4 years agoLinux 3.12.54 v3.12.54
Jiri Slaby [Thu, 11 Feb 2016 13:54:44 +0000 (14:54 +0100)]
Linux 3.12.54

4 years agodm thin: fix race condition when destroying thin pool workqueue
Nikolay Borisov [Thu, 17 Dec 2015 16:03:35 +0000 (18:03 +0200)]
dm thin: fix race condition when destroying thin pool workqueue

commit 18d03e8c25f173f4107a40d0b8c24defb6ed69f3 upstream.

When a thin pool is being destroyed delayed work items are
cancelled using cancel_delayed_work(), which doesn't guarantee that on
return the delayed item isn't running.  This can cause the work item to
requeue itself on an already destroyed workqueue.  Fix this by using
cancel_delayed_work_sync() which guarantees that on return the work item
is not running anymore.

Fixes: 905e51b39a555 ("dm thin: commit outstanding data every second")
Fixes: 85ad643b7e7e5 ("dm thin: add timeout to stop out-of-data-space mode holding IO forever")
Signed-off-by: Nikolay Borisov <>
Signed-off-by: Mike Snitzer <>
Cc: Nikolay Borisov <>
Signed-off-by: Jiri Slaby <>
4 years agoHID: usbhid: fix recursive deadlock
Ioan-Adrian Ratiu [Fri, 20 Nov 2015 20:19:02 +0000 (22:19 +0200)]
HID: usbhid: fix recursive deadlock

commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream.

The critical section protected by usbhid->lock in hid_ctrl() is too
big and because of this it causes a recursive deadlock. "Too big" means
the case statement and the call to hid_input_report() do not need to be
protected by the spinlock (no URB operations are done inside them).

The deadlock happens because in certain rare cases drivers try to grab
the lock while handling the ctrl irq which grabs the lock before them
as described above. For example newer wacom tablets like 056a:033c try
to reschedule proximity reads from wacom_intuos_schedule_prox_event()
calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report()
which tries to grab the usbhid lock already held by hid_ctrl().

There are two ways to get out of this deadlock:
    1. Make the drivers work "around" the ctrl critical region, in the
    wacom case for ex. by delaying the scheduling of the proximity read
    request itself to a workqueue.
    2. Shrink the critical region so the usbhid lock protects only the
    instructions which modify usbhid state, calling hid_input_report()
    with the spinlock unlocked, allowing the device driver to grab the
    lock first, finish and then grab the lock afterwards in hid_ctrl().

This patch implements the 2nd solution.

Signed-off-by: Ioan-Adrian Ratiu <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Jason Gerecke <>
Signed-off-by: Jiri Slaby <>
4 years agodrivers/base/memory.c: prohibit offlining of memory blocks with missing sections
Seth Jennings [Fri, 11 Dec 2015 21:40:57 +0000 (13:40 -0800)]
drivers/base/memory.c: prohibit offlining of memory blocks with missing sections

commit 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 upstream.

Commit bdee237c0343 ("x86: mm: Use 2GB memory block size on large-memory
x86-64 systems") and 982792c782ef ("x86, mm: probe memory block size for
generic x86 64bit") introduced large block sizes for x86.  This made it
possible to have multiple sections per memory block where previously,
there was a only every one section per block.

Since blocks consist of contiguous ranges of section, there can be holes
in the blocks where sections are not present.  If one attempts to
offline such a block, a crash occurs since the code is not designed to
deal with this.

This patch is a quick fix to gaurd against the crash by not allowing
blocks with non-present sections to be offlined.


Signed-off-by: Seth Jennings <>
Reported-by: Andrew Banman <>
Cc: Daniel J Blueman <>
Cc: Yinghai Lu <>
Cc: Greg KH <>
Cc: Russ Anderson <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Jiri Slaby <>
4 years agodm btree: fix leak of bufio-backed block in btree_split_sibling error path
Mike Snitzer [Mon, 23 Nov 2015 21:24:45 +0000 (16:24 -0500)]
dm btree: fix leak of bufio-backed block in btree_split_sibling error path

commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream.

The block allocated at the start of btree_split_sibling() is never
released if later insert_at() fails.

Fix this by releasing the previously allocated bufio block using

Reported-by: Mikulas Patocka <>
Signed-off-by: Mike Snitzer <>
Signed-off-by: Jiri Slaby <>
4 years agocrypto: algif_hash - Only export and import on sockets with data
Herbert Xu [Sun, 1 Nov 2015 09:11:19 +0000 (17:11 +0800)]
crypto: algif_hash - Only export and import on sockets with data

commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream.

The hash_accept call fails to work on sockets that have not received
any data.  For some algorithm implementations it may cause crashes.

This patch fixes this by ensuring that we only export and import on
sockets that have received data.

Reported-by: Harsh Jain <>
Signed-off-by: Herbert Xu <>
Tested-by: Stephan Mueller <>
Signed-off-by: Jiri Slaby <>
4 years agorecordmcount: Fix endianness handling bug for nop_mcount
libin [Tue, 3 Nov 2015 00:58:47 +0000 (08:58 +0800)]
recordmcount: Fix endianness handling bug for nop_mcount

commit c84da8b9ad3761eef43811181c7e896e9834b26b upstream.

In nop_mcount, shdr->sh_offset and welp->r_offset should handle
endianness properly, otherwise it will trigger Segmentation fault
if the recordmcount main and file.o have different endianness.

Signed-off-by: Li Bin <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Jiri Slaby <>
4 years agoxhci: fix placement of call to usb_disabled()
Greg Kroah-Hartman [Sun, 31 Jan 2016 19:11:58 +0000 (11:11 -0800)]
xhci: fix placement of call to usb_disabled()

In the backport of 1eaf35e4dd592c59041bc1ed3248c46326da1f5f, the call to
usb_disabled() was too late, after we had already done some allocation.
Move that call to the top of the function instead, making the logic
match what is intended and is in the original patch.

Reported-by: Luis Henriques <>
Signed-off-by: Jiri Slaby <>
4 years agoRevert "workqueue: make sure delayed work run in local cpu"
Tejun Heo [Tue, 9 Feb 2016 21:11:26 +0000 (16:11 -0500)]
Revert "workqueue: make sure delayed work run in local cpu"

commit 041bd12e272c53a35c54c13875839bcb98c999ce upstream.

This reverts commit 874bbfe600a660cba9c776b3957b1ce393151b76.

Workqueue used to implicity guarantee that work items queued without
explicit CPU specified are put on the local CPU.  Recent changes in
timer broke the guarantee and led to vmstat breakage which was fixed
by 176bed1de5bf ("vmstat: explicitly schedule per-cpu work on the CPU
we need it to run on").

vmstat is the most likely to expose the issue and it's quite possible
that there are other similar problems which are a lot more difficult
to trigger.  As a preventive measure, 874bbfe600a6 ("workqueue: make
sure delayed work run in local cpu") was applied to restore the local
CPU guarnatee.  Unfortunately, the change exposed a bug in timer code
which got fixed by 22b886dd1018 ("timers: Use proper base migration in
add_timer_on()").  Due to code restructuring, the commit couldn't be
backported beyond certain point and stable kernels which only had
874bbfe600a6 started crashing.

The local CPU guarantee was accidental more than anything else and we
want to get rid of it anyway.  As, with the vmstat case fixed,
874bbfe600a6 is causing more problems than it's fixing, it has been
decided to take the chance and officially break the guarantee by
reverting the commit.  A debug feature will be added to force foreign
CPU assignment to expose cases relying on the guarantee and fixes for
the individual cases will be backported to stable as necessary.

Signed-off-by: Tejun Heo <>
Fixes: 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu")
Cc: Mike Galbraith <>
Cc: Henrique de Moraes Holschuh <>
Cc: Daniel Bilik <>
Cc: Jan Kara <>
Cc: Shaohua Li <>
Cc: Sasha Levin <>
Cc: Ben Hutchings <>
Cc: Thomas Gleixner <>
Cc: Daniel Bilik <>
Cc: Jiri Slaby <>
Cc: Michal Hocko <>
Signed-off-by: Jiri Slaby <>
4 years agovmstat: explicitly schedule per-cpu work on the CPU we need it to run on
Linus Torvalds [Thu, 15 Oct 2015 20:01:50 +0000 (13:01 -0700)]
vmstat: explicitly schedule per-cpu work on the CPU we need it to run on

commit 176bed1de5bf977938cad26551969eca8f0883b1 upstream.

The vmstat code uses "schedule_delayed_work_on()" to do the initial
startup of the delayed work on the right CPU, but then once it was
started it would use the non-cpu-specific "schedule_delayed_work()" to
re-schedule it on that CPU.

That just happened to schedule it on the same CPU historically (well, in
almost all situations), but the code _requires_ this work to be per-cpu,
and should say so explicitly rather than depend on the non-cpu-specific
scheduling to schedule on the current CPU.

The timer code is being changed to not be as single-minded in always
running things on the calling CPU.

See also commit 874bbfe600a6 ("workqueue: make sure delayed work run in
local cpu") that for now maintains the local CPU guarantees just in case
there are other broken users that depended on the accidental behavior.

js: 3.12 backport

Cc: Christoph Lameter <>
Cc: Tejun Heo <>
Cc: Mike Galbraith <>
Cc: Michal Hocko <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Jiri Slaby <>
4 years agoopenrisc: fix CONFIG_UID16 setting
Andrew Morton [Fri, 17 Jul 2015 23:23:28 +0000 (16:23 -0700)]
openrisc: fix CONFIG_UID16 setting

commit 04ea1e91f85615318ea91ce8ab50cb6a01ee4005 upstream.


  kernel/uid16.c: In function 'SYSC_setgroups16':
  kernel/uid16.c:184:2: error: implicit declaration of function 'groups_alloc'
  kernel/uid16.c:184:13: warning: assignment makes pointer from integer without a cast

openrisc shouldn't be setting CONFIG_UID16 when CONFIG_MULTIUSER=n.

Fixes: 2813893f8b197a1 ("kernel: conditionally support non-root users, groups and capabilities")
Reported-by: Fengguang Wu <>
Cc: Iulia Manda <>
Cc: Josh Triplett <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Cc: Guenter Roeck <>
Signed-off-by: Jiri Slaby <>
4 years agox86: vvar, fix excessive gcc-6 DECLARE_VVAR warnings
Jiri Slaby [Thu, 28 Jan 2016 10:37:09 +0000 (11:37 +0100)]
x86: vvar, fix excessive gcc-6 DECLARE_VVAR warnings

On 3.12, with gcc-6, I see a lot of:
arch/x86/include/asm/vvar.h:33:28: warning: ‘vvaraddr_jiffies’ defined but not used [-Wunused-const-variable]
  static type const * const vvaraddr_ ## name =   \
arch/x86/include/asm/vvar.h:46:1: note: in expansion of macro ‘DECLARE_VVAR’
 DECLARE_VVAR(0, volatile unsigned long, jiffies)

In upstream, this is fixed by ef721987ae (x86, vdso: Introduce VVAR
marco for vdso32) and f40c330091 (x86, vdso: Move the vvar and hpet
mappings next to the 64-bit vDSO). But this is not applicable to

So mark the vvar declaration as __maybe_unused and be done with it.
This will generate it to the code only if it is used. I.e. the same as
with gcc < 6.

