Headline
CVE-2014-2706
Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.
commit 896c69475eab1022df1cbbf1a18a795a4a45174f Author: Greg Kroah-Hartman Date: Sun Mar 23 21:45:42 2014 -0700 Linux 3.13.7 commit 8a44a89e49d924144d5f207f8be9901f0765bfd8 Author: Zhang Rui Date: Tue Mar 11 22:40:27 2014 +0800 PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures commit 89935315f192abf7068d0044cefc84f162c3c81f upstream. Before commit b355cee88e3b (ACPI / resources: ignore invalid ACPI device resources), if acpi_dev_resource_memory()/acpi_dev_resource_io() returns false, it means the the resource is not a memeory/IO resource. But after commit b355cee88e3b, those functions return false if the given memory/IO resource entry is invalid (the length of the resource is zero). This breaks pnpacpi_allocated_resource(), because it now recognizes the invalid memory/io resources as resources of unknown type. Thus users see confusing warning messages on machines with zero length ACPI memory/IO resources. Fix the problem by rearranging pnpacpi_allocated_resource() so that it calls acpi_dev_resource_memory() for memory type and IO type resources only, respectively. Fixes: b355cee88e3b (ACPI / resources: ignore invalid ACPI device resources) Signed-off-by: Zhang Rui Reported-and-tested-by: Markus Trippelsdorf Reported-and-tested-by: Julian Wollrath Reported-and-tested-by: Paul Bolle [rjw: Changelog] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit efab06e95688b2a08d8868d7589e7ba63e5e7dc0 Author: Filipe Brandenburger Date: Mon Mar 3 15:38:25 2014 -0800 memcg: reparent charges of children before processing parent commit 4fb1a86fb5e4209a7d4426d4e586c58e9edc74ac upstream. Sometimes the cleanup after memcg hierarchy testing gets stuck in mem_cgroup_reparent_charges(), unable to bring non-kmem usage down to 0. There may turn out to be several causes, but a major cause is this: the workitem to offline parent can get run before workitem to offline child; parent’s mem_cgroup_reparent_charges() circles around waiting for the child’s pages to be reparented to its lrus, but it’s holding cgroup_mutex which prevents the child from reaching its mem_cgroup_reparent_charges(). Further testing showed that an ordered workqueue for cgroup_destroy_wq is not always good enough: percpu_ref_kill_and_confirm’s call_rcu_sched stage on the way can mess up the order before reaching the workqueue. Instead, when offlining a memcg, call mem_cgroup_reparent_charges() on all its children (and grandchildren, in the correct order) to have their charges reparented first. Fixes: e5fca243abae (“cgroup: use a dedicated workqueue for cgroup destruction”) Signed-off-by: Filipe Brandenburger Signed-off-by: Hugh Dickins Reviewed-by: Tejun Heo Acked-by: Michal Hocko Cc: Johannes Weiner Cc: [v3.10+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 52e7d049fa89983fe97d39a67b788360cce36dea Author: Steve Capper Date: Tue Feb 25 11:38:53 2014 +0000 arm64: mm: Add double logical invert to pte accessors commit 84fe6826c28f69d8708bd575faed7f75e6b6f57f upstream. Page table entries on ARM64 are 64 bits, and some pte functions such as pte_dirty return a bitwise-and of a flag with the pte value. If the flag to be tested resides in the upper 32 bits of the pte, then we run into the danger of the result being dropped if downcast. For example: gather_stats(page, md, pte_dirty(*pte), 1); where pte_dirty(*pte) is downcast to an int. This patch adds a double logical invert to all the pte_ accessors to ensure predictable downcasting. Signed-off-by: Steve Capper [[email protected]: rebased patch to leave pte_write alone to allow for merge with 3.13 stable] Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit c6f538a871a86edca8e555aee2db07880b980eea Author: Nicholas Bellinger Date: Tue Jan 21 20:32:05 2014 -0800 bio-integrity: Fix bio_integrity_verify segment start bug commit 5837c80e870bc3b12ac6a98cdc9ce7a9522a8fb6 upstream. This patch addresses a bug in bio_integrity_verify() code that has been causing DIF READ verify operations to be silently skipped. The issue is that bio->bi_idx will have been incremented within bio_advance() code in the normal blk_update_request() -> req_bio_endio() completion path, and bio_integrity_verify() is using bio_for_each_segment() which starts the bio segment walk at the current bio->bi_idx. So instead use bio_for_each_segment_all() to always start the bio segment walk from zero, regardless of the current bio->bi_idx value after bio_advance() has been called. (Context change for v3.10.y -> v3.13.y code - nab) Cc: Martin K. Petersen Cc: Jens Axboe Cc: Christoph Hellwig Signed-off-by: Nicholas Bellinger Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit fb3fbceae217db1b059f7dc6ec2af40e5955fbfb Author: Qais Yousef Date: Mon Dec 9 09:49:45 2013 +0000 MIPS: include linux/types.h commit 87c99203fea897fbdd84b681ad9fced2517dcf98 upstream. The file uses u16 type but doesn’t include its definition explicitly I was getting this error when including this header in my driver: arch/mips/include/asm/mipsregs.h:644:33: error: unknown type name ‘u16’ Signed-off-by: Qais Yousef Reviewed-by: Steven J. Hill Acked-by: David Daney Signed-off-by: John Crispin Patchwork: http://patchwork.linux-mips.org/patch/6212/ Signed-off-by: Greg Kroah-Hartman commit 0cdd9e51c811d5bfba5e1a4067eea2ac02a2ce26 Author: Oleg Drokin Date: Fri Jan 31 15:41:58 2014 -0500 Fix mountpoint reference leakage in linkat commit d22e6338db7f613dd4f6095c190682fcc519e4b7 upstream. Recent changes to retry on ESTALE in linkat (commit 442e31ca5a49e398351b2954b51f578353fdf210) introduced a mountpoint reference leak and a small memory leak in case a filesystem link operation returns ESTALE which is pretty normal for distributed filesystems like lustre, nfs and so on. Free old_path in such a case. [AV: there was another missing path_put() nearby - on the previous goto retry] Signed-off-by: Oleg Drokin: Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit d40945b81872bf291585ce7dcbe23178ecaaa571 Author: Shuah Khan Date: Thu Feb 20 12:58:15 2014 -0700 regulator: core: Change dummy supplies error message to a warning commit acc3d5cec84f82ebea535fa0bd9500ac3df2aee9 upstream. Change “dummy supplies not allowed” error message to warning instead, as this is a just warning message with no change to the behavior. [Added a CC to stable since some other bug fixes cause this to come up more frequently on PCs which is how it was noticed – broonie] Signed-off-by: Shuah Khan Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e309995b4f9b6c437e80bf168c2638bfbbcd3aa6 Author: Roman Volkov Date: Fri Jan 24 16:18:11 2014 +0400 ALSA: oxygen: modify adjust_dg_dac_routing function commit 1f91ecc14deea9461aca93273d78871ec4d98fcd upstream. When selecting the audio output destinations (headphones, FP headphones, multichannel output), the channel routing should be changed depending on what destination selected. Also unnecessary I2S channels are digitally muted. This function called when the user selects the destination in the ALSA mixer. Signed-off-by: Roman Volkov Signed-off-by: Clemens Ladisch Signed-off-by: Greg Kroah-Hartman commit ef3d4124c55daf6d0c83da92577a5a8d9eb55b4f Author: Dirk Brandewie Date: Wed Feb 12 10:01:07 2014 -0800 intel_pstate: Add support for Baytrail turbo P states commit 61d8d2abc15e9232c3914c55502b73e559366583 upstream. A documentation update exposed the existance of the turbo ratio register. Update baytrail support to use the turbo range. Signed-off-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e08b9ad3bd45f09ab77b0d5974fe1f2ab2fea464 Author: Dirk Brandewie Date: Wed Dec 18 10:32:39 2013 -0800 intel_pstate: Add setting voltage value for baytrail P states. commit 007bea098b869945a462420a1f9d442ff169f722 upstream. Baytrail requires setting P state and voltage pairs when adjusting the requested P state. Add function for retrieving the valid voltage values and modify *_set_pstate() functions to caluclate the appropriate voltage for the requested P state. Signed-off-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 802610891c6421e3ea93c3d402891b93ebada52c Author: Gao feng Date: Fri Nov 1 19:34:45 2013 +0800 audit: don’t generate loginuid log when audit disabled commit c2412d91c68426e22add16550f97ae5cd988a159 upstream. If audit is disabled, we shouldn’t generate loginuid audit log. Acked-by: Eric Paris Signed-off-by: Gao feng Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris Signed-off-by: Greg Kroah-Hartman commit cc7d8e305d5291e1d783909c1e4363e07f503cf1 Author: Filipe David Borba Manana Date: Sat Feb 8 15:47:46 2014 +0000 Btrfs: fix data corruption when reading/updating compressed extents commit a2aa75e18a21b21952dc6daa9bac7c9f4426f81f upstream. When using a mix of compressed file extents and prealloc extents, it is possible to fill a page of a file with random, garbage data from some unrelated previous use of the page, instead of a sequence of zeroes. A simple sequence of steps to get into such case, taken from the test case I made for xfstests, is: _scratch_mkfs _scratch_mount "-o compress-force=lzo" $XFS_IO_PROG -f -c “pwrite -S 0x06 -b 18670 266978 18670” $SCRATCH_MNT/foobar $XFS_IO_PROG -c “falloc 26450 665194” $SCRATCH_MNT/foobar $XFS_IO_PROG -c “truncate 542872” $SCRATCH_MNT/foobar $XFS_IO_PROG -c “fsync” $SCRATCH_MNT/foobar This results in the following file items in the fs tree: item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160 inode generation 6 transid 6 size 542872 block group 0 mode 100600 item 5 key (257 INODE_REF 256) itemoff 15863 itemsize 16 inode ref index 2 namelen 6 name: foobar item 6 key (257 EXTENT_DATA 0) itemoff 15810 itemsize 53 extent data disk byte 0 nr 0 gen 6 extent data offset 0 nr 24576 ram 266240 extent compression 0 item 7 key (257 EXTENT_DATA 24576) itemoff 15757 itemsize 53 prealloc data disk byte 12849152 nr 241664 gen 6 prealloc data offset 0 nr 241664 item 8 key (257 EXTENT_DATA 266240) itemoff 15704 itemsize 53 extent data disk byte 12845056 nr 4096 gen 6 extent data offset 0 nr 20480 ram 20480 extent compression 2 item 9 key (257 EXTENT_DATA 286720) itemoff 15651 itemsize 53 prealloc data disk byte 13090816 nr 405504 gen 6 prealloc data offset 0 nr 258048 The on disk extent at offset 266240 (which corresponds to 1 single disk block), contains 5 compressed chunks of file data. Each of the first 4 compress 4096 bytes of file data, while the last one only compresses 3024 bytes of file data. Therefore a read into the file region [285648 ; 286720[ (length = 4096 - 3024 = 1072 bytes) should always return zeroes (our next extent is a prealloc one). The solution here is the compression code path to zero the remaining (untouched) bytes of the last page it uncompressed data into, as the information about how much space the file data consumes in the last page is not known in the upper layer fs/btrfs/extent_io.c:__do_readpage(). In __do_readpage we were correctly zeroing the remainder of the page but only if it corresponds to the last page of the inode and if the inode’s size is not a multiple of the page size. This would cause not only returning random data on reads, but also permanently storing random data when updating parts of the region that should be zeroed. For the example above, it means updating a single byte in the region [285648 ; 286720[ would store that byte correctly but also store random data on disk. A test case for xfstests follows soon. Signed-off-by: Filipe David Borba Manana Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit fc2345d56d07227350981e4528a9dc9ca7f1b570 Author: Filipe David Borba Manana Date: Fri Dec 20 15:17:46 2013 +0000 Btrfs: fix tree mod logging commit 5de865eebb8330eee19c37b31fb6f315a09d4273 upstream. While running the test btrfs/004 from xfstests in a loop, it failed about 1 time out of 20 runs in my desktop. The failure happened in the backref walking part of the test, and the test’s error message was like this: # btrfs/004 93s … [failed, exit status 1] - output mismatch (see /home/fdmanana/git/hub/xfstests_2/results//btrfs/004.out.bad) # — tests/btrfs/004.out 2013-11-26 18:25:29.263333714 +0000 # +++ /home/fdmanana/git/hub/xfstests_2/results//btrfs/004.out.bad 2013-12-10 15:25:10.327518516 +0000 # @@ -1,3 +1,8 @@ # QA output created by 004 # *** test backref walking # -*** done # +unexpected output from # + /home/fdmanana/git/hub/btrfs-progs/btrfs inspect-internal logical-resolve -P 141512704 /home/fdmanana/btrfs-tests/scratch_1 # +expected inum: 405, expected address: 454656, file: /home/fdmanana/btrfs-tests/scratch_1/snap1/p0/d6/d3d/d156/fce, got: # + … (Run ‘diff -u tests/btrfs/004.out /home/fdmanana/git/hub/xfstests_2/results//btrfs/004.out.bad’ to see the entire diff) Ran: btrfs/004 Failures: btrfs/004 Failed 1 of 1 tests But immediately after the test finished, the btrfs inspect-internal command returned the expected output: $ btrfs inspect-internal logical-resolve -P 141512704 /home/fdmanana/btrfs-tests/scratch_1 inode 405 offset 454656 root 258 inode 405 offset 454656 root 5 It turned out this was because the btrfs_search_old_slot() calls performed during backref walking (backref.c:__resolve_indirect_ref) were not finding anything. The reason for this turned out to be that the tree mod logging code was not logging some node multi-step operations atomically, therefore btrfs_search_old_slot() callers iterated often over an incomplete tree that wasn’t fully consistent with any tree state from the past. Besides missing items, this often (but not always) resulted in -EIO errors during old slot searches, reported in dmesg like this: [ 4299.933936] ------------[ cut here ]------------ [ 4299.933949] WARNING: CPU: 0 PID: 23190 at fs/btrfs/ctree.c:1343 btrfs_search_old_slot+0x57b/0xab0 [btrfs]() [ 4299.933950] Modules linked in: btrfs raid6_pq xor pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bnep rfcomm bluetooth parport_pc ppdev binfmt_misc joydev snd_hda_codec_h [ 4299.933977] CPU: 0 PID: 23190 Comm: btrfs Tainted: G W O 3.12.0-fdm-btrfs-next-16+ #70 [ 4299.933978] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Pro4, BIOS P1.50 09/04/2012 [ 4299.933979] 000000000000053f ffff8806f3fd98f8 ffffffff8176d284 0000000000000007 [ 4299.933982] 0000000000000000 ffff8806f3fd9938 ffffffff8104a81c ffff880659c64b70 [ 4299.933984] ffff880659c643d0 ffff8806599233d8 ffff880701e2e938 0000160000000000 [ 4299.933987] Call Trace: [ 4299.933991] [] dump_stack+0x55/0x76 [ 4299.933994] [] warn_slowpath_common+0x8c/0xc0 [ 4299.933997] [] warn_slowpath_null+0x1a/0x20 [ 4299.934003] [] btrfs_search_old_slot+0x57b/0xab0 [btrfs] [ 4299.934005] [] ? _raw_read_unlock+0x2b/0x50 [ 4299.934010] [] ? __tree_mod_log_search+0x81/0xc0 [btrfs] [ 4299.934019] [] __resolve_indirect_refs+0x130/0x5f0 [btrfs] [ 4299.934027] [] ? free_extent_buffer+0x61/0xc0 [btrfs] [ 4299.934034] [] find_parent_nodes+0x1fc/0xe40 [btrfs] [ 4299.934042] [] ? defrag_lookup_extent+0xe0/0xe0 [btrfs] [ 4299.934048] [] ? defrag_lookup_extent+0xe0/0xe0 [btrfs] [ 4299.934056] [] iterate_extent_inodes+0xe0/0x250 [btrfs] [ 4299.934058] [] ? _raw_spin_unlock+0x2b/0x50 [ 4299.934065] [] iterate_inodes_from_logical+0x92/0xb0 [btrfs] [ 4299.934071] [] ? defrag_lookup_extent+0xe0/0xe0 [btrfs] [ 4299.934078] [] btrfs_ioctl+0xf65/0x1f60 [btrfs] [ 4299.934080] [] ? handle_mm_fault+0x278/0xb00 [ 4299.934083] [] ? up_read+0x23/0x40 [ 4299.934085] [] ? __do_page_fault+0x20c/0x5a0 [ 4299.934088] [] do_vfs_ioctl+0x96/0x570 [ 4299.934090] [] ? error_sti+0x5/0x6 [ 4299.934093] [] ? trace_hardirqs_off_caller+0x28/0xd0 [ 4299.934096] [] ? retint_swapgs+0xe/0x13 [ 4299.934098] [] SyS_ioctl+0x91/0xb0 [ 4299.934100] [] ? trace_hardirqs_on_thunk+0x3a/0x3f [ 4299.934102] [] system_call_fastpath+0x16/0x1b [ 4299.934102] [] system_call_fastpath+0x16/0x1b [ 4299.934104] —[ end trace 48f0cfc902491414 ]— [ 4299.934378] btrfs bad fsid on block 0 These tree mod log operations that must be performed atomically, tree_mod_log_free_eb, tree_mod_log_eb_copy, tree_mod_log_insert_root and tree_mod_log_insert_move, used to be performed atomically before the following commit: c8cc6341653721b54760480b0d0d9b5f09b46741 (Btrfs: stop using GFP_ATOMIC for the tree mod log allocations) That change removed the atomicity of such operations. This patch restores the atomicity while still not doing the GFP_ATOMIC allocations of tree_mod_elem structures, so it has to do the allocations using GFP_NOFS before acquiring the mod log lock. This issue has been experienced by several users recently, such as for example: http://www.spinics.net/lists/linux-btrfs/msg28574.html After running the btrfs/004 test for 679 consecutive iterations with this patch applied, I didn’t ran into the issue anymore. Signed-off-by: Filipe David Borba Manana Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 6ad309b513674283c160fb8d2d3dd61524053442 Author: Filipe David Borba Manana Date: Thu Dec 12 19:19:52 2013 +0000 Btrfs: return immediately if tree log mod is not necessary commit 783577663507411e36e459390ef056556e93ef29 upstream. In ctree.c:tree_mod_log_set_node_key() we were calling __tree_mod_log_insert_key() even when the modification doesn’t need to be logged. This would allocate a tree_mod_elem structure, fill it and pass it to __tree_mod_log_insert(), which would just acquire the tree mod log write lock and then free the tree_mod_elem structure and return (that is, a no-op). Therefore call tree_mod_log_insert() instead of __tree_mod_log_insert() which just returns immediately if the modification doesn’t need to be logged (without allocating the structure, fill it, acquire write lock, free structure). Signed-off-by: Filipe David Borba Manana Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 2b7abdff8b5e7d5e1636a7da1c94fcd40282b928 Author: Suresh Siddha Date: Sun Feb 2 22:56:23 2014 -0800 x86, fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU commit 731bd6a93a6e9172094a2322bd0ee964bb1f4d63 upstream. For non-eager fpu mode, thread’s fpu state is allocated during the first fpu usage (in the context of device not available exception). This (math_state_restore()) can be a blocking call and hence we enable interrupts (which were originally disabled when the exception happened), allocate memory and disable interrupts etc. But the eager-fpu mode, call’s the same math_state_restore() from