commit 095f493c4d532b0ced3aee22e2d5b2cea02aa773 Author: Greg Kroah-Hartman Date: Fri Dec 20 07:45:26 2013 -0800 Linux 3.10.25 commit 5a04f32ce5dca8dce0061e995fc7265e58d2d5c0 Author: Roger Quadros Date: Sun Dec 8 18:39:02 2013 -0700 ARM: OMAP2+: hwmod: Fix SOFTRESET logic commit 313a76ee11cda6700548afe68499ef174a240688 upstream. In _ocp_softreset(), after _set_softreset() + write_sysconfig(), the hwmod's sysc_cache will always contain SOFTRESET bit set so all further writes to sysconfig using this cache will initiate a repeated SOFTRESET e.g. enable_sysc(). This is true for OMAP3 like platforms that have RESET_DONE status in the SYSSTATUS register and so the the SOFTRESET bit in SYSCONFIG is not automatically cleared. It is not a problem for OMAP4 like platforms that indicate RESET completion by clearing the SOFTRESET bit in the SYSCONFIG register. This repeated SOFTRESET is undesired and was the root cause of USB host issues on OMAP3 platforms when hwmod was allowed to do the SOFTRESET for the USB Host module. To fix this we clear the SOFTRESET bit and update the sysconfig register + sysc_cache using write_sysconfig(). Signed-off-by: Roger Quadros Tested-by: Tomi Valkeinen # Panda, BeagleXM [paul@pwsan.com: renamed _clr_softreset() to _clear_softreset()] Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit f5749e3720c038fe92dc9ffb5e6fe7b4d8809ea1 Author: Liu Bo Date: Tue Oct 29 10:45:05 2013 +0800 Btrfs: do not run snapshot-aware defragment on error commit 6f519564d7d978c00351d9ab6abac3deeac31621 upstream. If something wrong happens in write endio, running snapshot-aware defragment can end up with undefined results, maybe a crash, so we should avoid it. In order to share similar code, this also adds a helper to free the struct for snapshot-aware defrag. Signed-off-by: Liu Bo Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 9436cf971ed1aa296e6ca36489f5240d3868ff84 Author: Filipe David Borba Manana Date: Tue Oct 15 18:44:00 2013 +0100 Btrfs: fix incorrect inode acl reset commit 8185554d3eb09d23a805456b6fa98dcbb34aa518 upstream. When a directory has a default ACL and a subdirectory is created under that directory, btrfs_init_acl() is called when the subdirectory's inode is created to initialize the inode's ACL (inherited from the parent directory) but it was clearing the ACL from the inode after setting it if posix_acl_create() returned success, instead of clearing it only if it returned an error. To reproduce this issue: $ mkfs.btrfs -f /dev/loop0 $ mount /dev/loop0 /mnt $ mkdir /mnt/acl $ setfacl -d --set u::rwx,g::rwx,o::- /mnt/acl $ getfacl /mnt/acl user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:other::--- $ mkdir /mnt/acl/dir1 $ getfacl /mnt/acl/dir1 user::rwx group::rwx other::--- After unmounting and mounting again the filesystem, fgetacl returned the expected ACL: $ umount /mnt/acl $ mount /dev/loop0 /mnt $ getfacl /mnt/acl/dir1 user::rwx group::rwx other::--- default:user::rwx default:group::rwx default:other::--- Meaning that the underlying xattr was persisted. Reported-by: Giuseppe Fierro Signed-off-by: Filipe David Borba Manana Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit b395193ecf087a36e98b97c396f839b3fe9a4d19 Author: Josef Bacik Date: Mon Oct 14 17:23:08 2013 -0400 Btrfs: fix hole check in log_one_extent commit ed9e8af88e2551aaa6bf51d8063a2493e2d71597 upstream. I added an assert to make sure we were looking up aligned offsets for csums and I tripped it when running xfstests. This is because log_one_extent was checking if block_start == 0 for a hole instead of EXTENT_MAP_HOLE. This worked out fine in practice it seems, but it adds a lot of extra work