Signed-off-by: Jiri Slaby <>
Cc: Andy Lutomirski <>
4 years agocompiler-gcc: integrate the various compiler-gcc[345].h files
Joe Perches [Thu, 25 Jun 2015 22:01:02 +0000 (15:01 -0700)]
compiler-gcc: integrate the various compiler-gcc[345].h files

commit cb984d101b30eb7478d32df56a0023e4603cba7f upstream.

As gcc major version numbers are going to advance rather rapidly in the
future, there's no real value in separate files for each compiler

Deduplicate some of the macros #defined in each file too.

Neaten comments using normal kernel commenting style.

Signed-off-by: Joe Perches <>
Cc: Andi Kleen <>
Cc: Michal Marek <>
Cc: Segher Boessenkool <>
Cc: Sasha Levin <>
Cc: Anton Blanchard <>
Cc: Alan Modra <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Jiri Slaby <>
4 years agocompiler/gcc4+: Remove inaccurate comment about 'asm goto' miscompiles
Steven Noonan [Sat, 25 Oct 2014 22:09:42 +0000 (15:09 -0700)]
compiler/gcc4+: Remove inaccurate comment about 'asm goto' miscompiles

commit 5631b8fba640a4ab2f8a954f63a603fa34eda96b upstream.

The bug referenced by the comment in this commit was not
completely fixed in GCC 4.8.2, as I mentioned in a thread back
in February:

The conclusion at that time was to make the quirk unconditional
until the bug could be found and fixed in GCC. Unfortunately,
when I submitted the patch (commit a9f18034) I left a comment
in that claimed the bug was fixed in GCC 4.8.2+.

This comment is inaccurate, and should be removed.

Signed-off-by: Steven Noonan <>
Signed-off-by: Ingo Molnar <>
Cc: Jakub Jelinek <>
Cc: Richard Henderson <>
Cc: Linus Torvalds <>
Cc: Steven Rostedt <>
Cc: Ingo Molnar <>
Signed-off-by: Jiri Slaby <>
4 years agoarm64: restore bogomips information in /proc/cpuinfo
Yang Shi [Wed, 18 Nov 2015 18:48:55 +0000 (10:48 -0800)]
arm64: restore bogomips information in /proc/cpuinfo

commit 92e788b749862ebe9920360513a718e5dd4da7a9 upstream.

As previously reported, some userspace applications depend on bogomips
showed by /proc/cpuinfo. Although there is much less legacy impact on
aarch64 than arm, it does break libvirt.

This patch reverts commit 326b16db9f69 ("arm64: delay: don't bother
reporting bogomips in /proc/cpuinfo"), but with some tweak due to
context change and without the pr_info().

Fixes: 326b16db9f69 ("arm64: delay: don't bother reporting bogomips in /proc/cpuinfo")
Signed-off-by: Yang Shi <>
Acked-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Signed-off-by: Jiri Slaby <>
4 years agomn10300: Select CONFIG_HAVE_UID16 to fix build failure
Guenter Roeck [Sat, 28 Nov 2015 16:52:04 +0000 (08:52 -0800)]
mn10300: Select CONFIG_HAVE_UID16 to fix build failure

commit c86576ea114a9a881cf7328dc7181052070ca311 upstream.

mn10300 builds fail with

fs/stat.c: In function 'cp_old_stat':
fs/stat.c:163:2: error: 'old_uid_t' undeclared

ipc/util.c: In function 'ipc64_perm_to_ipc_perm':
ipc/util.c:540:2: error: 'old_uid_t' undeclared

Select CONFIG_HAVE_UID16 and remove local definition of CONFIG_UID16
to fix the problem.

Fixes: fbc416ff8618 ("arm64: fix building without CONFIG_UID16")
Cc: Arnd Bergmann <>
Acked-by: Arnd Bergmann <>
Acked-by: Acked-by: David Howells <>
Signed-off-by: Guenter Roeck <>
Signed-off-by: Jiri Slaby <>
4 years agoHID: core: Avoid uninitialized buffer access
Richard Purdie [Fri, 18 Sep 2015 23:31:33 +0000 (16:31 -0700)]
HID: core: Avoid uninitialized buffer access

commit 79b568b9d0c7c5d81932f4486d50b38efdd6da6d upstream.

hid_connect adds various strings to the buffer but they're all
conditional. You can find circumstances where nothing would be written
to it but the kernel will still print the supposedly empty buffer with
printk. This leads to corruption on the console/in the logs.

Ensure buf is initialized to an empty string.

Signed-off-by: Richard Purdie <>
[dvhart: Initialize string to "" rather than assign buf[0] = NULL;]
Cc: Jiri Kosina <>
Signed-off-by: Darren Hart <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Jiri Slaby <>
4 years agoparisc iommu: fix panic due to trying to allocate too large region
Mikulas Patocka [Mon, 30 Nov 2015 19:47:46 +0000 (14:47 -0500)]
parisc iommu: fix panic due to trying to allocate too large region

commit e46e31a3696ae2d66f32c207df3969613726e636 upstream.

When using the Promise TX2+ SATA controller on PA-RISC, the system often
crashes with kernel panic, for example just writing data with the dd
utility will make it crash.

Kernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources

CPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2
 [<000000004021497c>] show_stack+0x14/0x20
 [<0000000040410bf0>] dump_stack+0x88/0x100
 [<000000004023978c>] panic+0x124/0x360
 [<0000000040452c18>] sba_alloc_range+0x698/0x6a0
 [<0000000040453150>] sba_map_sg+0x260/0x5b8
 [<000000000c18dbb4>] ata_qc_issue+0x264/0x4a8 [libata]
 [<000000000c19535c>] ata_scsi_translate+0xe4/0x220 [libata]
 [<000000000c19a93c>] ata_scsi_queuecmd+0xbc/0x320 [libata]
 [<0000000040499bbc>] scsi_dispatch_cmd+0xfc/0x130
 [<000000004049da34>] scsi_request_fn+0x6e4/0x970
 [<00000000403e95a8>] __blk_run_queue+0x40/0x60
 [<00000000403e9d8c>] blk_run_queue+0x3c/0x68
 [<000000004049a534>] scsi_run_queue+0x2a4/0x360
 [<000000004049be68>] scsi_end_request+0x1a8/0x238
 [<000000004049de84>] scsi_io_completion+0xfc/0x688
 [<0000000040493c74>] scsi_finish_command+0x17c/0x1d0

The cause of the crash is not exhaustion of the IOMMU space, there is
plenty of free pages. The function sba_alloc_range is called with size
0x11000, thus the pages_needed variable is 0x11. The function
sba_search_bitmap is called with bits_wanted 0x11 and boundary size is
0x10 (because dma_get_seg_boundary(dev) returns 0xffff).

The function sba_search_bitmap attempts to allocate 17 pages that must not
cross 16-page boundary - it can't satisfy this requirement
(iommu_is_span_boundary always returns true) and fails even if there are
many free entries in the IOMMU space.

How did it happen that we try to allocate 17 pages that don't cross
16-page boundary? The cause is in the function iommu_coalesce_chunks. This
function tries to coalesce adjacent entries in the scatterlist. The
function does several checks if it may coalesce one entry with the next,
one of those checks is this:

if (startsg->length + dma_len > max_seg_size)

When it finishes coalescing adjacent entries, it allocates the mapping:

sg_dma_len(contig_sg) = dma_len;
dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
sg_dma_address(contig_sg) =
| (iommu_alloc_range(ioc, dev, dma_len) << IOVP_SHIFT)
| dma_offset;

It is possible that (startsg->length + dma_len > max_seg_size) is false
(we are just near the 0x10000 max_seg_size boundary), so the funcion
decides to coalesce this entry with the next entry. When the coalescing
succeeds, the function performs
dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
And now, because of non-zero dma_offset, dma_len is greater than 0x10000.
iommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts
to allocate 17 pages for a device that must not cross 16-page boundary.

To fix the bug, we must make sure that dma_len after addition of
dma_offset and alignment doesn't cross the segment boundary. I.e. change
if (startsg->length + dma_len > max_seg_size)
if (ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > max_seg_size)

This patch makes this change (it precalculates max_seg_boundary at the
beginning of the function iommu_coalesce_chunks). I also added a check
that the mapping length doesn't exceed dma_get_seg_boundary(dev) (it is
not needed for Promise TX2+ SATA, but it may be needed for other devices
that have dma_get_seg_boundary lower than dma_get_max_seg_size).

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Helge Deller <>
Signed-off-by: Jiri Slaby <>
4 years agoarm64: mm: ensure that the zero page is visible to the page table walker
Will Deacon [Thu, 10 Dec 2015 16:05:36 +0000 (16:05 +0000)]
arm64: mm: ensure that the zero page is visible to the page table walker

commit 32d6397805d00573ce1fa55f408ce2bca15b0ad3 upstream.

In paging_init, we allocate the zero page, memset it to zero and then
point TTBR0 to it in order to avoid speculative fetches through the
identity mapping.

In order to guarantee that the freshly zeroed page is indeed visible to
the page table walker, we need to execute a dsb instruction prior to
writing the TTBR.

Signed-off-by: Will Deacon <>
Signed-off-by: Greg Kroah-Hartman <>
4 years agoarm64: Clear out any singlestep state on a ptrace detach operation
John Blackwood [Mon, 7 Dec 2015 11:50:34 +0000 (11:50 +0000)]
arm64: Clear out any singlestep state on a ptrace detach operation

commit 5db4fd8c52810bd9740c1240ebf89223b171aa70 upstream.

Make sure to clear out any ptrace singlestep state when a ptrace(2)
PTRACE_DETACH call is made on arm64 systems.

Otherwise, the previously ptraced task will die off with a SIGTRAP
signal if the debugger just previously singlestepped the ptraced task.

Signed-off-by: John Blackwood <>
[will: added comment to justify why this is in the arch code]
Signed-off-by: Will Deacon <>
Signed-off-by: Jiri Slaby <>
4 years agoarm64: fix building without CONFIG_UID16
Arnd Bergmann [Fri, 20 Nov 2015 11:12:21 +0000 (12:12 +0100)]
arm64: fix building without CONFIG_UID16

commit fbc416ff86183e2203cdf975e2881d7c164b0271 upstream.