kernel_fpu_end(). The assumption being that tsk_used_math() is always set for the eager-fpu mode and thus avoid the code path of enabling interrupts, allocating fpu state using blocking call and disable interrupts etc. But the below issue was noticed by Maarten Baert, Nate Eldredge and few others: If a user process dumps core on an ecrypt fs while aesni-intel is loaded, we get a BUG() in __find_get_block() complaining that it was called with interrupts disabled; then all further accesses to our ecrypt fs hang and we have to reboot. The aesni-intel code (encrypting the core file that we are writing) needs the FPU and quite properly wraps its code in kernel_fpu_{begin,end}(), the latter of which calls math_state_restore(). So after kernel_fpu_end(), interrupts may be disabled, which nobody seems to expect, and they stay that way until we eventually get to __find_get_block() which barfs. For eager fpu, most the time, tsk_used_math() is true. At few instances during thread exit, signal return handling etc, tsk_used_math() might be false. In kernel_fpu_end(), for eager-fpu, call math_state_restore() only if tsk_used_math() is set. Otherwise, don’t bother. Kernel code path which cleared tsk_used_math() knows what needs to be done with the fpu state. Reported-by: Maarten Baert Reported-by: Nate Eldredge Suggested-by: Linus Torvalds Signed-off-by: Suresh Siddha Link: http://lkml.kernel.org/r/1391410583.3801.6.camel@europa Cc: George Spelvin Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 3d61f12b8e8dd832d4b349cfa14bce5ad9572970 Author: Ales Novak Date: Thu Feb 27 11:03:30 2014 +0100 SCSI: storvsc: NULL pointer dereference fix commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream. If the initialization of storvsc fails, the storvsc_device_destroy() causes NULL pointer dereference. storvsc_bus_scan() scsi_scan_target() __scsi_scan_target() scsi_probe_and_add_lun(hostdata=NULL) scsi_alloc_sdev(hostdata=NULL) sdev->hostdata = hostdata now the host allocation fails __scsi_remove_device(sdev) calls sdev->host->hostt->slave_destroy() == storvsc_device_destroy(sdev) access of sdev->hostdata->request_mempool Signed-off-by: Ales Novak Signed-off-by: Thomas Abraham Reviewed-by: Jiri Kosina Acked-by: K. Y. Srinivasan Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit f2071913aa710c75cc7ec9c69398bc1d915f488f Author: Chad Dupuis Date: Wed Feb 26 04:15:14 2014 -0500 SCSI: qla2xxx: Fix multiqueue MSI-X registration. commit f324777ea88bab2522602671e46fc0851d7d5e35 upstream. This fixes requesting of the MSI-X vectors for the base response queue. The iteration in the for loop in qla24xx_enable_msix() was incorrect. We should only iterate of the first two MSI-X vectors and not the total number of MSI-X vectors that have given to the driver for this device from pci_enable_msix() in this function. Signed-off-by: Chad Dupuis Signed-off-by: Saurav Kashyap Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3af42a333ed02c55f31a5fb61b87eb5a9e6ff9a5 Author: Giridhar Malavali Date: Wed Feb 26 04:15:12 2014 -0500 SCSI: qla2xxx: Poll during initialization for ISP25xx and ISP83xx commit b77ed25c9f8402e8b3e49e220edb4ef09ecfbb53 upstream. Signed-off-by: Giridhar Malavali Signed-off-by: Saurav Kashyap Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit b7394ca880dd95972878595042f451effcda2dcf Author: Lukasz Dorau Date: Thu Feb 6 12:23:20 2014 -0800 SCSI: isci: correct erroneous for_each_isci_host macro commit c59053a23d586675c25d789a7494adfdc02fba57 upstream. In the first place, the loop ‘for’ in the macro ‘for_each_isci_host’ (drivers/scsi/isci/host.h:314) is incorrect, because it accesses the 3rd element of 2 element array. After the 2nd iteration it executes the instruction: ihost = to_pci_info(pdev)->hosts[2] (while the size of the ‘hosts’ array equals 2) and reads an out of range element. In the second place, this loop is incorrectly optimized by GCC v4.8 (see http://marc.info/?l=linux-kernel&m=138998871911336&w=2). As a result, on platforms with two SCU controllers, the loop is executed more times than it can be (for i=0,1 and 2). It causes kernel panic during entering the S3 state and the following oops after 'rmmod isci’: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] __list_add+0x1b/0xc0 Oops: 0000 [#1] SMP RIP: 0010:[] [] __list_add+0x1b/0xc0 Call Trace: [] __mutex_lock_slowpath+0x114/0x1b0 [] mutex_lock+0x1f/0x30 [] sas_disable_events+0x1b/0x50 [libsas] [] sas_unregister_ha+0x18/0x60 [libsas] [] isci_unregister+0x1e/0x40 [isci] [] isci_pci_remove+0x5d/0x100 [isci] [] pci_device_remove+0x3b/0xb0 [] __device_release_driver+0x7f/0xf0 [] driver_detach+0xa8/0xb0 [] bus_remove_driver+0x9b/0x120 [] driver_unregister+0x2c/0x50 [] pci_unregister_driver+0x23/0x80 [] isci_exit+0x10/0x1e [isci] [] SyS_delete_module+0x16b/0x2d0 [] ? do_notify_resume+0x61/0xa0 [] system_call_fastpath+0x16/0x1b The loop has been corrected. This patch fixes kernel panic during entering the S3 state and the above oops. Signed-off-by: Lukasz Dorau Reviewed-by: Maciej Patelczyk Tested-by: Lukasz Dorau Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 25f6f7436d834f0973d9fcb507143abbecdd0208 Author: Dan Williams Date: Thu Feb 6 12:23:01 2014 -0800 SCSI: isci: fix reset timeout handling commit ddfadd7736b677de2d4ca2cd5b4b655368c85a7a upstream. Remove an erroneous BUG_ON() in the case of a hard reset timeout. The reset timeout handler puts the port into the “awaiting link-up” state. The timeout causes the device to be disconnected and we need to be in the awaiting link-up state to re-connect the port. The BUG_ON() made the incorrect assumption that resets never timeout and we always complete the reset in the “resetting” state. Testing this patch also uncovered that libata continues to attempt to reset the port long after the driver has torn down the context. Once the driver has committed to abandoning the link it must indicate to libata that recovery ends by returning -ENODEV from ->lldd_I_T_nexus_reset(). Acked-by: Lukasz Dorau Reported-by: David Milburn Reported-by: Xun Ni Tested-by: Xun Ni Signed-off-by: Dan Williams Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit a0141cd4fb371f151f51f6b4981889b976e2d6a8 Author: Marc Kleine-Budde Date: Fri Feb 28 20:48:36 2014 +0100 can: flexcan: flexcan_remove(): add missing netif_napi_del() commit d96e43e8fce28cf97df576a07af9d65657a41a6f upstream. This patch adds the missing netif_napi_del() to the flexcan_remove() function. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 7ffe79135857463d8945c16952c8d8a34960d0fa Author: Marc Kleine-Budde Date: Fri Feb 28 17:18:27 2014 +0100 can: flexcan: factor out transceiver {en,dis}able into seperate functions commit f003698e23f6f56a791774f14d0ac35d04872490 upstream. This patch moves the transceiver enable and disable into seperate functions, where the NULL pointer check is hidden. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 6754f4b6cf48c0d67c21cc7a03cf29b2067d63b3 Author: Marc Kleine-Budde Date: Fri Feb 28 15:30:18 2014 +0100 can: flexcan: fix transition from and to low power mode in chip_{en,dis}able commit 9b00b300e7bce032c467c36ca47fe2a776887fc2 upstream. In flexcan_chip_enable() and flexcan_chip_disable() fixed delays are used. Experiments have shown that the transition from and to low power mode may take several microseconds. This patch adds a while loop which polls the Low Power Mode ACK bit (LPM_ACK) that indicates a successfull mode change. If the function runs into a timeout a error value is returned. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 2f264c30e4663b93717501391eb218a33ec57ed8 Author: Marc Kleine-Budde Date: Fri Feb 28 14:52:01 2014 +0100 can: flexcan: flexcan_open(): fix error path if flexcan_chip_start() fails commit 7e9e148af01ef388efb6e2490805970be4622792 upstream. If flexcan_chip_start() in flexcan_open() fails, the interrupt is not freed, this patch adds the missing cleanup. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 76c32c08c7449cb471cb6d0e2f67d3c9b06f9cad Author: Marc Kleine-Budde Date: Wed Feb 19 12:00:51 2014 +0100 can: flexcan: fix shutdown: first disable chip, then all interrupts commit 5be93bdda64e85450598c6e97f79fb8f6acf30e0 upstream. When shutting down the CAN interface (ifconfig canX down) during high CAN bus loads, the CAN core might hang and freeze the whole CPU. This patch fixes the shutdown sequence by first disabling the CAN core then disabling all interrupts. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 5332f853b4a8d387e4d10c37f7ccce86f49dca38 Author: Anton Blanchard Date: Wed Mar 5 14:29:58 2014 +1100 net: unix socket code abuses csum_partial commit 0a13404dd3bf4ea870e3d96270b5a382edca85c0 upstream. The unix socket code is using the result of csum_partial to hash into a lookup table: unix_hash_fold(csum_partial(sunaddr, len, 0)); csum_partial is only guaranteed to produce something that can be folded into a checksum, as its prototype explains: * returns a 32-bit number suitable for feeding into itself * or csum_tcpudp_magic The 32bit value should not be used directly. Depending on the alignment, the ppc64 csum_partial will return different 32bit partial checksums that will fold into the same 16bit checksum. This difference causes the following testcase (courtesy of Gustavo) to sometimes fail: #include #include int main() { int fd = socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0); int i = 1; setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &i, 4); struct sockaddr addr; addr.sa_family = AF_LOCAL; bind(fd, &addr, 2); listen(fd, 128); struct sockaddr_storage ss; socklen_t sslen = (socklen_t)sizeof(ss); getsockname(fd, (struct sockaddr*)&ss, &sslen); fd = socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0); if (connect(fd, (struct sockaddr*)&ss, sslen) == -1){ perror(NULL); return 1; } printf(“OK\n”); return 0; } As suggested by davem, fix this by using csum_fold to fold the partial 32bit checksum into a 16bit checksum before using it. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8b553836b01bd52723dde76f2b80e5a76683cbfb Author: Heinz Mauelshagen Date: Wed Mar 12 16:13:39 2014 +0100 dm cache: fix access beyond end of origin device commit e893fba90c09f9b57fb97daae204ea9cc2c52fa5 upstream. In order to avoid wasting cache space a partial block at the end of the origin device is not cached. Unfortunately, the check for such a partial block at the end of the origin device was flawed. Fix accesses beyond the end of the origin device that occured due to attempted promotion of an undetected partial block by: - initializing the per bio data struct to allow cache_end_io to work properly - recognizing access to the partial block at the end of the origin device - avoiding out of bounds access to the discard bitset Otherwise, users can experience errors like the following: attempt to access beyond end of device dm-5: rw=0, want=20971520, limit=20971456 … device-mapper: cache: promotion failed; couldn’t copy block Signed-off-by: Heinz Mauelshagen Acked-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 29344f5af8f0fb1c226dc7281ee710ee4ca4bec6 Author: Heinz Mauelshagen Date: Wed Mar 12 00:40:05 2014 +0100 dm cache: fix truncation bug when copying a block to/from >2TB fast device commit 8b9d96666529a979acf4825391efcc7c8a3e9f12 upstream. During demotion or promotion to a cache’s >2TB fast device we must not truncate the cache block’s associated sector to 32bits. The 32bit temporary result of from_cblock() caused a 32bit multiplication when calculating the sector of the fast device in issue_copy_real(). Use an intermediate 64bit type to store the 32bit from_cblock() to allow for proper 64bit multiplication. Here is an example of how this bug manifests on an ext4 filesystem: EXT4-fs error (device dm-0): ext4_mb_generate_buddy:756: group 17136, 32768 clusters in bitmap, 30688 in gd; block bitmap corrupt. JBD2: Spotted dirty metadata buffer (dev = dm-0, blocknr = 0). There’s a risk of filesystem corruption in case of system crash. Signed-off-by: Heinz Mauelshagen Acked-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 3c47ea5b587d5bb1d63657e0eb34f6fd1e7b0e15 Author: Joe Thornber Date: Fri Mar 7 14:57:19 2014 +0000 dm space map metadata: fix refcount decrement below 0 which caused corruption commit cebc2de44d3bce53e46476e774126c298ca2c8a9 upstream. This has been a relatively long-standing issue that wasn’t nailed down until Teng-Feng Yang’s meticulous bug report to dm-devel on 3/7/2014, see: http://www.redhat.com/archives/dm-devel/2014-March/msg00021.html From that report: “When decreasing the reference count of a metadata block with its reference count equals 3, we will call dm_btree_remove() to remove this enrty from the B+tree which keeps the reference count info in metadata device. The B+tree will try to rebalance the entry of the child nodes in each node it traversed, and the rebalance process contains the following steps. (1) Finding the corresponding children in current node (shadow_current(s)) (2) Shadow the children block (issue BOP_INC) (3) redistribute keys among children, and free children if necessary (issue BOP_DEC) Since the update of a metadata block’s reference count could be recursive, we will stash these reference count update operations in smm->uncommitted and then process them in a FILO fashion. The problem is that step(3) could free the children which is created in step(2), so the BOP_DEC issued in step(3) will be carried out before the BOP_INC issued in step(2) since these BOPs will be processed in FILO fashion. Once the BOP_DEC from step(3) tries to decrease the reference count of newly shadow block, it will report failure for its reference equals 0 before decreasing. It looks like we can solve this issue by processing these BOPs in a FIFO fashion instead of FILO.” Commit 5b564d80 (“dm space map: disallow decrementing a reference count below zero”) changed the code to report an error for this temporary refcount decrement below zero. So what was previously a harmless invalid refcount became a hard failure due to the new error path: device-mapper: space map common: unable to decrement a reference count below 0 device-mapper: thin: 253:6: dm_thin_insert_block() failed: error = -22 device-mapper: thin: 253:6: switching pool to read-only mode This bug is in dm persistent-data code that is common to the DM thin and cache targets. So any users of those targets should apply this fix. Fix this by applying recursive space map operations in FIFO order rather than FILO. Resolves: https://bugzilla.kernel.org/show_bug.cgi?id=68801 Reported-by: Apollon Oikonomopoulos Reported-by: [email protected] Reported-by: Teng-Feng Yang Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit a1bd0d7be94bdc6f63cedc337ab566757b10ffa7 Author: Heinz Mauelshagen Date: Fri Feb 28 12:02:56 2014 -0500 dm cache mq: fix memory allocation failure for large cache devices commit 14f398ca2f26a2ed6236aec54395e0fa06ec8a82 upstream. The memory allocated for the multiqueue policy’s hash table doesn’t need to be physically contiguous. Use vzalloc() instead of kzalloc(). Fedora has been carrying this fix since 10/10/2013. Failure seen during creation of a 10TB cached device with a 2048 sector block size and 411GB cache size: dmsetup: page allocation failure: order:9, mode:0x10c0d0 CPU: 11 PID: 29235 Comm: dmsetup Not tainted 3.10.4 #3 Hardware name: Supermicro X8DTL/X8DTL, BIOS 2.1a 12/30/2011 000000000010c0d0 ffff880090941898 ffffffff81387ab4 ffff880090941928 ffffffff810bb26f 0000000000000009 000000000010c0d0 ffff880090941928 ffffffff81385dbc ffffffff815f3840 ffffffff00000000 000002000010c0d0 Call Trace: [] dump_stack+0x19/0x1b [] warn_alloc_failed+0x110/0x124 [] ? __alloc_pages_direct_compact+0x17c/0x18e [] __alloc_pages_nodemask+0x6c7/0x75e [] __get_free_pages+0x12/0x3f [] kmalloc_order_trace+0x29/0x88 [] __kmalloc+0x36/0x11b [] ? mq_create+0x1dc/0x2cf [dm_cache_mq] [] mq_create+0x2af/0x2cf [dm_cache_mq] [] dm_cache_policy_create+0xa7/0xd2 [dm_cache] [] ? cache_ctr+0x245/0xa13 [dm_cache] [] cache_ctr+0x353/0xa13 [dm_cache] [] dm_table_add_target+0x227/0x2ce [dm_mod] [] table_load+0x286/0x2ac [dm_mod] [] ? dev_wait+0x8a/0x8a [dm_mod] [] ctl_ioctl+0x39a/0x3c2 [dm_mod] [] dm_ctl_ioctl+0xe/0x12 [dm_mod] [] vfs_ioctl+0x21/0x34 [] do_vfs_ioctl+0x3b1/0x3f4 [] ? ____fput+0x9/0xb [] ? task_work_run+0x7e/0x92 [] SyS_ioctl+0x52/0x82 [] system_call_fastpath+0x16/0x1b Signed-off-by: Heinz Mauelshagen Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 088e8c54fafdf0f5046cb512819c3bbc64e5f9c6 Author: Laura Abbott Date: Mon Mar 10 15:49:44 2014 -0700 mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block commit 2af120bc040c5ebcda156df6be6a66610ab6957f upstream. We received several reports of bad page state when freeing CMA pages previously allocated with alloc_contig_range: BUG: Bad page state in process Binder_A pfn:63202 page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf page flags: 0x40080068(uptodate|lru|active|swapbacked) Based on the page state, it looks like the page was still in use. The page flags do not make sense for the use case though. Further debugging showed that despite alloc_contig_range returning success, at least one page in the range still remained in the buddy allocator. There is an issue with isolate_freepages_block. In strict mode (which CMA uses), if any pages in the range cannot be isolated, isolate_freepages_block should return failure 0. The current check keeps track of the total number of isolated pages and compares against the size of the range: if (strict && nr_strict_required > total_isolated) total_isolated = 0; After taking the zone lock, if one of the pages in the range is not in the buddy allocator, we continue through the loop and do not increment total_isolated. If in the last iteration of the loop we isolate more than one page (e.g. last page needed is a higher order page), the check for total_isolated may pass and we fail to detect that a page was skipped. The fix is to bail out if the loop immediately if we are in strict mode. There’s no benfit to continuing anyway since we need all pages to be isolated. Additionally, drop the error checking based on nr_strict_required and just check the pfn ranges. This matches with what isolate_freepages_range does. Signed-off-by: Laura Abbott Acked-by: Minchan Kim Cc: Mel Gorman Acked-by: Vlastimil