commit 8ad5c667c3ad728ef764b31c0a61371e4076747d Author: Ben Hutchings Date: Sat Feb 13 10:34:14 2016 +0000 Linux 3.2.77 commit a71eddf2dd01d45d0d1314fce8a535da76053e7b Author: Vladis Dronov Date: Mon Nov 16 15:55:11 2015 -0200 usbvision: fix crash on detecting device with invalid configuration commit fa52bd506f274b7619955917abfde355e3d19ffe upstream. The usbvision driver crashes when a specially crafted usb device with invalid number of interfaces or endpoints is detected. This fix adds checks that the device has proper configuration expected by the driver. Reported-by: Ralf Spenneberg Signed-off-by: Vladis Dronov Signed-off-by: Mauro Carvalho Chehab [bwh: Backport to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit ae64b688736b2aa3861ca02792b69041676329a2 Author: Oliver Neukum Date: Tue Oct 27 09:51:34 2015 -0200 usbvision fix overflow of interfaces array commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream. This fixes the crash reported in: http://seclists.org/bugtraq/2015/Oct/35 The interface number needs a sanity check. Signed-off-by: Oliver Neukum Cc: Vladis Dronov Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 8069deca8771dcdfcf3e9e34a71c918b8ddc76d5 Author: Alexey Khoroshilov Date: Fri Mar 27 19:39:09 2015 -0300 usbvision: fix leak of usb_dev on failure paths in usbvision_probe() commit afd270d1a45043cef14341bcceff62ed50e8dc9a upstream. There is no usb_put_dev() on failure paths in usbvision_probe(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 89e46440df357001b6d122af71befcc0551e7072 Author: Alexey Khoroshilov Date: Mon Jun 10 17:32:29 2013 -0300 usbvision-video: fix memory leak of alt_max_pkt_size commit 090c65b694c362adb19ec9c27de216a808ee443c upstream. 1. usbvision->alt_max_pkt_size is not deallocated anywhere. 2. if allocation of usbvision->alt_max_pkt_size fails, there is no proper deallocation of already acquired resources. The patch adds kfree(usbvision->alt_max_pkt_size) to usbvision_release() as soon as other deallocations happen there. It calls usbvision_release() if allocation of usbvision->alt_max_pkt_size fails as soon as usbvision_release() is safe to work with incompletely initialized usbvision structure. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit a655ba1a8c185ef3d8ecc2709df568c1a7840b74 Author: Karl Heiss Date: Thu Sep 24 12:15:07 2015 -0400 sctp: Prevent soft lockup when sctp_accept() is called during a timeout event commit 635682a14427d241bab7bbdeebb48a7d7b91638e upstream. A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. Note that this race can occur with other SCTP timeouts that take the bh_lock_sock() in the event sctp_accept() is called. BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0] ... RIP: 0010:[] [] _spin_lock+0x1e/0x30 RSP: 0018:ffff880028323b20 EFLAGS: 00000206 RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48 RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000 R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0 R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225 FS: 0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0) Stack: ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00 ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8 Call Trace: [] ? sctp_rcv+0x492/0xa10 [sctp] [] ? nf_iterate+0x69/0xb0 [] ? ip_local_deliver_finish+0x0/0x2d0 [] ? nf_hook_slow+0x76/0x120 [] ? ip_local_deliver_finish+0x0/0x2d0 [] ? ip_local_deliver_finish+0xdd/0x2d0 [] ? ip_local_deliver+0x98/0xa0 [] ? ip_rcv_finish+0x12d/0x440 [] ? ip_rcv+0x275/0x350 [] ? __netif_receive_skb+0x4ab/0x750 ... With lockdep debugging: ===================================== [ BUG: bad unlock balance detected! ] ------------------------------------- CslRx/12087 is trying to release lock (slock-AF_INET) at: [] sctp_generate_timeout_event+0x40/0xe0 [sctp] but there are no more locks to release! other info that might help us debug this: 2 locks held by CslRx/12087: #0: (&asoc->timers[i]){+.-...}, at: [] run_timer_softirq+0x16f/0x3e0 #1: (slock-AF_INET){+.-...}, at: [] sctp_generate_timeout_event+0x23/0xe0 [sctp] Ensure the socket taken is also the same one that is released by saving a copy of the socket before entering the timeout event critical section. Signed-off-by: Karl Heiss Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Net namespaces are not used - Keep using sctp_bh_{,un}lock_sock() - Adjust context] Signed-off-by: Ben Hutchings commit 9cf50c3ff1d3286a25781c8d6f81e83f7835c5c8 Author: Herbert Xu Date: Mon Jan 18 18:46:10 2016 +0800 crypto: algif_skcipher - Load TX SG list after waiting commit 4f0414e54e4d1893c6f08260693f8ef84c929293 upstream. We need to load the TX SG list in sendmsg(2) after waiting for incoming data, not before. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Tested-by: Dmitry Vyukov [bwh: Backported to 3.2: adjust context, indentation] Signed-off-by: Ben Hutchings commit 9bc37ed5b25642391d5c39e9723c8cda1f5ccf39 Author: Herbert Xu Date: Fri Jan 15 22:02:20 2016 +0800 crypto: algif_skcipher - Fix race condition in skcipher_check_key commit 1822793a523e5d5730b19cc21160ff1717421bc8 upstream. We need to lock the child socket in skcipher_check_key as otherwise two simultaneous calls can cause the parent socket to be freed. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit 8d33fff4858afd802c90da36e2020641b1a9599b Author: Herbert Xu Date: Fri Jan 15 22:01:08 2016 +0800 crypto: algif_hash - Fix race condition in hash_check_key commit ad46d7e33219218605ea619e32553daf4f346b9f upstream. We need to lock the child socket in hash_check_key as otherwise two simultaneous calls can cause the parent socket to be freed. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit f1cf0b97e71d91b2b9d68540265133eb7711d3ed Author: Herbert Xu Date: Wed Jan 13 15:03:32 2016 +0800 crypto: af_alg - Forbid bind(2) when nokey child sockets are present commit a6a48c565f6f112c6983e2a02b1602189ed6e26e upstream. This patch forbids the calling of bind(2) when there are child sockets created by accept(2) in existence, even if they are created on the nokey path. This is needed as those child sockets have references to the tfm object which bind(2) will destroy. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit cac88c40e23f7ad953721723aca1f9503023d022 Author: Herbert Xu Date: Wed Jan 13 15:01:06 2016 +0800 crypto: algif_skcipher - Remove custom release parent function commit d7b65aee1e7b4c87922b0232eaba56a8a143a4a0 upstream. This patch removes the custom release parent function as the generic af_alg_release_parent now works for nokey sockets too. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit e6e7011182cdfda7fe4061e4eff3f8383132b111 Author: Herbert Xu Date: Wed Jan 13 15:00:36 2016 +0800 crypto: algif_hash - Remove custom release parent function commit f1d84af1835846a5a2b827382c5848faf2bb0e75 upstream. This patch removes the custom release parent function as the generic af_alg_release_parent now works for nokey sockets too. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit 175577bbf41a69bd02b08a30e785ab3ba2a9c2fb Author: Herbert Xu Date: Wed Jan 13 14:59:03 2016 +0800 crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path commit 6a935170a980024dd29199e9dbb5c4da4767a1b9 upstream. This patch allows af_alg_release_parent to be called even for nokey sockets. Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit a59afee0ac4a3e6a249ebcb43da65ad99c513e33 Author: Herbert Xu Date: Mon Jan 11 21:29:41 2016 +0800 crypto: algif_skcipher - Add key check exception for cipher_null commit 6e8d8ecf438792ecf7a3207488fb4eebc4edb040 upstream. This patch adds an exception to the key check so that cipher_null users may continue to use algif_skcipher without setting a key. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: use crypto_ablkcipher_has_setkey()] Signed-off-by: Ben Hutchings commit 3ba1945b048afd9cd8dba6b341160fffc4e431a0 Author: Herbert Xu Date: Mon Jan 11 21:26:50 2016 +0800 crypto: skcipher - Add crypto_skcipher_has_setkey commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream. This patch adds a way for skcipher users to determine whether a key is required by a transform. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: add to ablkcipher API instead] Signed-off-by: Ben Hutchings commit 5d4c935b8a1ea8bb0efed11b204de06f96fdb6b1 Author: Herbert Xu Date: Fri Jan 8 21:31:04 2016 +0800 crypto: algif_hash - Require setkey before accept(2) commit 6de62f15b581f920ade22d758f4c338311c2f0d4 upstream. Hash implementations that require a key may crash if you use them without setting a key. This patch adds the necessary checks so that if you do attempt to use them without a key that we return -ENOKEY instead of proceeding. This patch also adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: - Add struct kiocb * parameter to {recv,send}msg ops - Adjust context] Signed-off-by: Ben Hutchings commit 91be8bcfc83376406f0737d91b06d2a1587aa31b Author: Herbert Xu Date: Fri Jan 8 21:28:26 2016 +0800 crypto: hash - Add crypto_ahash_has_setkey commit a5596d6332787fd383b3b5427b41f94254430827 upstream. This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 62a73f4b649dedf99e8a32fd4834ef8954d04a37 Author: Herbert Xu Date: Mon Jan 4 13:36:12 2016 +0900 crypto: algif_skcipher - Add nokey compatibility path commit a0fa2d037129a9849918a92d91b79ed6c7bd2818 upstream. This patch adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: add struct kiocb * parameter to {recv,send}msg ops] Signed-off-by: Ben Hutchings commit 02edec2abebf72c5915c8c3b968e653eb69d9257 Author: Herbert Xu Date: Mon Jan 4 13:35:18 2016 +0900 crypto: af_alg - Add nokey compatibility path commit 37766586c965d63758ad542325a96d5384f4a8c9 upstream. This patch adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit a4bbb982ded26deac0d63b5c5a6d7c6a53f6283d Author: Herbert Xu Date: Wed Dec 30 11:47:53 2015 +0800 crypto: af_alg - Disallow bind/setkey/... after accept(2) commit c840ac6af3f8713a71b4d2363419145760bd6044 upstream. Each af_alg parent socket obtained by socket(2) corresponds to a tfm object once bind(2) has succeeded. An accept(2) call on that parent socket creates a context which then uses the tfm object. Therefore as long as any child sockets created by accept(2) exist the parent socket must not be modified or freed. This patch guarantees this by using locks and a reference count on the parent socket. Any attempt to modify the parent socket will fail with EBUSY. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit e249f66acd1096c07a64cf59b6add21b0edbc7f3 Author: Herbert Xu Date: Fri Dec 25 15:40:05 2015 +0800 crypto: algif_skcipher - Require setkey before accept(2) commit dd504589577d8e8e70f51f997ad487a4cb6c026f upstream. Some cipher implementations will crash if you try to use them without calling setkey first. This patch adds a check so that the accept(2) call will fail with -ENOKEY if setkey hasn't been done on the socket yet. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Tested-by: Dmitry Vyukov [bwh: Backported to 3.2: s/crypto_(alloc_|free_)?skcipher/crypto_\1ablkcipher/] Signed-off-by: Ben Hutchings commit 11fbe69aa25a787aa3f3dea5dad9eb4f6944bc70 Author: Tariq Saeed Date: Thu Jan 21 16:40:39 2016 -0800 ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock commit b1b1e15ef6b80facf76d6757649dfd7295eda29f upstream. NFS on a 2 node ocfs2 cluster each node exporting dir. The lock causing the hang is the global bit map inode lock. Node 1 is master, has the lock granted in PR mode; Node 2 is in the converting list (PR -> EX). There are no holders of the lock on the master node so it should downconvert to NL and grant EX to node 2 but that does not happen. BLOCKED + QUEUED in lock res are set and it is on osb blocked list. Threads are waiting in __ocfs2_cluster_lock on BLOCKED. One thread wants EX, rest want PR. So it is as though the downconvert thread needs to be kicked to complete the conv. The hang is caused by an EX req coming into __ocfs2_cluster_lock on the heels of a PR req after it sets BUSY (drops l_lock, releasing EX thread), forcing the incoming EX to wait on BUSY without doing anything. PR has called ocfs2_dlm_lock, which sets the node 1 lock from NL -> PR, queues ast. At this time, upconvert (PR ->EX) arrives from node 2, finds conflict with node 1 lock in PR, so the lock res is put on dlm thread's dirty listt. After ret from ocf2_dlm_lock, PR thread now waits behind EX on BUSY till awoken by ast. Now it is dlm_thread that serially runs dlm_shuffle_lists, ast, bast, in that order. dlm_shuffle_lists ques a bast on behalf of node 2 (which will be run by dlm_thread right after the ast). ast does its part, sets UPCONVERT_FINISHING, clears BUSY and wakes its waiters. Next, dlm_thread runs bast. It sets BLOCKED and kicks dc thread. dc thread runs ocfs2_unblock_lock, but since UPCONVERT_FINISHING set, skips doing anything and reques. Inside of __ocfs2_cluster_lock, since EX has been waiting on BUSY ahead of PR, it wakes up first, finds BLOCKED set and skips doing anything but clearing UPCONVERT_FINISHING (which was actually "meant" for the PR thread), and this time waits on BLOCKED. Next, the PR thread comes out of wait but since UPCONVERT_FINISHING is not set, it skips updating the l_ro_holders and goes straight to wait on BLOCKED. So there, we have a hang! Threads in __ocfs2_cluster_lock wait on BLOCKED, lock res in osb blocked list. Only when dc thread is awoken, it will run ocfs2_unblock_lock and things will unhang. One way to fix this is to wake the dc thread on the flag after clearing UPCONVERT_FINISHING Orabug: 20933419 Signed-off-by: Tariq Saeed Signed-off-by: Santosh Shilimkar Reviewed-by: Wengang Wang Reviewed-by: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Reviewed-by: Joseph Qi Cc: Eric Ren Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit b121fad282f2ff012eca31efe4446dc9c170206a Author: Matan Barak Date: Thu Jan 14 17:47:02 2016 +0200 IB/mlx4: Initialize hop_limit when creating address handle commit 4e4081673445485aa6bc90383bdb83e7a96cc48a upstream. Hop limit value wasn't copied from attributes when ah was created. This may influence packets for unconnected services to get dropped in routers when endpoints are not in the same subnet. Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE") Signed-off-by: Matan Barak Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit d2c0e5a66d9aa447155d03679f0eb19d160f99e3 Author: Mike Marciniszyn Date: Thu Jan 7 16:44:10 2016 -0500 IB/qib: fix mcast detach when qp not attached commit 09dc9cd6528f5b52bcbd3292a6312e762c85260f upstream. The code produces the following trace: [1750924.419007] general protection fault: 0000 [#3] SMP [1750924.420364] Modules linked in: nfnetlink autofs4 rpcsec_gss_krb5 nfsv4 dcdbas rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl dm_multipath nfs lockd scsi_dh sunrpc fscache radeon ttm drm_kms_helper drm serio_raw parport_pc ppdev i2c_algo_bit lpc_ich ipmi_si ib_mthca ib_qib dca lp parport ib_ipoib mac_hid ib_cm i3000_edac ib_sa ib_uverbs edac_core ib_umad ib_mad ib_core ib_addr tg3 ptp dm_mirror dm_region_hash dm_log psmouse pps_core [1750924.420364] CPU: 1 PID: 8401 Comm: python Tainted: G D 3.13.0-39-generic #66-Ubuntu [1750924.420364] Hardware name: Dell Computer Corporation PowerEdge 860/0XM089, BIOS A04 07/24/2007 [1750924.420364] task: ffff8800366a9800 ti: ffff88007af1c000 task.ti: ffff88007af1c000 [1750924.420364] RIP: 0010:[] [] qib_mcast_qp_free+0x11/0x50 [ib_qib] [1750924.420364] RSP: 0018:ffff88007af1dd70 EFLAGS: 00010246 [1750924.420364] RAX: 0000000000000001 RBX: ffff88007b822688 RCX: 000000000000000f [1750924.420364] RDX: ffff88007b822688 RSI: ffff8800366c15a0 RDI: 6764697200000000 [1750924.420364] RBP: ffff88007af1dd78 R08: 0000000000000001 R09: 0000000000000000 [1750924.420364] R10: 0000000000000011 R11: 0000000000000246 R12: ffff88007baa1d98 [1750924.420364] R13: ffff88003ecab000 R14: ffff88007b822660 R15: 0000000000000000 [1750924.420364] FS: 00007ffff7fd8740(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000 [1750924.420364] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1750924.420364] CR2: 00007ffff597c750 CR3: 000000006860b000 CR4: 00000000000007e0 [1750924.420364] Stack: [1750924.420364] ffff88007b822688 ffff88007af1ddf0 ffffffffa0132429 000000007af1de20 [1750924.420364] ffff88007baa1dc8 ffff88007baa0000 ffff88007af1de70 ffffffffa00cb313 [1750924.420364] 00007fffffffde88 0000000000000000 0000000000000008 ffff88003ecab000 [1750924.420364] Call Trace: [1750924.420364] [] qib_multicast_detach+0x1e9/0x350 [ib_qib] [1750924.568035] [] ? ib_uverbs_modify_qp+0x323/0x3d0 [ib_uverbs] [1750924.568035] [] ib_detach_mcast+0x31/0x50 [ib_core] [1750924.568035] [] ib_uverbs_detach_mcast+0x93/0x170 [ib_uverbs] [1750924.568035] [] ib_uverbs_write+0xc6/0x2c0 [ib_uverbs] [1750924.568035] [] ? apparmor_file_permission+0x18/0x20 [1750924.568035] [] ? security_file_permission+0x23/0xa0 [1750924.568035] [] vfs_write+0xb4/0x1f0 [1750924.568035] [] SyS_write+0x49/0xa0 [1750924.568035] [] system_call_fastpath+0x1a/0x1f [1750924.568035] Code: 66 2e 0f 1f 84 00 00 00 00 00 31 c0 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 8b 7f 10 ff 8f 40 01 00 00 74 0e 48 89 df e8 8e f8 06 e1 5b 5d c3 0f [1750924.568035] RIP [] qib_mcast_qp_free+0x11/0x50 [ib_qib] [1750924.568035] RSP [1750924.650439] ---[ end trace 73d5d4b3f8ad4851 ] The fix is to note the qib_mcast_qp that was found. If none is found, then return EINVAL indicating the error. Reviewed-by: Dennis Dalessandro Reported-by: Jason Gunthorpe Signed-off-by: Mike Marciniszyn Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings commit c793373eea1dcd0102a4f09edea14d404da9629b Author: Takashi Iwai Date: Mon Jan 18 14:12:40 2016 +0100 ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream. When a TLV ioctl with numid zero is handled, the driver may spew a kernel warning with a stack trace at each call. The check was intended obviously only for a kernel driver, but not for a user interaction. Let's fix it. This was spotted by syzkaller fuzzer. Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 2652a5cb46b8e55c2e62aef48256c31af0127420 Author: Nicolas Boichat Date: Mon Jan 18 21:35:01 2016 +0800 ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode commit 9586495dc3011a80602329094e746dbce16cb1f1 upstream. This reverts one hunk of commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls. In this case, we are copying from a struct snd_seq_port_info32 to a struct snd_seq_port_info, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls. Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') Signed-off-by: Nicolas Boichat Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit ee5f83ce56b923cd90c8f35d4e3fe30cc7699f57 Author: Nicolas Boichat Date: Mon Jan 18 21:35:00 2016 +0800 ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream. This reverts one hunk of commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls. In this case, we are copying from a struct snd_pcm_hw_params32 to a struct snd_pcm_hw_params, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls. This actually leads to an out-of-bounds memory access later on in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan). Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()') Signed-off-by: Nicolas Boichat Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit f35e5e1204e0017f4011fd2896b16c6d30e2e827 Author: Takashi Iwai Date: Mon Jan 18 13:52:47 2016 +0100 ALSA: hrtimer: Fix stall by hrtimer_cancel() commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 upstream. hrtimer_cancel() waits for the completion from the callback, thus it must not be called inside the callback itself. This was already a problem in the past with ALSA hrtimer driver, and the early commit [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it. However, the previous fix is still insufficient: it may still cause a lockup when the ALSA timer instance reprograms itself in its callback. Then it invokes the start function even in snd_timer_interrupt() that is called in hrtimer callback itself, results in a CPU stall. This is no hypothetical problem but actually triggered by syzkaller fuzzer. This patch tries to fix the issue again. Now we call hrtimer_try_to_cancel() at both start and stop functions so that it won't fall into a deadlock, yet giving some chance to cancel the queue if the functions have been called outside the callback. The proper hrtimer_cancel() is called in anyway at closing, so this should be enough. Reported-and-tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 542b4ad3c5f4cf151306c62ebf4296d4c6bf0fc8 Author: Herbert Xu Date: Wed Dec 30 20:24:17 2015 +0800 crypto: af_alg - Fix socket double-free when accept fails commit a383292c86663bbc31ac62cc0c04fc77504636a6 upstream. When we fail an accept(2) call we will end up freeing the socket twice, once due to the direct sk_free call and once again through newsock. This patch fixes this by removing the sk_free call. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings commit 60141aacff376347bb919ce0d64fa803d204f50e Author: Aaron Conole Date: Fri Jan 15 16:59:12 2016 -0800 printk: help pr_debug and pr_devel to optimize out arguments commit fe22cd9b7c980b8b948ec85f034a8668c57ec867 upstream. Currently, pr_debug and pr_devel will not elide function call arguments appearing in calls to the no_printk for these macros. This is because all side effects must be honored before proceeding to the 0-value assignment in no_printk. The behavior is contrary to documentation found in the CodingStyle and the header file where these functions are declared. This patch corrects that behavior by shunting out the call to no_printk completely. The format string is still checked by gcc for correctness, but no code seems to be emitted in common cases. [akpm@linux-foundation.org: remove braces, per Joe] Fixes: 5264f2f75d86 ("include/linux/printk.h: use and neaten no_printk") Signed-off-by: Aaron Conole Reported-by: Dmitry Vyukov Cc: Joe Perches Cc: Jason Baron Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 9248608dca94084ed774a8c602cbcbdc1aa8ed4a Author: Martijn Coenen Date: Fri Jan 15 16:57:49 2016 -0800 memcg: only free spare array when readers are done commit 6611d8d76132f86faa501de9451a89bf23fb2371 upstream. A spare array holding mem cgroup threshold events is kept around to make sure we can always safely deregister an event and have an array to store the new set of events in. In the scenario where we're going from 1 to 0 registered events, the pointer to the primary array containing 1 event is copied to the spare slot, and then the spare slot is freed because no events are left. However, it is freed before calling synchronize_rcu(), which means readers may still be accessing threshold->primary after it is freed. Fixed by only freeing after synchronize_rcu(). Signed-off-by: Martijn Coenen Cc: Johannes Weiner Acked-by: Michal Hocko Cc: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 65b6e4a0b6497a57608821c20149e83f256dc32c Author: Takashi Iwai Date: Thu Jan 14 16:30:58 2016 +0100 ALSA: timer: Harden slave timer list handling commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream. A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks of locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too. Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses. This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock. Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close(). Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch. Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues. Reported-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit b99688d443e58ba1f1206039de3316bc7d169235 Author: xuejiufei Date: Thu Jan 14 15:17:38 2016 -0800 ocfs2/dlm: ignore cleaning the migration mle that is inuse commit bef5502de074b6f6fa647b94b73155d675694420 upstream. We have found that migration source will trigger a BUG that the refcount of mle is already zero before put when the target is down during migration. The situation is as follows: dlm_migrate_lockres dlm_add_migration_mle dlm_mark_lockres_migrating dlm_get_mle_inuse <<<<<< Now the refcount of the mle is 2. dlm_send_one_lockres and wait for the target to become the new master. <<<<<< o2hb detect the target down and clean the migration mle. Now the refcount is 1. dlm_migrate_lockres woken, and put the mle twice when found the target goes down which trigger the BUG with the following message: "ERROR: bad mle: ". Signed-off-by: Jiufei Xue Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit da7b239bbdcc174c94cc6d0a4b55f9d421508d0c Author: Sergey Senozhatsky Date: Thu Jan 14 15:16:53 2016 -0800 scripts/bloat-o-meter: fix python3 syntax error commit 72214a24a7677d4c7501eecc9517ed681b5f2db2 upstream. In Python3+ print is a function so the old syntax is not correct anymore: $ ./scripts/bloat-o-meter vmlinux.o vmlinux.o.old File "./scripts/bloat-o-meter", line 61 print "add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s (%s)" % \ ^ SyntaxError: invalid syntax Fix by calling print as a function. Tested on python 2.7.11, 3.5.1 Signed-off-by: Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 1e78fe2053abf53c2497c0540b39d91fa1eb543d Author: Laura Abbott Date: Thu Jan 14 15:16:50 2016 -0800 dma-debug: switch check from _text to _stext commit ea535e418c01837d07b6c94e817540f50bfdadb0 upstream. In include/asm-generic/sections.h: /* * Usage guidelines: * _text, _data: architecture specific, don't use them in * arch-independent code * [_stext, _etext]: contains .text.