As reported by Michal Simek, building an ARM64 kernel with CONFIG_UID16
disabled currently fails because the system call table still needs to
reference the individual function entry points that are provided by
kernel/sys_ni.c in this case, and the declarations are hidden inside
of #ifdef CONFIG_UID16:

arch/arm64/include/asm/unistd32.h:57:8: error: 'sys_lchown16' undeclared here (not in a function)
 __SYSCALL(__NR_lchown, sys_lchown16)

I believe this problem only exists on ARM64, because older architectures
tend to not need declarations when their system call table is built
in assembly code, while newer architectures tend to not need UID16
support. ARM64 only uses these system calls for compatibility with
32-bit ARM binaries.

This changes the CONFIG_UID16 check into CONFIG_HAVE_UID16, which is
set unconditionally on ARM64 with CONFIG_COMPAT, so we see the
declarations whenever we need them, but otherwise the behavior is

Fixes: af1839eb4bd4 ("Kconfig: clean up the long arch list for the UID16 config option")
Signed-off-by: Arnd Bergmann <>
Acked-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Signed-off-by: Jiri Slaby <>
4 years agoarm64: KVM: Fix AArch32 to AArch64 register mapping
Marc Zyngier [Mon, 16 Nov 2015 10:28:17 +0000 (10:28 +0000)]
arm64: KVM: Fix AArch32 to AArch64 register mapping

commit c0f0963464c24e034b858441205455bf2a5d93ad upstream.

When running a 32bit guest under a 64bit hypervisor, the ARMv8
architecture defines a mapping of the 32bit registers in the 64bit
space. This includes banked registers that are being demultiplexed
over the 64bit ones.

On exceptions caused by an operation involving a 32bit register, the
HW exposes the register number in the ESR_EL2 register. It was so
far understood that SW had to distinguish between AArch32 and AArch64
accesses (based on the current AArch32 mode and register number).

It turns out that I misinterpreted the ARM ARM, and the clue is in
D1.20.1: "For some exceptions, the exception syndrome given in the
ESR_ELx identifies one or more register numbers from the issued
instruction that generated the exception. Where the exception is
taken from an Exception level using AArch32 these register numbers
give the AArch64 view of the register."

Which means that the HW is already giving us the translated version,
and that we shouldn't try to interpret it at all (for example, doing
an MMIO operation from the IRQ mode using the LR register leads to
very unexpected behaviours).

The fix is thus not to perform a call to vcpu_reg32() at all from
vcpu_reg(), and use whatever register number is supplied directly.
The only case we need to find out about the mapping is when we
actively generate a register access, which only occurs when injecting
a fault in a guest.

Reviewed-by: Robin Murphy <>
Signed-off-by: Marc Zyngier <>
Signed-off-by: Christoffer Dall <>
Signed-off-by: Jiri Slaby <>
4 years agoscripts/ support data in text section on powerpc
Ulrich Weigand [Tue, 12 Jan 2016 12:14:22 +0000 (23:14 +1100)]
scripts/ support data in text section on powerpc

commit 2e50c4bef77511b42cc226865d6bc568fa7f8769 upstream.

If a text section starts out with a data blob before the first
function start label, disassembly parsing doing in
gets confused on powerpc, leading to creation of corrupted module

This was not a problem so far since the compiler would never create
such text sections.  However, this has changed with a recent change
in GCC 6 to support distances of > 2GB between a function and its
assoicated TOC in the ELFv2 ABI, exposing this problem.

There is already code in to handle such data blobs
on the sparc64 platform.  This patch uses the same method to handle
those on powerpc as well.

Acked-by: Steven Rostedt <>
Signed-off-by: Ulrich Weigand <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Jiri Slaby <>
4 years agopowerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
Boqun Feng [Mon, 2 Nov 2015 01:30:32 +0000 (09:30 +0800)]
powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered

commit 81d7a3294de7e9828310bbf986a67246b13fa01e upstream.

According to memory-barriers.txt, xchg*, cmpxchg* and their atomic_
versions all need to be fully ordered, however they are now just
RELEASE+ACQUIRE, which are not fully ordered.

__{cmp,}xchg_{u32,u64} respectively to guarantee fully ordered semantics
of atomic{,64}_{cmp,}xchg() and {cmp,}xchg(), as a complement of commit
b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics")

This patch depends on patch "powerpc: Make value-returning atomics fully
ordered" for PPC_ATOMIC_ENTRY_BARRIER definition.

Signed-off-by: Boqun Feng <>
Reviewed-by: Paul E. McKenney <>
Acked-by: Peter Zijlstra (Intel) <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Jiri Slaby <>
4 years agopowerpc: Make value-returning atomics fully ordered
Boqun Feng [Mon, 2 Nov 2015 01:30:31 +0000 (09:30 +0800)]
powerpc: Make value-returning atomics fully ordered

commit 49e9cf3f0c04bf76ffa59242254110309554861d upstream.

According to memory-barriers.txt:

> Any atomic operation that modifies some state in memory and returns
> information about the state (old or new) implies an SMP-conditional
> general memory barrier (smp_mb()) on each side of the actual
> operation ...

Which mean these operations should be fully ordered. However on PPC,
PPC_ATOMIC_ENTRY_BARRIER is the barrier before the actual operation,
which is currently "lwsync" if SMP=y. The leading "lwsync" can not
guarantee fully ordered atomics, according to Paul Mckenney:

To fix this, we define PPC_ATOMIC_ENTRY_BARRIER as "sync" to guarantee
the fully-ordered semantics.

This also makes futex atomics fully ordered, which can avoid possible
memory ordering problems if userspace code relies on futex system call
for fully ordered semantics.

Fixes: b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics")
Signed-off-by: Boqun Feng <>
Reviewed-by: Paul E. McKenney <>
Acked-by: Peter Zijlstra (Intel) <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Jiri Slaby <>
4 years agopowerpc/tm: Block signal return setting invalid MSR state
Michael Neuling [Thu, 19 Nov 2015 04:44:44 +0000 (15:44 +1100)]
powerpc/tm: Block signal return setting invalid MSR state

commit d2b9d2a5ad5ef04ff978c9923d19730cb05efd55 upstream.

Currently we allow both the MSR T and S bits to be set by userspace on
a signal return.  Unfortunately this is a reserved configuration and
will cause a TM Bad Thing exception if attempted (via rfid).

This patch checks for this case in both the 32 and 64 bit signals
code.  If both T and S are set, we mark the context as invalid.

Found using a syscall fuzzer.

Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
Signed-off-by: Michael Neuling <>
Signed-off-by: Michael Ellerman <>
Signed-off-by: Jiri Slaby <>
4 years agoxfrm: dst_entries_init() per-net dst_ops
Dan Streetman [Thu, 29 Oct 2015 13:51:16 +0000 (09:51 -0400)]
xfrm: dst_entries_init() per-net dst_ops

[ Upstream commit a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 ]

Remove the dst_entries_init/destroy calls for xfrm4 and xfrm6 dst_ops
templates; their dst_entries counters will never be used.  Move the
xfrm dst_ops initialization from the common xfrm/xfrm_policy.c to
xfrm4/xfrm4_policy.c and xfrm6/xfrm6_policy.c, and call dst_entries_init
and dst_entries_destroy for each net namespace.

The ipv4 and ipv6 xfrms each create dst_ops template, and perform
dst_entries_init on the templates.  The template values are copied to each
net namespace's xfrm.xfrm*_dst_ops.  The problem there is the dst_ops
pcpuc_entries field is a percpu counter and cannot be used correctly by
simply copying it to another object.

The result of this is a very subtle bug; changes to the dst entries
counter from one net namespace may sometimes get applied to a different
net namespace dst entries counter.  This is because of how the percpu
counter works; it has a main count field as well as a pointer to the
percpu variables.  Each net namespace maintains its own main count
variable, but all point to one set of percpu variables.  When any net
namespace happens to change one of the percpu variables to outside its
small batch range, its count is moved to the net namespace's main count
variable.  So with multiple net namespaces operating concurrently, the
dst_ops entries counter can stray from the actual value that it should
be; if counts are consistently moved from one net namespace to another
(which my testing showed is likely), then one net namespace winds up
with a negative dst_ops count while another winds up with a continually
increasing count, eventually reaching its gc_thresh limit, which causes
all new traffic on the net namespace to fail with -ENOBUFS.

Signed-off-by: Dan Streetman <>
Signed-off-by: Dan Streetman <>
Signed-off-by: Steffen Klassert <>
Signed-off-by: Jiri Slaby <>
4 years agoteam: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
Ido Schimmel [Mon, 18 Jan 2016 15:30:22 +0000 (17:30 +0200)]
team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid

[ Upstream commit 60a6531bfe49555581ccd65f66a350cc5693fcde ]

We can't be within an RCU read-side critical section when deleting
VLANs, as underlying drivers might sleep during the hardware operation.
Therefore, replace the RCU critical section with a mutex. This is
consistent with team_vlan_rx_add_vid.

Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Acked-by: Jiri Pirko <>
Signed-off-by: Ido Schimmel <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoipv6: update skb->csum when CE mark is propagated
Eric Dumazet [Fri, 15 Jan 2016 12:56:56 +0000 (04:56 -0800)]
ipv6: update skb->csum when CE mark is propagated

[ Upstream commit 34ae6a1aa0540f0f781dd265366036355fdc8930 ]

When a tunnel decapsulates the outer header, it has to comply
with RFC 6080 and eventually propagate CE mark into inner header.

It turns out IP6_ECN_set_ce() does not correctly update skb->csum
for CHECKSUM_COMPLETE packets, triggering infamous "hw csum failure"
messages and stack traces.

Signed-off-by: Eric Dumazet <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agophonet: properly unshare skbs in phonet_rcv()
Eric Dumazet [Tue, 12 Jan 2016 16:58:00 +0000 (08:58 -0800)]
phonet: properly unshare skbs in phonet_rcv()

[ Upstream commit 7aaed57c5c2890634cfadf725173c7c68ea4cb4f ]

Ivaylo Dimitrov reported a regression caused by commit 7866a621043f
("dev: add per net_device packet type chains").

skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before above commit, different kind of bugs or corruptions could happen
without major crash.

But the root cause is that phonet_rcv() can queue skb without checking
if skb is shared or not.

Many thanks to Ivaylo Dimitrov for his help, diagnosis and tests.