Babka Cc: Joonsoo Kim Acked-by: Bartlomiej Zolnierkiewicz Acked-by: Michal Nazarewicz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ba11e06eaa7370d29f242d75f90db60f9bc4828f Author: Arnd Bergmann Date: Thu Mar 13 10:44:34 2014 +0100 vmxnet3: fix building without CONFIG_PCI_MSI commit 0a8d8c446b5429d15ff2d48f46e00d8a08552303 upstream. Since commit d25f06ea466e "vmxnet3: fix netpoll race condition", the vmxnet3 driver fails to build when CONFIG_PCI_MSI is disabled, because it unconditionally references the vmxnet3_msix_rx() function. To fix this, use the same #ifdef in the caller that exists around the function definition. Signed-off-by: Arnd Bergmann Cc: Neil Horman Cc: Shreyas Bhatewara Cc: “VMware, Inc.” Cc: “David S. Miller” Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aa83c983cd4b40c47262c5c7dd1785c627b95364 Author: Neil Horman Date: Mon Mar 10 06:55:55 2014 -0400 vmxnet3: fix netpoll race condition commit d25f06ea466ea521b563b76661180b4e44714ae6 upstream. vmxnet3’s netpoll driver is incorrectly coded. It directly calls vmxnet3_do_poll, which is the driver internal napi poll routine. As the netpoll controller method doesn’t block real napi polls in any way, there is a potential for race conditions in which the netpoll controller method and the napi poll method run concurrently. The result is data corruption causing panics such as this one recently observed: PID: 1371 TASK: ffff88023762caa0 CPU: 1 COMMAND: “rs:main Q:Reg” #0 [ffff88023abd5780] machine_kexec at ffffffff81038f3b #1 [ffff88023abd57e0] crash_kexec at ffffffff810c5d92 #2 [ffff88023abd58b0] oops_end at ffffffff8152b570 #3 [ffff88023abd58e0] die at ffffffff81010e0b #4 [ffff88023abd5910] do_trap at ffffffff8152add4 #5 [ffff88023abd5970] do_invalid_op at ffffffff8100cf95 #6 [ffff88023abd5a10] invalid_op at ffffffff8100bf9b [exception RIP: vmxnet3_rq_rx_complete+1968] RIP: ffffffffa00f1e80 RSP: ffff88023abd5ac8 RFLAGS: 00010086 RAX: 0000000000000000 RBX: ffff88023b5dcee0 RCX: 00000000000000c0 RDX: 0000000000000000 RSI: 00000000000005f2 RDI: ffff88023b5dcee0 RBP: ffff88023abd5b48 R8: 0000000000000000 R9: ffff88023a3b6048 R10: 0000000000000000 R11: 0000000000000002 R12: ffff8802398d4cd8 R13: ffff88023af35140 R14: ffff88023b60c890 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffff88023abd5b50] vmxnet3_do_poll at ffffffffa00f204a [vmxnet3] #8 [ffff88023abd5b80] vmxnet3_netpoll at ffffffffa00f209c [vmxnet3] #9 [ffff88023abd5ba0] netpoll_poll_dev at ffffffff81472bb7 The fix is to do as other drivers do, and have the poll controller call the top half interrupt handler, which schedules a napi poll properly to recieve frames Tested by myself, successfully. Signed-off-by: Neil Horman CC: Shreyas Bhatewara CC: “VMware, Inc.” CC: “David S. Miller” Reviewed-by: Shreyas N Bhatewara Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bb7048ea362773c2b53ee410a69ff60a029c71ef Author: Bjorn Helgaas Date: Tue Mar 11 14:22:19 2014 -0600 PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled commit 3cdeb713dc66057b50682048c151eae07b186c42 upstream. Andreas reported that after 1f42db786b14 (“PCI: Enable INTx if BIOS left them disabled”), pciehp surprise removal stopped working. This happens because pci_reenable_device() on the hotplug bridge (used in the pciehp_configure_device() path) clears the Interrupt Disable bit, which apparently breaks the bridge’s MSI hotplug event reporting. Previously we cleared the Interrupt Disable bit in do_pci_enable_device(), which is used by both pci_enable_device() and pci_reenable_device(). But we use pci_reenable_device() after the driver may have enabled MSI or MSI-X, and we *set* Interrupt Disable as part of enabling MSI/MSI-X. This patch clears Interrupt Disable only when MSI/MSI-X has not been enabled. Fixes: 1f42db786b14 PCI: Enable INTx if BIOS left them disabled Link: https://bugzilla.kernel.org/show_bug.cgi?id=71691 Reported-and-tested-by: Andreas Noever Signed-off-by: Bjorn Helgaas CC: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 9fddfa0369b13c56045738cffb90a28d48e44f23 Author: Anton Blanchard Date: Wed Mar 5 14:51:37 2014 +1100 ibmveth: Fix endian issues with MAC addresses commit d746ca9561440685edb62614d1bcbbc27ff50e66 upstream. The code to load a MAC address into a u64 for passing to the hypervisor via a register is broken on little endian. Create a helper function called ibmveth_encode_mac_addr which does the right thing in both big and little endian. We were storing the MAC address in a long in struct ibmveth_adapter. It’s never used so remove it - we don’t need another place in the driver where we create endian issues with MAC addresses. Signed-off-by: Anton Blanchard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ccec079c02f3a264647d7c17faebb551071d727f Author: Radim Krčmář Date: Tue Mar 11 19:11:18 2014 +0100 KVM: SVM: fix cr8 intercept window commit 596f3142d2b7be307a1652d59e7b93adab918437 upstream. We always disable cr8 intercept in its handler, but only re-enable it if handling KVM_REQ_EVENT, so there can be a window where we do not intercept cr8 writes, which allows an interrupt to disrupt a higher priority task. Fix this by disabling intercepts in the same function that re-enables them when needed. This fixes BSOD in Windows 2008. Signed-off-by: Radim Krčmář Reviewed-by: Marcelo Tosatti Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9fe28cdec6fecfd8c8b69f068dc20c3f8439d275 Author: Michael Kerrisk Date: Mon Mar 10 14:46:07 2014 +0100 ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation commit 4f87dac386cc43d5525da7a939d4b4e7edbea22c upstream. While testing and documenting the msgrcv() MSG_COPY flag that Stanislav Kinsbursky added in commit 4a674f34ba04 (“ipc: introduce message queue copy feature” => kernel 3.8), I discovered a couple of bugs in the implementation. The two bugs concern MSG_COPY interactions with other msgrcv() flags, namely: (A) MSG_COPY + MSG_EXCEPT (B) MSG_COPY + !IPC_NOWAIT The bugs are distinct (and the fix for the first one is obvious), however my fix for both is a single-line patch, which is why I’m combining them in a single mail, rather than writing two mails+patches. ===== (A) MSG_COPY + MSG_EXCEPT ===== With the addition of the MSG_COPY flag, there are now two msgrcv() flags–MSG_COPY and MSG_EXCEPT–that modify the meaning of the ‘msgtyp’ argument in unrelated ways. Specifying both in the same call is a logical error that is currently permitted, with the effect that MSG_COPY has priority and MSG_EXCEPT is ignored. The call should give an error if both flags are specified. The patch below implements that behavior. ===== (B) (B) MSG_COPY + !IPC_NOWAIT ===== The test code that was submitted in commit 3a665531a3b7 (“selftests: IPC message queue copy feature test”) shows MSG_COPY being used in conjunction with IPC_NOWAIT. In other words, if there is no message at the position 'msgtyp’. return immediately with the error in ENOMSG. What was not (fully) tested is the behavior if MSG_COPY is specified *without* IPC_NOWAIT, and there is an odd behavior. If the queue contains less than ‘msgtyp’ messages, then the call blocks until the next message is written to the queue. At that point, the msgrcv() call returns a copy of the newly added message, regardless of whether that message is at the ordinal position 'msgtyp’. This is clearly bogus, and problematic for applications that might want to make use of the MSG_COPY flag. I considered the following possible solutions to this problem: (1) Force the call to block until a message *does* appear at the position ‘msgtyp’. (2) If the MSG_COPY flag is specified, the kernel should implicitly add IPC_NOWAIT, so that the call fails with ENOMSG for this case. (3) If the MSG_COPY flag is specified, but IPC_NOWAIT is not, generate an error (probably, EINVAL is the right one). I do not know if any application would really want to have the functionality of solution (1), especially since an application can determine in advance the number of messages in the queue using msgctl() IPC_STAT. Obviously, this solution would be the most work to implement. Solution (2) would have the effect of silently fixing any applications that tried to employ broken behavior. However, it would mean that if we later decided to implement solution (1), then user-space could not easily detect what the kernel supports (but, since I’m somewhat doubtful that solution (1) is needed, I’m not sure that this is much of a problem). Solution (3) would have the effect of informing broken applications that they are doing something broken. The downside is that this would cause a ABI breakage for any applications that are currently employing the broken behavior. However: a) Those applications are almost certainly not getting the results they expect. b) Possibly, those applications don’t even exist, because MSG_COPY is currently hidden behind CONFIG_CHECKPOINT_RESTORE. The upside of solution (3) is that if we later decided to implement solution (1), user-space could determine what the kernel supports, via the error return. In my view, solution (3) is mildly preferable to solution (2), and solution (1) could still be done later if anyone really cares. The patch below implements solution (3). PS. For anyone out there still listening, it’s the usual story: documenting an API (and the thinking about, and the testing of the API, that documentation entails) is the one of the single best ways of finding bugs in the API, as I’ve learned from a lot of experience. Best to do that documentation before releasing the API. Signed-off-by: Michael Kerrisk Acked-by: Stanislav Kinsbursky Cc: Stanislav Kinsbursky Cc: Serge Hallyn Cc: “Eric W. Biederman” Cc: Pavel Emelyanov Cc: Al Viro Cc: KOSAKI Motohiro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ab9ca373d9a5eff5231d52b6005ab7daf3d9238a Author: Richard Weinberger Date: Sun Feb 9 19:47:40 2014 +0100 i2c: Remove usage of orphaned symbol OF_I2C commit 62c19c9d29e65086e5ae76df371ed2e6b23f00cd upstream. The symbol is an orphan, don’t depend on it anymore. Signed-off-by: Richard Weinberger [wsa: enhanced commit message] Signed-off-by: Wolfram Sang Fixes: 687b81d083c0 (i2c: move OF helpers into the core) Signed-off-by: Greg Kroah-Hartman commit fb602e95e563a12c3ac9f9edabde66cdf474e912 Author: Lars-Peter Clausen Date: Tue Mar 4 09:41:53 2014 +0100 ASoC: si476x: Fix IO setup commit 58d4d3c976b33784a1443c446a3d7203bf2153f0 upstream. The si476x is a MFD device and the CODEC driver is using the regmap struct of the parent device, hence automatic IO setup will not work and we need to manually call snd_soc_codec_set_cache_io(). The issue was introduced commit d6173df35f (“ASoC: si476x: Remove custom register I/O implementation”) Fixes: d6173df35f (“ASoC: si476x: Remove custom register I/O implementation”) Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3f12d79dcc4b87e94c39946746baa0bad4ac6eea Author: Lars-Peter Clausen Date: Tue Mar 4 09:39:24 2014 +0100 ASoC: 88pm860: Fix IO setup commit 8eeb5c15131d7b5061c10423eda3ae4c68db4eaf upstream. The 88pm860 is a MFD device and the CODEC driver is using the regmap struct of the parent device, hence automatic IO setup will not work and we need to manually call snd_soc_codec_set_cache_io(). The issue was introduced in commit f9ded3b2e7 (“ASoC: 88pm860x: Use regmap for I/O”). Fixes: f9ded3b2e7 (“ASoC: 88pm860x: Use regmap for I/O”). Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6a5037f637e627faf9926dbb8d9005fc92ed0eb0 Author: Alex Deucher Date: Tue Feb 18 10:14:46 2014 -0500 drm/radeon/si: fix typo in dpm sq ramping setup commit 5b43c3cd07981619dbdb1fb935ef705a3e80955f upstream. inverted logic. Noticed-by: Sylvain BERTRAND Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit de23568cfa97c6a8579d5fda880ca633899ec4fd Author: Alex Deucher Date: Fri Jan 17 12:34:55 2014 -0500 drm/radeon: fix minor typos in si_dpm.c commit 407b6dfd9afa30cf963fa99bca91870e47965612 upstream. Copy/paste typos from the ni code. Should not have any functional change. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 086bd4083cf4d89b95489e28af1d3aa3e3a616b8 Author: Alex Deucher Date: Wed Mar 12 16:20:44 2014 -0400 drm/radeon/cik: properly set compute ring status on disable commit b2b3d8d952e4f8d6ac2ce80be96b937f29f6e42e upstream. When we disable the rings, set the status properly. If not other code pathes may try and use the rings which are not functional at this point. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit a69937b3f46798f9323196ad0f7b82d312103360 Author: Alex Deucher Date: Wed Mar 12 15:26:34 2014 -0400 drm/radeon/cik: stop the sdma engines in the enable() function commit 07ae78c9798b79bad3d3adf983c94ba23fde54d4 upstream. We always stop the rings when disabling the engines so just call the stop functions directly from the sdma enable function. This way the rings’ status is set correctly on suspend so there are no problems on resume. Fixes resume failures that result in acceleration getting disabled. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit dc146a47ae549b0ff292237e2aac1bba50bde194 Author: Alex Deucher Date: Wed Mar 12 15:15:58 2014 -0400 drm/radeon/cik: properly set sdma ring status on disable commit 7b1bbe883b3ed962ca2be4daf321f318f5091340 upstream. When we disable the rings, set the status properly. If not other code pathes may try and use the rings which are not functional at this point. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 40ce0b720fb87f6225267bff665f557f0643c3dd Author: Alex Deucher Date: Tue Mar 11 15:02:30 2014 -0400 drm/radeon: fix runpm disabling on non-PX harder commit 7848865914c6a63ead674f0f5604b77df7d3874f upstream. Make sure runtime pm is disabled on non-PX hardware. Should fix powerdown problems without displays attached. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b39146461f8ea158fe407455467b25b3be09d84e Author: Alex Deucher Date: Wed Dec 18 19:11:27 2013 -0500 drm/radeon: re-order firmware loading in preparation for dpm rework commit 01ac8794a77192236a4b91c33adf4177ac5a21f0 upstream. We need to reorder the driver init sequence to better accomodate dpm which needs to be loaded earlier in the init sequence. Move fw init up so that it’s available for dpm init. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit e3ea8fa6beaf55fee64bf816f3b8a80ad733b2c2 Author: Ville Syrjälä Date: Mon Mar 3 11:33:36 2014 +0200 drm/i915: Reject >165MHz modes w/ DVI monitors commit 6375b768a9850b6154478993e5fb566fa4614a9c upstream. Single-link DVI max dotclock is 165MHz. Filter out modes with higher dotclock when the monitor doesn’t support HDMI. Modes higher than 165 MHz were allowed in commit 7d148ef51a657fd04036c3ed7803da600dd0d451 Author: Daniel Vetter Date: Mon Jul 22 18:02:39 2013 +0200 drm/i915: fix hdmi portclock limits Also don’t attempt to use 12bpc mode with DVI monitors. Cc: Adam Nielsen Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=75345 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=70331 Tested-by: Ralf Jung Signed-off-by: Ville Syrjälä Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 6dffe0c3f7f100a14dff8e3ecd489ca8769e21f8 Author: Imre Deak Date: Fri Feb 14 20:23:54 2014 +0200 drm/i915: fix pch pci device enumeration commit bcdb72ac7c00d2b56359fc82bcc8fe50454717d5 upstream. pci_get_class(class, from) drops the refcount for 'from’, so the extra pci_dev_put we do on it will result in a use after free bug starting with the WARN below. Regression introduced in commit 6a9c4b35e6696a63805b6da5e4889c6986e9ee1b Author: Rui Guo Date: Wed Jun 19 21:10:23 2013 +0800 drm/i915: Fix PCH detect with multiple ISA bridges in VM [ 164.338460] WARNING: CPU: 1 PID: 2094 at include/linux/kref.h:47 klist_next+0xae/0x110() [ 164.347731] CPU: 1 PID: 2094 Comm: modprobe Tainted: G O 3.13.0-imre+ #354 [ 164.356468] Hardware name: Intel Corp. VALLEYVIEW B0 PLATFORM/NOTEBOOK, BIOS BYTICRB1.X64.0062.R70.1310112051 10/11/2013 [ 164.368796] Call Trace: [ 164.371609] [] dump_stack+0x4e/0x7a [ 164.377447] [] warn_slowpath_common+0x7d/0xa0 [ 164.384238] [] warn_slowpath_null+0x1a/0x20 [ 164.390851] [] klist_next+0xae/0x110 [ 164.396777] [] ? pci_do_find_bus+0x70/0x70 [ 164.403286] [] bus_find_device+0x89/0xc0 [ 164.409719] [] pci_get_dev_by_id+0x63/0xa0 [ 164.416238] [] pci_get_class+0x44/0x50 [ 164.422433] [] intel_dsm_detect+0x16f/0x1f0 [i915] [ 164.429801] [] intel_register_dsm_handler+0xe/0x10 [i915] [ 164.437831] [] i915_driver_load+0xafe/0xf30 [i915] [ 164.445126] [] ? intel_alloc_coherent+0x110/0x110 [ 164.452340] [] drm_dev_register+0xc7/0x150 [drm] [ 164.459462] [] drm_get_pci_dev+0x11f/0x1f0 [drm] [ 164.466554] [] ? _raw_spin_unlock_irqrestore+0x51/0x70 [ 164.474287] [] i915_pci_probe+0x56/0x60 [i915] [ 164.481185] [] pci_device_probe+0x78/0xf0 [ 164.487603] [] driver_probe_device+0x155/0x350 [ 164.494505] [] __driver_attach+0x6e/0xa0 [ 164.500826] [] ? __device_attach+0x50/0x50 [ 164.507333] [] bus_for_each_dev+0x6e/0xc0 [ 164.513752] [] driver_attach+0x1e/0x20 [ 164.519870] [] bus_add_driver+0x138/0x260 [ 164.526289] [] ? 0xffffffffa0187fff [ 164.532116] [] driver_register+0x98/0xe0 [ 164.538558] [] ? 0xffffffffa0187fff [ 164.544389] [] __pci_register_driver+0x60/0x70 [ 164.551336] [] drm_pci_init+0x6d/0x120 [drm] [ 164.558040] [] ? 