* sections, may also contain * .rodata.* * and/or .init.* sections _text is not guaranteed across architectures. Architectures such as ARM may reuse parts which are not actually text and erroneously trigger a bug. Switch to using _stext which is guaranteed to contain text sections. Came out of https://lkml.kernel.org/g/<567B1176.4000106@redhat.com> Signed-off-by: Laura Abbott Reviewed-by: Kees Cook Cc: Russell King Cc: Arnd Bergmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 74ccb89d9375a29ecabbb8ffcb0e8ba7d11dd136 Author: Sudip Mukherjee Date: Thu Jan 14 15:16:47 2016 -0800 m32r: fix m32104ut_defconfig build fail commit 601f1db653217f205ffa5fb33514b4e1711e56d1 upstream. The build of m32104ut_defconfig for m32r arch was failing for long long time with the error: ERROR: "memory_start" [fs/udf/udf.ko] undefined! ERROR: "memory_end" [fs/udf/udf.ko] undefined! ERROR: "memory_end" [drivers/scsi/sg.ko] undefined! ERROR: "memory_start" [drivers/scsi/sg.ko] undefined! ERROR: "memory_end" [drivers/i2c/i2c-dev.ko] undefined! ERROR: "memory_start" [drivers/i2c/i2c-dev.ko] undefined! As done in other architectures export the symbols to fix the error. Reported-by: Fengguang Wu Signed-off-by: Sudip Mukherjee Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit 32ea1f7a284539346e1bc9bf8655df46d9c68d7f Author: Vasily Averin Date: Thu Jan 14 13:41:14 2016 +0300 cifs_dbg() outputs an uninitialized buffer in cifs_readdir() commit 01b9b0b28626db4a47d7f48744d70abca9914ef1 upstream. In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized, therefore its printk with "%s" modifier can leak content of kernelspace memory. If old content of this buffer does not contain '\0' access bejond end of allocated object can crash the host. Signed-off-by: Vasily Averin Signed-off-by: Steve French [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit ece016f84bca636bfb5acf440f3074af60f80fa4 Author: Rabin Vincent Date: Wed Dec 23 07:32:41 2015 +0100 cifs: fix race between call_async() and reconnect() commit 820962dc700598ffe8cd21b967e30e7520c34748 upstream. cifs_call_async() queues the MID to the pending list and calls smb_send_rqst(). If smb_send_rqst() performs a partial send, it sets the tcpStatus to CifsNeedReconnect and returns an error code to cifs_call_async(). In this case, cifs_call_async() removes the MID from the list and returns to the caller. However, cifs_call_async() releases the server mutex _before_ removing the MID. This means that a cifs_reconnect() can race with this function and manage to remove the MID from the list and delete the entry before cifs_call_async() calls cifs_delete_mid(). This leads to various crashes due to the use after free in cifs_delete_mid(). Task1 Task2 cifs_call_async(): - rc = -EAGAIN - mutex_unlock(srv_mutex) cifs_reconnect(): - mutex_lock(srv_mutex) - mutex_unlock(srv_mutex) - list_delete(mid) - mid->callback() cifs_writev_callback(): - mutex_lock(srv_mutex) - delete(mid) - mutex_unlock(srv_mutex) - cifs_delete_mid(mid) <---- use after free Fix this by removing the MID in cifs_call_async() before releasing the srv_mutex. Also hold the srv_mutex in cifs_reconnect() until the MIDs are moved out of the pending list. Signed-off-by: Rabin Vincent Acked-by: Shirish Pargaonkar Signed-off-by: Steve French [bwh: Backported to 3.2: - In cifs_call_async() there are two error paths jumping to 'out_err'; fix both of them - s/cifs_delete_mid/delete_mid/ - Adjust context] Signed-off-by: Ben Hutchings commit 4ed805d143fbc9d5f2026405d7090301fad67066 Author: Jamie Bainbridge Date: Sat Nov 7 22:13:49 2015 +1000 cifs: Ratelimit kernel log messages commit ec7147a99e33a9e4abad6fc6e1b40d15df045d53 upstream. Under some conditions, CIFS can repeatedly call the cifs_dbg() logging wrapper. If done rapidly enough, the console framebuffer can softlockup or "rcu_sched self-detected stall". Apply the built-in log ratelimiters to prevent such hangs. Signed-off-by: Jamie Bainbridge Signed-off-by: Steve French [bwh: Backported to 3.2: - cifs_dbg() and cifs_vfs_err() do not exist, but make similar changes to cifsfyi(), cifswarn() and cifserror()] - Include explicitly] Signed-off-by: Ben Hutchings commit 0f2ed5d5f58037e83b57a6dab9738a207eb75d96 Author: Dmitry V. Levin Date: Sun Dec 27 02:13:27 2015 +0300 sparc64: fix incorrect sign extension in sys_sparc64_personality commit 525fd5a94e1be0776fa652df5c687697db508c91 upstream. The value returned by sys_personality has type "long int". It is saved to a variable of type "int", which is not a problem yet because the type of task_struct->pesonality is "unsigned int". The problem is the sign extension from "int" to "long int" that happens on return from sys_sparc64_personality. For example, a userspace call personality((unsigned) -EINVAL) will result to any subsequent personality call, including absolutely harmless read-only personality(0xffffffff) call, failing with errno set to EINVAL. Signed-off-by: Dmitry V. Levin Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 12f88515e0e99a220afdfaeeeedf2fe206fbdc24 Author: Takashi Iwai Date: Wed Jan 13 17:48:01 2016 +0100 ALSA: timer: Fix race among timer ioctls commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream. ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 0e8f916d7dc9170ab2ef4b9a9ed19b640720029b Author: Takashi Iwai Date: Wed Jan 13 21:35:06 2016 +0100 ALSA: timer: Fix double unlink of active_list commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream. ALSA timer instance object has a couple of linked lists and they are unlinked unconditionally at snd_timer_stop(). Meanwhile snd_timer_interrupt() unlinks it, but it calls list_del() which leaves the element list itself unchanged. This ends up with unlinking twice, and it was caught by syzkaller fuzzer. The fix is to use list_del_init() variant properly there, too. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit e68624cb8e984efcfa95dd016e92fb67f325fd66 Author: Andy Lutomirski Date: Tue Jan 12 12:47:40 2016 -0800 x86/mm: Improve switch_mm() barrier comments commit 4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b upstream. My previous comments were still a bit confusing and there was a typo. Fix it up. Reported-by: Peter Zijlstra Signed-off-by: Andy Lutomirski Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Rik van Riel Cc: Thomas Gleixner Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization") Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 7a83e0d0a1dbc97e1b271538e479e3bd8fc4838e Author: Helge Deller Date: Sun Jan 10 09:30:42 2016 +0100 parisc: Fix __ARCH_SI_PREAMBLE_SIZE commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream. On a 64bit kernel build the compiler aligns the _sifields union in the struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define compensates for this alignment and thus fixes the wait testcase of the strace package. The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that _sigchld.si_stime variable is missed to be copied and thus after a copy_siginfo() will have uninitialized values. Signed-off-by: Helge Deller [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit d60262682193d5098dc1e13cd374ddfa49ee4c8d Author: Takashi Iwai Date: Tue Jan 12 15:36:27 2016 +0100 ALSA: seq: Fix race at timer setup and close commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 4cc2016fc314d14eb406dbd654120ae5a1bc2423 Author: Takashi Iwai Date: Tue Jan 12 12:38:02 2016 +0100 ALSA: seq: Fix missing NULL check at remove_events ioctl commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 upstream. snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally even if there is no FIFO assigned, and this leads to an Oops due to NULL dereference. The fix is just to add a proper NULL check. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit afebb87b9e08149c4a9f8fdbd2b1a51401e2feb8 Author: Mario Kleiner Date: Fri Dec 18 20:24:06 2015 +0100 x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] commit 2f0c0b2d96b1205efb14347009748d786c2d9ba5 upstream. Without the reboot=pci method, the iMac 10,1 simply hangs after printing "Restarting system" at the point when it should reboot. This fixes it. Signed-off-by: Mario Kleiner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Jones Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1450466646-26663-1-git-send-email-mario.kleiner.de@gmail.com Signed-off-by: Ingo Molnar [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit ddb405752278075861b5aafa429e84fdbe80868e Author: H.J. Lu Date: Mon Jan 4 10:17:09 2016 -0800 x86/boot: Double BOOT_HEAP_SIZE to 64KB commit 8c31902cffc4d716450be549c66a67a8a3dd479c upstream. When decompressing kernel image during x86 bootup, malloc memory for ELF program headers may run out of heap space, which leads to system halt. This patch doubles BOOT_HEAP_SIZE to 64KB. Tested with 32-bit kernel which failed to boot without this patch. Signed-off-by: H.J. Lu Acked-by: H. Peter Anvin Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings commit 72e67165876432b2803c02ba8a8f0168f18ab3c7 Author: Andy Lutomirski Date: Wed Jan 6 12:21:01 2016 -0800 x86/mm: Add barriers and document switch_mm()-vs-flush synchronization commit 71b3c126e61177eb693423f2e18a1914205b165e upstream. When switch_mm() activates a new PGD, it also sets a bit that tells other CPUs that the PGD is in use so that TLB flush IPIs will be sent. In order for that to work correctly, the bit needs to be visible prior to loading the PGD and therefore starting to fill the local TLB. Document all the barriers that make this work correctly and add a couple that were missing. Signed-off-by: Andy Lutomirski Cc: Andrew Morton Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Rik van Riel Cc: Thomas Gleixner Cc: linux-mm@kvack.org Signed-off-by: Ingo Molnar [bwh: Backported to 3.2: - There's no flush_tlb_mm_range(), only flush_tlb_mm() which does not use INVLPG - Adjust context] Signed-off-by: Ben Hutchings commit 0602b3e4e73ad7124d1c1a389bf38b99c8717cff Author: Eric Dumazet Date: Fri Jan 8 09:35:51 2016 -0800 ipv6: tcp: add rcu locking in tcp_v6_send_synack() commit 3e4006f0b86a5ae5eb0e8215f9a9e1db24506977 upstream. When first SYNACK is sent, we already hold rcu_read_lock(), but this is not true if a SYNACK is retransmitted, as a timer (soft) interrupt does not hold rcu_read_lock() Fixes: 45f6fad84cc30 ("ipv6: add complete rcu protection around np->opt") Reported-by: Dave Jones Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 15dabec9d87dd441d6f0ce49fbbef7fcc5f1ec39 Author: Vegard Nossum Date: Fri Dec 18 21:28:53 2015 +0100 uml: flush stdout before forking commit 0754fb298f2f2719f0393491d010d46cfb25d043 upstream. I was seeing some really weird behaviour where piping UML's output somewhere would cause output to get duplicated: $ ./vmlinux | head -n 40 Checking that ptrace can change system call numbers...Core dump limits : soft - 0 hard - NONE OK Checking syscall emulation patch for ptrace...Core dump limits : soft - 0 hard - NONE OK Checking advanced syscall emulation patch for ptrace...Core dump limits : soft - 0 hard - NONE OK Core dump limits : soft - 0 hard - NONE This is because these tests do a fork() which duplicates the non-empty stdout buffer, then glibc flushes the duplicated buffer as each child exits. A simple workaround is to flush before forking. Signed-off-by: Vegard Nossum Signed-off-by: Richard Weinberger Signed-off-by: Ben Hutchings commit edde646c29cc1729088935ee187f6ec733d61d62 Author: Vegard Nossum Date: Wed Dec 16 21:59:56 2015 +0100 uml: fix hostfs mknod() commit 9f2dfda2f2f1c6181c3732c16b85c59ab2d195e0 upstream. An inverted return value check in hostfs_mknod() caused the function to return success after handling it as an error (and cleaning up). It resulted in the following segfault when trying to bind() a named unix socket: Pid: 198, comm: a.out Not tainted 4.4.0-rc4 RIP: 0033:[<0000000061077df6>] RSP: 00000000daae5d60 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 000000006092a460 RCX: 00000000dfc54208 RDX: 0000000061073ef1 RSI: 0000000000000070 RDI: 00000000e027d600 RBP: 00000000daae5de0 R08: 00000000da980ac0 R09: 0000000000000000 R10: 0000000000000003 R11: 00007fb1ae08f72a R12: 0000000000000000 R13: 000000006092a460 R14: 00000000daaa97c0 R15: 00000000daaa9a88 Kernel panic - not syncing: Kernel mode fault at addr 0x40, ip 0x61077df6 CPU: 0 PID: 198 Comm: a.out Not tainted 4.4.0-rc4 #1 Stack: e027d620 dfc54208 0000006f da981398 61bee000 0000c1ed daae5de0 0000006e e027d620 dfcd4208 00000005 6092a460 Call Trace: [<60dedc67>] SyS_bind+0xf7/0x110 [<600587be>] handle_syscall+0x7e/0x80 [<60066ad7>] userspace+0x3e7/0x4e0 [<6006321f>] ? save_registers+0x1f/0x40 [<6006c88e>] ? arch_prctl+0x1be/0x1f0 [<60054985>] fork_handler+0x85/0x90 Let's also get rid of the "cosmic ray protection" while we're at it. Fixes: e9193059b1b3 "hostfs: fix races in dentry_name() and inode_name()" Signed-off-by: Vegard Nossum Cc: Jeff Dike Cc: Al Viro Signed-off-by: Richard Weinberger Signed-off-by: Ben Hutchings commit 07b8f29203c5fc3ea82e1c8819d10ff10b66e056 Author: Mikulas Patocka Date: Fri Jan 8 19:07:55 2016 -0500 dm snapshot: fix hung bios when copy error occurs commit 385277bfb57faac44e92497104ba542cdd82d5fe upstream. When there is an error copying a chunk dm-snapshot can incorrectly hold associated bios indefinitely, resulting in hung IO. The function copy_callback sets pe->error if there was error copying the chunk, and then calls complete_exception. complete_exception calls pending_complete on error, otherwise it calls commit_exception with commit_callback (and commit_callback calls complete_exception). The persistent exception store (dm-snap-persistent.c) assumes that calls to prepare_exception and commit_exception are paired. persistent_prepare_exception increases ps->pending_count and persistent_commit_exception decreases it. If there is a copy error, persistent_prepare_exception is called but persistent_commit_exception is not. This results in the variable ps->pending_count never returning to zero and that causes some pending exceptions (and their associated bios) to be held forever. Fix this by unconditionally calling commit_exception regardless of whether the copy was successful. A new "valid" parameter is added to commit_exception -- when the copy fails this parameter is set to zero so that the chunk that failed to copy (and all following chunks) is not recorded in the snapshot store. Also, remove commit_callback now that it is merely a wrapper around pending_complete. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings commit 06ae8020723247e74340ecd544c6c18ccdc1dce4 Author: Jeff Layton Date: Thu Jan 7 16:38:10 2016 -0500 locks: fix unlock when fcntl_setlk races with a close commit 7f3697e24dc3820b10f445a4a7d914fc356012d1 upstream. Dmitry reported that he was able to reproduce the WARN_ON_ONCE that fires in locks_free_lock_context when the flc_posix list isn't empty. The problem turns out to be that we're basically rebuilding the file_lock from scratch in fcntl_setlk when we discover that the setlk has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END, then we may end up with fl_start and fl_end values that differ from when the lock was initially set, if the file position or length of the file has changed in the interim. Fix this by just reusing the same lock request structure, and simply override fl_type value with F_UNLCK as appropriate. That ensures that we really are unlocking the lock that was initially set. While we're there, make sure that we do pop a WARN_ON_ONCE if the removal ever fails. Also return -EBADF in this event, since that's what we would have returned if the close had happened earlier. Cc: Alexander Viro Fixes: c293621bbf67 (stale POSIX lock handling) Reported-by: Dmitry Vyukov Signed-off-by: Jeff Layton Acked-by: "J. Bruce Fields" [bwh: Backported to 3.2: s/i_flctx->flc_posix/inode->i_flock/ in comments] Signed-off-by: Ben Hutchings commit abaa03b0d6f1442c236ee0a667f7e14f129fd67c Author: Sasha Levin Date: Tue Dec 22 12:43:36 2015 -0500 power: test_power: correctly handle empty writes commit 6b9140f39c2aaf76791197fbab0839c0e4af56e8 upstream. Writing 0 length data into test_power makes it access an invalid array location and kill the system. Fixes: f17ef9b2d ("power: Make test_power driver more dynamic.") Signed-off-by: Sasha Levin Signed-off-by: Sebastian Reichel Signed-off-by: Ben Hutchings commit 92d909411afd8783bd70ea910bad5cdc0110aac2 Author: Andrew Gabbasov Date: Thu Dec 24 10:25:33 2015 -0600 udf: Check output buffer length when converting name to CS0 commit bb00c898ad1ce40c4bb422a8207ae562e9aea7ae upstream. If a name contains at least some characters with Unicode values exceeding single byte, the CS0 output should have 2 bytes per character. And if other input characters have single byte Unicode values, then the single input byte is converted to 2 