Reported-by: Ivaylo Dimitrov <>
Tested-by: Ivaylo Dimitrov <>
Signed-off-by: Eric Dumazet <>
Cc: Remi Denis-Courmont <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agotcp_yeah: don't set ssthresh below 2
Neal Cardwell [Mon, 11 Jan 2016 18:42:43 +0000 (13:42 -0500)]
tcp_yeah: don't set ssthresh below 2

[ Upstream commit 83d15e70c4d8909d722c0d64747d8fb42e38a48f ]

For tcp_yeah, use an ssthresh floor of 2, the same floor used by Reno
and CUBIC, per RFC 5681 (equation 4).

tcp_yeah_ssthresh() was sometimes returning a 0 or negative ssthresh
value if the intended reduction is as big or bigger than the current
cwnd. Congestion control modules should never return a zero or
negative ssthresh. A zero ssthresh generally results in a zero cwnd,
causing the connection to stall. A negative ssthresh value will be
interpreted as a u32 and will set a target cwnd for PRR near 4

Oleksandr Natalenko reported that a system using tcp_yeah with ECN
could see a warning about a prior_cwnd of 0 in
tcp_cwnd_reduction(). Testing verified that this was due to
tcp_yeah_ssthresh() misbehaving in this way.

Reported-by: Oleksandr Natalenko <>
Signed-off-by: Neal Cardwell <>
Signed-off-by: Yuchung Cheng <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoipv6: tcp: add rcu locking in tcp_v6_send_synack()
Eric Dumazet [Fri, 8 Jan 2016 17:35:51 +0000 (09:35 -0800)]
ipv6: tcp: add rcu locking in tcp_v6_send_synack()

[ Upstream commit 3e4006f0b86a5ae5eb0e8215f9a9e1db24506977 ]

When first SYNACK is sent, we already hold rcu_read_lock(), but this
is not true if a SYNACK is retransmitted, as a timer (soft) interrupt
does not hold rcu_read_lock()

Fixes: 45f6fad84cc30 ("ipv6: add complete rcu protection around np->opt")
Reported-by: Dave Jones <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agonet: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
Sasha Levin [Thu, 7 Jan 2016 19:52:43 +0000 (14:52 -0500)]
net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory

[ Upstream commit 320f1a4a175e7cd5d3f006f92b4d4d3e2cbb7bb5 ]

proc_dostring() needs an initialized destination string, while the one
provided in proc_sctp_do_hmac_alg() contains stack garbage.

Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
accessing invalid memory.

Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
Signed-off-by: Sasha Levin <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agobridge: Only call /sbin/bridge-stp for the initial network namespace
Hannes Frederic Sowa [Tue, 5 Jan 2016 09:46:00 +0000 (10:46 +0100)]
bridge: Only call /sbin/bridge-stp for the initial network namespace

[ Upstream commit ff62198553e43cdffa9d539f6165d3e83f8a42bc ]

[I stole this patch from Eric Biederman. He wrote:]

> There is no defined mechanism to pass network namespace information
> into /sbin/bridge-stp therefore don't even try to invoke it except
> for bridge devices in the initial network namespace.
> It is possible for unprivileged users to cause /sbin/bridge-stp to be
> invoked for any network device name which if /sbin/bridge-stp does not
> guard against unreasonable arguments or being invoked twice on the
> same network device could cause problems.

[Hannes: changed patch using netns_eq]

Cc: Eric W. Biederman <>
Signed-off-by: Eric W. Biederman <>
Signed-off-by: Hannes Frederic Sowa <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoconnector: bump skb->users before callback invocation
Florian Westphal [Thu, 31 Dec 2015 13:26:33 +0000 (14:26 +0100)]
connector: bump skb->users before callback invocation

[ Upstream commit 55285bf09427c5abf43ee1d54e892f352092b1f1 ]

Dmitry reports memleak with syskaller program.
Problem is that connector bumps skb usecount but might not invoke callback.

So move skb_get to where we invoke the callback.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Florian Westphal <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agosctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
Xin Long [Tue, 29 Dec 2015 09:49:25 +0000 (17:49 +0800)]
sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close

[ Upstream commit 068d8bd338e855286aea54e70d1c101569284b21 ]

In sctp_close, sctp_make_abort_user may return NULL because of memory
allocation failure. If this happens, it will bypass any state change
and never free the assoc. The assoc has no chance to be freed and it
will be kept in memory with the state it had even after the socket is
closed by sctp_close().

So if sctp_make_abort_user fails to allocate memory, we should abort
the asoc via sctp_primitive_ABORT as well. Just like the annotation in
sctp_sf_cookie_wait_prm_abort and sctp_sf_do_9_1_prm_abort said,
"Even if we can't send the ABORT due to low memory delete the TCB.
This is a departure from our typical NOMEM handling".

But then the chunk is NULL (low memory) and the SCTP_CMD_REPLY cmd would
dereference the chunk pointer, and system crash. So we should add
SCTP_CMD_REPLY cmd only when the chunk is not NULL, just like other
places where it adds SCTP_CMD_REPLY cmd.

Signed-off-by: Xin Long <>
Acked-by: Marcelo Ricardo Leitner <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoipv6/addrlabel: fix ip6addrlbl_get()
Andrey Ryabinin [Mon, 21 Dec 2015 09:54:45 +0000 (12:54 +0300)]
ipv6/addrlabel: fix ip6addrlbl_get()

[ Upstream commit e459dfeeb64008b2d23bdf600f03b3605dbb8152 ]

ip6addrlbl_get() has never worked. If ip6addrlbl_hold() succeeded,
ip6addrlbl_get() will exit with '-ESRCH'. If ip6addrlbl_hold() failed,
ip6addrlbl_get() will use about to be free ip6addrlbl_entry pointer.

Fix this by inverting ip6addrlbl_hold() check.

Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
Signed-off-by: Andrey Ryabinin <>
Reviewed-by: Cong Wang <>
Acked-by: YOSHIFUJI Hideaki <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoveth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
Vijay Pandurangan [Fri, 18 Dec 2015 19:34:59 +0000 (14:34 -0500)]
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.

[ Upstream commit ce8c839b74e3017996fad4e1b7ba2e2625ede82f ]

Packets that arrive from real hardware devices have ip_summed ==
CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
current version of veth will replace CHECKSUM_NONE with
CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
a veth device to be delivered to the application. This caused applications
at Twitter to receive corrupt data when network hardware was corrupting

We believe this was added as an optimization to skip computing and
verifying checksums for communication between containers. However, locally
generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
written does nothing for them. As far as we can tell, after removing this
code, these packets are transmitted from one stack to another unmodified
(tcpdump shows invalid checksums on both sides, as expected), and they are
delivered correctly to applications. We didn’t test every possible network
configuration, but we tried a few common ones such as bridging containers,
using NAT between the host and a container, and routing from hardware
devices to containers. We have effectively deployed this in production at
Twitter (by disabling RX checksum offloading on veth devices).

This code dates back to the first version of the driver, commit
<e314dbdc1c0dc6a548ecf> ("[NET]: Virtual ethernet device driver"), so I
suspect this bug occurred mostly because the driver API has evolved
significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
packet checksumming") (in December 2010) fixed this for packets that get
created locally and sent to hardware devices, by not changing
CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
in from hardware devices.

Co-authored-by: Evan Jones <>
Signed-off-by: Evan Jones <>
Cc: Nicolas Dichtel <>
Cc: Phil Sutter <>
Cc: Toshiaki Makita <>
Signed-off-by: Vijay Pandurangan <>
Acked-by: Cong Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agomISDN: avoid arch specific __builtin_return_address call
Arnd Bergmann [Tue, 13 Jan 2015 16:10:58 +0000 (17:10 +0100)]
mISDN: avoid arch specific __builtin_return_address call

commit 3e7a8716e20b759eec0ad88145255bb33174f0c8 upstream.

Not all architectures are able to call __builtin_return_address().
On ARM, the mISDN code produces this warning:

hardware/mISDN/w6692.c: In function 'w6692_dctrl':
hardware/mISDN/w6692.c:1181:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", card->name, __func__,
hardware/mISDN/mISDNipac.c: In function 'open_dchannel':
hardware/mISDN/mISDNipac.c:759:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", isac->name, __func__,

In a lot of cases, this is relatively easy to work around by
passing the value of __builtin_return_address(0) from the
callers into the functions that want it. One exception is
the indirect 'open' function call in struct isac_hw. While it
would be possible to fix this as well, this patch only addresses
the other callers properly and lets this one return the direct
parent function, which should be good enough.

Signed-off-by: Arnd Bergmann <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoRDMA/cxgb4: Fix gcc warning on 32-bit arch
Paul Bolle [Thu, 9 Jan 2014 10:53:27 +0000 (11:53 +0100)]
RDMA/cxgb4: Fix gcc warning on 32-bit arch

commit 298589b1cb626adf4beba6dd8e3cd4b64e8799be upstream.

Building mem.o for 32 bits x86 triggers a GCC warning:

    drivers/infiniband/hw/cxgb4/mem.c: In function '_c4iw_write_mem_dma_aligned':
    drivers/infiniband/hw/cxgb4/mem.c:79:25: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]

Silence that warning by casting "&wr_wait" to unsigned long before
casting it to __be64.  That's what _c4iw_write_mem_inline() already does.

Signed-off-by: Paul Bolle <>
Acked-by: Steve Wise <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Jiri Slaby <>
4 years agolkdtm: adjust recursion size to avoid warnings
Kees Cook [Thu, 24 Oct 2013 16:25:39 +0000 (09:25 -0700)]
lkdtm: adjust recursion size to avoid warnings

commit 7d196ac303652588c60350f0a581d71e2e7b1a50 upstream.

When CONFIG_FRAME_WARN is set low (e.g. some ARM builds), the hard-coded
stack buffer size used for kernel stack over run testing triggers build
warnings. Instead, avoid the warning by recalcuating the buffer size and
recursion count needed to trigger the test. Also uses the recursion counter
indirectly to avoid changing the parameter during the test.

Signed-off-by: Kees Cook <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Jiri Slaby <>
4 years agodrm: radeon: ni_dpm: Fix unused variable warning when CONFIG_ACPI=n
Fabio Estevam [Sat, 9 Nov 2013 17:59:02 +0000 (15:59 -0200)]
drm: radeon: ni_dpm: Fix unused variable warning when CONFIG_ACPI=n

commit 71473dbd66d4a61be4cd531ef96b4877f6ee3941 upstream.

With CONFIG_ACPI=n the following build warning is seen:

drivers/gpu/drm/radeon/ni_dpm.c:3448:31: warning: unused variable 'eg_pi' [-Wunused-variable]

Move the definition of eg_pi inside the CONFIG_ACPI 'if' block.

Signed-off-by: Fabio Estevam <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Jiri Slaby <>
4 years agodrm/radeon: cypress_dpm: Fix unused variable warning when CONFIG_ACPI=n
Alex Deucher [Tue, 12 Nov 2013 17:31:54 +0000 (12:31 -0500)]
drm/radeon: cypress_dpm: Fix unused variable warning when CONFIG_ACPI=n

commit 936b32643cb03dcb34ef5dab81970229b1cc2a33 upstream.

With CONFIG_ACPI=n the following build warning is seen:

drivers/gpu/drm/radeon/cypress_dpm.c:302:31: warning: unused variable 'eg_pi' [-Wunused-variable]

Protect eg_pi with CONFIG_ACPI.

Based on patch from: Fabio Estevam <>
but doesn't mix allocation and code.

Signed-off-by: Alex Deucher <>
Signed-off-by: Jiri Slaby <>
4 years agoARM: 8160/1: drop warning about return_address not using unwind tables
Uwe Kleine-König [Wed, 24 Sep 2014 07:51:57 +0000 (08:51 +0100)]
ARM: 8160/1: drop warning about return_address not using unwind tables

commit e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream.

The warning was introduced in 2009 (commit 4bf1fa5a34aa ([ARM] 5613/1:
implement CALLER_ADDRESSx)). The only "problem" here is that
CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm.

The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not

Signed-off-by: Uwe Kleine-König <>
Signed-off-by: Russell King <>
Signed-off-by: Jiri Slaby <>
4 years agoARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h
Behan Webster [Wed, 24 Sep 2014 00:06:46 +0000 (01:06 +0100)]
ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h

commit aeea3592a13bf12861943e44fc48f1f270941f8d upstream.

With compilers which follow the C99 standard (like modern versions of gcc and
clang), "extern inline" does the wrong thing (emits code for an externally
linkable version of the inline function). In this case using static inline
and removing the NULL version of return_address in return_address.c does
the right thing.

Signed-off-by: Behan Webster <>
Reviewed-by: Mark Charlebois <>
Acked-by: Steven Rostedt <>
Signed-off-by: Russell King <>
Signed-off-by: Jiri Slaby <>
4 years agoxhci: refuse loading if nousb is used
Oliver Neukum [Thu, 3 Dec 2015 14:03:34 +0000 (15:03 +0100)]
xhci: refuse loading if nousb is used

commit 1eaf35e4dd592c59041bc1ed3248c46326da1f5f upstream.

The module should fail to load.

Signed-off-by: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agoUSB: cp210x: add ID for ELV Marble Sound Board 1
Oliver Freyermuth [Mon, 28 Dec 2015 17:37:38 +0000 (18:37 +0100)]
USB: cp210x: add ID for ELV Marble Sound Board 1

commit f7d7f59ab124748156ea551edf789994f05da342 upstream.

Add the USB device ID for ELV Marble Sound Board 1.

Signed-off-by: Oliver Freyermuth <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Jiri Slaby <>
4 years agoUSB: ipaq.c: fix a timeout loop
Dan Carpenter [Wed, 16 Dec 2015 11:06:37 +0000 (14:06 +0300)]
USB: ipaq.c: fix a timeout loop

commit abdc9a3b4bac97add99e1d77dc6d28623afe682b upstream.

The code expects the loop to end with "retries" set to zero but, because
it is a post-op, it will end set to -1.  I have fixed this by moving the
decrement inside the loop.

Fixes: 014aa2a3c32e ('USB: ipaq: minor ipaq_open() cleanup.')
Signed-off-by: Dan Carpenter <>
Signed-off-by: Jiri Slaby <>
4 years agousb: xhci: fix config fail of FS hub behind a HS hub with MTT
Chunfeng Yun [Fri, 4 Dec 2015 13:53:43 +0000 (15:53 +0200)]
usb: xhci: fix config fail of FS hub behind a HS hub with MTT

commit 096b110a3dd3c868e4610937c80d2e3f3357c1a9 upstream.

if a full speed hub connects to a high speed hub which
supports MTT, the MTT field of its slot context will be set
to 1 when xHCI driver setups an xHCI virtual device in
xhci_setup_addressable_virt_dev(); once usb core fetch its
hub descriptor, and need to update the xHC's internal data
structures for the device, the HUB field of its slot context
will be set to 1 too, meanwhile MTT is also set before,
this will cause configure endpoint command fail, so in the
case, we should clear MTT to 0 for full speed hub according
to section 6.2.2

Signed-off-by: Chunfeng Yun <>
Signed-off-by: Mathias Nyman <>
Signed-off-by: Jiri Slaby <>
4 years agoASoC: compress: Fix compress device direction check
Vinod Koul [Thu, 7 Jan 2016 16:18:14 +0000 (21:48 +0530)]
ASoC: compress: Fix compress device direction check

commit a1068045883ed4a18363a4ebad0c3d55e473b716 upstream.

The detection of direction for compress was only taking into account codec
capabilities and not CPU ones. Fix this by checking the CPU side capabilities
as well

Tested-by: Ashish Panwar <>
Signed-off-by: Vinod Koul <>
Signed-off-by: Mark Brown <>
Signed-off-by: Jiri Slaby <>
4 years agoASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
Nikesh Oswal [Wed, 23 Dec 2015 14:18:05 +0000 (14:18 +0000)]
ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz

commit e73694d871867cae8471d2350ce89acb38bc2b63 upstream.

For a sample rate of 12kHz the bclk was taken from the 44.1kHz table as
we test for a multiple of 8kHz. This patch fixes this issue by testing
for multiples of 4kHz instead.

Signed-off-by: Nikesh Oswal <>
Signed-off-by: Charles Keepax <>
Signed-off-by: Mark Brown <>
Signed-off-by: Jiri Slaby <>
4 years agoASoC: wm8962: correct addresses for HPF_C_0/1
Sachin Pandhare [Tue, 10 Nov 2015 18:08:02 +0000 (23:38 +0530)]
ASoC: wm8962: correct addresses for HPF_C_0/1

commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream.

From datasheet:
R17408 (4400h) HPF_C_1
R17409 (4401h) HPF_C_0
17048 -> 17408 (0x4400)
17049 -> 17409 (0x4401)

Signed-off-by: Sachin Pandhare <>
Acked-by: Charles Keepax <>
Signed-off-by: Mark Brown <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
Takashi Iwai [Mon, 18 Jan 2016 13:12:40 +0000 (14:12 +0100)]
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0

commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call.  The check was
intended obviously only for a kernel driver, but not for a user
interaction.  Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hrtimer: Fix stall by hrtimer_cancel()
Takashi Iwai [Mon, 18 Jan 2016 12:52:47 +0000 (13:52 +0100)]
ALSA: hrtimer: Fix stall by hrtimer_cancel()

commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream.

hrtimer_cancel() waits for the completion from the callback, thus it
must not be called inside the callback itself.  This was already a
problem in the past with ALSA hrtimer driver, and the early commit
[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.

However, the previous fix is still insufficient: it may still cause a
lockup when the ALSA timer instance reprograms itself in its callback.
Then it invokes the start function even in snd_timer_interrupt() that
is called in hrtimer callback itself, results in a CPU stall.  This is
no hypothetical problem but actually triggered by syzkaller fuzzer.

This patch tries to fix the issue again.  Now we call
hrtimer_try_to_cancel() at both start and stop functions so that it
won't fall into a deadlock, yet giving some chance to cancel the queue
if the functions have been called outside the callback.  The proper
hrtimer_cancel() is called in anyway at closing, so this should be

Reported-and-tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
Nicolas Boichat [Mon, 18 Jan 2016 13:35:00 +0000 (21:35 +0800)]
ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.

This reverts one hunk of
commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_pcm_hw_params32 to
a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
the 32-bit version, so we need to separate kmalloc and copy calls.

This actually leads to an out-of-bounds memory access later on
in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).

Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
Nicolas Boichat [Mon, 18 Jan 2016 13:35:01 +0000 (21:35 +0800)]
ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode

commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream.

This reverts one hunk of
commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_seq_port_info32 to a
struct snd_seq_port_info, but the latter is 4 bytes longer than the
32-bit version, so we need to separate kmalloc and copy calls.

Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: timer: Fix double unlink of active_list
Takashi Iwai [Wed, 13 Jan 2016 20:35:06 +0000 (21:35 +0100)]
ALSA: timer: Fix double unlink of active_list

commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream.

ALSA timer instance object has a couple of linked lists and they are
unlinked unconditionally at snd_timer_stop().  Meanwhile
snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
the element list itself unchanged.  This ends up with unlinking twice,
and it was caught by syzkaller fuzzer.

The fix is to use list_del_init() variant properly there, too.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: timer: Fix race among timer ioctls
Takashi Iwai [Wed, 13 Jan 2016 16:48:01 +0000 (17:48 +0100)]
ALSA: timer: Fix race among timer ioctls

commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.

ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object.  A simplistic fix is to make
each ioctl exclusive.  We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency.  But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: timer: Harden slave timer list handling
Takashi Iwai [Thu, 14 Jan 2016 15:30:58 +0000 (16:30 +0100)]
ALSA: timer: Harden slave timer list handling

commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking.  Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too.  Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected

This patch tries to address these issues.  It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places.  For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links.  This is a noop, and calling it may confuse
readers wrt locking.  Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.

Reported-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: seq: Fix race at timer setup and close
Takashi Iwai [Tue, 12 Jan 2016 14:36:27 +0000 (15:36 +0100)]
ALSA: seq: Fix race at timer setup and close

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: seq: Fix missing NULL check at remove_events ioctl
Takashi Iwai [Tue, 12 Jan 2016 11:38:02 +0000 (12:38 +0100)]
ALSA: seq: Fix missing NULL check at remove_events ioctl

commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream.

snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference.  The fix is just to add a proper NULL

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
Mario Kleiner [Mon, 21 Dec 2015 23:45:43 +0000 (00:45 +0100)]
ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)

commit 9f660a1c43890c2cdd1f423fd73654e7ca08fe56 upstream.

Without this patch, internal speaker and line-out work,
but front headphone output jack stays silent on the
Mac Pro 4,1.

This code path also gets executed on the MacPro 5,1 due
to identical codec SSID, but i don't know if it has any
positive or adverse effects there or not.

(v2) Implement feedback from Takashi Iwai: Reuse
     alc889_fixup_mbp_vref and just add a new nid
     0x19 for the MacPro 4,1.

Signed-off-by: Mario Kleiner <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
Xiong Zhang [Fri, 18 Dec 2015 05:29:18 +0000 (13:29 +0800)]
ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()

commit 3e6db33aaf1d42a30339f831ec4850570d6cc7a3 upstream.

It takes three minutes to enter into hibernation on some OEM SKL
machines and we see many codec spurious response after thaw() opertion.
This is because HDA is still in D0 state after freeze() call and
pci_pm_freeze/pci_pm_freeze_noirq() don't set D3 hot in pci_bus driver.
It seems bios still access HDA when system enter into freeze state,
HDA will receive codec response interrupt immediately after thaw() call.
Because of this unexpected interrupt, HDA enter into a abnormal
state and slow down the system enter into hibernation.

In this patch, we put HDA into D3 hot state in azx_freeze_noirq() and
put HDA into D0 state in azx_thaw_noirq().

V2: Only apply this fix to SKL+
    Fix compile error when CONFIG_PM_SLEEP isn't defined

[Yet another fix for CONFIG_PM_SLEEP ifdef and the additional comment
 by tiwai]

Signed-off-by: Xiong Zhang <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hda - Add inverted dmic for Packard Bell DOTS
David Henningsson [Mon, 7 Dec 2015 10:29:31 +0000 (11:29 +0100)]
ALSA: hda - Add inverted dmic for Packard Bell DOTS

commit 02f6ff90400d055f08b0ba0b5f0707630b6faed7 upstream.

On the internal mic of the Packard Bell DOTS, one channel
has an inverted signal. Add a quirk to fix this up.

Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: rme96: Fix unexpected volume reset after rate changes
Takashi Iwai [Fri, 4 Dec 2015 15:44:24 +0000 (16:44 +0100)]
ALSA: rme96: Fix unexpected volume reset after rate changes

commit a74a821624c0c75388a193337babd17a8c02c740 upstream.

rme96 driver needs to reset DAC depending on the sample rate, and this
results in resetting to the max volume suddenly.  It's because of the
missing call of snd_rme96_apply_dac_volume().

However, calling this function right after the DAC reset still may not
work, and we need some delay before this call.  Since the DAC reset
and the procedure after that are performed in the spinlock, we delay
the DAC volume restore at the end after the spinlock.

Reported-and-tested-by: Sylvain LABOISNE <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoLinux 3.12.53 v3.12.53
Jiri Slaby [Mon, 25 Jan 2016 11:43:57 +0000 (12:43 +0100)]
Linux 3.12.53

4 years agoppp, slip: Validate VJ compression slot parameters completely
Ben Hutchings [Sun, 1 Nov 2015 16:22:53 +0000 (16:22 +0000)]
ppp, slip: Validate VJ compression slot parameters completely

commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae upstream.

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Reported-by: 郭永刚 <>
Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoisdn_ppp: Add checks for allocation failure in isdn_ppp_open()
Ben Hutchings [Sun, 1 Nov 2015 16:21:24 +0000 (16:21 +0000)]
isdn_ppp: Add checks for allocation failure in isdn_ppp_open()

commit 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 upstream.

Compile-tested only.

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoARC: Fix silly typo in MAINTAINERS file
Vineet Gupta [Sat, 14 Nov 2015 07:28:53 +0000 (12:58 +0530)]
ARC: Fix silly typo in MAINTAINERS file

commit 30b9dbee895ff0d5cbf155bd1ef3f0f5992bca6f upstream.

Signed-off-by: Jiri Slaby <>
4 years agoMAINTAINERS: Add public mailing list for ARC
Vineet Gupta [Mon, 26 Oct 2015 05:22:57 +0000 (10:52 +0530)]
MAINTAINERS: Add public mailing list for ARC

commit 9acdc911b55569145034b01075adf658891afbd2 upstream.

Signed-off-by: Vineet Gupta <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hda - Apply pin fixup for HP ProBook 6550b
Takashi Iwai [Wed, 4 Nov 2015 21:39:16 +0000 (22:39 +0100)]
ALSA: hda - Apply pin fixup for HP ProBook 6550b

commit c932b98c1e47312822d911c1bb76e81ef50e389c upstream.

HP ProBook 6550b needs the same pin fixup applied to other HP B-series
laptops with docks for making its headphone and dock headphone jacks
working properly.  We just need to add the codec SSID to the list.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoALSA: hda - Add Intel Lewisburg device IDs Audio
Alexandra Yates [Wed, 4 Nov 2015 23:56:09 +0000 (15:56 -0800)]
ALSA: hda - Add Intel Lewisburg device IDs Audio

commit 5cf92c8b3dc5da59e05dc81bdc069cedf6f38313 upstream.

Adding Intel codename Lewisburg platform device IDs for audio.

[rearranged the position by tiwai]

Signed-off-by: Alexandra Yates <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Jiri Slaby <>
4 years agoipmi: move timer init to before irq is setup
Jan Stancek [Tue, 8 Dec 2015 18:57:51 +0000 (13:57 -0500)]
ipmi: move timer init to before irq is setup

commit 27f972d3e00b50639deb4cc1392afaeb08d3cecc upstream.

We encountered a panic on boot in ipmi_si on a dell per320 due to an
uninitialized timer as follows.

static int smi_start_processing(void       *send_info,
                                ipmi_smi_t intf)
        /* Try to claim any interrupts. */
        if (new_smi->irq_setup)

 --> IRQ arrives here and irq handler tries to modify uninitialized timer

    which triggers BUG_ON(!timer->function) in __mod_timer().

 Call Trace:
   [<ffffffffa0532617>] start_new_msg+0x47/0x80 [ipmi_si]
   [<ffffffffa053269e>] start_check_enables+0x4e/0x60 [ipmi_si]
   [<ffffffffa0532bd8>] smi_event_handler+0x1e8/0x640 [ipmi_si]
   [<ffffffff810f5584>] ? __rcu_process_callbacks+0x54/0x350
   [<ffffffffa053327c>] si_irq_handler+0x3c/0x60 [ipmi_si]
   [<ffffffff810efaf0>] handle_IRQ_event+0x60/0x170
   [<ffffffff810f245e>] handle_edge_irq+0xde/0x180
   [<ffffffff8100fc59>] handle_irq+0x49/0xa0
   [<ffffffff8154643c>] do_IRQ+0x6c/0xf0
   [<ffffffff8100ba53>] ret_from_intr+0x0/0x11

        /* Set up the timer that drives the interface. */
        setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);

The following patch fixes the problem.

To: Corey Minyard <>
Signed-off-by: Jan Stancek <>
Signed-off-by: Tony Camuso <>
Signed-off-by: Corey Minyard <>
Signed-off-by: Jiri Slaby <>
4 years agox86/boot: Double BOOT_HEAP_SIZE to 64KB
H.J. Lu [Mon, 4 Jan 2016 18:17:09 +0000 (10:17 -0800)]
x86/boot: Double BOOT_HEAP_SIZE to 64KB

commit 8c31902cffc4d716450be549c66a67a8a3dd479c upstream.

When decompressing kernel image during x86 bootup, malloc memory
for ELF program headers may run out of heap space, which leads
to system halt.  This patch doubles BOOT_HEAP_SIZE to 64KB.

Tested with 32-bit kernel which failed to boot without this patch.

Signed-off-by: H.J. Lu <>
Acked-by: H. Peter Anvin <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Denys Vlasenko <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Jiri Slaby <>
4 years agox86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
Mario Kleiner [Fri, 18 Dec 2015 19:24:06 +0000 (20:24 +0100)]
x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]

commit 2f0c0b2d96b1205efb14347009748d786c2d9ba5 upstream.

Without the reboot=pci method, the iMac 10,1 simply
hangs after printing "Restarting system" at the point
when it should reboot. This fixes it.

Signed-off-by: Mario Kleiner <>
Cc: Andy Lutomirski <>
Cc: Borislav Petkov <>
Cc: Brian Gerst <>
Cc: Dave Jones <>
Cc: Denys Vlasenko <>
Cc: H. Peter Anvin <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Jiri Slaby <>
4 years agoKVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR
Paul Mackerras [Thu, 12 Nov 2015 05:43:02 +0000 (16:43 +1100)]
KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR

commit c20875a3e638e4a03e099b343ec798edd1af5cc6 upstream.

Currently it is possible for userspace (e.g. QEMU) to set a value
for the MSR for a guest VCPU which has both of the TS bits set,
which is an illegal combination.  The result of this is that when
we execute a hrfid (hypervisor return from interrupt doubleword)
instruction to enter the guest, the CPU will take a TM Bad Thing
type of program interrupt (vector 0x700).

Now, if PR KVM is configured in the kernel along with HV KVM, we
actually handle this without crashing the host or giving hypervisor
privilege to the guest; instead what happens is that we deliver a
program interrupt to the guest, with SRR0 reflecting the address
of the hrfid instruction and SRR1 containing the MSR value at that
point.  If PR KVM is not configured in the kernel, then we try to
run the host's program interrupt handler with the MMU set to the
guest context, which almost certainly causes a host crash.

This closes the hole by making kvmppc_set_msr_hv() check for the
illegal combination and force the TS field to a safe value (00,
meaning non-transactional).

Signed-off-by: Paul Mackerras <>
Signed-off-by: Jiri Slaby <>
4 years agox86/xen: don't reset vcpu_info on a cancelled suspend
Ouyang Zhaowei (Charles) [Wed, 6 May 2015 01:47:04 +0000 (09:47 +0800)]
x86/xen: don't reset vcpu_info on a cancelled suspend

commit 6a1f513776b78c994045287073e55bae44ed9f8c upstream.

On a cancelled suspend the vcpu_info location does not change (it's
still in the per-cpu area registered by xen_vcpu_setup()).  So do not
call xen_hvm_init_shared_info() which would make the kernel think its
back in the shared info.  With the wrong vcpu_info, events cannot be
received and the domain will hang after a cancelled suspend.

Signed-off-by: Charles Ouyang <>
Reviewed-by: Boris Ostrovsky <>
Signed-off-by: David Vrabel <>
Signed-off-by: Jiri Slaby <>
4 years agoxen/gntdev: Grant maps should not be subject to NUMA balancing
Boris Ostrovsky [Tue, 10 Nov 2015 20:10:33 +0000 (15:10 -0500)]
xen/gntdev: Grant maps should not be subject to NUMA balancing

commit 9c17d96500f78d7ecdb71ca6942830158bc75a2b upstream.

Doing so will cause the grant to be unmapped and then, during
fault handling, the fault to be mistakenly treated as NUMA hint

In addition, even if those maps could partcipate in NUMA
balancing, it wouldn't provide any benefit since we are unable
to determine physical page's node (even if/when VNUMA is

Marking grant maps' VMAs as VM_IO will exclude them from being
part of NUMA balancing.

Signed-off-by: Boris Ostrovsky <>
Signed-off-by: David Vrabel <>
Signed-off-by: Jiri Slaby <>
4 years agox86/signal: Fix restart_syscall number for x32 tasks
Dmitry V. Levin [Mon, 30 Nov 2015 21:54:36 +0000 (00:54 +0300)]
x86/signal: Fix restart_syscall number for x32 tasks

commit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream.