0xffffffffa0187fff [ 164.563928] [] i915_init+0x6a/0x6c [i915] [ 164.570363] [] do_one_initcall+0xaa/0x160 [ 164.576783] [] ? set_memory_nx+0x40/0x50 [ 164.583100] [] load_module+0x1fb5/0x2550 [ 164.589410] [] ? store_uevent+0x40/0x40 [ 164.595628] [] SyS_init_module+0xed/0x100 [ 164.602048] [] system_call_fastpath+0x16/0x1b v2: simplify the loop further (Chris) Signed-off-by: Imre Deak Cc: Jesse Barnes Reported-by: Jesse Barnes Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=65652 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=74161 Reviewed-by: Chris Wilson Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 96c1e8a4bf5c52dcd4b2311d77759b796ca096b6 Author: Alex Deucher Date: Thu Mar 6 13:16:55 2014 -0500 drm/radeon/dpm: fix typo in EVERGREEN_SMC_FIRMWARE_HEADER_softRegisters commit 13714323f83ffa5a772fe0d8b74e0fa32ee08819 upstream. Should be at 0x8 rather than 0. fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60523 Noticed by ArtForz on #radeon Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 8e2050891ecff4f0daafdf1396c08072a229fab5 Author: Alex Deucher Date: Thu Mar 6 18:09:52 2014 -0500 drm/radeon/atom: select the proper number of lanes in transmitter setup commit d03874c881a049a50e12f285077ab1f9fc2686e1 upstream. We need to check for DVI vs. HDMI when setting up duallink since HDMI is single link only. Fixes 4k modes on newer asics. bug: https://bugs.freedesktop.org/show_bug.cgi?id=75223 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit a3a7927a1a99ac5ee7ba3a8a9da9a53917bb3707 Author: Artem Fetishev Date: Mon Mar 10 15:49:45 2014 -0700 fs/proc/base.c: fix GPF in /proc/$PID/map_files commit 70335abb2689c8cd5df91bf2d95a65649addf50b upstream. The expected logic of proc_map_files_get_link() is either to return 0 and initialize ‘path’ or return an error and leave ‘path’ uninitialized. By the time dname_to_vma_addr() returns 0 the corresponding vma may have already be gone. In this case the path is not initialized but the return value is still 0. This results in ‘general protection fault’ inside d_path(). Steps to reproduce: CONFIG_CHECKPOINT_RESTORE=y fd = open(…); while (1) { mmap(fd, …); munmap(fd, …); } ls -la /proc/$PID/map_files Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991 Signed-off-by: Artem Fetishev Signed-off-by: Aleksandr Terekhov Reported-by: Acked-by: Pavel Emelyanov Acked-by: Cyrill Gorcunov Reviewed-by: “Eric W. Biederman” Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d2c1949c854277b9c4bd10b3e12c21ddf3517a74 Author: Nicholas Bellinger Date: Wed Feb 26 03:09:41 2014 -0800 iscsi-target: Fix iscsit_get_tpg_from_np tpg_state bug commit a2a99cea5ec7c1e47825559f0e75a4efbcf8aee3 upstream. This patch fixes a bug in iscsit_get_tpg_from_np() where the tpg->tpg_state sanity check was looking for TPG_STATE_FREE, instead of != TPG_STATE_ACTIVE. The latter is expected during a normal TPG shutdown once the tpg_state goes into TPG_STATE_INACTIVE in order to reject any new incoming login attempts. Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 9b7946975ae8ba68367eb6a13e98dbd19f82ebe5 Author: Mark Rutland Date: Wed Jan 29 14:05:51 2014 -0800 mm/readahead.c: fix do_readahead() for no readpage(s) commit 58d5640ebdb273cc817b0d0cda7bcf2efbbc2ff7 upstream. Commit 63d0f0a3c7e1 (“mm/readahead.c:do_readhead(): don’t check for ->readpage”) unintentionally made do_readahead return 0 for all valid files regardless of whether readahead was supported, rather than the expected -EINVAL. This gets forwarded on to userspace, and results in sys_readahead appearing to succeed in cases that don’t make sense (e.g. when called on pipes or sockets). This issue is detected by the LTP readahead01 testcase. As the exact return value of force_page_cache_readahead is currently never used, we can simplify it to return only 0 or -EINVAL (when readpage or readpages is missing). With that in place we can simply forward on the return value of force_page_cache_readahead in do_readahead. This patch performs said change, restoring the expected semantics. Signed-off-by: Mark Rutland Acked-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 85869425bf6923e428eae62777e153c4e8196d79 Author: Nicholas Bellinger Date: Sun Mar 2 14:51:12 2014 -0800 iser-target: Fix command leak for tx_desc->comp_llnode_batch commit ebbe442183b7b8192c963266f1c89048fefc63a5 upstream. This patch addresses a number of active I/O shutdown issues related to isert_cmd descriptors being leaked that are part of a completion interrupt coalescing batch. This includes adding logic in isert_cq_tx_comp_err() to drain any associated tx_desc->comp_llnode_batch, as well as isert_cq_drain_comp_llist() to drain any associated isert_conn->conn_comp_llist. Also, set tx_desc->llnode_active in isert_init_send_wr() in order to determine when work requests need to be skipped in isert_cq_tx_work() exception path code. Finally, update isert_init_send_wr() to only allow interrupt coalescing when ISER_CONN_UP. Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit a5496ebdd54019d3964e0dc51a7da9d14b4191cc Author: Nicholas Bellinger Date: Thu Feb 27 09:05:03 2014 -0800 iser-target: Fix post_send_buf_count for RDMA READ/WRITE commit b6b87a1df604678ed1be40158080db012a99ccca upstream. This patch fixes the incorrect setting of ->post_send_buf_count related to RDMA WRITEs + READs where isert_rdma_rw->send_wr_num was not being taken into account. This includes incrementing ->post_send_buf_count within isert_put_datain() + isert_get_dataout(), decrementing within __isert_send_completion() + isert_response_completion(), and clearing wr->send_wr_num within isert_completion_rdma_read() This is necessary because even though IB_SEND_SIGNALED is not set for RDMA WRITEs + READs, during a QP failure event the work requests will be returned with exception status from the TX completion queue. Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit e8a65ca98c033cac289cad99e150c88e1575b753 Author: Nicholas Bellinger Date: Thu Feb 27 07:02:48 2014 -0800 iser-target: Ignore completions for FRWRs in isert_cq_tx_work commit 9bb4ca68fc48eea618b1af1c1cde2a251ae32d1b upstream. This patch changes IB_WR_FAST_REG_MR + IB_WR_LOCAL_INV related work requests to include a ISER_FRWR_LI_WRID value in order to signal isert_cq_tx_work() that these requests should be ignored. This is necessary because even though IB_SEND_SIGNALED is not set for either work request, during a QP failure event the work requests will be returned with exception status from the TX completion queue. v2 changes: - Rename ISER_FRWR_LI_WRID -> ISER_FASTREG_LI_WRID (Sagi) Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 93d913f043ffdd1c5d1eef011f01e6d7daa6284f Author: Nicholas Bellinger Date: Mon Feb 3 12:54:39 2014 -0800 iscsi/iser-target: Fix isert_conn->state hung shutdown issues commit defd884845297fd5690594bfe89656b01f16d87e upstream. This patch addresses a couple of different hug shutdown issues related to wait_event() + isert_conn->state. First, it changes isert_conn->conn_wait + isert_conn->conn_wait_comp_err from waitqueues to completions, and sets ISER_CONN_TERMINATING from within isert_disconnect_work(). Second, it splits isert_free_conn() into isert_wait_conn() that is called earlier in iscsit_close_connection() to ensure that all outstanding commands have completed before continuing. Finally, it breaks isert_cq_comp_err() into seperate TX / RX related code, and adds logic in isert_cq_rx_comp_err() to wait for outstanding commands to complete before setting ISER_CONN_DOWN and calling complete(&isert_conn->conn_wait_comp_err). Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 4e83fbac20b01596d2815d73cb55d103e730dc68 Author: Nicholas Bellinger Date: Mon Feb 3 12:53:51 2014 -0800 iscsi/iser-target: Use list_del_init for ->i_conn_node commit 5159d763f60af693a3fcec45dce2021f66e528a4 upstream. There are a handful of uses of list_empty() for cmd->i_conn_node within iser-target code that expect to return false once a cmd has been removed from the per connect list. This patch changes all uses of list_del -> list_del_init in order to ensure that list_empty() returns false as expected. Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 80d8edfe28f62b05c993a785c26bdd71c7b96c72 Author: Rafael J. Wysocki Date: Thu Mar 13 22:11:39 2014 +0100 ACPI / sleep: Add extra checks for HW Reduced ACPI mode sleep states commit a4e90bed511220ff601d064c9e5d583e91308f65 upstream. If the HW Reduced ACPI mode bit is set in the FADT, ACPICA uses the optional sleep control and sleep status registers for making the system enter sleep states (including S5), so it is not possible to use system sleep states or power it off using ACPI if the HW Reduced ACPI mode bit is set and those registers are not available. For this reason, add a new function, acpi_sleep_state_supported(), checking if the HW Reduced ACPI mode bit is set and whether or not system sleep states are usable in that case in addition to checking the return value of acpi_get_sleep_type_data() and make the ACPI sleep setup routines use that function to check the availability of system sleep states. Among other things, this prevents the kernel from attempting to use ACPI for powering off HW Reduced ACPI systems without the sleep control and sleep status registers, because ACPI power off doesn’t have a chance to work on them. That allows alternative power off mechanisms that may actually work to be used on those systems. The affected machines include Dell Venue 8 Pro, Asus T100TA, Haswell Desktop SDP and Ivy Bridge EP Demo depot. References: https://bugzilla.kernel.org/show_bug.cgi?id=70931 Reported-by: Adam Williamson Tested-by: Aubrey Li Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 1bfb1772bd0368d2220c1bc6314c04527295a3bb Author: Rafael J. Wysocki Date: Wed Mar 12 21:49:33 2014 +0100 cpufreq: Skip current frequency initialization for ->setpolicy drivers commit 2ed99e39cb9392312c100d9da591c20641c64d12 upstream. After commit da60ce9f2fac (cpufreq: call cpufreq_driver->get() after calling ->init()) __cpufreq_add_dev() sometimes fails for CPUs handled by intel_pstate, because that driver may return 0 from its ->get() callback if it has not run long enough to collect enough samples on the given CPU. That didn’t happen before commit da60ce9f2fac which added policy->cur initialization to __cpufreq_add_dev() to help reduce code duplication in other cpufreq drivers. However, the code added by commit da60ce9f2fac need not be executed for cpufreq drivers having the ->setpolicy callback defined, because the subsequent invocation of cpufreq_set_policy() will use that callback to initialize the policy anyway and it doesn’t need policy->cur to be initialized upfront. The analogous code in cpufreq_update_policy() is also unnecessary for cpufreq drivers having ->setpolicy set and may be skipped for them as well. Since intel_pstate provides ->setpolicy, skipping the upfront policy->cur initialization for cpufreq drivers with that callback set will cover intel_pstate and the problem it’s been having after commit da60ce9f2fac will be addressed. Fixes: da60ce9f2fac (cpufreq: call cpufreq_driver->get() after calling ->init()) References: https://bugzilla.kernel.org/show_bug.cgi?id=71931 Reported-and-tested-by: Patrik Lundquist Acked-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit b94d12cd299763e67a1bf86ba882076cd891b69f Author: Aaron Plattner Date: Tue Mar 4 12:42:15 2014 -0800 cpufreq: use cpufreq_cpu_get() to avoid cpufreq_get() race conditions commit 999976e0f6233322a878b0b7148c810544d6c8a8 upstream. If a module calls cpufreq_get while cpufreq is initializing, it’s possible for it to be called after cpufreq_driver is set but before cpufreq_cpu_data is written during subsys_interface_register. This happens because cpufreq_get doesn’t take the cpufreq_driver_lock around its use of cpufreq_cpu_data. Fix this by using cpufreq_cpu_get(cpu) to look up the policy rather than reading it out of cpufreq_cpu_data directly. cpufreq_cpu_get() takes the appropriate locks to prevent this race from happening. Since it’s possible for policy to be NULL if the caller passes in an invalid CPU number or calls the function before cpufreq is initialized, delete the BUG_ON(!policy) and simply return 0. Don’t try to return -ENOENT because that’s negative and the function returns an unsigned integer. References: https://bbs.archlinux.org/viewtopic.php?id=177934 Signed-off-by: Aaron Plattner Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 10afe48704c6e18c7a105de088540aa5d506e128 Author: Trond Myklebust Date: Wed Mar 5 08:44:23 2014 -0500 NFSv4: nfs4_stateid_is_current should return ‘true’ for an invalid stateid commit e1253be0ece1a95a02c7f5843194877471af8179 upstream. When nfs4_set_rw_stateid() can fails by returning EIO to indicate that the stateid is completely invalid, then it makes no sense to have it trigger a retry of the READ or WRITE operation. Instead, we should just have it fall through and attempt a recovery. This fixes an infinite loop in which the client keeps replaying the same bad stateid back to the server. Reported-by: Andy Adamson Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 99ff79b6ff23cdc4e439078a84651d05f6725446 Author: Trond Myklebust Date: Sun Mar 2 22:03:12 2014 -0500 NFS: Fix a delegation callback race commit 755a48a7a4eb05b9c8424e3017d947b2961a60e0 upstream. The clean-up in commit 36281caa839f ended up removing a NULL pointer check that is needed in order to prevent an Oops in nfs_async_inode_return_delegation(). Reported-by: “Yan, Zheng” Link: http://lkml.kernel.org/r/[email protected] Fixes: 36281caa839f (NFSv4: Further clean-ups of delegation stateid validation) Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 9d1731e589e3276880c0d76421507c5896f8a08d Author: Trond Myklebust Date: Wed Feb 26 11:19:14 2014 -0800 NFSv4: Fix another nfs4_sequence corruptor commit b7e63a1079b266866a732cf699d8c4d61391bbda upstream. nfs4_release_lockowner needs to set the rpc_message reply to point to the nfs4_sequence_res in order to avoid another Oopsable situation in nfs41_assign_slot. Fixes: fbd4bfd1d9d21 (NFS: Add nfs4_sequence calls for RELEASE_LOCKOWNER) Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 139ee65b608913cf8625da94b842b2b4929e9441 Author: Gabor Juhos Date: Sun Mar 2 20:54:42 2014 +0100 spi: spi-ath79: fix initial GPIO CS line setup commit 61d1cf163c8653934cc8cd5d0b2a562d0990c265 upstream. The ‘ath79_spi_setup_cs’ function initializes the chip select line of a given SPI device in order to make sure that the device is inactive. If the SPI_CS_HIGH bit is set for a given device, it means that the CS line of that device is active HIGH so it must be set to LOW initially. In case of GPIO CS lines, the ‘ath79_spi_setup_cs’ function does the opposite of that due to the wrong GPIO flags. Fix the code to use the correct GPIO flags. Reported-by: Ronald Wahl Signed-off-by: Gabor Juhos Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1022a7fb793ff50c40cb033bf242427b7d9758a5 Author: Philippe De Muyter Date: Thu Feb 27 10:16:15 2014 +0100 spi: spi-imx: spi_imx_remove: do not disable disabled clocks commit fd40dccb1a170ba689664481a3de83617b7194d2 upstream. Currently, at module removal, one gets the following warnings: ------------[ cut here ]------------ WARNING: at drivers/clk/clk.c:780 clk_disable+0x18/0x24() Modules linked in: spi_imx(-) [last unloaded: ev76c560] CPU: 1 PID: 16337 Comm: rmmod Tainted: G W 3.10.17-80548-g90191eb-dirty #33 [<80013b4c>] (unwind_backtrace+0x0/0xf8) from [<800115dc>] (show_stack+0x10/0x14) [<800115dc>] (show_stack+0x10/0x14) from [<800257b8>] (warn_slowpath_common+0x4c/0x68) [<800257b8>] (warn_slowpath_common+0x4c/0x68) from [<800257f0>] (warn_slowpath_null+0x1c/0x24) [<800257f0>] (warn_slowpath_null+0x1c/0x24) from [<803f60ec>] (clk_disable+0x18/0x24) [<803f60ec>] (clk_disable+0x18/0x24) from [<7f02c9cc>] (spi_imx_remove+0x54/0x9c [spi_imx]) [<7f02c9cc>] (spi_imx_remove+0x54/0x9c [spi_imx]) from [<8025868c>] (platform_drv_remove+0x18/0x1c) [<8025868c>] (platform_drv_remove+0x18/0x1c) from [<80256f60>] (__device_release_driver+0x70/0xcc) [<80256f60>] (__device_release_driver+0x70/0xcc) from [<80257770>] (driver_detach+0xcc/0xd0) [<80257770>] (driver_detach+0xcc/0xd0) from [<80256d90>] (bus_remove_driver+0x7c/0xc0) [<80256d90>] (bus_remove_driver+0x7c/0xc0) from [<80068668>] (SyS_delete_module+0x144/0x1f8) [<80068668>] (SyS_delete_module+0x144/0x1f8) from [<8000e080>] (ret_fast_syscall+0x0/0x30) —[ end trace 1f5df9ad54996300 ]— ------------[ cut here ]------------ WARNING: at drivers/clk/clk.c:780 clk_disable+0x18/0x24() Modules linked in: spi_imx(-) [last unloaded: ev76c560] CPU: 1 PID: 16337 Comm: rmmod Tainted: G W 3.10.17-80548-g90191eb-dirty #33 [<80013b4c>] (unwind_backtrace+0x0/0xf8) from [<800115dc>] (show_stack+0x10/0x14) [<800115dc>] (show_stack+0x10/0x14) from [<800257b8>] (warn_slowpath_common+0x4c/0x68) [<800257b8>] (warn_slowpath_common+0x4c/0x68) from [<800257f0>] (warn_slowpath_null+0x1c/0x24) [<800257f0>] (warn_slowpath_null+0x1c/0x24) from [<803f60ec>] (clk_disable+0x18/0x24) [<803f60ec>] (clk_disable+0x18/0x24) from [<7f02c9e8>] (spi_imx_remove+0x70/0x9c [spi_imx]) [<7f02c9e8>] (spi_imx_remove+0x70/0x9c [spi_imx]) from [<8025868c>] (platform_drv_remove+0x18/0x1c) [<8025868c>] (platform_drv_remove+0x18/0x1c) from [<80256f60>] (__device_release_driver+0x70/0xcc) [<80256f60>] (__device_release_driver+0x70/0xcc) from [<80257770>] (driver_detach+0xcc/0xd0) [<80257770>] (driver_detach+0xcc/0xd0) from [<80256d90>] (bus_remove_driver+0x7c/0xc0) [<80256d90>] (bus_remove_driver+0x7c/0xc0) from [<80068668>] (SyS_delete_module+0x144/0x1f8) [<80068668>] (SyS_delete_module+0x144/0x1f8) from [<8000e080>] (ret_fast_syscall+0x0/0x30) —[ end trace 1f5df9ad54996301 ]— Since commit 9e556dcc55774c9a1032f32baa0e5cfafede8b70, "spi: spi-imx: only enable the clocks when we start to transfer a message", clocks are always disabled except when transmitting messages. There is thus no need to disable them at module removal. Fixes: 9e556dcc55774 (spi: spi-imx: only enable the clocks when we start to transfer a message) Signed-off-by: Philippe De Muyter Acked-by: Huang Shijie Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit df273ce5605b1c6e9777bc542dde88126c22296d Author: Axel Lin Date: Fri Feb 14 12:49:12 2014 +0800 spi: fsl-dspi: Fix getting correct address for master commit 017145fef567430789e40f6a22a90ce2a766370b upstream. Current code set platform drvdata to dspi. However, the code in dspi_suspend() and dspi_resume() assumes the drvdata is the address of master. Fix it by setting platform drvdata to master. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1a8f08e11619865ee6ab08e25359fd778ce251ee Author: Axel Lin Date: Fri Feb 14 09:53:00 2014 +0800 spi: coldfire-qspi: Fix getting correct address for *mcfqspi commit ee73b4c6e3fc0755a91752ab8eebc8e070038b53 upstream. dev_get_drvdata() returns the address of master rather than mcfqspi. Fixes: af361079 (spi/coldfire-qspi: Drop extra calls to spi_master_get in suspend/resume functions) Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 69fd455e621f2e15ea44640a366692c2c012d78f Author: Tejun Heo Date: Mon Mar 10 11:13:43 2014 -0400 libata: use wider match for blacklisting Crucial M500 commit 83493d7e782d2630f1a55def14a79f0e7c4faac3 upstream. We’re now blacklisting “Crucial_CT???M500SSD1” and "Crucial_CT???M500SSD3". Also, “Micron_M500*” is blacklisted which is about the same devices as the crucial branded ones. Let’s merge the two Crucial M500 entries and widen the match to “Crucial_CT???M500SSD*” so that we don’t have to fiddle with new entries for similar devices. Signed-off-by: Tejun Heo Suggested-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f05751dd1a4c61273a4cbf0ffdb160adf0270753 Author: Michele Baldessari Date: Fri Mar 7 16:34:29 2014 +0000 libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8 (2BA30001) commit b28a613e9138e4b3a64649bd60b13436f4b4b49b upstream. Via commit 87809942d3fa “libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8” we added a quirk for disks named “ST1000LM024 HN-M101MBB” with firmware revision "2AR10001". As reported on https://bugzilla.redhat.com/show_bug.cgi?id=1073901, we need to also add firmware revision 2BA30001 as it is broken as well. Reported-by: Nicholas Signed-off-by: Michele Baldessari Tested-by: Guilherme Amadio Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit fc0a62d726d742265b5539e1d9ac1ce752b41cb0 Author: Marios Andreopoulos Date: Mon Mar 3 18:19:59 2014 +0200 libata: disable queued TRIM for Crucial M500 mSATA SSDs commit 2564338b13e6e132ee224edb63e1e872adf431f4 upstream. Queued TRIM commands cause problems and silent file system corruption on Crucial M500 SSDs. This patch disables them for the mSATA model of the drive. Signed-off-by: Marios Andreopoulos Signed-off-by: Tejun Heo Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=71371 Signed-off-by: Greg Kroah-Hartman commit 20d3a0c0738062e2e6fa1a78cc61c882985dfe96 Author: Tejun Heo Date: Fri Mar 7 10:19:57 2014 -0500 firewire: don’t use PREPARE_DELAYED_WORK commit 70044d71d31d6973665ced5be04ef39ac1c09a48 upstream. PREPARE_[DELAYED_]WORK() are being phased out. They have few users and a nasty surprise in terms of reentrancy guarantee as workqueue considers work items to be different if they don’t have the same work function. firewire core-device and sbp2 have been been multiplexing work items with multiple work functions. Introduce fw_device_workfn() and sbp2_lu_workfn() which invoke fw_device->workfn and sbp2_logical_unit->workfn respectively and always use the two functions as the work functions and update the users to set the ->workfn fields instead of overriding work functions using PREPARE_DELAYED_WORK(). This fixes a variety of possible regressions since a2c1c57be8d9 “workqueue: consider work function when searching for busy work items” due to which fw_workqueue lost its required non-reentrancy property. Signed-off-by: Tejun Heo Acked-by: Stefan Richter Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit a9d84d96bfd4fe3da0b142c34f5400e033c67f4a Author: Stefan Richter Date: Thu Mar 6 20:39:04 2014 +0100 firewire: ohci: fix probe failure with Agere/LSI controllers commit 0ca49345b6f489e95f8d6edeb0b092e257475b2a upstream. Since commit bd972688eb24 "firewire: ohci: Fix ‘failed to read phy reg’ on FW643 rev8", there is a high chance that firewire-ohci fails to initialize LSI née Agere controllers. https://bugzilla.kernel.org/show_bug.cgi?id=65151 Peter Hurley points out the reason: IEEE 1394a:2000 clause 5A.1 (or IEEE 1394:2008 clause 17.2.1) say: “The PHY shall insure that no more than 10 ms elapse from the reassertion of LPS until the interface is reset. The link shall not assert LReq until the reset is complete.” In other words, the link needs to give the PHY at least 10 ms to get the interface operational. With just the msleep(1) in bd972688eb24, the first read_phy_reg() during ohci_enable() may happen before the phy-link interface reset was finished, and fail. Due to the high variability of msleep(n) with small n, this failure was not fully reproducible, and not apparent at all with low CONFIG_HZ setting. On the other hand, Peter can no longer reproduce the issue with FW643 rev8. The read phy reg failures that happened back then may have had an unrelated cause. So, just revert bd972688eb24, except for the valid comment on TSB82AA2 cards. Reported-by: Mikhail Gavrilov Reported-by: Jay Fenlason Reported-by: Clemens Ladisch Reported-by: Peter Hurley Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit ea76e76a104ec2b8c3d6cb236274762ee3eda22b Author: Stefan Richter Date: Tue Feb 18 22:25:15 2014 +0100 firewire: net: fix use after free commit 8987583366ae9e03c306c2b7d73bdb952df1d08d upstream. Commit 8408dc1c14c1 “firewire: net: use dev_printk API” introduced a use-after-free in a failure path. fwnet_transmit_packet_failed(ptask) may free ptask, then the dev_err() call dereferenced it. The fix is straightforward; simply reorder the two calls. Reported-by: Dan Carpenter Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 6c8060cc19f4e1c0e659b9f3402bb124b93fc9da Author: Steven Rostedt (Red Hat) Date: Wed Feb 26 13:37:38 2014 -0500 tracing: Do not add event files for modules that fail tracepoints commit 45ab2813d40d88fc575e753c38478de242d03f88 upstream. If a module fails to add its tracepoints due to module tainting, do not create the module event infrastructure in the debugfs directory. As the events will not work and worse yet, they will silently fail, making the user wonder why the events they enable do not display anything. Having a warning on module load and the events not visible to the users will make the cause of the problem much clearer. Link: http://lkml.kernel.org/r/[email protected] Fixes: 6d723736e472 “tracing/events: add support for modules to TRACE_EVENT” Acked-by: Mathieu Desnoyers Cc: Rusty Russell Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 02e1cf79d668aa2f1b97d1af5ef694beef340c39 Author: Kieran Clancy Date: Sat Mar 1 00:42:28 2014 +1030 ACPI / EC: Clear stale EC events on Samsung systems commit ad332c8a45330d170bb38b95209de449b31cd1b4 upstream. A number of Samsung notebooks (530Uxx/535Uxx/540Uxx/550Pxx/900Xxx/etc) continue to log events during sleep (lid open/close, AC plug/unplug, battery level change), which accumulate in the EC until a buffer fills. After the buffer is full (tests suggest it holds 8 events), GPEs stop being triggered for new events. This state persists on wake or even on power cycle, and prevents new events from being registered until the EC is manually polled. This is the root cause of a number of bugs, including AC not being detected properly, lid close not triggering suspend, and low ambient light not triggering the keyboard backlight. The bug also seemed to be responsible for performance issues on at least one user’s machine. Juan Manuel Cabo found the cause of bug and the workaround of polling the EC manually on wake. The loop which clears the stale events is based on an earlier patch by Lan Tianyu (see referenced attachment). This patch: - Adds a function acpi_ec_clear() which polls the EC for stale _Q events at most ACPI_EC_CLEAR_MAX (currently 100) times. A warning is logged if this limit is reached. - Adds a flag EC_FLAGS_CLEAR_ON_RESUME which is set to 1 if the DMI system vendor is Samsung. This check could be replaced by several more specific DMI vendor/product pairs, but it’s likely that the bug affects more Samsung products than just the five series mentioned above. Further, it should not be harmful to run acpi_ec_clear() on systems without the bug; it will return immediately after finding no data waiting. - Runs acpi_ec_clear() on initialisation (boot), from acpi_ec_add() - Runs acpi_ec_clear() on wake, from acpi_ec_unblock_transactions() References: https://bugzilla.kernel.org/show_bug.cgi?id=44161 References: https://bugzilla.kernel.org/show_bug.cgi?id=45461 References: https://bugzilla.kernel.org/show_bug.cgi?id=57271 References: https://bugzilla.kernel.org/attachment.cgi?id=126801 Suggested-by: Juan Manuel Cabo Signed-off-by: Kieran Clancy Reviewed-by: Lan Tianyu Reviewed-by: Dennis Jansen Tested-by: Kieran Clancy Tested-by: Juan Manuel Cabo Tested-by: Dennis Jansen Tested-by: Maurizio D’Addona Tested-by: San Zamoyski Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit a2f83717197b337ee22b114a0ef7c3bcb65b618c Author: Zhang Rui Date: Thu Feb 27 11:37:15 2014 +0800 ACPI / resources: ignore invalid ACPI device resources commit b355cee88e3b1a193f0e9a81db810f6f83ad728b upstream. ACPI table may export resource entry with 0 length. But the current code interprets this kind of resource in a wrong way. It will create a resource structure with res->end = acpi_resource->start + acpi_resource->len - 1; This patch fixes a problem on my machine that a platform device fails to be created because one of its ACPI IO resource entry (start = 0, end = 0, length = 0) is translated into a generic resource with start = 0, end = 0xffffffff. Signed-off-by: Zhang Rui Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 9a59929c894645615835deb478f99de178530b22 Author: Li Zefan Date: Thu Feb 27 18:19:36 2014 +0800 cpuset: fix a race condition in __cpuset_node_allowed_softwall() commit 99afb0fd5f05aac467ffa85c36778fec4396209b upstream. It’s not safe to access task’s cpuset after releasing task_lock(). Holding callback_mutex won’t help. Signed-off-by: Li Zefan Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 54dbb836be1d8d9a398b8d6ef9184276179ae3cc Author: Li Zefan Date: Thu Feb 27 18:19:03 2014 +0800 cpuset: fix a locking issue in cpuset_migrate_mm() commit 4729583006772b9530404bc1bb7c3aa4a10ffd4d upstream. I can trigger a lockdep warning: # mount -t cgroup -o cpuset xxx /cgroup # mkdir /cgroup/cpuset # mkdir /cgroup/tmp # echo 0 > /cgroup/tmp/cpuset.cpus # echo 0 > /cgroup/tmp/cpuset.mems # echo 1 > /cgroup/tmp/cpuset.memory_migrate # echo $$ > /cgroup/tmp/tasks # echo 1 > /cgruop/tmp/cpuset.mems =============================== [ INFO: suspicious RCU usage. ] 3.14.0-rc1-0.1-default+ #32 Not tainted ------------------------------- include/linux/cgroup.h:682 suspicious rcu_dereference_check() usage! … [] dump_stack+0x72/0x86 [] lockdep_rcu_suspicious+0x101/0x140 [] cpuset_migrate_mm+0xb1/0xe0 … We used to hold cgroup_mutex when calling cpuset_migrate_mm(), but now we hold cpuset_mutex, which causes task_css() to complain. This is not a false-positive but a real issue. Holding cpuset_mutex won’t prevent a task from migrating to another cpuset, and it won’t prevent the original task->cgroup from destroying during this change. Fixes: 5d21cc2db040 (cpuset: replace cgroup_mutex locking with cpuset internal locking) Signed-off-by: Li Zefan Sigend-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 23e7b2a51543f47e902501193deac95838fdfafd Author: Chuansheng Liu Date: Mon Feb 24 11:29:50 2014 +0800 genirq: Remove racy waitqueue_active check commit c685689fd24d310343ac33942e9a54a974ae9c43 upstream. We hit one rare case below: T1 calling disable_irq(), but hanging at synchronize_irq() always; The corresponding irq thread is in sleeping state; And all CPUs are in idle state; After analysis, we found there is one possible scenerio which causes T1 is waiting there forever: CPU0 CPU1 synchronize_irq() wait_event() spin_lock() atomic_dec_and_test(&threads_active) insert the __wait into queue spin_unlock() if(waitqueue_active) atomic_read(&threads_active) wake_up() Here after inserted the __wait into queue on CPU0, and before test if queue is empty on CPU1, there is no barrier, it maybe cause it is not visible for CPU1 immediately, although CPU0 has updated the queue list. It is similar for CPU0 atomic_read() threads_active also. So we’d need one smp_mb() before waitqueue_active.that, but removing the waitqueue_active() check solves it as wel l and it makes things simple and clear. Signed-off-by: Chuansheng Liu Cc: Xiaoming Wang Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit ccc59a798621cae43c23e9bfad1364c7f4e68613 Author: Mathias Nyman Date: Fri Mar 7 17:06:57 2014 +0200 Revert “xhci 1.0: Limit arbitrarily-aligned scatter gather.” commit e2ed511400d41e0d136089d5a55ceab57c6a2426 upstream. This reverts commit 247bf557273dd775505fb9240d2d152f4f20d304. This commit, together with commit 3804fad45411b48233b48003e33a78f290d227c8 “USBNET: ax88179_178a: enable tso if usb host supports sg dma” were origially added to get xHCI 1.0 hosts and usb ethernet ax88179_178a devices working together with scatter gather. xHCI 1.0 hosts pose some requirement on how transfer buffers are aligned, setting this requirement for 1.0 hosts caused USB 3.0 mass storage devices to fail more frequently. USB 3.0 mass storage devices used to work before 3.14-rc1. Theoretically, the TD fragment rules could have caused an occasional disk glitch. Now the devices *will* fail, instead of theoretically failing. >From a user perspective, this looks like a regression; the USB device obviously fails on 3.14-rc1, and may sometimes silently fail on prior kernels. The proper soluition is to implement the TD fragment rules required, but for now this patch needs to be reverted to get USB 3.0 mass storage devices working at the level they used to. Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit c9e725327d148c3d388203b825db9d03c85b7449 Author: Julius Werner Date: Tue Mar 4 11:27:38 2014 -0800 usb: Make DELAY_INIT quirk wait 100ms between Get Configuration requests commit d86db25e53fa69e3e97f3b55dd82a70689787c5d upstream. The DELAY_INIT quirk only reduces the frequency of enumeration failures with the Logitech HD Pro C920 and C930e webcams, but does not quite eliminate them. We have found that adding a delay of 100ms between the first and second Get Configuration request makes the device enumerate perfectly reliable even after several weeks of extensive testing. The reasons for that are anyone’s guess, but since the DELAY_INIT quirk already delays enumeration by a whole second, wating for another 10th of that isn’t really a big deal for the one other device that uses it, and it will resolve the problems with these webcams. Signed-off-by: Julius Werner Signed-off-by: Greg Kroah-Hartman commit 9ff0672a0c30b8ffe0bbc373d0f14d763b01071e Author: Julius Werner Date: Tue Mar 4 10:52:39 2014 -0800 usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e commit e0429362ab15c46ea4d64c3f8c9e0933e48a143a upstream. We’ve encountered a rare issue when enumerating two Logitech webcams after a reboot that doesn’t power cycle the USB ports. They are spewing random data (possibly some leftover UVC buffers) on the second (full-sized) Get Configuration request of the enumeration phase. Since the data is random this can potentially cause all kinds of odd behavior, and since it occasionally happens multiple times (after the kernel issues another reset due to the garbled configuration descriptor), it is not always recoverable. Set the USB_DELAY_INIT quirk that seems to work around the issue. Signed-off-by: Julius Werner Signed-off-by: Greg Kroah-Hartman commit f7162a5072554ea4f625870f9b3b167cb68a3a8e Author: Mathias Nyman Date: Fri Mar 7 17:06:58 2014 +0200 Revert “USBNET: ax88179_178a: enable tso if usb host supports sg dma” commit 469d417b68958a064c09e7875646c97c6e783dfc upstream. This reverts commit 3804fad45411b48233b48003e33a78f290d227c8. This commit, together with commit 247bf557273dd775505fb9240d2d152f4f20d304 “xhci 1.0: Limit arbitrarily-aligned scatter gather.” were origially added to get xHCI 1.0 hosts and usb ethernet ax88179_178a devices working together with scatter gather. xHCI 1.0 hosts pose some requirement on how transfer buffers are aligned, setting this requirement for 1.0 hosts caused USB 3.0 mass storage devices to fail more frequently. USB 3.0 mass storage devices used to work before 3.14-rc1. Theoretically, the TD fragment rules could have caused an occasional disk glitch. Now the devices *will* fail, instead of theoretically failing. >From a user perspective, this looks like a regression; the USB device obviously fails on 3.14-rc1, and may sometimes silently fail on prior kernels. The proper soluition is to implement the TD fragment rules for xHCI 1.0 hosts, but for now, revert this patch until scatter gather can be properly supported. Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit cb00925f5bed4a8e175c1b0c39710c87aa30d3d5 Author: Jean Delvare Date: Sun Mar 2 15:33:35 2014 +0100 x86_pkg_temp_thermal: Do not expose as a hwmon device commit 79786880a47a8c5b4c8146c03432b3387a07a169 upstream. The temperature value reported by x86_pkg_temp_thermal is already reported by the coretemp driver. So, do not expose this thermal zone as a hwmon device, because it would be redundant. Signed-off-by: Jean Delvare Cc: Zhang Rui Cc: Eduardo Valentin Acked-by: Guenter Roeck Signed-off-by: Zhang Rui Signed-off-by: Greg Kroah-Hartman commit 06d38fdaac851499908c9fac4c69c4bf14d47126 Author: Daniel J Blueman Date: Thu Mar 13 19:43:01 2014 +0800 x86/amd/numa: Fix northbridge quirk to assign correct NUMA node commit 847d7970defb45540735b3fb4e88471c27cacd85 upstream. For systems with multiple servers and routed fabric, all northbridges get assigned to the first server. Fix this by also using the node reported from the PCI bus. For single-fabric systems, the northbriges are on PCI bus 0 by definition, which are on NUMA node 0 by definition, so this is invarient on most systems. Tested on fam10h and fam15h single and multi-fabric systems and candidate for stable. Signed-off-by: Daniel J Blueman Acked-by: Steffen Persvold Acked-by: Borislav Petkov Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a6ea2faeff2d839b2ad1f8e9921d02e502669c69 Author: Linus Torvalds Date: Fri Mar 7 18:58:40 2014 -0800 x86: fix compile error due to X86_TRAP_NMI use in asm files commit b01d4e68933ec23e43b1046fa35d593cefcf37d1 upstream. It’s an enum, not a #define, you can’t use it in asm files. Introduced in commit 5fa10196bdb5 (“x86: Ignore NMIs that come in during early boot”), and sadly I didn’t compile-test things like I should have before pushing out. My weak excuse is that the x86 tree generally doesn’t introduce stupid things like this (and the ARM pull afterwards doesn’t cause me to do a compile-test either, since I don’t cross-compile). Cc: Don Zickus Cc: H. Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 28a3bffbd681ddf2f89c2edb9c8238b9bfdf6b62 Author: H. Peter Anvin Date: Fri Mar 7 15:05:20 2014 -0800 x86: Ignore NMIs that come in during early boot commit 5fa10196bdb5f190f595ebd048490ee52dddea0f upstream. Don Zickus reports: A customer generated an external NMI using their iLO to test kdump worked. Unfortunately, the machine hung. Disabling the nmi_watchdog made things work. I speculated the external NMI fired, caused the machine to panic (as expected) and the perf NMI from the watchdog came in and was latched. My guess was this somehow caused the hang. ---- It appears that the latched NMI stays latched until the early page table generation on 64 bits, which causes exceptions to happen which end in IRET, which re-enable NMI. Therefore, ignore NMIs that come in during early execution, until we have proper exception handling. Reported-and-tested-by: Don Zickus Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 7622f5047de6c1f4eb799cd5dc6726dc1f872dfa Author: Markus Pargmann Date: Thu Feb 20 17:36:03 2014 +0100 regulator: core: Replace direct ops->enable usage commit 30c219710358c5cca2f8bd2e9e547c6aadf7cf8b upstream. There are some direct ops->enable in the regulator core driver. This is a potential issue as the function _regulator_do_enable() handles gpio regulators and the normal ops->enable calls. These gpio regulators are simply ignored when ops->enable is called directly. One possible bug is that boot-on and always-on gpio regulators are not enabled on registration. This patch replaces all ops->enable calls by _regulator_do_enable. [Handle missing enable operations – broonie] Signed-off-by: Markus Pargmann Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ac0b124ab251e33d17c7b8179e6966949e6ef570 Author: Linus Walleij Date: Tue Feb 25 22:41:41 2014 +0100 ARM: 7991/1: sa1100: fix compile problem on Collie commit 052450fdc55894a39fbae93d9bbe43947956f663 upstream. Due to a problem in the MFD Kconfig it was not possible to compile the UCB battery driver for the Collie SA1100 system, in turn making it impossible to compile in the battery driver. (See patch "mfd: include all drivers in subsystem menu".) After fixing the MFD Kconfig (separate patch) a compile error appears in the Collie battery driver due to the implicitly requiring through via prior to commit 40ca061b “ARM: 7841/1: sa1100: remove complex GPIO interface". Fix this up by including the required header into . Cc: Andrea Adami Cc: Dmitry Eremin-Solenikov Signed-off-by: Linus Walleij Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit efc489ecfa3cdb6fa01a7d4d21c136a7aaee54f3 Author: Russell King Date: Wed Feb 26 19:40:46 2014 +0000 ARM: fix noMMU kallsyms symbol filtering commit 006fa2599bf0daf107cbb7a8a99fcfb9a998a169 upstream. With noMMU, CONFIG_PAGE_OFFSET was not being set correctly. As there’s no MMU, PAGE_OFFSET should be equal to PHYS_OFFSET in all cases. This commit makes that explicit. Since we do this, we don’t need to mess around in asm/memory.h with ifdefs to sort this out, so let’s get rid of that, and there’s no point offering the “Memory split” option for noMMU as that’s meaningless there. Fixes: b9b32bf70f2f (“ARM: use linker magic for vectors and vector stubs”) Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 2347fd9993606f8c3bc4326179bf220afc4fe07f Author: Russell King Date: Mon Mar 3 14:49:51 2014 +0000 DRM: armada: fix use of kfifo_put() commit d13c46c67e546bb1dc1c4dc7c43e388d0119276b upstream. The kfifo_put() API changed in 498d319bb512 (kfifo API type safety) which now results in the wrong pointer being added to the kfifo ring, which then causes an oops. Fix this. Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 63efcd401368beb67b84b7d6306386a12946d226 Author: Anton Blanchard Date: Tue Mar 4 08:31:24 2014 +1100 powerpc: Align p_dyn, p_rela and p_st symbols commit a5b2cf5b1af424ee3dd9e3ce6d5cea18cb927e67 upstream. The 64bit relocation code places a few symbols in the text segment. These symbols are only 4 byte aligned where they need to be 8 byte aligned. Add an explicit alignment. Signed-off-by: Anton Blanchard Tested-by: Laurent Dufour Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 11758f94f70a50fdfe8c32fcadc76d60e3ce8b15 Author: Michael Neuling Date: Mon Mar 3 14:21:40 2014 +1100 powerpc/tm: Fix crash when forking inside a transaction commit 621b5060e823301d0cba4cb52a7ee3491922d291 upstream. When we fork/clone we currently don’t copy any of the TM state to the new thread. This results in a TM bad thing (program check) when the new process is switched in as the kernel does a tmrechkpt with TEXASR FS not set. Also, since R1 is from userspace, we trigger the bad kernel stack pointer detection. So we end up with something like this: Bad kernel stack pointer 0 at c0000000000404fc cpu 0x2: Vector: 700 (Program Check) at [c00000003ffefd40] pc: c0000000000404fc: restore_gprs+0xc0/0x148 lr: 0000000000000000 sp: 0 msr: 9000000100201030 current = 0xc000001dd1417c30 paca = 0xc00000000fe00800 softe: 0 irq_happened: 0x01 pid = 0, comm = swapper/2 WARNING: exception is not recoverable, can’t continue The below fixes this by flushing the TM state before we copy the task_struct to the clone. To do this we go through the tmreclaim patch, which removes the checkpointed registers from the CPU and transitions the CPU out of TM suspend mode. Hence we need to call tmrechkpt after to restore the checkpointed state and the TM mode for the current task. To make this fail from userspace is simply: tbegin li r0, 2 sc Kudos to Adhemerval Zanella Neto for finding this. Signed-off-by: Michael Neuling cc: Adhemerval Zanella Neto Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit b5814b7c640b4ddc9f0b77a0bda0e2cd3fc29266 Author: Chen-Yu Tsai Date: Tue Feb 11 00:22:37 2014 +0800 pinctrl: sunxi: use chained_irq_{enter, exit} for GIC compatibility commit 905a5117e79367b7e58ae046d12ca9961f048c89 upstream. On tha Allwinner A20 SoC, the external interrupts on the pin controller device are connected to the GIC. Without chained_irq_{enter, exit}, external GPIO interrupts, such as used by mmc core card detect, cause the system to hang. This issue was first encountered during my attempt to get out-of-band interrupts for WiFi on the Cubietruck working. With David’s new series of sunci-mci using mmc slot-gpio for (GPIO interrupt based) card detection, removing the SD card also causes my Cubietruck to hang. This problem should extend to all Allwinner A20 based boards. With this fix, the system no longer hangs when I remove or insert the SD card. /proc/interrupts show that the interrupt has correctly fired. However the system still does not detect card removal/insertion. I believe this is another unrelated issue. Signed-off-by: Chen-Yu Tsai Acked-by: Maxime Ripard Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 0986f8dcd0bfbb8e08d1d3608f4a30df6b511d27 Author: Takashi Iwai Date: Fri Mar 7 08:37:19 2014 +0100 ALSA: hda - Fix loud click noise with IdeaPad 410Y commit 9b745ab897199c2af9f21ca9681ef86d5b971002 upstream. Lenovo IdeaPad 410Y with ALC282 codec makes loud click noises at boot and shutdown. Also, it wrongly misdetects the acpi_thinkpad hook. This patch adds a device-specific fixup for disabling the shutup callback that is the cause of the click noise and also avoiding the thinpad_helper calls. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=71511 Reported-and-tested-by: Guilherme Amadio Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dfb75ea6ce2a965038e743e8b08cc44fec24e50d Author: Takashi Iwai Date: Wed Mar 5 12:00:29 2014 +0100 ALSA: hda - Use analog beep for Thinkpads with AD1984 codecs commit f3e9b59cb948e2328bc06635ad39572d5b7b4791 upstream. For making the driver behavior compatible with the earlier kernels, use the analog beep in the loopback path instead of the digital beep. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6cf3524adc82270715bb8ef1fa628c92f747f284 Author: Takashi Iwai Date: Wed Mar 5 11:52:24 2014 +0100 ALSA: hda - Add missing loopback merge path for AD1884/1984 codecs commit c5eda4c1bf6214332c46fb2f4e7c42a85e5e5643 upstream. The mixer widget (NID 0x20) of AD1884 and AD1984 codecs isn’t connected directly to the actual I/O paths but only via another mixer widget (NID 0x21). We need a similar fix as we did for AD1882. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 646234ad18161cf8829ae342f47141777f18d698 Author: Hui Wang Date: Tue Mar 4 16:20:18 2014 +0800 ALSA: hda - add automute fix for another dell AIO model commit 3b4467522630b7ea0d65a691007ef0a93d471f8f upstream. When plugging a headphone or headset, lots of noise is heard from internal speaker, after changing the automute via amp instead of pinctl, the noise disappears. BugLink: https://bugs.launchpad.net/bugs/1268468 Cc: David Henningsson Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b663d40c4f4188fa1e3285e30bec644b8a9ae70e Author: Marius Knaust Date: Mon Mar 3 01:48:58 2014 +0100 ALSA: hda - Added inverted digital-mic handling for Acer TravelMate 8371 commit a6b92b6650d010d58b6e6fe42c6271266e0b1134 upstream. Signed-off-by: Marius Knaust Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6c93dda1b41614d253a7b6fd66fcde5c42e92f5f Author: Takashi Iwai Date: Wed Mar 5 12:34:39 2014 +0100 ALSA: usb-audio: Add quirk for Logitech Webcam C500 commit e805ca8b0a9b6c91099c0eaa4b160a1196a4ae25 upstream. Logitech C500 (046d:0807) needs the same workaround like other Logitech Webcams. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 93a53db4634ac72fb01bca45da35c4b64090a238 Author: Roman Volkov Date: Fri Jan 24 16:18:14 2014 +0400 ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2 commit 3dd77654fb1d7f68b9739f3039bad8dbbc0739f8 upstream. Actually CS4245 connected to the I2S channel 1 for capture, not channel 2. Otherwise capturing and playback does not work for CS4245. Signed-off-by: Roman Volkov Signed-off-by: Clemens Ladisch Signed-off-by: Greg Kroah-Hartman commit 103f448ae7fca76762d074cc3e5ca57f2ad86ef9 Author: Rob Clark Date: Wed Mar 12 10:59:37 2014 -0400 drm/ttm: don’t oops if no invalidate_caches() commit 9ef7506f7eff3fc42724269f62e30164c141661f upstream. A few of the simpler TTM drivers (cirrus, ast, mgag200) do not implement this function. Yet can end up somehow with an evicted bo: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) PGD 16e761067 PUD 16e6cf067 PMD 0 Oops: 0010 [#1] SMP Modules linked in: bnep bluetooth rfkill fuse ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables sg btrfs zlib_deflate raid6_pq xor dm_queue_length iTCO_wdt iTCO_vendor_support coretemp kvm dcdbas dm_service_time microcode serio_raw pcspkr lpc_ich mfd_core i7core_edac edac_core ses enclosure ipmi_si ipmi_msghandler shpchp acpi_power_meter mperf nfsd auth_rpcgss nfs_acl lockd uinput sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sr_mod cdrom sd_mod usb_storage mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit lpfc drm_kms_helper ttm crc32c_intel ata_piix bfa drm ixgbe libata i2c_core mdio crc_t10dif ptp crct10dif_common pps_core scsi_transport_fc dca scsi_tgt megaraid_sas bnx2 dm_mirror dm_region_hash dm_log dm_mod CPU: 16 PID: 2572 Comm: X Not tainted 3.10.0-86.el7.x86_64 #1 Hardware name: Dell Inc. PowerEdge R810/0H235N, BIOS 0.3.0 11/14/2009 task: ffff8801799dabc0 ti: ffff88016c884000 task.ti: ffff88016c884000 RIP: 0010:[<0000000000000000>] [< (null)>] (null) RSP: 0018:ffff88016c885ad8 EFLAGS: 00010202 RAX: ffffffffa04e94c0 RBX: ffff880178937a20 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000240004 RDI: ffff880178937a00 RBP: ffff88016c885b60 R08: 00000000000171a0 R09: ffff88007cf171a0 R10: ffffea0005842540 R11: ffffffff810487b9 R12: ffff880178937b30 R13: ffff880178937a00 R14: ffff88016c885b78 R15: ffff880179929400 FS: 00007f81ba2ef980(0000) GS:ffff88007cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000016e763000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffffffffa0306fae ffff8801799295c0 0000000000260004 0000000000000001 ffff88016c885b60 ffffffffa0307669 00ff88007cf17738 ffff88017cf17700 ffff880178937a00 ffff880100000000 ffff880100000000 0000000079929400 Call Trace: [] ? ttm_bo_handle_move_mem+0x54e/0x5b0 [ttm] [] ? ttm_bo_mem_space+0x169/0x340 [ttm] [] ttm_bo_move_buffer+0x117/0x130 [ttm] [] ? perf_event_init_context+0x141/0x220 [] ttm_bo_validate+0xc1/0x130 [ttm] [] mgag200_bo_pin+0x87/0xc0 [mgag200] [] mga_crtc_cursor_set+0x474/0xbb0 [mgag200] [] ? __mem_cgroup_commit_charge+0x152/0x3b0 [] ? mutex_lock+0x12/0x2f [] drm_mode_cursor_common+0x123/0x170 [drm] [] drm_mode_cursor_ioctl+0x41/0x50 [drm] [] drm_ioctl+0x502/0x630 [drm] [] ? __do_page_fault+0x1f4/0x510 [] ? __restore_xstate_sig+0x218/0x4f0 [] do_vfs_ioctl+0x2e5/0x4d0 [] ? file_has_perm+0x8e/0xa0 [] SyS_ioctl+0x81/0xa0 [] system_call_fastpath+0x16/0x1b Code: Bad RIP value. RIP [< (null)>] (null) RSP CR2: 0000000000000000 Signed-off-by: Rob Clark Reviewed-by: Jérôme Glisse Reviewed-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman commit 3d74ef5bc0c7de5e35c7559cecf90c705f74c4f9 Author: Lauri Kasanen Date: Fri Feb 28 20:50:23 2014 +0200 drm/radeon: TTM must be init with cpu-visible VRAM, v2 commit 14eedc32a3c0ec9dd70448a73763ee21feae3111 upstream. Without this, a bo may get created in the cpu-inaccessible vram. Before the CP engines get setup, all copies are done via cpu memcpy. This means that the cpu tries to read from inaccessible memory, fails, and the radeon module proceeds to disable acceleration. Doing this has no downsides, as the real VRAM size gets set as soon as the CP engines get init. This is a candidate for 3.14 fixes. v2: Add comment on why the function is used Signed-off-by: Lauri Kasanen Signed-off-by: Alex Deucher Reviewed-by: Christian König Signed-off-by: Greg Kroah-Hartman commit eb11b51a8c1e66cdec83cadd06368b473a923c64 Author: Ben Hutchings Date: Thu Feb 6 01:00:41 2014 +0000 perf trace: Decode architecture-specific signal numbers commit 02c5bb4a352a4cca56e9b5d3a2a57d61062eb2e1 upstream. SIGSTKFLT is not defined on alpha, mips or sparc. SIGEMT and SIGSWI are defined on some architectures and should be decoded here if so. Signed-off-by: Ben Hutchings Fixes: 8bad5b0abfdb (‘perf trace: Beautify signal number arg in several syscalls’) Cc: Ingo Molnar Cc: Paul Mackerras Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit a34ac1c897ff2f45d27a3a67d4443d2206237184 Author: Vineet Gupta Date: Fri Mar 7 13:22:22 2014 +0530 ARC: Use correct PTAG register for icache flush commit b053940df41808f0f27568eb36820d10a8a987f8 upstream. This fixes a subtle issue with cache flush which could potentially cause random userspace crashes because of stale icache lines. This error crept in when consolidating the cache flush code Fixes: bd12976c3664 (ARC: cacheflush refactor #3: Unify the {d,i}cache) Signed-off-by: Vineet Gupta Cc: [email protected] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 151f4364c35d22fd5d38f55d54f2ac02ab17dbe9 Author: Amitkumar Karwar Date: Tue Mar 4 18:43:14 2014 -0800 mwifiex: save and copy AP’s VHT capability info correctly commit d51246481c7f28bbfa1f814ded2da65e531cd4b2 upstream. While preparing association request, intersection of device’s VHT capability information and corresponding field advertised by AP is used. This patch fixes a couple errors while saving and copying vht_cap and vht_oper fields from AP’s beacon. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit cb00ded416c7eff5490508f05e1be65617f7de82 Author: Amitkumar Karwar Date: Tue Mar 4 18:43:13 2014 -0800 mwifiex: copy AP’s HT capability info correctly commit c99b1861c232e1f641f13b8645e0febb3712cc71 upstream. While preparing association request, intersection of device’s HT capability information and corresponding fields advertised by AP is used. This patch fixes an error while copying this field from AP’s beacon. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 31ff38d4a3e963386862fa629783419763a9512e Author: Bing Zhao Date: Wed Feb 26 20:11:22 2014 -0800 mwifiex: do not advertise usb autosuspend support commit adb07df1e039e9fe43e66aeea8b4771f83659dbb upstream. As many Surface Pro I & II users have found out, the mwifiex_usb doesn’t support usb autosuspend, and it has caused some system stability issues. Bug 69661 - mwifiex_usb on MS Surface Pro 1 is unstable Bug 60815 - Interface hangs in mwifiex_usb Bug 64111 - mwifiex_usb USB8797 crash failed to get signal information USB autosuspend get triggered when Surface Pro’s AC power is removed or powertop enables power saving on USB8797 device. Driver’s suspend handler is called here, but resume handler won’t be called until the AC power is put back on or powertop disables power saving for USB8797. We need to refactor the suspend/resume handlers to support usb autosuspend properly. For now let’s just remove it. Signed-off-by: Bing Zhao Signed-off-by: Amitkumar Karwar Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f3ae134c0c5c3767e81507b8f49b9beeb5871c05 Author: Amitkumar Karwar Date: Tue Feb 18 15:41:56 2014 -0800 mwifiex: fix cmd and Tx data timeout issue for PCIe cards commit 1c97560f6d751a620978504a4a888c631192b71a upstream. We are sending sleep confirm done interrupt in the middle of sleep handshake. There is a corner case when Tx done interrupt is received from firmware during sleep handshake due to which host and firmware power states go out of sync causing cmd and Tx data timeout problem. Hence sleep confirm done interrupt is sent at the end of sleep handshake to fix the problem. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2bfadc170480d3bb9314eb17bab68f6d65377097 Author: Amitkumar Karwar Date: Tue Feb 18 15:41:55 2014 -0800 mwifiex: add NULL check for PCIe Rx skb commit bb8e6a1ee881d131e404f0f1f5e8dc9281002771 upstream. We may get a NULL pointer here if skb allocation for Rx packet was failed earlier. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 193e9c47e093b57911599eec73fd6b137dd90ffa Author: Avinash Patil Date: Tue Feb 18 15:41:54 2014 -0800 mwifiex: clean pcie ring only when device is present commit 4f7ba432202c8330cc03ab959c6228d0de5dc4a3 upstream. Write io memory to clean PCIe buffer only when PCIe device is present else this results into crash because of invalid memory access. Signed-off-by: Avinash Patil Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 45e5cb4f43d33e72ff5f98c80b081eb42e4e4182 Author: Emmanuel Grumbach Date: Wed Feb 12 15:15:05 2014 +0200 iwlwifi: disable TX AMPDU by default for iwldvm commit 205e2210daa975d92ace485a65a31ccc4077fe1a upstream. NICs supported by iwldvm don’t handle well TX AMPDU. Disable it by default, still leave the possibility to the user to force enable it with a debug parameter. NICs supported by iwlmvm don’t suffer from the same issue, leave TX AMPDU enabled by default for these. Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit b5ce1c5cd3058743b9b5e083e6be6dd517672e0e Author: Emmanuel Grumbach Date: Tue Mar 4 10:28:23 2014 +0200 iwlwifi: mvm: don’t WARN when statistics are handled late commit 1e9291996c4eedf79883f47ec635235e39d3d6cd upstream. Since the statistics handler is asynchrous, it can very well be that we will handle the statistics (hence the RSSI fluctuation) when we already disassociated. Don’t WARN on this case. This solves: https://bugzilla.redhat.com/show_bug.cgi?id=1071998 Fixes: 2b76ef13086f (“iwlwifi: mvm: implement reduced Tx power”) Reviewed-by: Johannes Berg Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 7ea0a7368b4a33158385e542b25a9364bf3a1e60 Author: Johannes Berg Date: Tue Feb 25 10:37:15 2014 +0100 iwlwifi: fix TX status for aggregated packets commit 143582c6847cb285b361804c613127c25de60ca4 upstream. Only the first packet is currently handled correctly, but then all others are assumed to have failed which is problematic. Fix this, marking them all successful instead (since if they’re not then the firmware will have transmitted them as single frames.) This fixes the lost packet reporting. Also do a tiny variable scoping cleanup. Signed-off-by: Johannes Berg [Add the dvm part] Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 3cc6e41b3522982d2c230b654d3251f0e9d6d756 Author: Emmanuel Grumbach Date: Tue Feb 18 10:30:18 2014 +0200 iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails commit ec6f678c74dbdb06a6a775bbb00f1d26c17c404b upstream. We set IWL_STA_UCODE_INPROGRESS flag when we add a station and clear it when we send the LQ command for it. But the LQ command is sent only when the association succeeds. If the association doesn’t succeed, we would leave this flag set and that wouldn’t indicate the station entry as vacant. This probably fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1065663 Reviewed-by: Johannes Berg Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 0da54ae17dd4ed21172b1dd8777bd2fa66e48132 Author: Max Stepanov Date: Sun Feb 16 16:36:57 2014 +0200 iwlwifi: mvm: change of listen interval from 70 to 10 commit e7eb65cac0720df8b3946af7f7a9dc363cf0a814 upstream. Some APs reject STA association request if a listen interval value exceeds a threshold of 10. Thus, for example, Cisco APs may deny STA associations returning status code 12 (Association denied due to reason outside the scope of 802.11 standard) in the association response frame. Fixing the issue by setting the default IWL_CONN_MAX_LISTEN_INTERVAL value from 70 to 10. Signed-off-by: Max Stepanov Reviewed-by: Alexander Bondar Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit aece9b1c232183e35079ef96bf3547f85e5ac4ed Author: Felix Fietkau Date: Mon Feb 24 22:26:06 2014 +0100 ath9k: fix invalid descriptor discarding commit b7b146c9c9a0248cc57da71244f672ebc54bbef1 upstream. Only set sc->rx.discard_next to rx_stats->rs_more when actually discarding the current descriptor. Also, fix a detection of broken descriptors: First the code checks if the current descriptor is not done. Then it checks if the next descriptor is done. Add a check that afterwards checks the first descriptor again, because it might have been completed in the mean time. This fixes a regression introduced in commit 723e711356b5a8a95728a890e254e8b0d47b55cf “ath9k: fix handling of broken descriptors” Reported-by: Marco André Dinis Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 179c5b22373511b9e8f73183f03d89e92278ab3e Author: Felix Fietkau Date: Sat Feb 22 13:48:19 2014 +0100 ath9k: fix ps-poll responses under a-mpdu sessions commit 558ff225de80ac95b132d3a115ddadcd64498b4f upstream. When passing tx frames to the U-APSD queue for powersave poll responses, the ath_atx_tid pointer needs to be passed to ath_tx_setup_buffer for proper sequence number accounting. This fixes high latency and connection stability issues with ath9k running as AP and a few kinds of mobile phones as client, when PS-Poll is heavily used Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 32a043df6119a09384ba7b11659237ad2b527d79 Author: Stanislaw Gruszka Date: Wed Feb 19 13:15:17 2014 +0100 ath9k: protect tid->sched check commit 21f8aaee0c62708654988ce092838aa7df4d25d8 upstream. We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That is race condition which can result of doing list_del(&tid->list) twice (second time with poisoned list node) and cause crash like shown below: [424271.637220] BUG: unable to handle kernel paging request at 00100104 [424271.637328] IP: [] ath_tx_aggr_sleep+0x62/0xe0 [ath9k] … [424271.639953] Call Trace: [424271.639998] [] ? ath9k_get_survey+0x110/0x110 [ath9k] [424271.640083] [] ath9k_sta_notify+0x42/0x50 [ath9k] [424271.640177] [] sta_ps_start+0x8f/0x1c0 [mac80211] [424271.640258] [] ? free_compound_page+0x2e/0x40 [424271.640346] [] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211] [424271.640437] [] ? kmem_cache_free+0x1d8/0x1f0 [424271.640510] [] ? kfree_skbmem+0x34/0x90 [424271.640578] [] ? put_page+0x2c/0x40 [424271.640640] [] ? kfree_skbmem+0x34/0x90 [424271.640706] [] ? kfree_skbmem+0x34/0x90 [424271.640787] [] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211] [424271.640897] [] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211] [424271.641009] [] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211] [424271.641104] [] ? ip_output+0x7e/0xd0 [424271.641182] [] ieee80211_rx+0x307/0x7c0 [mac80211] [424271.641266] [] ath_rx_tasklet+0x88e/0xf70 [ath9k] [424271.641358] [] ? ieee80211_rx+0x1dc/0x7c0 [mac80211] [424271.641445] [] ath9k_tasklet+0xcb/0x130 [ath9k] Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=70551 Reported-and-tested-by: Max Sydorenko Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4f43875080345abf7f2179277c80c9d2aac03242 Author: Sujith Manoharan Date: Fri Feb 14 08:15:20 2014 +0530 ath9k: Fix ETSI compliance for AR9462 2.0 commit b3050248c167871ca52cfdb2ce78aa2460249346 upstream. The minimum CCA power threshold values have to be adjusted for existing cards to be in compliance with new regulations. Newer cards will make use of the values obtained from EEPROM, support for this was added earlier. To make sure that cards that are already in use and don’t have proper values in EEPROM, do not violate regulations, use the initvals instead. Reported-by: Jeang Daniel Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit da7167c516e89a1f21a89fe330e7fbc788fcc5cd Author: Johannes Berg Date: Tue Mar 4 13:46:53 2014 +0100 mac80211: clear sequence/fragment number in QoS-null frames commit 864a6040f395464003af8dd0d8ca86fed19866d4 upstream. Avoid leaking data by sending uninitialized memory and setting an invalid (non-zero) fragment number (the sequence number is ignored anyway) by setting the seq_ctrl field to zero. Fixes: 3f52b7e328c5 (“mac80211: mesh power save basics”) Fixes: ce662b44ce22 (“mac80211: send (QoS) Null if no buffered frames”) Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 9d4db3ae507ad9b6865bb0d169edaa4f65986c4a Author: Johannes Berg Date: Thu Feb 27 20:47:53 2014 +0100 mac80211: fix association to 20/40 MHz VHT networks commit cb664981607a6b5b3d670ad57bbda893b2528d96 upstream. When a VHT network uses 20 or 40 MHz as per the HT operation information, the channel center frequency segment 0 field in the VHT operation information is reserved, so ignore it. This fixes association with such networks when the AP puts 0 into the field, previously we’d disconnect due to an invalid channel with the message wlan0: AP VHT information is invalid, disable VHT Fixes: f2d9d270c15ae (“mac80211: support VHT association”) Reported-by: Tim Nelson Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit ad9a120c6d56834e693a2490e636f7609e6587ba Author: Johannes Berg Date: Fri Feb 21 20:34:34 2014 +0100 mac80211: don’t validate unchanged AP bandwidth while tracking commit 963a1852fbac4f75a2d938fa2e734ef1e6d4c044 upstream. The MLME code in mac80211 must track whether or not the AP changed bandwidth, but if there’s no change while tracking it shouldn’t do anything, otherwise regulatory updates can make it impossible to connect to certain APs if the regulatory database doesn’t match the information from the AP. See the precise scenario described in the code. This still leaves some possible problems with CSA or if the AP actually changed bandwidth, but those cases are less common and won’t completely prevent using it. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=70881 Reported-and-tested-by: Nate Carlson Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit fcb6d3c79824d350893edfa7b50d6ba1f670c4ec Author: Emmanuel Grumbach Date: Thu Feb 20 09:22:11 2014 +0200 mac80211: fix AP powersave TX vs. wakeup race commit 1d147bfa64293b2723c4fec50922168658e613ba upstream. There is a race between the TX path and the STA wakeup: while a station is sleeping, mac80211 buffers frames until it wakes up, then the frames are transmitted. However, the RX and TX path are concurrent, so the packet indicating wakeup can be processed while a packet is being transmitted. This can lead to a situation where the buffered frames list is emptied on the one side, while a frame is being added on the other side, as the station is still seen as sleeping in the TX path. As a result, the newly added frame will not be send anytime soon. It might be sent much later (and out of order) when the station goes to sleep and wakes up the next time. Additionally, it can lead to the crash below. Fix all this by synchronising both paths with a new lock. Both path are not fastpath since they handle PS situations. In a later patch we’ll remove the extra skb queue locks to reduce locking overhead. BUG: unable to handle kernel NULL pointer dereference at 000000b0 IP: [] ieee80211_report_used_skb+0x11/0x3e0 [mac80211] *pde = 00000000 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC EIP: 0060:[] EFLAGS: 00210282 CPU: 1 EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211] EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000 ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff0ff0 DR7: 00000400 Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000) iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9 Stack: e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0 ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210 ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002 Call Trace: [] ieee80211_free_txskb+0x15/0x20 [mac80211] [] invoke_tx_handlers+0x1661/0x1780 [mac80211] [] ieee80211_tx+0x75/0x100 [mac80211] [] ieee80211_xmit+0x8f/0xc0 [mac80211] [] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211] [] dev_hard_start_xmit+0x450/0x950 [] sch_direct_xmit+0xa9/0x250 [] __qdisc_run+0x4b/0x150 [] dev_queue_xmit+0x2c2/0xca0 Reported-by: Yaara Rozenblum Signed-off-by: Emmanuel Grumbach Reviewed-by: Stanislaw Gruszka [reword commit log, use a separate lock] Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit ce343c6775c58b43db41fce40fb61a298e35a6a9 Author: Felix Fietkau Date: Tue Feb 11 16:02:47 2014 +0100 mac80211: send control port protocol frames to the VO queue commit 1bf4bbb4024dcdab5e57634dd8ae1072d42a53ac upstream. Improves reliability of wifi connections with WPA, since authentication frames are prioritized over normal traffic and also typically exempt from aggregation. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 29ae1150cde8790a54da9c718cc3b32c851eb96d Author: Vlad Yasevich Date: Mon Mar 3 15:33:53 2014 -0500 macvlan: Add support for ‘always_on’ offload features [ Upstream commit 8b4703e9bd1172a5f8244276ebb94302e6153e26 ] Macvlan currently inherits all of its features from the lower device. When lower device disables offload support, this causes macvlan to disable offload support as well. This causes performance regression when using macvlan/macvtap in bridge mode. It can be easily demonstrated by creating 2 namespaces using macvlan in bridge mode and running netperf between them: MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 20.00 1204.61 To restore the performance, we add software offload features to the list of “always_on” features for macvlan. This way when a namespace or a guest using macvtap initially sends a packet, this packet will not be segmented at macvlan level. It will only be segmented when macvlan sends the packet to the lower device. MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.0.1 () port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 87380 16384 16384 20.00 5507.35 Fixes: 6acf54f1cf0a6747bac9fea26f34cfc5a9029523 (macvtap: Add support of packet capture on macvtap device.) Fixes: 797f87f83b60685ff8a13fa0572d2f10393c50d3 (macvlan: fix netdev feature propagation from lower device) CC: Florian Westphal CC: Christian Borntraeger CC: Jason Wang CC: Michael S. Tsirkin Tested-by: Christian Borntraeger Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 265a589f4b621022b591977c4a16c8173be7a11b Author: Daniel Borkmann Date: Mon Mar 3 17:23:04 2014 +0100 net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable [ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ] RFC4895 introduced AUTH chunks for SCTP; during the SCTP handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS being optional though): ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- -------------------- COOKIE-ECHO --------------------> <-------------------- COOKIE-ACK --------------------- A special case is when an endpoint requires COOKIE-ECHO chunks to be authenticated: ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- ------------------ AUTH; COOKIE-ECHO ----------------> <-------------------- COOKIE-ACK --------------------- RFC4895, section 6.3. Receiving Authenticated Chunks says: The receiver MUST use the HMAC algorithm indicated in the HMAC Identifier field. If this algorithm was not specified by the receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk during association setup, the AUTH chunk and all the chunks after it MUST be discarded and an ERROR chunk SHOULD be sent with the error cause defined in Section 4.1. […] If no endpoint pair shared key has been configured for that Shared Key Identifier, all authenticated chunks MUST be silently discarded. […] When an endpoint requires COOKIE-ECHO chunks to be authenticated, some special procedures have to be followed because the reception of a COOKIE-ECHO chunk might result in the creation of an SCTP association. If a packet arrives containing an AUTH chunk as a first chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more chunks after them, and the receiver does not have an STCB for that packet, then authentication is based on the contents of the COOKIE-ECHO chunk. In this situation, the receiver MUST authenticate the chunks in the packet by using the RANDOM parameters, CHUNKS parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO chunk, and possibly a local shared secret as inputs to the authentication procedure specified in Section 6.3. If authentication fails, then the packet is discarded. If the authentication is successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO MUST be processed. If the receiver has an STCB, it MUST process the AUTH chunk as described above using the STCB from the existing association to authenticate the COOKIE-ECHO chunk and all the chunks after it. […] Commit bbd0d59809f9 introduced the possibility to receive and verification of AUTH chunk, including the edge case for authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, the function sctp_sf_do_5_1D_ce() handles processing, unpacks and creates a new association if it passed sanity checks and also tests for authentication chunks being present. After a new association has been processed, it invokes sctp_process_init() on the new association and walks through the parameter list it received from the INIT chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO and SCTP_PARAM_CHUNKS, and copies them into asoc->peer meta data (peer_random, peer_hmacs, peer_chunks) in case sysctl -w net.sctp.auth_enable=1 is set. If in INIT’s SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, peer_random != NULL and peer_hmacs != NULL the peer is to be assumed asoc->peer.auth_capable=1, in any other case asoc->peer.auth_capable=0. Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is available, we set up a fake auth chunk and pass that on to sctp_sf_authenticate(), which at latest in sctp_auth_calculate_hmac() reliably dereferences a NULL pointer at position 0…0008 when setting up the crypto key in crypto_hash_setkey() by using asoc->asoc_shared_key that is NULL as condition key_id == asoc->active_key_id is true if the AUTH chunk was injected correctly from remote. This happens no matter what net.sctp.auth_enable sysctl says. The fix is to check for net->sctp.auth_enable and for asoc->peer.auth_capable before doing any operations like sctp_sf_authenticate() as no key is activated in sctp_auth_asoc_init_active_key() for each case. Now as RFC4895 section 6.3 states that if the used HMAC-ALGO passed from the INIT chunk was not used in the AUTH chunk, we SHOULD send an error; however in this case it would be better to just silently discard such a maliciously prepared handshake as we didn’t even receive a parameter at all. Also, as our endpoint has no shared key configured, section 6.3 says that MUST silently discard, which we are doing from now onwards. Before calling sctp_sf_pdiscard(), we need not only to free the association, but also the chunk->auth_chunk skb, as commit bbd0d59809f9 created a skb clone in that case. I have tested this locally by using netfilter’s nfqueue and re-injecting packets into the local stack after maliciously modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) and the SCTP packet containing the COOKIE_ECHO (injecting AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk”) Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Cc: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3f1e8767921c95ff3fdea16b79540001374d9dfa Author: Xin Long Date: Mon Mar 3 20:18:36 2014 +0800 ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL pointer [ Upstream commit 10ddceb22bab11dab10ba645c7df2e4a8e7a5db5 ] when ip_tunnel process multicast packets, it may check if the packet is looped back packet though ‘rt_is_output_route(skb_rtable(skb))' in ip_tunnel_rcv(), but before that , skb->_skb_refdst has been dropped in iptunnel_pull_header(), so which leads to a panic. fix the bug: https://bugzilla.kernel.org/show_bug.cgi?id=70681 Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 80e7fb6d5e835c7f5aee0d860f4199640a7f2f13 Author: Michael Chan Date: Fri Feb 28 15:05:10 2014 -0800 tg3: Don’t check undefined error bits in RXBD [ Upstream commit d7b95315cc7f441418845a165ee56df723941487 ] Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes a customer reported issue of randomly dropping packets on the 5719. Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ff00f2f44b96edd9a31ba331f2c5bd2289ef8572 Author: Hans Schillstrom Date: Thu Feb 27 12:57:58 2014 +0100 ipv6: ipv6_find_hdr restore prev functionality [ Upstream commit accfe0e356327da5bd53da8852b93fc22de9b5fc ] The commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8 (“ipv6: improve ipv6_find_hdr() to skip empty routing headers”) broke ipv6_find_hdr(). When a target is specified like IPPROTO_ICMPV6 ipv6_find_hdr() returns -ENOENT when it’s found, not the header as expected. A part of IPVS is broken and possible also nft_exthdr_eval(). When target is -1 which it is most cases, it works. This patch exits the do while loop if the specific header is found so the nexthdr could be returned as expected. Reported-by: Art -kwaak- van Breemen Signed-off-by: Hans Schillstrom CC:Ansis Atteka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d93114e2bc720ccc75ff8defe490fbc987935bcb Author: Hiroaki SHIMODA Date: Wed Feb 26 21:43:42 2014 +0900 sch_tbf: Fix potential memory leak in tbf_change(). [ Upstream commit 724b9e1d75ab3401aaa081bd4efb440c1b3509db ] The allocated child qdisc is not freed in error conditions. Defer the allocation after user configuration turns out to be valid and acceptable. Fixes: cc106e441a63b (“net: sched: tbf: fix the calculation of max_size”) Signed-off-by: Hiroaki SHIMODA Cc: Yang Yingliang Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4de185063bc4585ef3b56775ec0f8057031f8cd5 Author: Edward Cree Date: Tue Feb 25 13:17:59 2014 +0000 sfc: check for NULL efx->ptp_data in efx_ptp_event [ Upstream commit 8f355e5cee63c2c0c145d8206c4245d0189f47ff ] If we receive a PTP event from the NIC when we haven’t set up PTP state in the driver, we attempt to read through a NULL pointer efx->ptp_data, triggering a panic. Signed-off-by: Edward Cree Acked-by: Shradha Shah Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 503f0b1c00d9d399701571c056fde026339b0be8 Author: Hannes Frederic Sowa Date: Mon Feb 24 00:48:05 2014 +0100 ipv4: ipv6: better estimate tunnel header cut for correct ufo handling [ Upstream commit 91a48a2e85a3b70ce10ead34b4ab5347f8d215c9 ] Currently the UFO fragmentation process does not correctly handle inner UDP frames. (The following tcpdumps are captured on the parent interface with ufo disabled while tunnel has ufo enabled, 2000 bytes payload, mtu 1280, both sit device): IPv6: 16:39:10.031613 IP (tos 0x0, ttl 64, id 3208, offset 0, flags [DF], proto IPv6 (41), length 1300) 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 1240) 2001::1 > 2001::8: frag (0x00000001:0|1232) 44883 > distinct: UDP, length 2000 16:39:10.031709 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPv6 (41), length 844) 192.168.122.151 > 1.1.1.1: IP6 (hlim 64, next-header Fragment (44) payload length: 784) 2001::1 > 2001::8: frag (0x00000001:0|776) 58979 > 46366: UDP, length 5471 We can see that fragmentation header offset is not correctly updated. (fragmentation id handling is corrected by 916e4cf46d0204 (“ipv6: reuse ip6_frag_id from ip6_ufo_append_data”)). IPv4: 16:39:57.737761 IP (tos 0x0, ttl 64, id 3209, offset 0, flags [DF], proto IPIP (4), length 1296) 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57034, offset 0, flags [none], proto UDP (17), length 1276) 192.168.99.1.35961 > 192.168.99.2.distinct: UDP, length 2000 16:39:57.738028 IP (tos 0x0, ttl 64, id 3210, offset 0, flags [DF], proto IPIP (4), length 792) 192.168.122.151 > 1.1.1.1: IP (tos 0x0, ttl 64, id 57035, offset 0, flags [none], proto UDP (17), length 772) 192.168.99.1.13531 > 192.168.99.2.20653: UDP, length 51109 In this case fragmentation id is incremented and offset is not updated. First, I aligned inet_gso_segment and ipv6_gso_segment: * align naming of flags * ipv6_gso_segment: setting skb->encapsulation is unnecessary, as we always ensure that the state of this flag is left untouched when returning from upper gso segmenation function * ipv6_gso_segment: move skb_reset_inner_headers below updating the fragmentation header data, we don’t care for updating fragmentation header data * remove currently unneeded comment indicating skb->encapsulation might get changed by upper gso_segment callback (gre and udp-tunnel reset encapsulation after segmentation on each fragment) If we encounter an IPIP or SIT gso skb we now check for the protocol == IPPROTO_UDP and that we at least have already traversed another ip(6) protocol header. The reason why we have to special case GSO_IPIP and GSO_SIT is that we reset skb->encapsulation to 0 while skb_mac_gso_segment the inner protocol of GSO_UDP_TUNNEL or GSO_GRE packets. Reported-by: Wolfgang Walter Cc: Cong Wang Cc: Tom Herbert Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7d6282f767f556a3427ad82e664ac3428295d71a Author: Hannes Frederic Sowa Date: Fri Feb 21 02:55:35 2014 +0100 ipv6: reuse ip6_frag_id from ip6_ufo_append_data [ Upstream commit 916e4cf46d0204806c062c8c6c4d1f633852c5b6 ] Currently we generate a new fragmentation id on UFO segmentation. It is pretty hairy to identify the correct net namespace and dst there. Especially tunnels use IFF_XMIT_DST_RELEASE and thus have no skb_dst available at all. This causes unreliable or very predictable ipv6 fragmentation id generation while segmentation. Luckily we already have pregenerated the ip6_frag_id in ip6_ufo_append_data and can use it here. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3a6c703c4c516eb40908d49220cd278c00d2e629 Author: Jason Wang Date: Fri Feb 21 13:08:04 2014 +0800 virtio-net: alloc big buffers also when guest can receive UFO [ Upstream commit 0e7ede80d929ff0f830c44a543daa1acd590c749 ] We should alloc big buffers also when guest can receive UFO packets to let the big packets fit into guest rx buffer. Fixes 5c5167515d80f78f6bb538492c423adcae31ad65 (virtio-net: Allow UFO feature to be set and advertised.) Cc: Rusty Russell Cc: Michael S. Tsirkin Cc: Sridhar Samudrala Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Acked-by: Rusty Russell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7450c98a062f36a6b86d305049468fe1bd3b9124 Author: Duan Jiong Date: Thu Feb 27 17:14:41 2014 +0800 neigh: recompute reachabletime before returning from neigh_periodic_work() [ Upstream commit feff9ab2e7fa773b6a3965f77375fe89f7fd85cf ] If the neigh table’s entries is less than gc_thresh1, the function will return directly, and the reachabletime will not be recompute, so the reachabletime can be guessed. Signed-off-by: Duan Jiong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4a7ca91f73c57607ec0bf71540a3a99dc22ce3cd Author: Eric Dumazet Date: Thu Feb 20 10:09:18 2014 -0800 net-tcp: fastopen: fix high order allocations [ Upstream commit f5ddcbbb40aa0ba7fbfe22355d287603dbeeaaac ] This patch fixes two bugs in fastopen : 1) The tcp_sendmsg(…, @size) argument was ignored. Code was relying on user not fooling the kernel with iovec mismatches 2) When MTU is about 64KB, tcp_send_syn_data() attempts order-5 allocations, which are likely to fail when memory gets fragmented. Fixes: 783237e8daf13 (“net-tcp: Fast Open client - sending SYN-data”) Signed-off-by: Eric Dumazet Cc: Yuchung Cheng Acked-by: Yuchung Cheng Tested-by: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d9c46adfdaee7290439d4474f28d771d9bcdf16 Author: Fernando Luis Vazquez Cao Date: Tue Feb 18 21:20:09 2014 +0900 tun: remove bogus hardware vlan acceleration flags from vlan_features [ Upstream commit 6671b2240c54585d4afb5286a29f1569fe5e40a8 ] Even though only the outer vlan tag can be HW accelerated in the transmission path, in the TUN/TAP driver vlan_features mirrors hw_features, which happens to have the NETIF_F_HW_VLAN_?TAG_TX flags set. Because of this, during packet tranmisssion through a stacked vlan device dev_hard_start_xmit, (incorrectly) assuming that the vlan device supports hardware vlan acceleration, does not add the vlan header to the skb payload and the inner vlan tags are lost (vlan_tci contains the outer vlan tag when userspace reads the packet from the tap device). Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Toshiaki Makita Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ed7806263aea63f3003937a406fa06780052694 Author: Toshiaki Makita Date: Tue Feb 18 21:20:08 2014 +0900 veth: Fix vlan_features so as to be able to use stacked vlan interfaces [ Upstream commit 8d0d21f4053c07714802cbe8b1fe26913ec296cc ] Even if we create a stacked vlan interface such as veth0.10.20, it sends single tagged frames (tagged with only vid 10). Because vlan_features of a veth interface has the NETIF_F_HW_VLAN_[CTAG/STAG]_TX bits, veth0.10 also has that feature, so dev_hard_start_xmit(veth0.10) doesn’t call __vlan_put_tag() and vlan_dev_hard_start_xmit(veth0.10) overwrites vlan_tci. This prevents us from using a combination of 802.1ad and 802.1Q in containers, etc. Signed-off-by: Toshiaki Makita Acked-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 62d7bd41bad0f286af6d2c046026908d140ee479 Author: Alexandre Bounine Date: Mon Mar 3 15:38:36 2014 -0800 rapidio/tsi721: fix tasklet termination in dma channel release commit 04379dffdd4da820d51a1566ad2e86f3b1ad97ed upstream. This patch is a modification of the patch originally proposed by Xiaotian Feng : https://lkml.org/lkml/2012/11/5/413 This new version disables DMA channel interrupts and ensures that the tasklet wil not be scheduled again before calling tasklet_kill(). Unfortunately the updated patch was not released at that time due to planned rework of Tsi721 mport driver to use threaded interrupts (which has yet to happen). Recently the issue was reported again: https://lkml.org/lkml/2014/2/19/762. Description from the original Xiaotian’s patch: “Some drivers use tasklet_disable in device remove/release process, tasklet_disable will inc tasklet->count and return. If the tasklet is not handled yet under some softirq pressure, the tasklet will be placed on the tasklet_vec, never have a chance to be excuted. This might lead to a heavy loaded ksoftirqd, wakeup with pending_softirq, but tasklet is disabled. tasklet_kill should be used in this case.” This patch is applicable to kernel versions starting from v3.5. Signed-off-by: Alexandre Bounine Cc: Matt Porter Cc: Xiaotian Feng Reviewed-by: Thomas Gleixner Cc: Mike Galbraith Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cc0187dade5a22dc084bf6de585a05bfd15118e2 Author: George McCollister Date: Tue Feb 18 17:56:51 2014 -0600 sched: Fix double normalization of vruntime commit 791c9e0292671a3bfa95286bb5c08129d8605618 upstream. dequeue_entity() is called when p->on_rq and sets se->on_rq = 0 which appears to guarentee that the !se->on_rq condition is met. If the task has done set_current_state(TASK_INTERRUPTIBLE) without schedule() the second condition will be met and vruntime will be incorrectly adjusted twice. In certain cases this can result in the task’s vruntime never increasing past the vruntime of other tasks on the CFS’ run queue, starving them of CPU time. This patch changes switched_from_fair() to use !p->on_rq instead of !se->on_rq. I’m able to cause a task with a priority of 120 to starve all other tasks with the same priority on an ARM platform running 3.2.51-rt72 PREEMPT RT by writing one character at time to a serial tty (16550 UART) in a tight loop. I’m also able to verify making this change corrects the problem on that platform and kernel version. Signed-off-by: George McCollister Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2cdb598f1cbd46457dd4947f8dce814dafcce4f8 Author: Hugh Dickins Date: Mon Mar 3 15:38:24 2014 -0800 memcg: fix endless loop in __mem_cgroup_iter_next() commit ce48225fe3b1b0d1fc9fceb96ac3d8a879e45114 upstream. Commit 0eef615665ed (“memcg: fix css reference leak and endless loop in mem_cgroup_iter”) got the interaction with the commit a few before it d8ad30559715 (“mm/memcg: iteration skip memcgs not yet fully initialized”) slightly wrong, and we didn’t notice at the time. It’s elusive, and harder to get than the original, but for a couple of days before rc1, I several times saw a endless loop similar to that supposedly being fixed. This time it was a tighter loop in __mem_cgroup_iter_next(): because we can get here when our root has already been offlined, and the ordering of conditions was such that we then just cycled around forever. Fixes: 0eef615665ed (“memcg: fix css reference leak and endless loop in mem_cgroup_iter”). Signed-off-by: Hugh Dickins Acked-by: Michal Hocko Cc: Johannes Weiner Cc: Greg Thelen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9a4325ade228730389fe84518b527699715cdd0e Author: Al Viro Date: Mon Feb 10 15:18:55 2014 -0500 ocfs2 syncs the wrong range… commit 1b56e98990bcdbb20b9fab163654b9315bf158e8 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit fa41dd083df604a1b2e8cb4bdc3d757b207fb1ef Author: Jan Kara Date: Mon Mar 3 15:38:32 2014 -0800 ocfs2: fix quota file corruption commit 15c34a760630ca2c803848fba90ca0646a9907dd upstream. Global quota files are accessed from different nodes. Thus we cannot cache offset of quota structure in the quota file after we drop our node reference count to it because after that moment quota structure may be freed and reallocated elsewhere by a different node resulting in corruption of quota file. Fix the problem by clearing dq_off when we are releasing dquot structure. We also remove the DB_READ_B handling because it is useless - DQ_ACTIVE_B is set iff DQ_READ_B is set. Signed-off-by: Jan Kara Cc: Goldwyn Rodrigues Cc: Joel Becker Reviewed-by: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e57b39cc048ae2c9b8933f6c063b67e9b140e5c6 Author: Vlastimil Babka Date: Mon Mar 3 15:38:27 2014 -0800 mm: include VM_MIXEDMAP flag in the VM_SPECIAL list to avoid m(un)locking commit 9050d7eba40b3d79551668f54e68fd6f51945ef3 upstream. Daniel Borkmann reported a VM_BUG_ON assertion failing: ------------[ cut here ]------------ kernel BUG at mm/mlock.c:528! invalid opcode: 0000 [#1] SMP Modules linked in: ccm arc4 iwldvm […] video CPU: 3 PID: 2266 Comm: netsniff-ng Not tainted 3.14.0-rc2+ #8 Hardware name: LENOVO 2429BP3/2429BP3, BIOS G4ET37WW (1.12 ) 05/29/2012 task: ffff8801f87f9820 ti: ffff88002cb44000 task.ti: ffff88002cb44000 RIP: 0010:[] [] munlock_vma_pages_range+0x2e0/0x2f0 Call Trace: do_munmap+0x18f/0x3b0 vm_munmap+0x41/0x60 SyS_munmap+0x22/0x30 system_call_fastpath+0x1a/0x1f RIP munlock_vma_pages_range+0x2e0/0x2f0 —[ end trace a0088dcf07ae10f2 ]— because munlock_vma_pages_range() thinks it’s unexpectedly in the middle of a THP page. This can be reproduced with default config since 3.11 kernels. A reproducer can be found in the kernel’s selftest directory for networking by running ./psock_tpacket. The problem is that an order=2 compound page (allocated by alloc_one_pg_vec_page() is part of the munlocked VM_MIXEDMAP vma (mapped by packet_mmap()) and mistaken for a THP page and assumed to be order=9. The checks for THP in munlock came with commit ff6a6da60b89 (“mm: accelerate munlock() treatment of THP pages”), i.e. since 3.9, but did not trigger a bug. It just makes munlock_vma_pages_range() skip such compound pages until the next 512-pages-aligned page, when it encounters a head page. This is however not a problem for vma’s where mlocking has no effect anyway, but it can distort the accounting. Since commit 7225522bb429 (“mm: munlock: batch non-THP page isolation and munlock+putback using pagevec”) this can trigger a VM_BUG_ON in PageTransHuge() check. This patch fixes the issue by adding VM_MIXEDMAP flag to VM_SPECIAL, a list of flags that make vma’s non-mlockable and non-mergeable. The reasoning is that VM_MIXEDMAP vma’s are similar to VM_PFNMAP, which is already on the VM_SPECIAL list, and both are intended for non-LRU pages where mlocking makes no sense anyway. Related Lkml discussion can be found in [2]. [1] tools/testing/selftests/net/psock_tpacket [2] https://lkml.org/lkml/2014/1/10/427 Signed-off-by: Vlastimil Babka Signed-off-by: Daniel Borkmann Reported-by: Daniel Borkmann Tested-by: Daniel Borkmann Cc: Thomas Hellstrom Cc: John David Anglin Cc: HATAYAMA Daisuke Cc: Konstantin Khlebnikov Cc: Carsten Otte Cc: Jared Hulbert Tested-by: Hannes Frederic Sowa Cc: Kirill A. Shutemov Acked-by: Rik van Riel Cc: Andrea Arcangeli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ea9d6af4dc15a8df707a2234a918b39d7fa62367 Author: Johannes Weiner Date: Mon Mar 3 15:38:41 2014 -0800 mm: page_alloc: exempt GFP_THISNODE allocations from zone fairness commit 27329369c9ecf37771b2a65202cbf5578cff3331 upstream. Jan Stancek reports manual page migration encountering allocation failures after some pages when there is still plenty of memory free, and bisected the problem down to commit 81c0a2bb515f (“mm: page_alloc: fair zone allocator policy”). The problem is that GFP_THISNODE obeys the zone fairness allocation batches on one hand, but doesn’t reset them and wake kswapd on the other hand. After a few of those allocations, the batches are exhausted and the allocations fail. Fixing this means either having GFP_THISNODE wake up kswapd, or GFP_THISNODE not participating in zone fairness at all. The latter seems safer as an acute bugfix, we can clean up later. Reported-by: Jan Stancek Signed-off-by: Johannes Weiner Acked-by: Rik van Riel Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6babaa16e706ffac1840534865a875cf0eb037fa Author: Minchan Kim Date: Mon Mar 3 15:38:34 2014 -0800 zram: avoid null access when fail to alloc meta commit db5d711e2db776f18219b033e5dc4fb7e4264dd7 upstream. zram_meta_alloc could fail so caller should check it. Otherwise, your system will hang. Signed-off-by: Minchan Kim Acked-by: Jerome Marchand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman