window by expanding out kvm_mips_update_hrtimer(), and clearing CP0_Cause.TI and setting CP0_Compare between the freeze and resume. Since the pending timer interrupt should not be cleared when CP0_Compare is written via the KVM user API, an ack argument is added to distinguish the source of the write.

    Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
    Signed-off-by: James Hogan
    Cc: Paolo Bonzini
    Cc: "Radim Krčmář"
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: kvm@vger.kernel.org
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit 5a1a83e4f24ed5b304c89d6f04f6b696a0f1b4d7
Author: James Hogan
Date:   Fri Apr 22 10:38:45 2016 +0100

    MIPS: KVM: Fix timer IRQ race when freezing timer

    commit 4355c44f063d3de4f072d796604c7f4ba4085cc3 upstream.

    There's a particularly narrow and subtle race condition when the software emulated guest timer is frozen which can allow a guest timer interrupt to be missed.

    This happens due to the hrtimer expiry being inexact, so very occasionally the freeze time will be after the moment when the emulated CP0_Count transitions to the same value as CP0_Compare (so an IRQ should be generated), but before the moment when the hrtimer is due to expire (so no IRQ is generated). The IRQ won't be generated when the timer is resumed either, since the resume CP0_Count will already match CP0_Compare.

    With VZ guests in particular this is far more likely to happen, since the soft timer may be frozen frequently in order to restore the timer state to the hardware guest timer. This happens after 5-10 hours of guest soak testing, resulting in an overflow in guest kernel timekeeping calculations, hanging the guest. A more focussed test case to intentionally hit the race (with the help of a new hypcall to cause the timer state to be migrated between hardware & software) hits the condition fairly reliably within around 30 seconds.

    Instead of relying purely on the inexact hrtimer expiry to determine whether an IRQ should be generated, read the guest CP0_Compare and directly check whether the freeze time is before or after it. Only if CP0_Count is on or after CP0_Compare do we check the hrtimer expiry to determine whether the last IRQ has already been generated (which will have pushed back the expiry by one timer period).

    Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
    Signed-off-by: James Hogan
    Cc: Paolo Bonzini
    Cc: "Radim Krčmář"
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: kvm@vger.kernel.org
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit 65a541b9756f1eaaaeb36708d98cef5828272dfe
Author: Gavin Shan
Date:   Wed May 11 11:15:55 2016 +1000

    KVM: PPC: Book3S HV: Fix build error in book3s_hv.c

    commit 07f8ab255fcc0bce1fabc8fb35ace4f0f5d2ac67 upstream.

    When CONFIG_KVM_XICS is enabled, CPU_UP_PREPARE and other macros for CPU states in linux/cpu.h are needed by arch/powerpc/kvm/book3s_hv.c.
    Otherwise, a build error as below is seen:

    gwshan@gwshan:~/sandbox/l$ make arch/powerpc/kvm/book3s_hv.o
      :
      CC      arch/powerpc/kvm/book3s_hv.o
    arch/powerpc/kvm/book3s_hv.c: In function ‘kvmppc_cpu_notify’:
    arch/powerpc/kvm/book3s_hv.c:3072:7: error: ‘CPU_UP_PREPARE’ \
    undeclared (first use in this function)

    This fixes the issue introduced by commit <6f3bb80944> ("KVM: PPC: Book3S HV: kvmppc_host_rm_ops - handle offlining CPUs").

    Fixes: 6f3bb8094414
    Signed-off-by: Gavin Shan
    Reviewed-by: Balbir Singh
    Signed-off-by: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit 3bae61327149fae40028f00586ccb09c2370db11
Author: Bruce Rogers
Date:   Thu Apr 28 14:49:21 2016 -0600

    KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset

    commit f24632475d4ffed5626abbfab7ef30a128dd1474 upstream.

    Commit d28bc9dd25ce reversed the order of two lines which initialize cr0, allowing the current (old) cr0 value to mess up vcpu initialization. This was observed in the checks for cr0 X86_CR0_WP bit in the context of kvm_mmu_reset_context(). Besides, setting vcpu->arch.cr0 after vmx_set_cr0() is completely redundant. Change the order back to ensure proper vcpu initialization.

    The combination of booting with ovmf firmware when guest vcpus > 1 and kvm's ept=N option being set results in a VM-entry failure. This patch fixes that.

    Fixes: d28bc9dd25ce ("KVM: x86: INIT and reset sequences are different")
    Signed-off-by: Bruce Rogers
    Signed-off-by: Radim Krčmář
    Signed-off-by: Greg Kroah-Hartman

commit 0602824ff6b2e86821be11f30584d49bb39cee0f
Author: Andy Honig
Date:   Tue May 17 17:41:47 2016 +0200

    KVM: MTRR: remove MSR 0x2f8

    commit 9842df62004f366b9fed2423e24df10542ee0dc5 upstream.

    MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support was introduced by 9ba075a664df ("KVM: MTRR support").

    0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") shrank the array of VR MTRRs from 256 to 8, which made access to index 124 out of bounds.
    The surrounding code only WARNs in this situation, thus the guest gained a limited read/write access to struct kvm_arch_vcpu.

    0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was not implemented in KVM, therefore 0x2f8 could never do anything useful and getting rid of it is safe.

    This fixes CVE-2016-3713.

    Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
    Reported-by: David Matlack
    Signed-off-by: Andy Honig
    Signed-off-by: Radim Krčmář
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit 655ffc26b79979b58301141f8bc6b345daac39fe
Author: H Hartley Sweeten
Date:   Fri Apr 8 10:14:58 2016 -0700

    staging: comedi: das1800: fix possible NULL dereference

    commit d375278d666760e195693b57415ba0a125cadd55 upstream.

    DMA is optional with this driver. If it was not enabled the devpriv->dma pointer will be NULL.

    Fix the possible NULL pointer dereference when trying to disable the DMA channels in das1800_ai_cancel() and tidy up the comments to fix the checkpatch.pl issues:

    WARNING: line over 80 characters

    It's probably harmless in das1800_ai_setup_dma() because the 'desc' pointer will not be used if DMA is disabled but fix it there also.

    Fixes: 99dfc3357e98 ("staging: comedi: das1800: remove depends on ISA_DMA_API limitation")
    Signed-off-by: H Hartley Sweeten
    Reviewed-by: Ian Abbott
    Signed-off-by: Greg Kroah-Hartman

commit 9dfa165864f52609326ac12ddf3c34c29a4b3805
Author: Yoshihiro Shimoda
Date:   Fri May 6 15:20:11 2016 +0900

    usb: host: xhci-rcar: Avoid long wait in xhci_reset()

    commit f879fc32aa0c96fbac261b3d857a1239d554ad01 upstream.

    The firmware of R-Car USB 3.0 host controller will control the reset. So, if the xhci driver doesn't do firmware downloading (e.g.
    kernel configuration is CONFIG_USB_XHCI_PLATFORM=y and CONFIG_USB_XHCI_RCAR is not set), the reset of USB 3.0 host controller doesn't work correctly. Then, the host controller will cause a long wait in xhci_reset() because the CMD_RESET bit of op_regs->command is not cleared for 10 seconds. So, this patch modifies the Kconfig to enable both CONFIG_USB_XHCI_PLATFORM and CONFIG_USB_XHCI_RCAR.

    Fixes: 4ac8918f3a7 (usb: host: xhci-plat: add support for the R-Car H2 and M2 xHCI controllers)
    Signed-off-by: Yoshihiro Shimoda
    Reviewed-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 43a0d8911062c11412f83dd7ed31c5df3db845a8
Author: Chris Bainbridge
Date:   Mon Apr 25 13:48:38 2016 +0100

    usb: core: hub: hub_port_init lock controller instead of bus

    commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 upstream.

    The XHCI controller presents two USB buses to the system - one for USB2 and one for USB3. The hub init code (hub_port_init) is reentrant but only locks one bus per thread, leading to a race condition failure when two threads attempt to simultaneously initialise a USB2 and USB3 device:

    [ 8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
    [ 13.183701] usb 3-3: device descriptor read/all, error -110

    On a test system this failure occurred on 6% of all boots.

    The call traces at the point of failure are:

    Call Trace:
     [] schedule+0x37/0x90
     [] usb_kill_urb+0x8d/0xd0
     [] ? wake_up_atomic_t+0x30/0x30
     [] usb_start_wait_urb+0xbe/0x150
     [] usb_control_msg+0xbc/0xf0
     [] hub_port_init+0x51e/0xb70
     [] hub_event+0x817/0x1570
     [] process_one_work+0x1ff/0x620
     [] ? process_one_work+0x15f/0x620
     [] worker_thread+0x64/0x4b0
     [] ? rescuer_thread+0x390/0x390
     [] kthread+0x105/0x120
     [] ? kthread_create_on_node+0x200/0x200
     [] ret_from_fork+0x3f/0x70
     [] ? kthread_create_on_node+0x200/0x200

    Call Trace:
     [] xhci_setup_device+0x53d/0xa40
     [] xhci_address_device+0xe/0x10
     [] hub_port_init+0x1bf/0xb70
     [] ? trace_hardirqs_on+0xd/0x10
     [] hub_event+0x817/0x1570
     [] process_one_work+0x1ff/0x620
     [] ? process_one_work+0x15f/0x620
     [] worker_thread+0x64/0x4b0
     [] ? rescuer_thread+0x390/0x390
     [] kthread+0x105/0x120
     [] ? kthread_create_on_node+0x200/0x200
     [] ret_from_fork+0x3f/0x70
     [] ? kthread_create_on_node+0x200/0x200

    Which results from the two call chains:

    hub_port_init
      usb_get_device_descriptor
        usb_get_descriptor
          usb_control_msg
            usb_internal_control_msg
              usb_start_wait_urb
                usb_submit_urb / wait_for_completion_timeout / usb_kill_urb

    hub_port_init
      hub_set_address
        xhci_address_device
          xhci_setup_device

    Mathias Nyman explains the current behaviour violates the XHCI spec:

    hub_port_reset() will end up moving the corresponding xhci device slot to default state. As hub_port_reset() is called several times in hub_port_init() it sounds reasonable that we could end up with two threads having their xhci device slots in default state at the same time, which according to xhci 4.5.3 specs still is a big no no:

    "Note: Software shall not transition more than one Device Slot to the Default State at a time"

    So both threads fail at their next task after this. One fails to read the descriptor, and the other fails addressing the device.

    Fix this in hub_port_init by locking the USB controller (instead of an individual bus) to prevent simultaneous initialisation of both buses.

    Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
    Link: https://lkml.org/lkml/2016/2/8/312
    Link: https://lkml.org/lkml/2016/2/4/748
    Signed-off-by: Chris Bainbridge
    Acked-by: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman

commit d5a52aef089e8672eeefadde22d9ac3421f87a08
Author: Yoshihiro Shimoda
Date:   Mon Apr 18 16:53:38 2016 +0900

    usb: gadget: udc: core: Fix argument of dev_err() in usb_gadget_map_request()

    commit 5096c4d3bfa75bdd23c78f799aabd08598afb48f upstream.

    The argument of dev_err() in usb_gadget_map_request() should be dev instead of &gadget->dev.

    Fixes: 7ace8fc ("usb: gadget: udc: core: Fix argument of dma_map_single for IOMMU")
    Signed-off-by: Yoshihiro Shimoda
    Signed-off-by: Greg Kroah-Hartman

commit b97df9a884f8c4c47719e0e09c148ba3b940b2ad
Author: Alan Stern
Date:   Fri Apr 29 15:25:17 2016 -0400

    USB: leave LPM alone if possible when binding/unbinding interface drivers

    commit 6fb650d43da3e7054984dc548eaa88765a94d49f upstream.

    When a USB driver is bound to an interface (either through probing or by claiming it) or is unbound from an interface, the USB core always disables Link Power Management during the transition and then re-enables it afterward. The reason is because the driver might want to prevent hub-initiated link power transitions, in which case the HCD would have to recalculate the various LPM parameters. This recalculation takes place when LPM is re-enabled and the new parameters are sent to the device and its parent hub.

    However, if the driver does not want to prevent hub-initiated link power transitions then none of this work is necessary. The parameters don't need to be recalculated, and LPM doesn't need to be disabled and re-enabled.

    It turns out that disabling and enabling LPM can be time-consuming, enough so that it interferes with user programs that want to claim and release interfaces rapidly via usbfs. Since the usbfs kernel driver doesn't set the disable_hub_initiated_lpm flag, we can speed things up and get the user programs to work by leaving LPM alone whenever the flag isn't set.

    And while we're improving the way disable_hub_initiated_lpm gets used, let's also fix its kerneldoc.

    Signed-off-by: Alan Stern
    Tested-by: Matthew Giassa
    CC: Mathias Nyman
    Signed-off-by: Greg Kroah-Hartman

commit 726850e58feb6b3ae141c7b20093219eb2819716
Author: Mathias Nyman
Date:   Mon May 2 11:39:03 2016 +0300

    usb: misc: usbtest: fix pattern tests for scatterlists.

    commit cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc upstream.

    The current implementation restarts the sent pattern for each entry in the sg list.
    The receiving end expects a continuous pattern, and the test will fail unless scatterlist entries happen to be aligned with the pattern.

    Fix this by calculating the pattern byte based on total sent size instead of just the current sg entry.

    Signed-off-by: Mathias Nyman
    Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing")
    Acked-by: Felipe Balbi
    Acked-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit c9efe2c4da292f79813fa1c2c0feec45a2ead9ef
Author: Michal Nazarewicz
Date:   Fri Apr 8 10:24:11 2016 +0200

    usb: f_mass_storage: test whether thread is running before starting another

    commit f78bbcae86e676fad9e6c6bb6cd9d9868ba23696 upstream.

    When binding the function to usb_configuration, check whether the thread is running before starting another one. Without that, when function instance is added to multiple configurations, fsg_bind starts multiple threads with all but the latest one being forgotten by the driver. This leads to obvious thread leaks, possible lockups when trying to halt the machine and possibly more issues.

    This fixes issues with legacy/multi¹ gadget as well as configfs gadgets when mass_storage function is added to multiple configurations.

    This change also simplifies API since the legacy gadgets no longer need to worry about starting the thread by themselves (which was where bug in legacy/multi was in the first place).

    N.B., this patch doesn’t address adding single mass_storage function instance to a single configuration twice. Thankfully, there’s no legitimate reason for such setup plus, if I’m not mistaken, configfs gadget doesn’t even allow it to be expressed.

    ¹ I have no example failure though. Conclusion that legacy/multi has a bug is based purely on me reading the code.

    Acked-by: Alan Stern
    Signed-off-by: Michal Nazarewicz
    Tested-by: Ivaylo Dimitrov
    Cc: Alan Stern
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 7f4b656a720dac319079cbacd5a60fd654e24033
Author: Lars-Peter Clausen
Date:   Wed Mar 30 13:49:14 2016 +0200

    usb: gadget: f_fs: Fix EFAULT generation for async read operations

    commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 upstream.

    In the current implementation functionfs generates an EFAULT for async read operations if the read buffer size is larger than the URB data size. Since an application does not necessarily know how much data the host side is going to send it typically supplies a buffer larger than the actual data, which will then result in an EFAULT error.

    This behaviour was introduced while refactoring the code to use iov_iter interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data"). The original code took the minimum over the URB size and the user buffer size and then attempted to copy that many bytes using copy_to_user(). If copy_to_user() could not copy all data an EFAULT error was generated.

    Restore the original behaviour by only generating an EFAULT error when the number of bytes copied is not the size of the URB and the target buffer has not been fully filled.

    Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation") already fixed the same problem for the synchronous read path.

    Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data")
    Acked-by: Michal Nazarewicz
    Signed-off-by: Lars-Peter Clausen
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 09dff51f97de42b7830dbf50ba08c0a40db4ccc6
Author: Lei Liu
Date:   Wed May 4 16:34:22 2016 +0800

    USB: serial: option: add even more ZTE device ids

    commit 74d2a91aec97ab832790c9398d320413ad185321 upstream.

    Add even more ZTE device ids.

    Signed-off-by: lei liu
    [johan: rebase and replace commit message ]
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit d052491d99ed796a248aef37d0faccc039e5d22e
Author: lei liu
Date:   Tue May 3 14:44:19 2016 -0700

    USB: serial: option: add more ZTE device ids

    commit f0d09463c59c2d764a6c6d492cbe6d2c77f27153 upstream.

    More ZTE device ids.

    Signed-off-by: lei liu
    [properly sort them - gregkh]
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit cef6950b85720e74080b3c219cb6729ae73cdd2f
Author: Schemmel Hans-Christoph
Date:   Fri Apr 29 08:51:06 2016 +0000

    USB: serial: option: add support for Cinterion PH8 and AHxx

    commit 444f94e9e625f6ec6bbe2cb232a6451c637f35a3 upstream.

    Added support for Gemalto's Cinterion PH8 and AHxx products with 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.

    In addition some minor renaming and formatting.

    Signed-off-by: Hans-Christoph Schemmel
    [johan: sort current entries and trim trailing whitespace ]
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit d5ed68a8b6e456bf55eca4f2b0447d2479550f7e
Author: Johan Hovold
Date:   Sun May 8 20:07:57 2016 +0200

    USB: serial: io_edgeport: fix memory leaks in probe error path

    commit c8d62957d450cc1a22ce3242908709fe367ddc8e upstream.

    URBs and buffers allocated in attach for Epic devices would never be deallocated in case of a later probe error (e.g. failure to allocate minor numbers) as disconnect is then never called.

    Fix by moving deallocation to release and making sure that the URBs are first unlinked.

    Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect, release")
    Signed-off-by: Johan Hovold
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 367baed6522421efd5174b274bde9d3322976131
Author: Johan Hovold
Date:   Sun May 8 20:07:56 2016 +0200

    USB: serial: io_edgeport: fix memory leaks in attach error path

    commit c5c0c55598cefc826d6cfb0a417eeaee3631715c upstream.

    Private data, URBs and buffers allocated for Epic devices during attach were never released on errors (e.g. missing endpoints).

    Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
    Signed-off-by: Johan Hovold
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit c7c68ca6d191123b35e5bf358b8de4deadd42ae7
Author: Johan Hovold
Date:   Sun May 8 20:08:02 2016 +0200

    USB: serial: quatech2: fix use-after-free in probe error path

    commit 028c49f5e02a257c94129cd815f7c8485f51d4ef upstream.

    The interface read URB is submitted in attach, but was only unlinked by the driver at disconnect.

    In case of a late probe error (e.g. due to failed minor allocation), disconnect is never called and we would end up with active URBs for an unbound interface. This in turn could lead to deallocated memory being dereferenced in the completion callback.

    Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
    Signed-off-by: Johan Hovold
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 0e5884b816819ea3086650e5475756835a208bf8
Author: Johan Hovold
Date:   Sun May 8 20:07:58 2016 +0200

    USB: serial: keyspan: fix use-after-free in probe error path

    commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 upstream.

    The interface instat and indat URBs were submitted in attach, but never unlinked in release before deallocating the corresponding transfer buffers.

    In the case of a late probe error (e.g. due to failed minor allocation), disconnect would not have been called before release, causing the buffers to be freed while the URBs are still in use. We'd also end up with active URBs for an unbound interface.

    Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect, release")
    Signed-off-by: Johan Hovold
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 49637cf8f0dd70d356c2780c22a727da2bbd5cd9
Author: Johan Hovold
Date:   Sun May 8 20:08:01 2016 +0200

    USB: serial: mxuport: fix use-after-free in probe error path

    commit 9e45284984096314994777f27e1446dfbfd2f0d7 upstream.

    The interface read and event URBs are submitted in attach, but were never explicitly unlinked by the driver. Instead the URBs would have been killed by usb-serial core on disconnect.

    In case of a late probe error (e.g. due to failed minor allocation), disconnect is never called and we could end up with active URBs for an unbound interface. This in turn could lead to deallocated memory being dereferenced in the completion callbacks.

    Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
    Signed-off-by: Johan Hovold
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit 0d8a5ee619ab8c2d5d6a6d045764fc7e79bfe0af
Author: Konstantin Shkolnyy
Date:   Wed May 4 16:56:52 2016 -0500

    USB: serial: cp210x: fix hardware flow-control disable

    commit a377f9e906af4df9071ba8ddba60188cb4013d93 upstream.

    A bug in the CRTSCTS handling caused RTS to alternate between

    CRTSCTS=0 => "RTS is transmit active signal"
    CRTSCTS=1 => "RTS is used for receive flow control"

    instead of

    CRTSCTS=0 => "RTS is statically active"
    CRTSCTS=1 => "RTS is used for receive flow control"

    This only happened after first having enabled CRTSCTS.

    Signed-off-by: Konstantin Shkolnyy
    Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
    [johan: reword commit message ]
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

commit b54260fe250203657e9eac54771005fe99a5463a
Author: Alexander Usyskin
Date:   Tue May 3 18:54:21 2016 -0400

    mei: bus: call mei_cl_read_start under device lock

    commit bc46b45a421a64a0895dd41a34d3d2086e1ac7f6 upstream.

    Ensure that mei_cl_read_start is called under the device lock also in the bus layer. The function updates global ctrl_wr_list which should be locked.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

commit 293dc5cee23129f9a97b7661efb4705f43308cd9
Author: Alexander Usyskin
Date:   Sun Apr 17 12:16:04 2016 -0400

    mei: amthif: discard not read messages

    commit 9d04ee11db7bf0d848266cbfd7db336097a0e239 upstream.

    When a message is received and amthif client is not in reading state the message is ignored and left dangling in the queue. This may happen after one of the amthif host connections is closed w/o completing the reading. Another client will pick up a wrong message on next read attempt which will lead to link reset. To prevent this the driver has to properly discard the message when amthif client is not in reading state.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

commit 7f41001cf02dbd4369f04b04e57aeba481d4e635
Author: Alexander Usyskin
Date:   Sun Apr 17 12:16:03 2016 -0400

    mei: fix NULL dereferencing during FW initiated disconnection

    commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.

    In the case when disconnection is initiated from the FW the driver is flushing items from the write control list while iterating over it:

    mei_irq_write_handler()
      list_for_each_entry_safe(ctrl_wr_list)      <-- outer loop
        mei_cl_irq_disconnect_rsp()
          mei_cl_set_disconnected()
            mei_io_list_flush(ctrl_wr_list)       <-- destroying list

    We move the list flushing to the completion routine.

    Signed-off-by: Alexander Usyskin
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

commit 0c27a6a6a5dd9621e2a1439e55cf371692556305
Author: Takashi Iwai
Date:   Thu Apr 14 17:32:19 2016 +0200

    Bluetooth: vhci: Fix race at creating hci device

    commit c7c999cb18da88a881e10e07f0724ad0bfaff770 upstream.

    hci_vhci driver creates a hci device object dynamically upon each HCI_VENDOR_PKT write.
    Although it checks the already created object and returns an error, it's still racy and may build multiple hci_dev objects concurrently when parallel writes are performed, as the device tracks only a single hci_dev object.

    This patch introduces a mutex to protect against the concurrent device creations.

    Signed-off-by: Takashi Iwai
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

commit f8636442df7d1e9b3874c83668b57aeefbef97cb
Author: Jiri Slaby
Date:   Sat Mar 19 11:49:43 2016 +0100

    Bluetooth: vhci: purge unhandled skbs

    commit 13407376b255325fa817798800117a839f3aa055 upstream.

    The write handler allocates skbs and queues them into data->readq. Read side should read them, if there is any. If there is none, skbs should be dropped by hdev->flush. But this happens only if the device is HCI_UP, i.e. hdev->power_on work was triggered already. When it was not, skbs stay allocated in the queue when /dev/vhci is closed. So purge the queue in ->release.

    Program to reproduce:

    #include
    #include
    #include
    #include
    #include
    #include
    #include

    int main()
    {
        char buf[] = { 0xff, 0 };
        struct iovec iov = {
            .iov_base = buf,
            .iov_len = sizeof(buf),
        };
        int fd;

        while (1) {
            fd = open("/dev/vhci", O_RDWR);
            if (fd < 0)
                err(1, "open");
            usleep(50);
            if (writev(fd, &iov, 1) < 0)
                err(1, "writev");
            usleep(50);
            close(fd);
        }

        return 0;
    }

    Result:
    kmemleak: 4609 new suspected memory leaks
    unreferenced object 0xffff88059f4d5440 (size 232):
      comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
      hex dump (first 32 bytes):
        20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        ...
[] __alloc_skb+0x0/0x5a0 [] vhci_create_device+0x5c/0x580 [hci_vhci] [] vhci_write+0x306/0x4c8 [hci_vhci] Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) Signed-off-by: Jiri Slaby Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 26e11f9fd589d6700335cf8718dfdf32d28f8443 Author: Jiri Slaby Date: Sat Mar 19 11:05:18 2016 +0100 Bluetooth: vhci: fix open_timeout vs. hdev race commit 373a32c848ae3a1c03618517cce85f9211a6facf upstream. Both vhci_get_user and vhci_release race with open_timeout work. They both contain cancel_delayed_work_sync, but do not test whether the work actually created hdev or not. Since the work can be in progress and _sync will wait for finishing it, we can have data->hdev allocated when cancel_delayed_work_sync returns. But the call sites do 'if (data->hdev)' *before* cancel_delayed_work_sync. As a result: * vhci_get_user allocates a second hdev and puts it into data->hdev. The former is leaked. * vhci_release does not release data->hdev properly as it thinks there is none. Fix both cases by moving the actual test *after* the call to cancel_delayed_work_sync. This can be hit by this program: #include #include #include #include #include #include #include #include int main(int argc, char **argv) { int fd; srand(time(NULL)); while (1) { const int delta = (rand() % 200 - 100) * 100; fd = open("/dev/vhci", O_RDWR); if (fd < 0) err(1, "open"); usleep(1000000 + delta); close(fd); } return 0; } And the result is: BUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228 Read of size 8 by task kworker/u13:1/32068 ============================================================================= BUG kmalloc-192 (Tainted: G E ): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040 ... 
kmem_cache_alloc_trace+0x150/0x190 vhci_open+0x50/0x330 [hci_vhci] misc_open+0x35b/0x4e0 chrdev_open+0x23b/0x510 ... INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040 ... __slab_free+0x204/0x310 vhci_release+0xa4/0xd0 [hci_vhci] ... INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080 INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600 Bytes b4 ffff88006b0c11f0: 09 df 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88006b0c1200: 00 06 0c 6b 00 88 ff ff 00 00 00 00 00 00 00 00 ...k............ Object ffff88006b0c1210: 10 12 0c 6b 00 88 ff ff 10 12 0c 6b 00 88 ff ff ...k.......k.... Object ffff88006b0c1220: c0 46 c2 6b 00 88 ff ff c0 46 c2 6b 00 88 ff ff .F.k.....F.k.... Object ffff88006b0c1230: 01 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00 ................ Object ffff88006b0c1240: 40 12 0c 6b 00 88 ff ff 40 12 0c 6b 00 88 ff ff @..k....@..k.... Object ffff88006b0c1250: 50 0d 6e a0 ff ff ff ff 00 02 00 00 00 00 ad de P.n............. Object ffff88006b0c1260: 00 00 00 00 00 00 00 00 ab 62 02 00 01 00 00 00 .........b...... Object ffff88006b0c1270: 90 b9 19 81 ff ff ff ff 38 12 0c 6b 00 88 ff ff ........8..k.... Object ffff88006b0c1280: 03 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00 .. ............. Object ffff88006b0c1290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff88006b0c12a0: 00 00 00 00 00 00 00 00 00 80 cd 3d 00 88 ff ff ...........=.... Object ffff88006b0c12b0: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . .............. Redzone ffff88006b0c12c0: bb bb bb bb bb bb bb bb ........ Padding ffff88006b0c13f8: 00 00 00 00 00 00 00 00 ........ 
CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G B E 4.4.6-0-default #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014 Workqueue: hci0 hci_cmd_work [bluetooth] 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180 ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320 ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80 Call Trace: ... [] ? skb_queue_tail+0x13e/0x150 [] ? vhci_send_frame+0xac/0x100 [hci_vhci] [] ? hci_send_frame+0x188/0x320 [bluetooth] [] ? hci_cmd_work+0x115/0x310 [bluetooth] [] ? process_one_work+0x815/0x1340 [] ? worker_thread+0xe5/0x11f0 [] ? process_one_work+0x1340/0x1340 [] ? kthread+0x1c8/0x230 ... Memory state around the buggy address: ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers) Signed-off-by: Jiri Slaby Signed-off-by: Marcel Holtmann Cc: Dmitry Vyukov Signed-off-by: Greg Kroah-Hartman commit dee5ae282cecfd139be32d61a6fac2947017b83b Author: Adrian Hunter Date: Fri May 20 10:33:47 2016 +0300 mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers commit 822969369482166050c5b2f7013501505e025c39 upstream. The CMD19/CMD14 bus width test has been found to be unreliable in some cases. It is not essential, so simply remove it. Signed-off-by: Adrian Hunter Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 926c2c0bdd2eb09796ea4211f41a61c146ef5ba7 Author: Matt Gumbel Date: Fri May 20 10:33:46 2016 +0300 mmc: longer timeout for long read time quirk commit 32ecd320db39bcb007679ed42f283740641b81ea upstream. 
    008GE0 Toshiba mmc in some Intel Baytrail tablets responds to
    MMC_SEND_EXT_CSD in 450-600ms.

    This patch will...

    () Increase the long read time quirk timeout from 300ms to 600ms.
       The original author of that quirk says 300ms was only a guess and
       that the number may need to be raised in the future.

    () Add this specific MMC to the quirk

    Signed-off-by: Matt Gumbel
    Signed-off-by: Adrian Hunter
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit d81ccd1a3596c9ef9e9ef7b9f65b821b833af636
Author: Gabriele Mazzotta
Date:   Tue May 24 22:53:08 2016 +0200

    dell-rbtn: Ignore ACPI notifications if device is suspended

    commit ff8651237f39cea60dc89b2d9f25d9ede3fc82c0 upstream.

    Some BIOSes unconditionally send an ACPI notification to RBTN when the
    system is resuming from suspend. This makes dell-rbtn send an input
    event to userspace as if a function key was pressed. Prevent this by
    ignoring all the notifications received while the device is suspended.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=106031
    Signed-off-by: Gabriele Mazzotta
    Tested-by: Alex Hung
    Reviewed-by: Pali Rohár
    Signed-off-by: Darren Hart
    Signed-off-by: Greg Kroah-Hartman

commit 97f8ae03311beaf738419945dc7464f6812cd088
Author: Lv Zheng
Date:   Tue May 3 16:48:20 2016 +0800

    ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings

    commit 30c9bb0d7603e7b3f4d6a0ea231e1cddae020c32 upstream.

    The order of the _OSI related functionalities is as follows:

      acpi_blacklisted()
        acpi_dmi_osi_linux()
          acpi_osi_setup()
        acpi_osi_setup()
          acpi_update_interfaces() if "!*"       <<<<<<<<<<<<<<<<<<<<<<<<
      parse_args()
        __setup("acpi_osi=")
          acpi_osi_setup_linux()
            acpi_update_interfaces() if "!*"     <<<<<<<<<<<<<<<<<<<<<<<<
      acpi_early_init()
        acpi_initialize_subsystem()
          acpi_ut_initialize_interfaces()        ^^^^^^^^^^^^^^^^^^^^^^^^
      acpi_bus_init()
        acpi_os_initialize1()
          acpi_install_interface_handler(acpi_osi_handler)
          acpi_osi_setup_late()
            acpi_update_interfaces() for "!"     >>>>>>>>>>>>>>>>>>>>>>>>
      acpi_osi_handler()

    Since acpi_osi_setup_linux() can override acpi_dmi_osi_linux(), the
    command line setting can override the DMI detection. That's why
    acpi_blacklisted() is put before __setup("acpi_osi=").

    Then we can notice the following wrong invocation order. There are
    acpi_update_interfaces() (marked by <<<<) calls invoked before
    acpi_ut_initialize_interfaces() (marked by ^^^^). This makes it
    impossible to use acpi_osi=!* correctly from the OSI DMI table or
    from the command line. The use of acpi_osi=!* is meant to disable
    both ACPICA (acpi_gbl_supported_interfaces) and Linux specific
    strings (osi_setup_entries), while the ACPICA part should have
    stopped working because of the order issue.

    This patch fixes this issue by moving acpi_update_interfaces() to
    where it is invoked for acpi_osi=! (marked by >>>>), as this is
    ensured to be invoked after acpi_ut_initialize_interfaces() (marked
    by ^^^^). Linux specific strings are still handled in the original
    place in order to make the following command line work:
    acpi_osi=!* acpi_osi="Module Device".

    Note that since acpi_osi=!* is meant to further disable Linux
    specific strings compared to acpi_osi=!, there is no such use case
    in our bug fixing work and hence there is no one using acpi_osi=!*
    either from the command line or from the DMI quirks; this issue is
    just a theoretical issue.

    Fixes: 741d81280ad2 (ACPI: Add facility to remove all _OSI strings)
    Tested-by: Lukas Wunner
    Tested-by: Chen Yu
    Signed-off-by: Lv Zheng
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 86accaa9a06395d28e9872dbeb56887b74b7e566
Author: Adrian Hunter
Date:   Fri May 20 10:33:48 2016 +0300

    mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers

    commit 265984b36ce82fec67957d452dd2b22e010611e4 upstream.

    The CMD19/CMD14 bus width test has been found to be unreliable in
    some cases. It is not essential, so simply remove it.
    Signed-off-by: Adrian Hunter
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 98e4743f6c58eefd00a34d681a5c6f6d6df0e2b8
Author: Adrian Hunter
Date:   Thu May 19 15:25:42 2016 +0200

    mmc: sdhci-acpi: Ensure connected devices are powered when probing

    commit e5bbf30733f930a1d17b4ccf19eac88e30a39cc7 upstream.

    Some devices connected to the SDHCI controller may have separate
    enabling lines that are controlled through GPIO. These devices need
    to be powered on and enabled before probing. This is to ensure all
    devices connected can be seen by the controller.

    Note, for "stable" this patch depends on the following change:
    commit 78a898d0e395 ("ACPI / PM: Export acpi_device_fix_up_power()")

    Signed-off-by: Adrian Hunter
    Reported-and-tested-by: Laszlo Fiat
    Signed-off-by: Ulf Hansson
    Reported-by: Laszlo Fiat
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112571
    Link: http://lkml.kernel.org/r/CA+7w51inLtQSr656bJvOjGG9oQWKYPXH+xxDPJKbeJ=CcrkS9Q@mail.gmail.com
    Signed-off-by: Greg Kroah-Hartman

commit 43e648edb5d64878d7587f80ed8259ad446f297e
Author: Ulf Hansson
Date:   Thu May 19 15:25:41 2016 +0200

    ACPI / PM: Export acpi_device_fix_up_power()

    commit 78a898d0e39513469858de990de83210fee28ee9 upstream.

    Drivers that need acpi_device_fix_up_power(): allow them to be built
    as modules by exporting this function.

    Tested-by: Laszlo Fiat
    Signed-off-by: Ulf Hansson
    Acked-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 74b9f53139b52b276bbc10bf9c3714944c65c01a
Author: Adrian Hunter
Date:   Thu May 5 08:12:28 2016 +0300

    mmc: mmc: Fix partition switch timeout for some eMMCs

    commit 1c447116d017a98c90f8f71c8c5a611e0aa42178 upstream.

    Some eMMCs set the partition switch timeout too low.

    Now typically eMMCs are considered a critical component (e.g. because
    they store the root file system) and consequently are expected to be
    reliable. Thus we can neglect the use case where eMMCs can't switch
    reliably and we might want a lower timeout to facilitate speedy
    recovery.
    Although we could employ a quirk for the cards that are affected (if
    we could identify them all), as described above, there is little
    benefit to having a low timeout, so instead simply set a minimum
    timeout.

    The minimum is set to 300ms somewhat arbitrarily - the examples that
    have been seen had a timeout of 10ms but were sometimes taking
    60-70ms.

    Signed-off-by: Adrian Hunter
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit c9cf1445e1919cf93d3e48dd72b57f5210b05363
Author: Oliver Hartkopp
Date:   Mon Mar 21 20:18:21 2016 +0100

    can: fix handling of unmodifiable configuration options

    commit bb208f144cf3f59d8f89a09a80efd04389718907 upstream.

    As described in 'can: m_can: tag current CAN FD controllers as
    non-ISO' (6cfda7fbebe) it is possible to define fixed configuration
    options by setting the according bit in 'ctrlmode' and clearing it
    in 'ctrlmode_supported'.

    This leads to the inconvenience that the fixed configuration bits can
    not be passed by netlink even when they have the correct values (e.g.
    non-ISO, FD).

    This patch fixes that issue and not only allows fixed set bit values
    to be set again but now requires(!) to provide these fixed values at
    configuration time. A valid CAN FD configuration consists of a
    nominal/arbitration bittiming, a data bittiming and a control mode
    with CAN_CTRLMODE_FD set - which is now enforced by a new
    can_validate() function. This fix additionally removed the
    inconsistency that was prohibiting the support of 'CANFD-only'
    controller drivers, like the RCar CAN FD.

    For this reason a new helper can_set_static_ctrlmode() has been
    introduced to provide a proper interface to handle static enabled
    CAN controller options.
    Reported-by: Ramesh Shanmugasundaram
    Signed-off-by: Oliver Hartkopp
    Reviewed-by: Ramesh Shanmugasundaram
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

commit 823d081963764a582087d3ee5ae68d22b7b20f49
Author: Christophe Ricard
Date:   Sat Apr 30 09:12:34 2016 +0200

    nfc: st21nfca: Fix static checker warning

    commit b58afe6d6d3a53af165d5946f12c4b08c95acd58 upstream.

    Fix static checker warning:
    drivers/nfc/st21nfca/i2c.c:530 st21nfca_hci_i2c_acpi_request_resources()
    error: 'gpiod_ena' dereferencing possible ERR_PTR()

    Fix so that if no enable gpio can be retrieved an -ENODEV is returned.

    Reported-by: Dan Carpenter
    Fixes: dfa8070d7f64 ("nfc: st21nfca: Add support for acpi probing for i2c device.")
    Signed-off-by: Christophe Ricard
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman

commit 740c23109e875370f4217f507723ee6ccf329b88
Author: Marc Zyngier
Date:   Fri May 6 19:41:56 2016 +0100

    irqchip/gic-v3: Configure all interrupts as non-secure Group-1

    commit 7c9b973061b03af62734f613f6abec46c0dd4a88 upstream.

    The GICv3 driver wrongly assumes that it runs on the non-secure side
    of a secure-enabled system, while it could be on a system with a
    single security state, or a GICv3 with GICD_CTLR.DS set.

    Either way, it is important to configure this properly, or interrupts
    will simply not be delivered on this HW.

    Reported-by: Peter Maydell
    Tested-by: Peter Maydell
    Signed-off-by: Marc Zyngier
    Signed-off-by: Greg Kroah-Hartman

commit 00a6ed86a7695a937cf4be481ea08aa492da3c7d
Author: Will Deacon
Date:   Tue Apr 26 12:00:00 2016 +0100

    irqchip/gic: Ensure ordering between read of INTACK and shared data

    commit f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 upstream.

    When an IPI is generated by a CPU, the pattern looks roughly like:

      smp_wmb();

    On the receiving CPU we rely on the fact that, once we've taken the
    interrupt, then the freshly written shared data must be visible to
    us. Put another way, the CPU isn't going to speculate taking an
    interrupt.

    Unfortunately, this assumption turns out to be broken.

    Consider that CPUx wants to send an IPI to CPUy, which will cause
    CPUy to read some shared_data. Before CPUx has done anything, a
    random peripheral raises an IRQ to the GIC and the IRQ line on CPUy
    is raised. CPUy then takes the IRQ and starts executing the entry
    code, heading towards gic_handle_irq. Furthermore, let's assume that
    a bunch of the previous interrupts handled by CPUy were SGIs, so the
    branch predictor kicks in and speculates that irqnr will be <16 and
    we're likely to head into handle_IPI. The prefetcher then grabs a
    speculative copy of shared_data which contains a stale value.

    Meanwhile, CPUx gets round to updating shared_data and asking the GIC
    to send an SGI to CPUy. Internally, the GIC decides that the SGI is
    more important than the peripheral interrupt (which hasn't yet been
    ACKed) but doesn't need to do anything to CPUy, because the IRQ line
    is already raised.

    CPUy then reads the ACK register on the GIC, sees the SGI value which
    confirms the branch prediction and we end up with a stale shared_data
    value.

    This patch fixes the problem by adding an smp_rmb() to the IPI entry
    code in gic_handle_irq. As it turns out, the combination of a control
    dependency and an ISB instruction from the EOI in the GICv3 driver is
    enough to provide the ordering we need, so we add a comment there
    justifying the absence of an explicit smp_rmb().

    Signed-off-by: Will Deacon
    Signed-off-by: Marc Zyngier
    Signed-off-by: Greg Kroah-Hartman

commit c1bcbc6031afeec2302d5efa6dfcd6f14b1297b2
Author: Manfred Schlaegl
Date:   Fri May 27 16:36:36 2016 -0700

    Input: pwm-beeper - fix - scheduling while atomic

    commit f49cf3b8b4c841457244c461c66186a719e13bcc upstream.

    Pwm config may sleep so defer it using a worker.

    On a Freescale i.MX53 based board we ran into "BUG: scheduling while
    atomic" because input_inject_event locks interrupts, but
    imx_pwm_config_v2 sleeps.

    Tested on Freescale i.MX53 SoC with 4.6.0.
    Signed-off-by: Manfred Schlaegl
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 8936cc80881638dbd5692bae55eda6d23b7bf36e
Author: Roger Quadros
Date:   Mon May 9 11:28:37 2016 +0300

    mfd: omap-usb-tll: Fix scheduling while atomic BUG

    commit b49b927f16acee626c56a1af4ab4cb062f75b5df upstream.

    We shouldn't be calling clk_prepare_enable()/clk_prepare_disable()
    in an atomic context.

    Fixes the following issue:

    [    5.830970] ehci-omap: OMAP-EHCI Host Controller driver
    [    5.830974] driver_register 'ehci-omap'
    [    5.895849] driver_register 'wl1271_sdio'
    [    5.896870] BUG: scheduling while atomic: udevd/994/0x00000002
    [    5.896876] 4 locks held by udevd/994:
    [    5.896904]  #0:  (&dev->mutex){......}, at: [] __driver_attach+0x60/0xac
    [    5.896923]  #1:  (&dev->mutex){......}, at: [] __driver_attach+0x70/0xac
    [    5.896946]  #2:  (tll_lock){+.+...}, at: [] omap_tll_enable+0x2c/0xd0
    [    5.896966]  #3:  (prepare_lock){+.+...}, at: [] clk_prepare_lock+0x48/0xe0
    [    5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+) bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine
    [    5.897048] Preemption disabled at:[<  (null)>]   (null)
    [    5.897051]
    [    5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233
    [    5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree)
    [    5.897076] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
    [    5.897087] [] (show_stack) from [] (dump_stack+0x88/0xc0)
    [    5.897099] [] (dump_stack) from [] (__schedule_bug+0xac/0xd0)
    [    5.897111] [] (__schedule_bug) from [] (__schedule+0x88/0x7e4)
    [    5.897120] [] (__schedule) from [] (schedule+0x9c/0xc0)
    [    5.897129] [] (schedule) from [] (schedule_preempt_disabled+0x14/0x20)
    [    5.897140] [] (schedule_preempt_disabled) from [] (mutex_lock_nested+0x258/0x43c)
    [    5.897150] [] (mutex_lock_nested) from [] (clk_prepare_lock+0x48/0xe0)
    [    5.897160] [] (clk_prepare_lock) from [] (clk_prepare+0x10/0x28)
    [    5.897169] [] (clk_prepare) from [] (omap_tll_enable+0x64/0xd0)
    [    5.897180] [] (omap_tll_enable) from [] (usbhs_runtime_resume+0x18/0x17c)
    [    5.897192] [] (usbhs_runtime_resume) from [] (pm_generic_runtime_resume+0x2c/0x40)
    [    5.897202] [] (pm_generic_runtime_resume) from [] (__rpm_callback+0x38/0x68)
    [    5.897210] [] (__rpm_callback) from [] (rpm_callback+0x70/0x88)
    [    5.897218] [] (rpm_callback) from [] (rpm_resume+0x4ec/0x7ec)
    [    5.897227] [] (rpm_resume) from [] (__pm_runtime_resume+0x4c/0x64)
    [    5.897236] [] (__pm_runtime_resume) from [] (driver_probe_device+0x30/0x70)
    [    5.897246] [] (driver_probe_device) from [] (__driver_attach+0x88/0xac)
    [    5.897256] [] (__driver_attach) from [] (bus_for_each_dev+0x50/0x84)
    [    5.897267] [] (bus_for_each_dev) from [] (bus_add_driver+0xcc/0x1e4)
    [    5.897276] [] (bus_add_driver) from [] (driver_register+0xac/0xf4)
    [    5.897286] [] (driver_register) from [] (do_one_initcall+0x100/0x1b8)
    [    5.897296] [] (do_one_initcall) from [] (do_init_module+0x58/0x1c0)
    [    5.897304] [] (do_init_module) from [] (SyS_finit_module+0x88/0x90)
    [    5.897313] [] (SyS_finit_module) from [] (ret_fast_syscall+0x0/0x1c)
    [    5.912697] ------------[ cut here ]------------
    [    5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996 _raw_spin_unlock+0x28/0x58
    [    5.912717] DEBUG_LOCKS_WARN_ON(val > preempt_count())

    Reported-by: H. Nikolaus Schaller
    Tested-by: H. Nikolaus Schaller
    Signed-off-by: Roger Quadros
    Signed-off-by: Lee Jones
    Signed-off-by: Greg Kroah-Hartman

commit 58ddce617249f5031cfb11a2ffba7ce40e53f576
Author: Vik Heyndrickx
Date:   Thu Apr 28 20:46:28 2016 +0200

    sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems

    commit 20878232c52329f92423d27a60e48b6a6389e0dd upstream.

    Systems show a minimal load average of 0.00, 0.01, 0.05 even when
    they have no load at all.
    Uptime and /proc/loadavg on all systems with kernels released during
    the last five years up until kernel version 4.6-rc5, show a 5- and
    15-minute minimum loadavg of 0.01 and 0.05 respectively. This should
    be 0.00 on idle systems, but the way the kernel calculates this value
    prevents it from getting lower than the mentioned values.

    Likewise but not as obviously noticeable, a fully loaded system with
    no processes waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99,
    0.95 (multiplied by number of cores).

    Once the (old) load becomes 93 or higher, it mathematically can never
    get lower than 93, even when the active (load) remains 0 forever.
    This results in the strange 0.00, 0.01, 0.05 uptime values on idle
    systems. Note: 93/2048 = 0.0454..., which rounds up to 0.05.

    It is not correct to add a 0.5 rounding (=1024/2048) here, since the
    result from this function is fed back into the next iteration again,
    so the result of that +0.5 rounding value then gets multiplied by
    (2048-2037), and then rounded again, so there is a virtual "ghost"
    load created, next to the old and active load terms.

    By changing the way the internally kept value is rounded, that
    internal value equivalent now can reach 0.00 on idle, and 1.00 on
    full load. Upon increasing load, the internally kept load value is
    rounded up, when the load is decreasing, the load value is rounded
    down.

    The modified code was tested on nohz=off and nohz kernels. It was
    tested on vanilla kernel 4.6-rc5 and on centos 7.1 kernel
    3.10.0-327. It was tested on single, dual, and octal cores system.
    It was tested on virtual hosts and bare hardware. No unwanted effects
    have been observed, and the problems that the patch intended to fix
    were indeed gone.
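Added example for the sched/loadavg message above; it is not kernel code and not part of this changelog. It is a user-space model of the two calc_load() variants the message describes: FSHIFT, FIXED_1 and the EXP_* constants are the kernel's; the two function bodies are reconstructed from the description (always add 0.5 before truncating, versus round up only while the load is rising), and the settle(), load_int() and load_frac() helpers are ours. Running it reproduces the 0.00/0.01/0.05 idle floor and the 1.00/0.99/0.95 full-load ceiling the message reports, and shows the new rounding reaching 0.00 and 1.00.

```c
/*
 * Model of the old and new calc_load() rounding described above.
 * Added example, not kernel code.
 */
#include <stdio.h>

#define FSHIFT  11
#define FIXED_1 (1UL << FSHIFT)   /* 1.0 in the kernel's fixed-point load units */
#define EXP_1   1884              /* 1/exp(5sec/1min) scaled by FIXED_1 */
#define EXP_5   2014              /* 1/exp(5sec/5min) */
#define EXP_15  2037              /* 1/exp(5sec/15min) */

typedef unsigned long (*calc_load_fn)(unsigned long, unsigned long, unsigned long);

/* Old: unconditional +0.5 rounding, whose result is fed back into the next step. */
unsigned long calc_load_old(unsigned long load, unsigned long exp, unsigned long active)
{
	load *= exp;
	load += active * (FIXED_1 - exp);
	load += 1UL << (FSHIFT - 1);
	return load >> FSHIFT;
}

/* New: round up while the load is rising, truncate while it is falling. */
unsigned long calc_load_new(unsigned long load, unsigned long exp, unsigned long active)
{
	unsigned long newload = load * exp + active * (FIXED_1 - exp);

	if (active >= load)
		newload += FIXED_1 - 1;
	return newload / FIXED_1;
}

/* Iterate from `start` with a constant `active` until the value stops moving. */
unsigned long settle(calc_load_fn fn, unsigned long exp, unsigned long active, unsigned long start)
{
	unsigned long load = start, prev;

	do {
		prev = load;
		load = fn(load, exp, active);
	} while (load != prev);
	return load;
}

/* Integer and two-digit fraction as /proc/loadavg prints them (LOAD_INT/LOAD_FRAC with the FIXED_1/200 offset). */
unsigned long load_int(unsigned long load)
{
	return (load + FIXED_1 / 200) >> FSHIFT;
}

unsigned long load_frac(unsigned long load)
{
	return (((load + FIXED_1 / 200) & (FIXED_1 - 1)) * 100) >> FSHIFT;
}

int main(void)
{
	const unsigned long exps[] = { EXP_1, EXP_5, EXP_15 };

	for (int i = 0; i < 3; i++) {
		/* idle: start at 1.00 (above the 93/2048 trap) and let it decay */
		unsigned long o = settle(calc_load_old, exps[i], 0, FIXED_1);
		unsigned long n = settle(calc_load_new, exps[i], 0, FIXED_1);
		printf("exp=%lu idle floor:   old %lu.%02lu  new %lu.%02lu\n", exps[i],
		       load_int(o), load_frac(o), load_int(n), load_frac(n));
		/* fully loaded: start at 0 with one runnable task per core */
		o = settle(calc_load_old, exps[i], FIXED_1, 0);
		n = settle(calc_load_new, exps[i], FIXED_1, 0);
		printf("exp=%lu full ceiling: old %lu.%02lu  new %lu.%02lu\n", exps[i],
		       load_int(o), load_frac(o), load_int(n), load_frac(n));
	}
	return 0;
}
```

With the old rounding the idle decay stops at 6, 30 and 93 internal units for the 1/5/15-minute terms (0.00, 0.01, 0.05 after the /proc/loadavg offset), and the full-load rise stops at 2042, 2018 and 1955 (1.00, 0.99, 0.95); with the new rounding all three reach 0 and FIXED_1.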
    Tested-by: Damien Wyart
    Signed-off-by: Vik Heyndrickx
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Doug Smythies
    Cc: Linus Torvalds
    Cc: Mike Galbraith
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 0f004f5a696a ("sched: Cure more NO_HZ load average woes")
    Link: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.net
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit ea27481a427ee75cb77088b785ae8591eb74870c
Author: Jaegeuk Kim
Date:   Wed May 4 22:05:01 2016 -0700

    fscrypto/f2fs: allow fs-specific key prefix for fs encryption

    commit b5a7aef1ef436ec005fef0efe31a676ec5f4ab31 upstream.

    This patch allows fscrypto to handle a second key prefix given by the
    filesystem. The main reason is to provide backward compatibility,
    since previously f2fs used "f2fs:" as a crypto prefix instead of
    "fscrypt:". Later, ext4 should also provide key_prefix() to give
    "ext4:".

    One concern described by Ted would be the kinda double check overhead
    of prefixes. In x86, for example, validate_user_key consumes 8 ms
    after boot-up, which turns out derive_key_aes() consumed most of the
    time to load the specific crypto module. After such a cold miss, it
    shows almost zero latencies, which is treated as a negligible
    overhead. Note that request_key() detects a wrong prefix even prior
    to derive_key_aes().

    Cc: Ted Tso
    Signed-off-by: Jaegeuk Kim
    Signed-off-by: Greg Kroah-Hartman

commit 3718e19da2f1d32867a57bcbe53d6b535fc0909c
Author: Josh Poimboeuf
Date:   Mon May 16 15:16:18 2016 -0500

    crypto: sha1-mb - make sha1_x8_avx2() conform to C function ABI

    commit 4a6b27b79da5ccc6b85dc05bbe6a091e58be896a upstream.

    Megha Dey reported a kernel panic in crypto code. The problem is that
    sha1_x8_avx2() clobbers registers r12-r15 without saving and
    restoring them.

    Before commit aec4d0e301f1 ("x86/asm/crypto: Simplify stack usage in
    sha-mb functions"), those registers were saved and restored by the
    callers of the function. I removed them with that commit because I
    didn't realize sha1_x8_avx2() clobbered them.

    Fix the potential undefined behavior associated with clobbering the
    registers and make the behavior less surprising by changing the
    registers to be callee saved/restored to conform with the C function
    call ABI.

    Also, rdx (aka RSP_SAVE) doesn't need to be saved: I verified that
    none of the callers rely on it being saved, and it's not a
    callee-saved register in the C ABI.

    Fixes: aec4d0e301f1 ("x86/asm/crypto: Simplify stack usage in sha-mb functions")
    Reported-by: Megha Dey
    Signed-off-by: Josh Poimboeuf
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 2a956fd6bd8aedd2e040387a2b200b7ad0b9a81b
Author: Andy Gross
Date:   Tue May 3 15:24:11 2016 -0500

    clk: qcom: msm8916: Fix crypto clock flags

    commit 2a0974aa1a0b40a92387ea03dbfeacfbc9ba182c upstream.

    This patch adds the CLK_SET_RATE_PARENT flag for the crypto core and
    ahb blocks. Without this flag, clk_set_rate can fail for certain
    frequency requests.

    Signed-off-by: Andy Gross
    Fixes: 3966fab8b6ab ("clk: qcom: Add MSM8916 Global Clock Controller support")
    Signed-off-by: Stephen Boyd
    Signed-off-by: Greg Kroah-Hartman

commit ada6fe65f6bb98d017f6ee67b72ae5849dda9432
Author: Corentin LABBE
Date:   Wed Mar 23 16:11:24 2016 +0100

    crypto: sun4i-ss - Replace spinlock_bh by spin_lock_irq{save|restore}

    commit bdb6cf9f6fe6d9af905ea34b7c4bb78ea601329e upstream.

    The current sun4i-ss driver could generate data corruption when
    ciphering/deciphering. It occurs randomly on the end of handled data.
    No root cause has been found and the only way to remove it is to
    replace all spin_lock_bh by their irq counterparts.

    Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
    Signed-off-by: LABBE Corentin
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit e0a75d47ebc09669945f3ea744a9562ec1e9ce90
Author: Horia Geantă
Date:   Thu Apr 21 19:24:55 2016 +0300

    crypto: talitos - fix ahash algorithms registration

    commit 3639ca840df953f9af6f15fc8a6bf77f19075ab1 upstream.

    Provide hardware state import/export functionality, as mandated by
    commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero")

    Reported-by: Jonas Eymann
    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 943c8d78b633d50eaf979842ab5d125ec1b8f8b8
Author: Catalin Vasile
Date:   Fri May 6 16:18:53 2016 +0300

    crypto: caam - fix caam_jr_alloc() ret code

    commit e930c765ca5c6b039cd22ebfb4504ea7b5dab43d upstream.

    caam_jr_alloc() used to return NULL if a JR device could not be
    allocated for a session. In turn, every user of this function used
    the IS_ERR() function to verify if anything went wrong, which does
    NOT look for NULL values. This made the kernel crash if the sanity
    check failed, because the driver continued to think it had allocated
    a valid JR dev instance to the session and at some point it tries to
    do a caam_jr_free() on a NULL JR dev pointer.

    This patch is a fix for this issue.

    Signed-off-by: Catalin Vasile
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 6d40007bb8870d146dc8b388e97b80a5a16dd204
Author: Steven Rostedt (Red Hat)
Date:   Fri May 13 09:34:12 2016 -0400

    ring-buffer: Prevent overflow of size in ring_buffer_resize()

    commit 59643d1535eb220668692a5359de22545af579f6 upstream.

    If the size passed to ring_buffer_resize() is greater than
    MAX_LONG - BUF_PAGE_SIZE then the DIV_ROUND_UP() will return zero.

    Here's the details:

      # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

    tracing_entries_write() processes this and converts kb to bytes.

      18014398509481980 << 10 = 18446744073709547520

    and this is passed to ring_buffer_resize() as unsigned long size.

      size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

    Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

    BUF_PAGE_SIZE is 4080 and here

      18446744073709547520 + 4080 - 1 = 18446744073709551599

    where 18446744073709551599 is still smaller than 2^64

      2^64 - 18446744073709551599 = 17

    But now 18446744073709551599 / 4080 = 4521260802379792

    and size = size * 4080 = 18446744073709551360

    This is checked to make sure its still greater than 2 * 4080,
    which it is.

    Then we convert to the number of buffer pages needed.

      nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

    but this time size is 18446744073709551360 and

      2^64 - (18446744073709551360 + 4080 - 1) = -3823

    Thus it overflows and the resulting number is less than 4080, which
    makes

      3823 / 4080 = 0

    and nr_pages is set to this. As we already checked against the
    minimum that nr_pages may be, this causes the logic to fail as well,
    and we crash the kernel.

    There's no reason to have the two DIV_ROUND_UP() (that's just a
    result of historical code changes); clean up the code and fix this
    bug.

    Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit 0b8eecc14410eaa197809f66f4de8fa85c2721ed
Author: Steven Rostedt (Red Hat)
Date:   Thu May 12 11:01:24 2016 -0400

    ring-buffer: Use long for nr_pages to avoid overflow failures

    commit 9b94a8fba501f38368aef6ac1b30e7335252a220 upstream.

    The size variable to change the ring buffer in ftrace is a long. The
    nr_pages used to update the ring buffer based on the size is int. On
    64 bit machines this can cause an overflow problem.

    For example, the following will cause the ring buffer to crash:

      # cd /sys/kernel/debug/tracing
      # echo 10 > buffer_size_kb
      # echo 8556384240 > buffer_size_kb

    Then you get the warning of:

      WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260

    Which is:

      RB_WARN_ON(cpu_buffer, nr_removed);

    Note each ring buffer page holds 4080 bytes.
    This is because:

    1) 10 causes the ring buffer to have 3 pages.
       (10kb requires 3 * 4080 pages to hold)

    2) (2^31 / 2^10 + 1) * 4080 = 8556384240
       The value written into buffer_size_kb is shifted by 10 and then
       passed to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760

    3) The size passed to ring_buffer_resize() is then divided by
       BUF_PAGE_SIZE which is 4080. 8761737461760 / 4080 = 2147484672

    4) nr_pages is subtracted from the current nr_pages (3) and we get:
       2147484669. This value is saved in a signed integer
       nr_pages_to_update

    5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed
       int turns into the value of -2147482627

    6) As the value is a negative number, in update_pages_handler() it is
       negated and passed to rb_remove_pages() and 2147482627 pages will
       be removed, which is much larger than 3 and it causes the warning
       because not all the pages asked to be removed were removed.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001
    Fixes: 7a8e76a3829f1 ("tracing: unified trace buffer")
    Reported-by: Hao Qin
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit f40ec93496a7c63346fc5f3ac80442c82ebad6a2
Author: John Stultz
Date:   Mon May 16 20:36:15 2016 -0700

    asix: Fix offset calculation in asix_rx_fixup() causing slow transmissions

    commit cd9e2e5d3ff148be9ea210f622ce3e8e8292fcd6 upstream.

    In testing with HiKey, we found that since commit 3f30b158eba5
    ("asix: On RX avoid creating bad Ethernet frames"), we're seeing lots
    of noise during network transfers:

    [  239.027993] asix 1-1.1:1.0 eth0: asix_rx_fixup() Data Header synchronisation was lost, remaining 988
    [  239.037310] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0x54ebb5ec, offset 4
    [  239.045519] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0xcdffe7a2, offset 4
    [  239.275044] asix 1-1.1:1.0 eth0: asix_rx_fixup() Data Header synchronisation was lost, remaining 988
    [  239.284355] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0x1d36f59d, offset 4
    [  239.292541] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0xaef3c1e9, offset 4
    [  239.518996] asix 1-1.1:1.0 eth0: asix_rx_fixup() Data Header synchronisation was lost, remaining 988
    [  239.528300] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0x2881912, offset 4
    [  239.536413] asix 1-1.1:1.0 eth0: asix_rx_fixup() Bad Header Length 0x5638f7e2, offset 4

    And network throughput ends up being pretty bursty and slow with an
    overall throughput of at best ~30kB/s (whereas previously we got
    1.1MB/s with the slower USB1.1 "full speed" host).

    We found the issue was also reproducible on a x86_64 system, using a
    "high-speed" USB2.0 port, but the throughput did not measurably drop
    (possibly due to the scp transfer being cpu bound on my slow test
    hardware).

    After lots of debugging, I found the check added in the problematic
    commit seems to be calculating the offset incorrectly.
    In the normal case, in the main loop of the function, we do:
    (where offset is zero, or set to "offset += (copy_length + 1) & 0xfffe"
    in the previous loop)

        rx->header = get_unaligned_le32(skb->data + offset);
        offset += sizeof(u32);

    But the problematic patch calculates:

        offset = ((rx->remaining + 1) & 0xfffe) + sizeof(u32);
        rx->header = get_unaligned_le32(skb->data + offset);

    Adding some debug logic to check those offset calculations used to find
    rx->header, the one in the problematic code is always too large by
    sizeof(u32).

    Thus, this patch removes the incorrect " + sizeof(u32)" addition in the
    problematic calculation, and resolves the issue.

    Cc: Dean Jenkins
    Cc: "David B. Robins"
    Cc: Mark Craske
    Cc: Emil Goode
    Cc: "David S. Miller"
    Cc: YongQin Liu
    Cc: Guodong Xu
    Cc: Ivan Vecera
    Cc: linux-usb@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Reported-by: Yongqin Liu
    Signed-off-by: John Stultz
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1030183a090a8e61b8776ffbfef1cf7c83f2f47e
Author: Stefan Metzmacher
Date:   Tue May 3 10:52:30 2016 +0200

    fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication

    commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 upstream.

    Only servers which map unknown users to guest will allow access
    using a non-null NTLMv2_Response.

    For Samba it's the "map to guest = bad user" option.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

    Signed-off-by: Stefan Metzmacher
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 86006a0c7a5e577eed7e73591dd6b513be8834c8
Author: Stefan Metzmacher
Date:   Tue May 3 10:52:30 2016 +0200

    fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication

    commit 777f69b8d26bf35ade4a76b08f203c11e048365d upstream.

    Only servers which map unknown users to guest will allow access
    using a non-null NTChallengeResponse.

    For Samba it's the "map to guest = bad user" option.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

    Signed-off-by: Stefan Metzmacher
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit e92b6159427fe8b06630273140c74f7437d7f73c
Author: Stefan Metzmacher
Date:   Tue May 3 10:52:30 2016 +0200

    fs/cifs: correctly to anonymous authentication for the LANMAN authentication

    commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c upstream.

    Only servers which map unknown users to guest will allow access
    using a non-null LMChallengeResponse.

    For Samba it's the "map to guest = bad user" option.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

    Signed-off-by: Stefan Metzmacher
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 32afd0e6d6c714eb74b4831c5d098f733f261f42
Author: Stefan Metzmacher
Date:   Tue May 3 10:52:30 2016 +0200

    fs/cifs: correctly to anonymous authentication via NTLMSSP

    commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db upstream.

    See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:

      ...
      Set NullSession to FALSE
      If (AUTHENTICATE_MESSAGE.UserNameLen == 0
          AND AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0
          AND (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
               OR AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
          -- Special case: client requested anonymous authentication
          Set NullSession to TRUE
      ...

    Only servers which map unknown users to guest will allow access
    using a non-null NTChallengeResponse.

    For Samba it's the "map to guest = bad user" option.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

    Signed-off-by: Stefan Metzmacher
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 5483634f63c323f13cbf1a45d6151d6aaf939794
Author: Steve French
Date:   Thu May 12 21:20:36 2016 -0500

    remove directory incorrectly tries to set delete on close on non-empty directories

    commit 897fba1172d637d344f009d700f7eb8a1fa262f1 upstream.

    Wrong return code was being returned on SMB3 rmdir
    of non-empty directory.
    For SMB3 (unlike for cifs), we attempt to delete a directory by setting
    the delete on close flag on the open. Windows clients set this flag via
    a set info (SET_FILE_DISPOSITION to set this flag) which properly
    checks if the directory is empty.

    With this patch on smb3 mounts we correctly return "DIRECTORY NOT EMPTY"
    on attempts to remove a non-empty directory.

    Signed-off-by: Steve French
    Acked-by: Sachin Prabhu
    Signed-off-by: Greg Kroah-Hartman

commit 5c990e883da06630020b597f60521e528f6d0fbd
Author: Jiri Olsa
Date:   Wed May 18 08:16:10 2016 +0200

    perf/x86/intel/uncore: Remove WARN_ON_ONCE in uncore_pci_probe

    commit ef3f00a4d38e01ec0e7ad1b1c8edc2f5667aaa32 upstream.

    When booting with nr_cpus=1, uncore_pci_probe tries to init the
    PCI/uncore also for the other packages and fails with a warning when
    they are not found.

    The warning is bogus because it's correct to fail here for packages
    which are not initialized. Remove it and return silently.

    Fixes: cf6d445f6897 "perf/x86/uncore: Track packages, not per CPU data"
    Signed-off-by: Jiri Olsa
    Cc: stable@vger.kernel.org
    Cc: Peter Zijlstra
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit dbc110f26d44b6bda56c6f9c07429970518adccd
Author: Matt Evans
Date:   Mon May 16 13:54:56 2016 +0100

    kvm: arm64: Fix EC field in inject_abt64

    commit e4fe9e7dc3828bf6a5714eb3c55aef6260d823a2 upstream.

    The EC field of the constructed ESR is conditionally modified by ORing
    in ESR_ELx_EC_DABT_LOW for a data abort. However, ESR_ELx_EC_SHIFT is
    missing from this condition.

    Signed-off-by: Matt Evans
    Acked-by: Marc Zyngier
    Signed-off-by: Christoffer Dall
    Signed-off-by: Greg Kroah-Hartman

commit 6754f36bb80ab0b5b3e76b80e9c8de4257b9af92
Author: Marc Zyngier
Date:   Thu Apr 28 16:16:31 2016 +0100

    arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables

    commit d4b9e0790aa764c0b01e18d4e8d33e93ba36d51f upstream.
    The ARM architecture mandates that when changing a page table entry
    from a valid entry to another valid entry, an invalid entry is first
    written, the TLB invalidated, and only then is the new entry written.

    The current code doesn't respect this, directly writing the new
    entry and only then invalidating TLBs.

    Let's fix it up.

    Reported-by: Christoffer Dall
    Signed-off-by: Marc Zyngier
    Signed-off-by: Christoffer Dall
    Signed-off-by: Greg Kroah-Hartman

commit ebe381c0a4ab69f88b502b3dfd3d489202cd0073
Author: Julien Grall
Date:   Tue May 10 15:40:31 2016 +0100

    arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str

    commit f228b494e56d949be8d8ea09d4f973d1979201bf upstream.

    The loop that browses the array compat_hwcap_str will stop when a NULL
    is encountered, however NULL is missing at the end of the array. This
    will lead to an overrun until a NULL is found somewhere in the following
    memory.

    In reality, this works out because the compat_hwcap2_str array tends to
    follow immediately in memory, and that *is* terminated correctly.
    Furthermore, the unsigned int compat_elf_hwcap is checked before
    printing each capability, so we end up doing the right thing because
    the size of the two arrays is less than 32. Still, this is an obvious
    mistake and should be fixed.

    Note for backporting: commit 12d11817eaafa414 ("arm64: Move
    /proc/cpuinfo handling code") moved this code in v4.4. Prior to that
    commit, the same change should be made in arch/arm64/kernel/setup.c.

    Fixes: 44b82b7700d0 "arm64: Fix up /proc/cpuinfo"
    Signed-off-by: Julien Grall
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit b987714532522c6507e1b01a0ffdbf5649fdd64a
Author: Catalin Marinas
Date:   Thu May 5 10:44:00 2016 +0100

    arm64: Implement pmdp_set_access_flags() for hardware AF/DBM

    commit 282aa7051b0169991b34716f0f22d9c2f59c46c4 upstream.

    The update to the accessed or dirty states for block mappings must be
    done atomically on hardware with support for automatic AF/DBM.
    The ptep_set_access_flags() function has been fixed as part of commit
    66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware
    AF/DBM"). This patch brings pmdp_set_access_flags() in line with the
    pte counterpart.

    Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
    Reviewed-by: Will Deacon
    Signed-off-by: Catalin Marinas
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 433dcefb09dea5ca0a419b383d3756052647ac43
Author: Catalin Marinas
Date:   Wed Apr 13 16:01:22 2016 +0100

    arm64: Implement ptep_set_access_flags() for hardware AF/DBM

    commit 66dbd6e61a526ae7d11a208238ae2c17e5cacb6b upstream.

    When hardware updates of the access and dirty states are enabled, the
    default ptep_set_access_flags() implementation based on calling
    set_pte_at() directly is potentially racy. This triggers the "racy dirty
    state clearing" warning in set_pte_at() because an existing writable PTE
    is overridden with a clean entry.

    There are two main scenarios for this situation:

    1. The CPU getting an access fault does not support hardware updates of
       the access/dirty flags. However, a different agent in the system
       (e.g. SMMU) can do this, therefore overriding a writable entry with a
       clean one could potentially lose the automatically updated dirty
       status

    2. A more complex situation is possible when all CPUs support hardware
       AF/DBM:

       a) Initial state: shareable + writable vma and pte_none(pte)
       b) Read fault taken by two threads of the same process on different
          CPUs
       c) CPU0 takes the mmap_sem and proceeds to handle the fault. It
          eventually reaches do_set_pte() which sets a writable + clean pte.
          CPU0 releases the mmap_sem
       d) CPU1 acquires the mmap_sem and proceeds to handle_pte_fault().
          The pte entry it reads is present, writable and clean and it
          continues to pte_mkyoung()
       e) CPU1 calls ptep_set_access_flags()

       If between (d) and (e) the hardware (another CPU) updates the dirty
       state (clears PTE_RDONLY), CPU1 will override the PTE_RDONLY bit
       marking the entry clean again.

    This patch implements an arm64-specific ptep_set_access_flags()
    function to perform an atomic update of the PTE flags.

    Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
    Signed-off-by: Catalin Marinas
    Reported-by: Ming Lei
    Tested-by: Julien Grall
    Cc: Will Deacon
    [will: reworded comment]
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 790cf8cf5c2f62caed41a93a3508eac91e4d31d0
Author: Catalin Marinas
Date:   Thu May 5 10:44:02 2016 +0100

    arm64: Ensure pmd_present() returns false after pmd_mknotpresent()

    commit 5bb1cc0ff9a6b68871970737e6c4c16919928d8b upstream.

    Currently, pmd_present() only checks for a non-zero value, returning
    true even after pmd_mknotpresent() (which only clears the type bits).
    This patch converts pmd_present() to using pte_present(), similar to the
    other pmd_*() checks. As a side effect, it will return true for
    PROT_NONE mappings, though they are not yet used by the kernel with
    transparent huge pages.

    For consistency, also change pmd_mknotpresent() to only clear the
    PMD_SECT_VALID bit, even though the PMD_TABLE_BIT is already 0 for block
    mappings (no functional change). The unused PMD_SECT_PROT_NONE
    definition is removed as transparent huge pages use the pte page prot
    values.

    Fixes: 9c7e535fcc17 ("arm64: mm: Route pmd thp functions through pte equivalents")
    Reviewed-by: Will Deacon
    Signed-off-by: Catalin Marinas
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman

commit 8f2bc2a8f1bfd36cb4be9ca15ad320259e8f1263
Author: Catalin Marinas
Date:   Thu May 5 10:43:59 2016 +0100

    arm64: Fix typo in the pmdp_huge_get_and_clear() definition

    commit 911f56eeb87ee378f5e215469268a7a2f68a5a8a upstream.
    With hardware AF/DBM support, pmd modifications (transparent huge pages)
    should be performed atomically using load/store exclusive. The initial
    patches defined the get-and-clear function and __HAVE_ARCH_* macro
    without the "huge" word, leaving the pmdp_huge_get_and_clear() to the
    default, non-atomic implementation.

    Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
    Reviewed-by: Will Deacon
    Signed-off-by: Catalin Marinas
    Signed-off-by: Will Deacon
    Signed-off-by: Greg Kroah-Hartman