When restarting a syscall with regs->ax == -ERESTART_RESTARTBLOCK,
regs->ax is assigned to a restart_syscall number.  For x32 tasks, this
syscall number must have __X32_SYSCALL_BIT set, otherwise it will be
an x86_64 syscall number instead of a valid x32 syscall number. This
issue has been there since the introduction of x32.

Reported-by: strace/tests/restart_syscall.test
Reported-and-tested-by: Elvira Khabirova <>
Signed-off-by: Dmitry V. Levin <>
Cc: Elvira Khabirova <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Jiri Slaby <>
4 years agoudp: properly support MSG_PEEK with truncated buffers
Eric Dumazet [Wed, 30 Dec 2015 13:51:12 +0000 (08:51 -0500)]
udp: properly support MSG_PEEK with truncated buffers

commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Signed-off-by: Eric Dumazet <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoKEYS: Fix keyring ref leak in join_session_keyring()
Yevgeny Pats [Tue, 19 Jan 2016 22:09:04 +0000 (22:09 +0000)]
KEYS: Fix keyring ref leak in join_session_keyring()

commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 upstream.

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
int i = 0;
key_serial_t serial;

if (serial < 0) {
return -1;

if (keyctl(KEYCTL_SETPERM, serial,
   KEY_POS_ALL | KEY_USR_ALL) < 0) {
return -1;

for (i = 0; i < 100; i++) {
if (serial < 0) {
return -1;

return 0;

If, after the program has run, there something like the following line in

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Reported-by: Yevgeny Pats <>
Signed-off-by: David Howells <>
Acked-by: Don Zickus <>
Acked-by: Prarit Bhargava <>
Acked-by: Jarod Wilson <>
Signed-off-by: James Morris <>
Signed-off-by: Jiri Slaby <>
4 years agoKEYS: Fix race between read and revoke
David Howells [Fri, 18 Dec 2015 01:34:26 +0000 (01:34 +0000)]
KEYS: Fix race between read and revoke

commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream.

This fixes CVE-2015-7550.

There's a race between keyctl_read() and keyctl_revoke().  If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.

This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.

Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.

I think the bug was introduced with the original keyrings code.

This was discovered by a multithreaded test program generated by syzkaller
(  Here's a cleaned up version:

#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
key_serial_t key = (unsigned long)arg;
return 0;
void *thr1(void *arg)
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
int main()
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;

Build as:

cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread

Run as:

while keyctl-race; do :; done

as it may need several iterations to crash the kernel.  The crash can be
summarised as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
Call Trace:
 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f

Reported-by: Dmitry Vyukov <>
Signed-off-by: David Howells <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: James Morris <>
Signed-off-by: Jiri Slaby <>
4 years agoUSB: quirks: Fix another ELAN touchscreen
Adrien Vergé [Tue, 24 Nov 2015 15:02:04 +0000 (16:02 +0100)]
USB: quirks: Fix another ELAN touchscreen

commit df36c5bede207f734e4750beb2b14fb892050280 upstream.

Like other buggy models that had their fixes [1], the touchscreen with
id 04f3:21b8 from ELAN Microelectronics needs the device-qualifier
quirk. Otherwise, it fails to respond, blocks the boot for a random
amount of time and pollutes dmesg with:

[ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd
[ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71
[ 2889.502005] usb 1-5: can't read configurations, error -71
[ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd
[ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71
[ 2891.783443] usb 1-5: can't read configurations, error -71

[1]: See commits c68929f876af5dd749947a32c99e and dc703ec.

Tested-by: Adrien Vergé <>
Signed-off-by: Adrien Vergé <>
Signed-off-by: Greg Kroah-Hartman <>
Cc: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agosctp: Prevent soft lockup when sctp_accept() is called during a timeout event
Karl Heiss [Thu, 24 Sep 2015 16:15:07 +0000 (12:15 -0400)]
sctp: Prevent soft lockup when sctp_accept() is called during a timeout event

commit 635682a14427d241bab7bbdeebb48a7d7b91638e upstream.

A case can occur when sctp_accept() is called by the user during
a heartbeat timeout event after the 4-way handshake.  Since
sctp_assoc_migrate() changes both assoc-> and assoc->ep, the
bh_sock_lock in sctp_generate_heartbeat_event() will be taken with
the listening socket but released with the new association socket.
The result is a deadlock on any future attempts to take the listening
socket lock.

Note that this race can occur with other SCTP timeouts that take
the bh_lock_sock() in the event sctp_accept() is called.

 BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0]
 RIP: 0010:[<ffffffff8152d48e>]  [<ffffffff8152d48e>] _spin_lock+0x1e/0x30
 RSP: 0018:ffff880028323b20  EFLAGS: 00000206
 RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48
 RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000
 R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0
 R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225
 FS:  0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
 CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0)
 ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000
 <d> 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00
 <d> ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8
 Call Trace:
 [<ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp]
 [<ffffffff8148c559>] ? nf_iterate+0x69/0xb0
 [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff8148c716>] ? nf_hook_slow+0x76/0x120
 [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0
 [<ffffffff81497808>] ? ip_local_deliver+0x98/0xa0
 [<ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440
 [<ffffffff81497255>] ? ip_rcv+0x275/0x350
 [<ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750

With lockdep debugging:

 [ BUG: bad unlock balance detected! ]
 CslRx/12087 is trying to release lock (slock-AF_INET) at:
 [<ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp]
 but there are no more locks to release!

 other info that might help us debug this:
 2 locks held by CslRx/12087:
 #0:  (&asoc->timers[i]){+.-...}, at: [<ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0
 #1:  (slock-AF_INET){+.-...}, at: [<ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp]

Ensure the socket taken is also the same one that is released by
saving a copy of the socket before entering the timeout event
critical section.

Signed-off-by: Karl Heiss <>
Signed-off-by: David S. Miller <>
Cc: Ben Hutchings <>
Signed-off-by: Jiri Slaby <>
4 years agom68k/mac: Make SCC reset work more reliably
Finn Thain [Sun, 12 Jan 2014 13:56:38 +0000 (00:56 +1100)]
m68k/mac: Make SCC reset work more reliably

commit 56931d73697c99ecf7aba6ae86c94d3a2d15d596 upstream.

For SCC initialization we cannot assume that the control register is in
the correct state to accept a register pointer. So first read from the
control register in order to "sync" up.

Signed-off-by: Finn Thain <>
Signed-off-by: Geert Uytterhoeven <>
Cc: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agom68k/mm: Check for mm != NULL in do_page_fault() debug code
Geert Uytterhoeven [Tue, 10 Dec 2013 10:35:47 +0000 (11:35 +0100)]
m68k/mm: Check for mm != NULL in do_page_fault() debug code

commit 4e25c0e92f8eaf69bc51d1d523bcb7268e7dd162 upstream.

When DEBUG is enabled, do_page_fault() may dereference a NULL pointer,
causing recursive bus errors.

Signed-off-by: Geert Uytterhoeven <>
Cc: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agom32r: fix potential NULL-pointer dereference
Kirill A. Shutemov [Thu, 14 Nov 2013 22:31:18 +0000 (14:31 -0800)]
m32r: fix potential NULL-pointer dereference

commit fecf3743b824ce4eb275ed4a1d6aee9494f6a966 upstream.

Add missing check for memory allocation fail.

Signed-off-by: Kirill A. Shutemov <>
Cc: Hirokazu Takata <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Cc: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agopm: use GFP_ATOMIC when pm core call this function
Scott Jiang [Mon, 16 Sep 2013 04:53:09 +0000 (00:53 -0400)]
pm: use GFP_ATOMIC when pm core call this function

commit aefefe92116b776203f95f3249ae61b94f73f170 upstream.

We shouldn't sleep in atomic sections.

Signed-off-by: Scott Jiang <>
Cc: Oliver Neukum <>
Signed-off-by: Jiri Slaby <>
4 years agostaging/dgnc: fix info leak in ioctl
Salva Peiró [Wed, 14 Oct 2015 15:48:02 +0000 (17:48 +0200)]
staging/dgnc: fix info leak in ioctl

commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 upstream.

The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Salva Peiró <>
Signed-off-by: Greg Kroah-Hartman <>
Cc: Yuki Machida <>
Signed-off-by: Jiri Slaby <>
4 years agomodule: remove MODULE_GENERIC_TABLE
Rusty Russell [Mon, 3 Feb 2014 00:45:13 +0000 (11:15 +1030)]

commit cff26a51da5d206d3baf871e75778da44710219d upstream.

work directly.  This also removes a wart introduced in the last patch,
where the alias is defined to be an unknown struct type "struct
type##__##name##_device_id" instead of "struct type##_device_id" (it's
an extern so GCC doesn't care, but it's wrong).

The other user of MODULE_GENERIC_TABLE (ISAPNP_CARD_TABLE) is unused,
so delete it.

Bryan: gcc v3.3.2 cares

Signed-off-by: Rusty Russell <>
Cc: Bryan Kadzban <>
Signed-off-by: Jiri Slaby <>
4 years agoqla2xxx: Fix hardware lock/unlock issue causing kernel panic.
Saurav Kashyap [Wed, 10 Jun 2015 15:05:17 +0000 (11:05 -0400)]
qla2xxx: Fix hardware lock/unlock issue causing kernel panic.

commit ba9f6f64a0ff6b7ecaed72144c179061f8eca378 upstream.

This patch fixes a kernel panic for qla2xxx Target core
Module driver introduced by a fix in the qla2xxx initiator code.

Commit ef86cb2 ("qla2xxx: Mark port lost when we receive an RSCN for it.")
introduced the regression for qla2xxx Target driver.

Stack trace will have following signature

 --- <NMI exception stack> ---
[ffff88081faa3cc8] _raw_spin_lock_irqsave at ffffffff815b1f03
[ffff88081faa3cd0] qlt_fc_port_deleted at ffffffffa096ccd0 [qla2xxx]
[ffff88081faa3d20] qla2x00_schedule_rport_del at ffffffffa0913831[qla2xxx]
[ffff88081faa3d50] qla2x00_mark_device_lost at ffffffffa09159c5[qla2xxx]
[ffff88081faa3db0] qla2x00_async_event at ffffffffa0938d59 [qla2xxx]
[ffff88081faa3e30] qla24xx_msix_default at ffffffffa093a326 [qla2xxx]
[ffff88081faa3e90] handle_irq_event_percpu at ffffffff810a7b8d
[ffff88081faa3ee0] handle_irq_event at ffffffff810a7d32
[ffff88081faa3f10] handle_edge_irq at ffffffff810ab6b9
[ffff88081faa3f30] handle_irq at ffffffff8100619c
[ffff88081faa3f70] do_IRQ at ffffffff815b4b1c
 --- <IRQ stack> ---

Signed-off-by: Saurav Kashyap <>
Signed-off-by: Himanshu Madhani <>
Reviewed-by: Nicholas Bellinger <>
Signed-off-by: Nicholas Bellinger <>
Cc: Michal Marek <>
Fixes: ef86cb205 ("qla2xxx: Mark port lost when we receive an RSCN for it.")
Signed-off-by: Jiri Slaby <>
4 years agoInput: aiptek - fix crash on detecting device without endpoints
Vladis Dronov [Tue, 1 Dec 2015 21:09:17 +0000 (13:09 -0800)]
Input: aiptek - fix crash on detecting device without endpoints

commit 8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 upstream.