output bytes, and the length of output becomes larger than the length of input. And if the input name is long enough, the output length may exceed the allocated buffer length. All this means that conversion from UTF8 or NLS to CS0 requires checking of output length in order to stop when it exceeds the given output buffer size. [JK: Make code return -ENAMETOOLONG instead of silently truncating the name] Signed-off-by: Andrew Gabbasov Signed-off-by: Jan Kara Signed-off-by: Ben Hutchings commit dba4f816e8204bfc3de568ba386cb72178c55715 Author: Andrew Gabbasov Date: Thu Dec 24 10:25:32 2015 -0600 udf: Prevent buffer overrun with multi-byte characters commit ad402b265ecf6fa22d04043b41444cdfcdf4f52d upstream. udf_CS0toUTF8 function stops the conversion when the output buffer length reaches UDF_NAME_LEN-2, which is correct maximum name length, but, when checking, it leaves the space for a single byte only, while multi-bytes output characters can take more space, causing buffer overflow. Similar error exists in udf_CS0toNLS function, that restricts the output length to UDF_NAME_LEN, while actual maximum allowed length is UDF_NAME_LEN-2. In these cases the output can override not only the current buffer length field, causing corruption of the name buffer itself, but also following allocation structures, causing kernel crash. Adjust the output length checks in both functions to prevent buffer overruns in case of multi-bytes UTF8 or NLS characters. Signed-off-by: Andrew Gabbasov Signed-off-by: Jan Kara Signed-off-by: Ben Hutchings commit 8b0969157ef3d3db0ba4541b5f4ec399f5fddccd Author: Ouyang Zhaowei (Charles) Date: Wed May 6 09:47:04 2015 +0800 x86/xen: don't reset vcpu_info on a cancelled suspend commit 6a1f513776b78c994045287073e55bae44ed9f8c upstream. On a cancelled suspend the vcpu_info location does not change (it's still in the per-cpu area registered by xen_vcpu_setup()). So do not call xen_hvm_init_shared_info() which would make the kernel think its back in the shared info. With the wrong vcpu_info, events cannot be received and the domain will hang after a cancelled suspend. Signed-off-by: Charles Ouyang Reviewed-by: Boris Ostrovsky Signed-off-by: David Vrabel Signed-off-by: Ben Hutchings commit c1e4a82572edd68dcbfa0a695cca486723e3ea2d Author: Aurélien Francillon Date: Sat Jan 2 20:39:54 2016 -0800 Input: i8042 - add Fujitsu Lifebook U745 to the nomux list commit dd0d0d4de582a6a61c032332c91f4f4cb2bab569 upstream. Without i8042.nomux=1 the Elantech touch pad is not working at all on a Fujitsu Lifebook U745. This patch does not seem necessary for all U745 (maybe because of different BIOS versions?). However, it was verified that the patch does not break those (see opensuse bug 883192: https://bugzilla.opensuse.org/show_bug.cgi?id=883192). Signed-off-by: Aurélien Francillon Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings commit 4ac492979f1fd87e63208119b4a34e8b114a3db4 Author: Trond Myklebust Date: Tue Dec 29 18:55:19 2015 -0500 NFS: Fix attribute cache revalidation commit ade14a7df796d4e86bd9d181193c883a57b13db0 upstream. If a NFSv4 client uses the cache_consistency_bitmask in order to request only information about the change attribute, timestamps and size, then it has not revalidated all attributes, and hence the attribute timeout timestamp should not be updated. Reported-by: Donald Buczek Signed-off-by: Trond Myklebust [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 4d80d6bd2d48bd4c1967aa6bdc0e10cfa7108a4b Author: Larry Finger Date: Mon Dec 14 16:34:38 2015 -0600 rtlwifi: rtl8192cu: Add missing parameter setup commit b68d0ae7e58624c33f2eddab471fee55db27dbf9 upstream. This driver fails to copy the module parameter for software encryption to the locations used by the main code. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings commit e437495c1a550626bd46a6273db049ad9287ec95 Author: Larry Finger Date: Mon Dec 14 16:34:37 2015 -0600 rtlwifi: rtl8192ce: Fix handling of module parameters commit b24f19f16b9e43f54218c07609b783ea8625406a upstream. The module parameter for software encryption was never transferred to the location used by the driver. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 34680f6e90e31dae1dae9d599b3876b159e58332 Author: Larry Finger Date: Mon Dec 14 16:34:36 2015 -0600 rtlwifi: rtl8192se: Fix module parameter initialization commit 7503efbd82c15c4070adffff1344e5169d3634b4 upstream. Two of the module parameter descriptions show incorrect default values. In addition the value for software encryption is not transferred to the locations used by the driver. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit c47c6960b9091fc8f330edd15e6668cc54a3d5bf Author: Larry Finger Date: Mon Dec 14 16:34:35 2015 -0600 rtlwifi: rtl8192de: Fix incorrect module parameter descriptions commit d4d60b4caaa5926e1b243070770968f05656107a upstream. Two of the module parameters are listed with incorrect default values. Signed-off-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit d4f0604190a2037a7f43a00c26c77d075b2edfed Author: Jan Beulich Date: Tue Dec 22 08:42:44 2015 -0700 x86/LDT: Print the real LDT base address commit 0d430e3fb3f7cdc13c0d22078b820f682821b45a upstream. This was meant to print base address and entry count; make it do so again. Fixes: 37868fe113ff "x86/ldt: Make modify_ldt synchronous" Signed-off-by: Jan Beulich Acked-by: Andy Lutomirski Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.com Signed-off-by: Thomas Gleixner [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit cb2b6167ad3f5cdd5bf0f79d78340aac14dcee5b Author: Richard Cochran Date: Tue Dec 22 22:19:58 2015 +0100 posix-clock: Fix return code on the poll method's error path commit 1b9f23727abb92c5e58f139e7d180befcaa06fe0 upstream. The posix_clock_poll function is supposed to return a bit mask of POLLxxx values. However, in case the hardware has disappeared (due to hot plugging for example) this code returns -ENODEV in a futile attempt to throw an error at the file descriptor level. The kernel's file_operations interface does not accept such error codes from the poll method. Instead, this function aught to return POLLERR. The value -ENODEV does, in fact, contain the POLLERR bit (and almost all the other POLLxxx bits as well), but only by chance. This patch fixes code to return a proper bit mask. Credit goes to Markus Elfring for pointing out the suspicious signed/unsigned mismatch. Reported-by: Markus Elfring igned-off-by: Richard Cochran Cc: John Stultz Cc: Julia Lawall Link: http://lkml.kernel.org/r/1450819198-17420-1-git-send-email-richardcochran@gmail.com Signed-off-by: Thomas Gleixner Signed-off-by: Ben Hutchings commit 695dc80a38c649fb43b63546209e0f01f8d5e154 Author: Oliver Freyermuth Date: Mon Dec 28 18:37:38 2015 +0100 USB: cp210x: add ID for ELV Marble Sound Board 1 commit f7d7f59ab124748156ea551edf789994f05da342 upstream. Add the USB device ID for ELV Marble Sound Board 1. Signed-off-by: Oliver Freyermuth Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings commit ef16fa90c41f032db95b7aae74e4a6ad21a283e9 Author: Vegard Nossum Date: Fri Dec 11 15:54:16 2015 +0100 udf: limit the maximum number of indirect extents in a row commit b0918d9f476a8434b055e362b83fa4fd1d462c3f upstream. udf_next_aext() just follows extent pointers while extents are marked as indirect. This can loop forever for corrupted filesystem. Limit number the of indirect extents we are willing to follow in a row. [JK: Updated changelog, limit, style] Signed-off-by: Vegard Nossum Cc: Jan Kara Cc: Quentin Casasnovas Cc: Andrew Morton Signed-off-by: Jan Kara Signed-off-by: Ben Hutchings commit be23a28ef52914d32502b776f9ecba7f820a3f24 Author: Alex Deucher Date: Thu Dec 17 12:52:17 2015 -0500 drm/radeon: clean up fujitsu quirks commit 0eb1c3d4084eeb6fb3a703f88d6ce1521f8fcdd1 upstream. Combine the two quirks. bug: https://bugzilla.kernel.org/show_bug.cgi?id=109481 Signed-off-by: Alex Deucher Signed-off-by: Ben Hutchings commit 62d9c17bf8649d90791b7319ad9a51a5da2daba2 Author: Andy Shevchenko Date: Mon Dec 21 19:09:52 2015 +0200 ALSA: fm801: propagate TUNER_ONLY bit when autodetected commit dbec6719ac036f68568d8488805d41346c021eff upstream. The commit d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) brings autodetection to the driver. However the autodetection algorithm misses the TUNER_ONLY bit if it is supplied by the user. Thus, user gets weird messages and no card registered. snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) ... snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer. snd_fm801: probe of 0000:0d:01.0 failed with error -5 Do a copy of TUNER_ONLY bit to be applied after autodetection is done. Fixes: d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) Signed-off-by: Andy Shevchenko Cc: Ondrej Zary Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 58467344684846506b9d95d32a2af7b818b4a885 Author: Thomas Gleixner Date: Sat Dec 19 20:07:38 2015 +0000 futex: Drop refcount if requeue_pi() acquired the rtmutex commit fb75a4282d0d9a3c7c44d940582c2d226cf3acfb upstream. If the proxy lock in the requeue loop acquires the rtmutex for a waiter then it acquired also refcount on the pi_state related to the futex, but the waiter side does not drop the reference count. Add the missing free_pi_state() call. Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: Bhuvanesh_Surachari@mentor.com Cc: Andy Lowe Link: http://lkml.kernel.org/r/20151219200607.178132067@linutronix.de Signed-off-by: Thomas Gleixner Signed-off-by: Ben Hutchings commit 27d5e195aa0e49927dc65213be3d2ab69d21f797 Author: stephen hemminger Date: Thu Dec 17 17:51:16 2015 -0800 asix: silence log message from oversize packet commit b70183db83552cf63cac51406aaf76a2cf5fca73 upstream. Since it is possible for an external system to send oversize packets at anytime, it is best for driver not to print a message and spam the log (potential external DoS). Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=109471 Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings commit f901a0f7d4ce450f3b63f81fa6ddb5619fc21fb7 Author: Boqun Feng Date: Mon Nov 2 09:30:32 2015 +0800 powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered commit 81d7a3294de7e9828310bbf986a67246b13fa01e upstream. According to memory-barriers.txt, xchg*, cmpxchg* and their atomic_ versions all need to be fully ordered, however they are now just RELEASE+ACQUIRE, which are not fully ordered. So also replace PPC_RELEASE_BARRIER and PPC_ACQUIRE_BARRIER with PPC_ATOMIC_ENTRY_BARRIER and PPC_ATOMIC_EXIT_BARRIER in __{cmp,}xchg_{u32,u64} respectively to guarantee fully ordered semantics of atomic{,64}_{cmp,}xchg() and {cmp,}xchg(), as a complement of commit b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics") This patch depends on patch "powerpc: Make value-returning atomics fully ordered" for PPC_ATOMIC_ENTRY_BARRIER definition. Signed-off-by: Boqun Feng Reviewed-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman [bwh: backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 00beb246325524f116dff2a7b88f60da3fc255b0 Author: Boqun Feng Date: Mon Nov 2 09:30:31 2015 +0800 powerpc: Make value-returning atomics fully ordered commit 49e9cf3f0c04bf76ffa59242254110309554861d upstream. According to memory-barriers.txt: > Any atomic operation that modifies some state in memory and returns > information about the state (old or new) implies an SMP-conditional > general memory barrier (smp_mb()) on each side of the actual > operation ... Which mean these operations should be fully ordered. However on PPC, PPC_ATOMIC_ENTRY_BARRIER is the barrier before the actual operation, which is currently "lwsync" if SMP=y. The leading "lwsync" can not guarantee fully ordered atomics, according to Paul Mckenney: https://lkml.org/lkml/2015/10/14/970 To fix this, we define PPC_ATOMIC_ENTRY_BARRIER as "sync" to guarantee the fully-ordered semantics. This also makes futex atomics fully ordered, which can avoid possible memory ordering problems if userspace code relies on futex system call for fully ordered semantics. Fixes: b97021f85517 ("powerpc: Fix atomic_xxx_return barrier semantics") Signed-off-by: Boqun Feng Reviewed-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings commit 516e06bfb9eb3e85c9b9540c7b2fae2f4f257f38 Author: Borislav Petkov Date: Fri Nov 27 10:38:38 2015 +0100 EDAC: Robustify workqueues destruction commit fcd5c4dd8201595d4c598c9cca5e54760277d687 upstream. EDAC workqueue destruction is really fragile. We cancel delayed work but if it is still running and requeues itself, we still go ahead and destroy the workqueue and the queued work explodes when workqueue core attempts to run it. Make the destruction more robust by switching op_state to offline so that requeuing stops. Cancel any pending work *synchronously* too. EDAC i7core: Driver loaded. general protection fault: 0000 [#1] SMP CPU 12 Modules linked in: Supported: Yes Pid: 0, comm: kworker/0:1 Tainted: G IE 3.0.101-0-default #1 HP ProLiant DL380 G7 RIP: 0010:[] [] __queue_work+0x17/0x3f0 < ... regs ...> Process kworker/0:1 (pid: 0, threadinfo ffff88019def6000, task ffff88019def4600) Stack: ... Call Trace: call_timer_fn run_timer_softirq __do_softirq call_softirq do_softirq irq_exit smp_apic_timer_interrupt apic_timer_interrupt intel_idle cpuidle_idle_call cpu_idle Code: ... RIP __queue_work RSP <...> Signed-off-by: Borislav Petkov [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit b6a44d868bf5396d86f294c9cb66c347af0622e7 Author: Uri Mashiach Date: Thu Dec 10 15:12:56 2015 +0200 wlcore/wl12xx: spi: fix oops on firmware load commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream. The maximum chunks used by the function is (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1). The original commands array had space for (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands. When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last command is stored outside the bounds of the commands array. Oops 5 (page fault) is generated during current wl1271 firmware load attempt: root@debian-armhf:~# ifconfig wlan0 up [ 294.312399] Unable to handle kernel paging request at virtual address 00203fc4 [ 294.320173] pgd = de528000 [ 294.323028] [00203fc4] *pgd=00000000 [ 294.326916] Internal error: Oops: 5 [#1] SMP ARM [ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys hwmon [ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted 4.2.0-00002-g3e9ad27-dirty #78 [ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree) [ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000 [ 294.372236] PC is at __spi_validate+0xa8/0x2ac [ 294.376902] LR is at __spi_sync+0x78/0x210 [ 294.381200] pc : [] lr : [] psr: 60000013 [ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000 [ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000 [ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 : 00203fbc [ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : de3a9000 [ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015 [ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218) [ 294.432437] Stack: (0xde551998 to 0xde552000) ... [ 294.883613] [] (__spi_validate) from [] (__spi_sync+0x78/0x210) [ 294.891670] [] (__spi_sync) from [] (wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi]) [ 294.901661] [] (wl12xx_spi_raw_write [wlcore_spi]) from [] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore]) [ 294.914038] [] (wlcore_boot_upload_firmware [wlcore]) from [] (wl12xx_boot+0xc10/0xfac [wl12xx]) [ 294.925161] [] (wl12xx_boot [wl12xx]) from [] (wl1271_op_add_interface+0x5b0/0x910 [wlcore]) [ 294.936364] [] (wl1271_op_add_interface [wlcore]) from [] (ieee80211_do_open+0x44c/0xf7c [mac80211]) [ 294.947963] [] (ieee80211_do_open [mac80211]) from [] (__dev_open+0xa8/0x110) [ 294.957307] [] (__dev_open) from [] (__dev_change_flags+0x88/0x148) [ 294.965713] [] (__dev_change_flags) from [] (dev_change_flags+0x18/0x48) [ 294.974576] [] (dev_change_flags) from [] (devinet_ioctl+0x6b4/0x7d0) [ 294.983191] [] (devinet_ioctl) from [] (sock_ioctl+0x1e4/0x2bc) [ 294.991244] [] (sock_ioctl) from [] (do_vfs_ioctl+0x420/0x6b0) [ 294.999208] [] (do_vfs_ioctl) from [] (SyS_ioctl+0x6c/0x7c) [ 295.006880] [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x54) [ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008) [ 295.021544] ---[ end trace 66ed188198f4e24e ]--- Signed-off-by: Uri Mashiach Acked-by: Igor Grinberg Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings commit 2cb838539e20eb9405150d6e586f06ebc67e4e4a Author: Janusz.Dziedzic@tieto.com Date: Wed Nov 7 15:42:19 2012 +0200 wlcore: SPI - fix spi transfer_list commit 4eeac22c159f053ea34527e4fea359ab10b4b5a5 upstream. In corner case for wl12xx_spi_raw_write() when len == SPI_AGGR_BUFFER_SIZE we don't setup correctly spi transfer_list. Next we will have garbage and strange errors reported by SPI framework (eg. wrong speed_hz, failed to transfer one message from queue) when iterate transfer_list. Signed-off-by: Janusz Dziedzic Signed-off-by: Luciano Coelho [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings commit 5ad6094bd9d451a6e2f417cb10fa8fea2cabdc13 Author: Peter Wu Date: Mon Dec 7 01:07:31 2015 +0100 rtlwifi: fix memory leak for USB device commit 17bc55864f81dd730d05f09b1641312a7990d636 upstream. Free skb for received frames with a wrong checksum. This can happen pretty rapidly, exhausting all memory. This fixes a memleak (detected with kmemleak). Originally found while using monitor mode, but it also appears during managed mode (once the link is up). Signed-off-by: Peter Wu ACKed-by: Larry Finger Signed-off-by: Kalle Valo [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings commit bc53b1e234987f0f14a02969bf3ed348ec077c56 Author: Oliver Neukum Date: Thu Dec 3 15:03:34 2015 +0100 xhci: refuse loading if nousb is used commit 1eaf35e4dd592c59041bc1ed3248c46326da1f5f upstream. The module should fail to load. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: xhci_hcd_init() registers the PCI driver, so check before doing that rather than at the end of the function] Signed-off-by: Ben Hutchings commit 9b6775a50007e1ce56feb7c48b243a02912b576c Author: Alex Deucher Date: Tue Nov 24 14:32:44 2015 -0500 drm/radeon: call hpd_irq_event on resume commit dbb17a21c131eca94eb31136eee9a7fe5aff00d9 upstream. Need to call this on resume if displays changes during suspend in order to properly be notified of changes. Signed-off-by: Alex Deucher [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit f247d52ac47d2cccf7536ca98f6a741a8f028174 Author: Boris BREZILLON Date: Mon Nov 23 11:23:07 2015 +0100 mtd: nand: fix ONFI parameter page layout commit de64aa9ec129ba627634088f662a4d09e356ddb6 upstream. src_ssync_features field is only 1 byte large, and the 4th reserved area is actually 8 bytes large. Fixes: d1e1f4e42b5 ("mtd: nand: add support for reading ONFI parameters from NAND device") Signed-off-by: Boris Brezillon Signed-off-by: Brian Norris Signed-off-by: Ben Hutchings commit 636109645fa424fd896db9f25ddfd39a6cdc110f Author: Dan Carpenter Date: Fri Nov 6 13:01:20 2015 +0300 ath9k_htc: check for underflow in ath9k_htc_rx_msg() commit 3a318426e09a9c9266fe6440842e11238f640a20 upstream. We check for overflow here, but we don't check for underflow so it causes a static checker warning. Fixes: fb9987d0f748 ('ath9k_htc: Support for AR9271 chipset.') Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Signed-off-by: Ben Hutchings commit c2456538435026a255f4cb0ae25e48fa0970bb06 Author: Paolo Bonzini Date: Thu Nov 12 16:42:18 2015 +0100 KVM: x86: correctly print #AC in traces commit aba2f06c070f604e388cf77b1dcc7f4cf4577eb0 upstream. Poor #AC was so unimportant until a few days ago that we were not even tracing its name correctly. But now it's all over the place. Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings commit bc48f6f5a8c6d628a1af649306eaf906493bb986 Author: Paolo Bonzini Date: Thu Nov 12 14:49:17 2015 +0100 KVM: x86: expose MSR_TSC_AUX to userspace commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream. If we do not do this, it is not properly saved and restored across migration. Windows notices due to its self-protection mechanisms, and is very upset about it (blue screen of death). Cc: Radim Krcmar Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: - We didn't yet have the switch() in kvm_init_msr_list as MPX is not supported at all - Adjust context] Signed-off-by: Ben Hutchings commit 558c1f07308ed4bf6c74aa6432cce9f90cc0e221 Author: Arnd Bergmann Date: Thu Nov 19 15:33:41 2015 +0100 SCSI: initio: remove duplicate module device table commit d282e2b383e3f41a7758e8cbf3076091ef9d9447 upstream. The initio driver has for many years had two copies of the same module device table. One of them is also used for registering the other driver, the other one is entirely useless after the large scale cleanup that Alan Cox did back in 2007. The compiler warns about this whenever the driver is built-in: drivers/scsi/initio.c:131:29: warning: 'i91u_pci_devices' defined but not used [-Wunused-variable] This removes the extraneous table and the warning. Signed-off-by: Arnd Bergmann Fixes: 72d39fea901 ("[SCSI] initio: Convert into a real Linux driver and update to modern style") Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen Signed-off-by: Ben Hutchings commit a3277e201df72bbe0617e1b87ed7fa78361f6f88 Author: Russell King Date: Thu Oct 15 13:15:24 2015 -0300 rc: allow rc modules to be loaded if rc-main is not a module commit 2ff56fadd94cdaeeaeccbc0a9b703a0101ada128 upstream. rc-main mistakenly uses #ifdef MODULE to determine whether it should load the rc keymap modules. This symbol is only defined if rc-main is being built as a module itself, and bears no relation to whether the rc keymaps are modules. Fix this to use CONFIG_MODULES instead. Fixes: 631493ecacd8 ("[media] rc-core: merge rc-map.c into rc-main.c") Signed-off-by: Russell King Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings commit 5f18d55c3a82551ad1ec50a2c1668e475a5f3f00 Author: Malcolm Priestley Date: Mon Aug 31 06:13:45 2015 -0300 media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode commit c9d57de6103e343f2d4e04ea8d9e417e10a24da7 upstream. When in FE_TUNE_MODE_ONESHOT the frontend must report the actual capabilities so user can take appropriate action. With frontends that can't do auto inversion this is done by dvb-core automatically so CAN_INVERSION_AUTO is valid. However, when in FE_TUNE_MODE_ONESHOT this is not true. So only set FE_CAN_INVERSION_AUTO in modes other than FE_TUNE_MODE_ONESHOT Signed-off-by: Malcolm Priestley Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit 125ccb6404d9221789b3f580c644ba61d7cddffe Author: Antonio Ospite Date: Fri Oct 2 17:33:13 2015 -0300 gspca: ov534/topro: prevent a division by 0 commit dcc7fdbec53a960588f2c40232db2c6466c09917 upstream. v4l2-compliance sends a zeroed struct v4l2_streamparm in v4l2-test-formats.cpp::testParmType(), and this results in a division by 0 in some gspca subdrivers: divide error: 0000 [#1] SMP Modules linked in: gspca_ov534 gspca_main ... CPU: 0 PID: 17201 Comm: v4l2-compliance Not tainted 4.3.0-rc2-ao2 #1 Hardware name: System manufacturer System Product Name/M2N-E SLI, BIOS ASUS M2N-E SLI ACPI BIOS Revision 1301 09/16/2010 task: ffff8800818306c0 ti: ffff880095c4c000 task.ti: ffff880095c4c000 RIP: 0010:[] [] sd_set_streamparm+0x12/0x60 [gspca_ov534] RSP: 0018:ffff880095c4fce8 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffff8800c9522000 RCX: ffffffffa077a140 RDX: 0000000000000000 RSI: ffff880095e0c100 RDI: ffff8800c9522000 RBP: ffff880095e0c100 R08: ffffffffa077a100 R09: 00000000000000cc R10: ffff880067ec7740 R11: 0000000000000016 R12: ffffffffa07bb400 R13: 0000000000000000 R14: ffff880081b6a800 R15: 0000000000000000 FS: 00007fda0de78740(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000014630f8 CR3: 00000000cf349000 CR4: 00000000000006f0 Stack: ffffffffa07a6431 ffff8800c9522000 ffffffffa077656e 00000000c0cc5616 ffff8800c9522000 ffffffffa07a5e20 ffff880095e0c100 0000000000000000 ffff880067ec7740 ffffffffa077a140 ffff880067ec7740 0000000000000016 Call Trace: [] ? v4l_s_parm+0x21/0x50 [videodev] [] ? vidioc_s_parm+0x4e/0x60 [gspca_main] [] ? __video_do_ioctl+0x280/0x2f0 [videodev] [] ? video_ioctl2+0x20/0x20 [videodev] [] ? video_usercopy+0x319/0x4e0 [videodev] [] ? page_add_new_anon_rmap+0x71/0xa0 [] ? mem_cgroup_commit_charge+0x52/0x90 [] ? handle_mm_fault+0xc18/0x1680 [] ? v4l2_ioctl+0xac/0xd0 [videodev] [] ? do_vfs_ioctl+0x28f/0x480 [] ? SyS_ioctl+0x74/0x80 [] ? entry_SYSCALL_64_fastpath+0x16/0x75 Code: c7 93 d9 79 a0 5b 5d e9 f1 f3 9a e0 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 53 31 d2 48 89 fb 48 83 ec 08 8b 46 10 76 0c 80 bf ac 0c 00 00 00 88 87 4e 0e 00 00 74 09 80 bf 4f RIP [] sd_set_streamparm+0x12/0x60 [gspca_ov534] RSP ---[ end trace 279710c2c6c72080 ]--- Following what the doc says about a zeroed timeperframe (see http://www.linuxtv.org/downloads/v4l-dvb-apis/vidioc-g-parm.html): ... To reset manually applications can just set this field to zero. fix the issue by resetting the frame rate to a default value in case of an unusable timeperframe. The fix is done in the subdrivers instead of gspca.c because only the subdrivers have notion of a default frame rate to reset the camera to. Signed-off-by: Antonio Ospite Reviewed-by: Hans de Goede Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filenames] Signed-off-by: Ben Hutchings