The aiptek driver crashes in aiptek_probe() when a specially crafted USB
device without endpoints is detected. This fix adds a check that the device
has proper configuration expected by the driver. Also an error return value
is changed to more matching one in one of the error paths.

Reported-by: Ralf Spenneberg <>
Signed-off-by: Vladis Dronov <>
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Jiri Slaby <>
4 years agoblock: Always check queue limits for cloned requests
Hannes Reinecke [Thu, 26 Nov 2015 07:46:57 +0000 (08:46 +0100)]
block: Always check queue limits for cloned requests

commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream.

When a cloned request is retried on other queues it always needs
to be checked against the queue limits of that queue.
Otherwise the calculations for nr_phys_segments might be wrong,
leading to a crash in scsi_init_sgtable().

To clarify this the patch renames blk_rq_check_limits()
to blk_cloned_rq_check_limits() and removes the symbol
export, as the new function should only be used for
cloned requests and never exported.

Cc: Mike Snitzer <>
Cc: Ewan Milne <>
Cc: Jeff Moyer <>
Signed-off-by: Hannes Reinecke <>
Fixes: e2a60da74 ("block: Clean up special command handling logic")
Acked-by: Mike Snitzer <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Jiri Slaby <>
4 years agolpfc: Fix null ndlp dereference in target_reset_handler
James Smart [Tue, 7 Apr 2015 19:07:20 +0000 (15:07 -0400)]
lpfc: Fix null ndlp dereference in target_reset_handler

commit 63e480fd2f598e9ad37f89e79c36834e7dd60ba0 upstream.

Signed-off-by: Dick Kennedy <>
Signed-off-by: James Smart <>
Reviewed-by: Hannes Reinecke <>
Signed-off-by: James Bottomley <>
Acked-by: Johannes Thumshirn <>
Signed-off-by: Jiri Slaby <>
4 years agodrm/i915: Fix SRC_COPY width on 830/845g
Chris Wilson [Fri, 12 Sep 2014 06:37:42 +0000 (07:37 +0100)]
drm/i915: Fix SRC_COPY width on 830/845g

commit 611a7a4fd8b5fb6b25ab1f8bdcde61800a7feacf upstream.

One small change I forgot to make in

commit c4d69da167fa967749aeb70bc0e94a457e5d00c1
Author: Chris Wilson <>
Date:   Mon Sep 8 14:25:41 2014 +0100

    drm/i915: Evict CS TLBs between batches

was to update the copy width for the compact BLT copy instruction.

Reported-by: Thomas Richter <>
Signed-off-by: Chris Wilson <>
Cc: Thomas Richter <>
Cc: Jani Nikula <>
Tested-by: Thomas Richter <>
Acked-by: Daniel Vetter <>
Signed-off-by: Jani Nikula <>
Signed-off-by: Jiri Slaby <>
4 years agoring-buffer: Always run per-cpu ring buffer resize with schedule_work_on()
Corey Minyard [Wed, 16 Jul 2014 19:07:13 +0000 (14:07 -0500)]
ring-buffer: Always run per-cpu ring buffer resize with schedule_work_on()

commit 021c5b34452d52e51664f09b98cd50c5495e74b6 upstream.

The code for resizing the trace ring buffers has to run the per-cpu
resize on the CPU itself.  The code was using preempt_off() and
running the code for the current CPU directly, otherwise calling

At least on RT this could result in the following:

|BUG: sleeping function called from invalid context at kernel/rtmutex.c:673
|in_atomic(): 1, irqs_disabled(): 0, pid: 607, name: bash
|3 locks held by bash/607:
|CPU: 0 PID: 607 Comm: bash Not tainted 3.12.15-rt25+ #124

probably via
|cd /sys/kernel/debug/tracing/
|echo 1 > events/enable ; sleep 2
|echo 1024 > buffer_size_kb

If we just always use schedule_work_on(), there's no need for the
preempt_off().  So do that.

Reported-by: Stanislav Meduna <>
Signed-off-by: Corey Minyard <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Jiri Slaby <>
4 years agoSUNRPC: Fix oops when trace sunrpc_task events in nfs client
Ditang Chen [Fri, 7 Mar 2014 05:27:57 +0000 (13:27 +0800)]
SUNRPC: Fix oops when trace sunrpc_task events in nfs client

commit 2ca310fc4160ed0420da65534a21ae77b24326a8 upstream.

When tracking sunrpc_task events in nfs client, the clnt pointer may be NULL.

[  139.269266] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[  139.269915] IP: [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
[  139.269915] PGD 1d293067 PUD 1d294067 PMD 0
[  139.269915] Oops: 0000 [#1] SMP
[  139.269915] Modules linked in: nfsv4 dns_resolver nfs lockd sunrpc fscache sg ppdev e1000
serio_raw pcspkr parport_pc parport i2c_piix4 i2c_core microcode xfs libcrc32c sd_mod sr_mod
cdrom ata_generic crc_t10dif crct10dif_common pata_acpi ahci libahci ata_piix libata dm_mirror
dm_region_hash dm_log dm_mod
[  139.269915] CPU: 0 PID: 59 Comm: kworker/0:2 Not tainted 3.10.0-84.el7.x86_64 #1
[  139.269915] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  139.269915] Workqueue: rpciod rpc_async_schedule [sunrpc]
[  139.269915] task: ffff88001b598000 ti: ffff88001b632000 task.ti: ffff88001b632000
[  139.269915] RIP: 0010:[<ffffffffa026f216>]  [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
[  139.269915] RSP: 0018:ffff88001b633d70  EFLAGS: 00010206
[  139.269915] RAX: ffff88001dfc5338 RBX: ffff88001cc37a00 RCX: ffff88001dfc5334
[  139.269915] RDX: ffff88001dfc5338 RSI: 0000000000000000 RDI: ffff88001dfc533c
[  139.269915] RBP: ffff88001b633db0 R08: 000000000000002c R09: 000000000000000a
[  139.269915] R10: 0000000000062180 R11: 00000020759fb9dc R12: ffffffffa0292c20
[  139.269915] R13: ffff88001dfc5334 R14: 0000000000000000 R15: 0000000000000000
[  139.269915] FS:  0000000000000000(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
[  139.269915] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  139.269915] CR2: 0000000000000004 CR3: 000000001d290000 CR4: 00000000000006f0
[  139.269915] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  139.269915] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  139.269915] Stack:
[  139.269915]  000000001b633d98 0000000000000246 ffff88001df1dc00 ffff88001cc37a00
[  139.269915]  ffff88001bc35e60 0000000000000000 ffff88001ffa0a48 ffff88001bc35ee0
[  139.269915]  ffff88001b633e08 ffffffffa02704b5 0000000000010000 ffff88001cc37a70
[  139.269915] Call Trace:
[  139.269915]  [<ffffffffa02704b5>] __rpc_execute+0x1d5/0x400 [sunrpc]
[  139.269915]  [<ffffffffa0270706>] rpc_async_schedule+0x26/0x30 [sunrpc]
[  139.269915]  [<ffffffff8107867b>] process_one_work+0x17b/0x460
[  139.269915]  [<ffffffff8107942b>] worker_thread+0x11b/0x400
[  139.269915]  [<ffffffff81079310>] ? rescuer_thread+0x3e0/0x3e0
[  139.269915]  [<ffffffff8107fc80>] kthread+0xc0/0xd0
[  139.269915]  [<ffffffff8107fbc0>] ? kthread_create_on_node+0x110/0x110
[  139.269915]  [<ffffffff815d122c>] ret_from_fork+0x7c/0xb0
[  139.269915]  [<ffffffff8107fbc0>] ? kthread_create_on_node+0x110/0x110
[  139.269915] Code: 4c 8b 45 c8 48 8d 7d d0 89 4d c4 41 89 c9 b9 28 00 00 00 e8 9d b4 e9
e0 48 85 c0 49 89 c5 74 a2 48 89 c7 e8 9d 3f e9 e0 48 89 c2 <41> 8b 46 04 48 8b 7d d0 4c
89 e9 4c 89 e6 89 42 0c 0f b7 83 d4
[  139.269915] RIP  [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
[  139.269915]  RSP <ffff88001b633d70>
[  139.269915] CR2: 0000000000000004
[  140.946406] ---[ end trace ba486328b98d7622 ]---

Signed-off-by: Ditang Chen <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Jiri Slaby <>
4 years agoroute: Use ipv4_mtu instead of raw rt_pmtu
Herbert Xu [Tue, 28 Apr 2015 03:43:15 +0000 (11:43 +0800)]
route: Use ipv4_mtu instead of raw rt_pmtu

commit cb6ccf09d6b94bec4def1ac5cf4678d12b216474 upstream.

The commit 3cdaa5be9e81a914e633a6be7b7d2ef75b528562 ("ipv4: Don't
increase PMTU with Datagram Too Big message") broke PMTU in cases
where the rt_pmtu value has expired but is smaller than the new
PMTU value.

This obsolete rt_pmtu then prevents the new PMTU value from being

Fixes: 3cdaa5be9e81 ("ipv4: Don't increase PMTU with Datagram Too Big message")
Reported-by: Gerd v. Egidy <>
Signed-off-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoipv4: Don't increase PMTU with Datagram Too Big message.
Li Wei [Thu, 29 Jan 2015 08:09:03 +0000 (16:09 +0800)]
ipv4: Don't increase PMTU with Datagram Too Big message.

commit 3cdaa5be9e81a914e633a6be7b7d2ef75b528562 upstream.

RFC 1191 said, "a host MUST not increase its estimate of the Path
MTU in response to the contents of a Datagram Too Big message."

Signed-off-by: Li Wei <>
Signed-off-by: David S. Miller <>
Signed-off-by: Jiri Slaby <>
4 years agoPCI: Drop "setting latency timer" messages
Bjorn Helgaas [Mon, 23 Sep 2013 21:25:26 +0000 (15:25 -0600)]
PCI: Drop "setting latency timer" messages

commit a006482b67a96c16dfefc558e36863c51e1829bf upstream.

This message isn't useful any more, so drop it.

Reported-by: Oleksil Shevchuk <>
Reported-by: Andy Lutomirski <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Jiri Slaby <>