that is uneeded. With this fix I'm no longer tripping my assert. Thanks, Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit fb5834ff2b2823e1eaecd920e2ade3e07f4a42f9 Author: Liu Bo Date: Sun Sep 29 10:33:16 2013 +0800 Btrfs: fix memory leak of chunks' extent map commit 7d3d1744f8a7d62e4875bd69cc2192a939813880 upstream. As we're hold a ref on looking up the extent map, we need to drop the ref before returning to callers. Signed-off-by: Liu Bo Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 2845c3628961c64e8e3fd6987234a818cfeadb35 Author: Greg Kroah-Hartman Date: Wed Dec 18 12:40:45 2013 -0800 Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST" It turns out that commit: d3f7d56a7a4671d395e8af87071068a195257bf6 was applied to the tree twice, which didn't hurt anything, but it's good to fix this up. Reported-by: Veaceslav Falico Cc: David S. Miller Cc: Eric Dumazet Cc: Richard Weinberger Cc: Shawn Landden Cc: Tom Herbert Signed-off-by: Greg Kroah-Hartman commit 22c3ec552c29cf4bd4a75566088950fe57d860c4 Author: Nicolas Dichtel Date: Fri Dec 13 10:06:35 2013 +0100 ip6tnl: fix use after free of fb_tnl_dev The upstream commit bb8140947a24 ("ip6tnl: allow to use rtnl ops on fb tunnel") (backported into linux-3.10.y) left a bug which was fixed upstream by commit 1e9f3d6f1c40 ("ip6tnl: fix use after free of fb_tnl_dev"). The problem is a bit different in linux-3.10.y, because there is no x-netns support (upstream commit 0bd8762824e7 ("ip6tnl: add x-netns support")). When ip6_tunnel.ko is unloaded, FB device is deleted by rtnl_link_unregister() and then we try to delete it again in ip6_tnl_destroy_tunnels(). This patch removes the second deletion. Reported-by: Steven Rostedt Suggested-by: Steven Rostedt Signed-off-by: Nicolas Dichtel Cc: David Miller Signed-off-by: Greg Kroah-Hartman commit 39be1c3dd03ee291a006189fe1cf43a5322a6eaf Author: Andy Adamson Date: Fri Nov 15 16:36:16 2013 -0500 NFSv4 wait on recovery for async session errors commit 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 upstream. When the state manager is processing the NFS4CLNT_DELEGRETURN flag, session draining is off, but DELEGRETURN can still get a session error. The async handler calls nfs4_schedule_session_recovery returns -EAGAIN, and the DELEGRETURN done then restarts the RPC task in the prepare state. With the state manager still processing the NFS4CLNT_DELEGRETURN flag with session draining off, these DELEGRETURNs will cycle with errors filling up the session slots. This prevents OPEN reclaims (from nfs_delegation_claim_opens) required by the NFS4CLNT_DELEGRETURN state manager processing from completing, hanging the state manager in the __rpc_wait_for_completion_task in nfs4_run_open_task as seen in this kernel thread dump: kernel: 4.12.32.53-ma D 0000000000000000 0 3393 2 0x00000000 kernel: ffff88013995fb60 0000000000000046 ffff880138cc5400 ffff88013a9df140 kernel: ffff8800000265c0 ffffffff8116eef0 ffff88013fc10080 0000000300000001 kernel: ffff88013a4ad058 ffff88013995ffd8 000000000000fbc8 ffff88013a4ad058 kernel: Call Trace: kernel: [] ? cache_alloc_refill+0x1c0/0x240 kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] kernel: [] rpc_wait_bit_killable+0x42/0xa0 [sunrpc] kernel: [] __wait_on_bit+0x5f/0x90 kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] kernel: [] out_of_line_wait_on_bit+0x78/0x90 kernel: [] ? wake_bit_function+0x0/0x50 kernel: [] __rpc_wait_for_completion_task+0x2d/0x30 [sunrpc] kernel: [] nfs4_run_open_task+0x11c/0x160 [nfs] kernel: [] nfs4_open_recover_helper+0x87/0x120 [nfs] kernel: [] nfs4_open_recover+0xc6/0x150 [nfs] kernel: [] ? nfs4_open_recoverdata_alloc+0x2f/0x60 [nfs] kernel: [] nfs4_open_delegation_recall+0x6a/0xa0 [nfs] kernel: [] nfs_end_delegation_return+0x120/0x2e0 [nfs] kernel: [] ? queue_work+0x1f/0x30 kernel: [] nfs_client_return_marked_delegations+0xd7/0x110 [nfs] kernel: [] nfs4_run_state_manager+0x548/0x620 [nfs] kernel: [] ? nfs4_run_state_manager+0x0/0x620 [nfs] kernel: [] kthread+0x96/0xa0 kernel: [] child_rip+0xa/0x20 kernel: [] ? kthread+0x0/0xa0 kernel: [] ? child_rip+0x0/0x20 The state manager can not therefore process the DELEGRETURN session errors. Change the async handler to wait for recovery on session errors. Signed-off-by: Andy Adamson Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 8a8e917f784930fe2f18a5b559f3860446d5a32b Author: Alan Date: Wed Dec 4 15:31:52 2013 +0000 sc1200_wdt: Fix oops commit dace8bbfccfd9e4fcccfffcfbd82881fda3e756f upstream. If loaded with isapnp = 0 the driver explodes. This is catching people out now and then. What should happen in the working case is a complete mystery and the code appears terminally confused, but we can at least make the error path work properly. Signed-off-by: Alan Cox Reviewed-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Partially-Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=53991 Signed-off-by: Greg Kroah-Hartman commit 4d72984a5893a40e0990080d6036646a688cd493 Author: H Hartley Sweeten Date: Fri Aug 30 11:08:50 2013 -0700 staging: comedi: ssv_dnp: use comedi_dio_update_state() commit f6b316bcd8c421acd6fa5a6e18b4c846ecb9d965 upstream. Use comedi_dio_update_state() to handle the boilerplate code to update the subdevice s->state. Also, fix a bug where the state of the channels is returned in data[0]. The comedi core expects it to be returned in data[1]. Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 442ae1bbb73a9ce8bc8743b679fb63cc5cf04dad Author: H Hartley Sweeten Date: Fri Aug 30 11:05:58 2013 -0700 staging: comedi: drivers: use comedi_dio_update_state() for simple cases commit 97f4289ad08cffe55de06d4ac4f89ac540450aee upstream. [Split from original patch subject: "staging: comedi: drivers: use comedi_dio_update_state() for simple cases"] Use comedi_dio_update_state() to handle the boilerplate code to update the subdevice s->state for simple cases where the hardware is updated when any channel is modified. Also, fix a bug in the amplc_pc263 and amplc_pci263 drivers where the current state is not returned in data[1]. Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit bc049656c27b34c9b1f5f36ffa95f7a73b82c8a4 Author: Ian Abbott Date: Tue Aug 20 11:50:19 2013 +0100 staging: comedi: pcmuio: fix possible NULL deref on detach commit 2fd2bdfccae61efe18f6b92b6a45fbf936d75b48 upstream. pcmuio_detach() is called by the comedi core even if pcmuio_attach() returned an error, so `dev->private` might be `NULL`. Check for that before dereferencing it. Also, as pointed out by Dan Carpenter, there is no need to check the pointer passed to `kfree()` is non-NULL, so remove that check. Signed-off-by: Ian Abbott Cc: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 5232a7194556c819b2cea0b8395895dc5a448aae Author: Ben Segall Date: Wed Oct 16 11:16:32 2013 -0700 sched: Avoid throttle_cfs_rq() racing with period_timer stopping commit f9f9ffc237dd924f048204e8799da74f9ecf40cf upstream. throttle_cfs_rq() doesn't check to make sure that period_timer is running, and while update_curr/assign_cfs_runtime does, a concurrently running period_timer on another cpu could cancel itself between this cpu's update_curr and throttle_cfs_rq(). If there are no other cfs_rqs running in the tg to restart the timer, this causes the cfs_rq to be stranded forever. Fix this by calling __start_cfs_bandwidth() in throttle if the timer is inactive. (Also add some sched_debug lines for cfs_bandwidth.) Tested: make a run/sleep task in a cgroup, loop switching the cgroup between 1ms/100ms quota and unlimited, checking for timer_active=0 and throttled=1 as a failure. With the throttle_cfs_rq() change commented out this fails, with the full patch it passes. Signed-off-by: Ben Segall Signed-off-by: Peter Zijlstra Cc: pjt@google.com Link: http://lkml.kernel.org/r/20131016181632.22647.84174.stgit@sword-of-the-dawn.mtv.corp.google.com Signed-off-by: Ingo Molnar Cc: Chris J Arges Signed-off-by: Greg Kroah-Hartman commit a5eec39a11a81c1f3b4adcd1839187b5299ddc42 Author: Hans Verkuil Date: Fri Oct 4 11:01:43 2013 -0300 cxd2820r_core: fix sparse warnings commit 0db3fa2741ad8371c21b3a6785416a4afc0cc1d4 upstream. drivers/media/dvb-frontends/cxd2820r_core.c:34:32: error: cannot size expression drivers/media/dvb-frontends/cxd2820r_core.c:68:32: error: cannot size expression Signed-off-by: Hans Verkuil Acked-by: Antti Palosaari Reviewed-by: Antti Palosaari Reviewed-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Cc: Frederik Himpe Signed-off-by: Greg Kroah-Hartman commit 0f8285ad902ab61b7631f059f0ffdf7a23b0601f Author: Helge Deller Date: Mon Dec 2 19:59:31 2013 +0100 nfs: fix do_div() warning by instead using sector_div() commit 3873d064b8538686bbbd4b858dc8a07db1f7f43a upstream. When compiling a 32bit kernel with CONFIG_LBDAF=n the compiler complains like shown below. Fix this warning by instead using sector_div() which is provided by the kernel.h header file. fs/nfs/blocklayout/extents.c: In function ‘normalize’: include/asm-generic/div64.h:43:28: warning: comparison of distinct pointer types lacks a cast [enabled by default] fs/nfs/blocklayout/extents.c:47:13: note: in expansion of macro ‘do_div’ nfs/blocklayout/extents.c:47:2: warning: right shift count >= width of type [enabled by default] fs/nfs/blocklayout/extents.c:47:2: warning: passing argument 1 of ‘__div64_32’ from incompatible pointer type [enabled by default] include/asm-generic/div64.h:35:17: note: expected ‘uint64_t *’ but argument is of type ‘sector_t *’ extern uint32_t __div64_32(uint64_t *dividend, uint32_t divisor); Signed-off-by: Helge Deller Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit f4cf4b1b2d2907241269939ee2913e0b2c39f70f Author: Joe Thornber Date: Mon Dec 2 17:57:42 2013 -0500 dm thin: switch to read only mode if a mapping insert fails commit fafc7a815e40255d24e80a1cb7365892362fa398 upstream. Switch the thin pool to read-only mode when dm_thin_insert_block() fails since there is little reason to expect the cause of the failure to be resolved without further action by user space. This issue was noticed with the device-mapper-test-suite using: dmtest run --suite thin-provisioning -n /exhausting_metadata_space_causes_fail_mode/ The quantity of errors logged in this case must be reduced. before patch: device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: dm_thin_insert_block() failed device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map metadata: unable to allocate new metadata block device-mapper: space map common: dm_tm_shadow_block() failed device-mapper: thin: 253:4: no free metadata space available. device-mapper: thin: 253:4: switching pool to read-only mode after patch: device-mapper: space map metadata: unable to allocate new metadata block device-mapper: thin: 253:4: dm_thin_insert_block() failed: error = -28 device-mapper: thin: 253:4: switching pool to read-only mode Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 135949c10b4f97eaf9da90535e18c6a2a0e2993a Author: Mikulas Patocka Date: Fri Nov 22 19:52:06 2013 -0500 dm table: fail dm_table_create on dm_round_up overflow commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream. The dm_round_up function may overflow to zero. In this case, dm_table_create() must fail rather than go on to allocate an empty array with alloc_targets(). This fixes a possible memory corruption that could be caused by passing too large a number in "param->target_count". Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 2c54d62aa894ff2675272e0570abcb0ab76a3aa4 Author: Mike Snitzer Date: Mon Dec 2 16:47:01 2013 -0500 dm space map metadata: return on failure in sm_metadata_new_block commit f62b6b8f498658a9d537c7d380e9966f15e1b2a1 upstream. Commit 2fc48021f4afdd109b9e52b6eef5db89ca80bac7 ("dm persistent metadata: add space map threshold callback") introduced a regression to the metadata block allocation path that resulted in errors being ignored. This regression was uncovered by running the following device-mapper-test-suite test: dmtest run --suite thin-provisioning -n /exhausting_metadata_space_causes_fail_mode/ The ignored error codes in sm_metadata_new_block() could crash the kernel through use of either the dm-thin or dm-cache targets, e.g.: device-mapper: thin: 253:4: reached low water mark for metadata device: sending event. device-mapper: space map metadata: unable to allocate new metadata block general protection fault: 0000 [#1] SMP ... Workqueue: dm-thin do_worker [dm_thin_pool] task: ffff880035ce2ab0 ti: ffff88021a054000 task.ti: ffff88021a054000 RIP: 0010:[] [] metadata_ll_load_ie+0x15/0x30 [dm_persistent_data] RSP: 0018:ffff88021a055a68 EFLAGS: 00010202 RAX: 003fc8243d212ba0 RBX: ffff88021a780070 RCX: ffff88021a055a78 RDX: ffff88021a055a78 RSI: 0040402222a92a80 RDI: ffff88021a780070 RBP: ffff88021a055a68 R08: ffff88021a055ba4 R09: 0000000000000010 R10: 0000000000000000 R11: 00000002a02e1000 R12: ffff88021a055ad4 R13: 0000000000000598 R14: ffffffffa0338470 R15: ffff88021a055ba4 FS: 0000000000000000(0000) GS:ffff88033fca0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f467c0291b8 CR3: 0000000001a0b000 CR4: 00000000000007e0 Stack: ffff88021a055ab8 ffffffffa0332020 ffff88021a055b30 0000000000000001 ffff88021a055b30 0000000000000000 ffff88021a055b18 0000000000000000 ffff88021a055ba4 ffff88021a055b98 ffff88021a055ae8 ffffffffa033304c Call Trace: [] sm_ll_lookup_bitmap+0x40/0xa0 [dm_persistent_data] [] sm_metadata_count_is_more_than_one+0x8c/0xc0 [dm_persistent_data] [] dm_tm_shadow_block+0x65/0x110 [dm_persistent_data] [] sm_ll_mutate+0x80/0x300 [dm_persistent_data] [] ? set_ref_count+0x10/0x10 [dm_persistent_data] [] sm_ll_inc+0x1a/0x20 [dm_persistent_data] [] sm_disk_new_block+0x60/0x80 [dm_persistent_data] [] ? down_write+0x16/0x40 [] dm_pool_alloc_data_block+0x54/0x80 [dm_thin_pool] [] alloc_data_block+0x9c/0x130 [dm_thin_pool] [] provision_block+0x4e/0x180 [dm_thin_pool] [] ? dm_thin_find_block+0x6a/0x110 [dm_thin_pool] [] process_bio+0x1ca/0x1f0 [dm_thin_pool] [] ? mempool_free+0x8d/0xa0 [] process_deferred_bios+0xc5/0x230 [dm_thin_pool] [] do_worker+0x51/0x60 [dm_thin_pool] [] process_one_work+0x182/0x3b0 [] worker_thread+0x120/0x3a0 [] ? manage_workers+0x160/0x160 [] kthread+0xce/0xe0 [] ? kthread_freezable_should_stop+0x70/0x70 [] ret_from_fork+0x7c/0xb0 [] ? kthread_freezable_should_stop+0x70/0x70 [] ret_from_fork+0x7c/0xb0 [] ? kthread_freezable_should_stop+0x70/0x70 Signed-off-by: Mike Snitzer Acked-by: Joe Thornber Signed-off-by: Greg Kroah-Hartman commit 729d38d163b90714a99202efbfdc04b0527dbfd5 Author: Mikulas Patocka Date: Fri Nov 15 16:12:20 2013 -0500 dm delay: fix a possible deadlock due to shared workqueue commit 718822c1c112dc99e0c72c8968ee1db9d9d910f0 upstream. The dm-delay target uses a shared workqueue for multiple instances. This can cause deadlock if two or more dm-delay targets are stacked on the top of each other. This patch changes dm-delay to use a per-instance workqueue. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 1cfc4552917a128e0cdf15f57abfe60a30f5eaec Author: Joe Thornber Date: Fri Dec 13 14:55:55 2013 +0000 dm array: fix a reference counting bug in shadow_ablock commit ed9571f0cf1fe09d3506302610f3ccdfa1d22c4a upstream. An old array block could have its reference count decremented below zero when it is being replaced in the btree by a new array block. The fix is to increment the old ablock's reference count just before inserting a new ablock into the btree. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 20d68d38efd83f2bb598d7b3655a5c230ccc17e8 Author: Mikulas Patocka Date: Fri Nov 29 18:13:37 2013 -0500 dm snapshot: avoid snapshot space leak on crash commit 230c83afdd9cd384348475bea1e14b80b3b6b1b8 upstream. There is a possible leak of snapshot space in case of crash. The reason for space leaking is that chunks in the snapshot device are allocated sequentially, but they are finished (and stored in the metadata) out of order, depending on the order in which copying finished. For example, supposed that the metadata contains the following records SUPERBLOCK METADATA (blocks 0 ... 250) DATA 0 DATA 1 DATA 2 ... DATA 250 Now suppose that you allocate 10 new data blocks 251-260. Suppose that copying of these blocks finish out of order (block 260 finished first and the block 251 finished last). Now, the snapshot device looks like this: SUPERBLOCK METADATA (blocks 0 ... 250, 260, 259, 258, 257, 256) DATA 0 DATA 1 DATA 2 ... DATA 250 DATA 251 DATA 252 DATA 253 DATA 254 DATA 255 METADATA (blocks 255, 254, 253, 252, 251) DATA 256 DATA 257 DATA 258 DATA 259 DATA 260 Now, if the machine crashes after writing the first metadata block but before writing the second metadata block, the space for areas DATA 250-255 is leaked, it contains no valid data and it will never be used in the future. This patch makes dm-snapshot complete exceptions in the same order they were allocated, thus fixing this bug. Note: when backporting this patch to the stable kernel, change the version field in the following way: * if version in the stable kernel is {1, 11, 1}, change it to {1, 12, 0} * if version in the stable kernel is {1, 10, 0} or {1, 10, 1}, change it to {1, 10, 2} Userspace reads the version to determine if the bug was fixed, so the version change is needed. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit d468a287d01c58db4769ddd30870eb3c8a9360b2 Author: Mikulas Patocka Date: Thu Dec 5 17:33:29 2013 -0500 dm bufio: initialize read-only module parameters commit 4cb57ab4a2e61978f3a9b7d4f53988f30d61c27f upstream. Some module parameters in dm-bufio are read-only. These parameters inform the user about memory consumption. They are not supposed to be changed by the user. However, despite being read-only, these parameters can be set on modprobe or insmod command line, for example: modprobe dm-bufio current_allocated_bytes=12345 The kernel doesn't expect that these variables can be non-zero at module initialization and if the user sets them, it results in BUG. This patch initializes the variables in the module init routine, so that user-supplied values are ignored. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 89ec75229a591cd7a3f57c330dc0791b8646b112 Author: David Sterba Date: Fri Dec 6 17:51:32 2013 +0100 btrfs: call mnt_drop_write after interrupted subvol deletion commit e43f998e47bae27e37e159915625e8d4b130153b upstream. If btrfs_ioctl_snap_destroy blocks on the mutex and the process is killed, mnt_write count is unbalanced and leads to unmountable filesystem. Signed-off-by: David Sterba Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 6b047827d4cdd57ac7c4f9da2d779d811649566f Author: Dan Carpenter Date: Thu Jan 10 03:57:25 2013 -0500 Btrfs: fix access_ok() check in btrfs_ioctl_send() commit 700ff4f095d78af0998953e922e041d75254518b upstream. The closing parenthesis is in the wrong place. We want to check "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of "sizeof(*arg->clone_sources * arg->clone_sources_count)". Signed-off-by: Dan Carpenter Reviewed-by: Jie Liu Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 89e6d5d2c91925b16e6eaf2e867325ec3c47d513 Author: Dan Carpenter Date: Fri Nov 22 04:50:46 2013 -0300 media: af9035: unlock on error in af9035_i2c_master_xfer() commit 3189ef0290dcc9f44782672fade35847cb30da00 upstream. We introduced a couple new error paths which are missing unlocks. Fixes: 7760e148350b ('[media] af9035: Don't use dynamic static allocation') Signed-off-by: Dan Carpenter Acked-by: Antti Palosaari Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 53ef7579cf5eaf0fafcce062edbd0bf6dd20cabe Author: Antti Palosaari Date: Thu Aug 8 19:41:06 2013 -0300 media: af9035: add [0413:6a05] Leadtek WinFast DTV Dongle Dual commit 0c413d10515feae02cee967b31bb8afea8aa0d29 upstream. It is IT9135 dual design. Thanks to Michael Piko for reporting that! Reported-by: Michael Piko Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 43f8e28916e96bf71c01591711168a1eaa58d8e3 Author: Hans Verkuil Date: Mon Nov 11 11:02:52 2013 -0300 media: wm8775: fix broken audio routing commit 3af41a337a5b270de3e65466a07f106ad97ad0c6 upstream. Commit 5aa9ae5ed5d449a85fbf7aac3d1fdc241c542a79 inverted the mute control state test in s_routing which caused the audio routing to fail. This broke ivtv support for the Hauppauge video/audio input bracket (which adds additional video and audio inputs) all the way back in kernel 2.6.36. This fix fixes the condition and it also removes a nonsense check on the balance control. Bisected-by: Rajil Saraswat Signed-off-by: Andy Walls Reported-by: Rajil Saraswat Tested-by: Hans Verkuil Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit db856694c4ec6204b3220b2089da1c642bffad22 Author: Antti Palosaari Date: Wed Nov 27 17:17:43 2013 -0300 media: af9033: fix broken I2C commit d18a88b1f535d627412b2a265d71b2f7d464860e upstream. Driver did not work anymore since I2C has gone broken due to recent commit: commit 37ebaf6891ee81687bb558e8375c0712d8264ed8 [media] dvb-frontends: Don't use dynamic static allocation Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 899901b0776c94e91742f7f3e14ad39bc6e44411 Author: Hans Verkuil Date: Mon Nov 11 08:16:03 2013 -0300 media: bttv: don't setup the controls if there are no video devices commit f8e1b699a5504a2da05834c7cfdddb125a8ce088 upstream. The no_video flag was checked in all other cases except one. Calling v4l2_ctrl_handler_setup() if no_video is 1 will crash. This wasn't noticed before since there are only two card types that set no_video to 1, so this type of hardware is quite rare. Signed-off-by: Hans Verkuil Reported-by: Lorenz Röhrl Tested-by: Lorenz Röhrl Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ec0593f929cd58143998f42263d74b10c203d393 Author: Wei Yongjun Date: Fri Oct 25 06:34:03 2013 -0300 media: saa7164: fix return value check in saa7164_initdev() commit 89f4d45b2752df5d222b5f63919ce59e2d8afaf4 upstream. In case of error, the function kthread_run() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Signed-off-by: Wei Yongjun Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ac6d0ecfef36956cb0549c89398e5f7e1e84e658 Author: H. Peter Anvin Date: Tue Dec 10 14:56:06 2013 -0800 x86, build, icc: Remove uninitialized_var() from compiler-intel.h commit 503cf95c061a0551eb684da364509297efbe55d9 upstream. When compiling with icc, ends up included because the icc environment defines __GNUC__. Thus, we neither need nor want to have this macro defined in both compiler-gcc.h and compiler-intel.h, and the fact that they are inconsistent just makes the compiler spew warnings. Reported-by: Sunil K. Pandey Cc: Kevin B. Smith Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-0mbwou1zt7pafij09b897lg3@git.kernel.org Signed-off-by: Greg Kroah-Hartman commit d1c75367275d54dbc0521e31cb478668241eafdb Author: H. Peter Anvin Date: Mon Dec 9 15:43:38 2013 -0800 x86, build: Pass in additional -mno-mmx, -mno-sse options commit 8b3b005d675726e38bc504d2e35a991e55819155 upstream. In checkin 5551a34e5aea x86-64, build: Always pass in -mno-sse we unconditionally added -mno-sse to the main build, to keep newer compilers from generating SSE instructions from autovectorization. However, this did not extend to the special environments (arch/x86/boot, arch/x86/boot/compressed, and arch/x86/realmode/rm). Add -mno-sse to the compiler command line for these environments, and add -mno-mmx to all the environments as well, as we don't want a compiler to generate MMX code either. This patch also removes a $(cc-option) call for -m32, since we have long since stopped supporting compilers too old for the -m32 option, and in fact hardcode it in other places in the Makefiles. Reported-by: Kevin B. Smith Cc: Sunil K. Pandey Signed-off-by: H. Peter Anvin Cc: H. J. Lu Link: http://lkml.kernel.org/n/tip-j21wzqv790q834n7yc6g80j1@git.kernel.org Signed-off-by: Greg Kroah-Hartman commit eea588a497c56a7ed72e00a71829118f465efe39 Author: Matthew Garrett Date: Fri Nov 29 14:44:43 2013 -0500 x86, efi: Don't use (U)EFI time services on 32 bit commit 04bf9ba720fcc4fa313fa122b799ae0989b6cd50 upstream. UEFI time services are often broken once we're in virtual mode. We were already refusing to use them on 64-bit systems, but it turns out that they're also broken on some 32-bit firmware, including the Dell Venue. Disable them for now, we can revisit once we have the 1:1 mappings code incorporated. Signed-off-by: Matthew Garrett Link: http://lkml.kernel.org/r/1385754283-2464-1-git-send-email-matthew.garrett@nebula.com Cc: Matt Fleming Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit d7b2643fc9a596037084830b157a559d8f870169 Author: Alex Deucher Date: Tue Dec 3 09:24:30 2013 -0500 drm/radeon: fixup bad vram size on SI commit 0ca223b029a261e82fb2f50c52eb85d510f4260e upstream. Some boards seem to have garbage in the upper 16 bits of the vram size register. Check for this and clamp the size properly. Fixes boards reporting bogus amounts of vram. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 14655c3cc0adb85752b165eadb003cbc781bcffe Author: Alex Deucher Date: Mon Nov 25 13:20:59 2013 -0500 drm/radeon: program DCE2 audio dto just like DCE3 commit 55d4e020fb8ddd3896a8cd3351028f5c3a2c4bd3 upstream. Seems to work like the DCE3 version despite what the register spec says. bug: https://bugs.freedesktop.org/show_bug.cgi?id=71975 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 82607fbefacada141d98e4eb8b1ee55369959fa7 Author: Carolyn Wyborny Date: Sat Dec 14 03:26:46 2013 -0800 igb: Fix for issue where values could be too high for udelay function. commit df29df92adda751ac04ca5149d30014b5199db81 upstream. This patch changes the igb_phy_has_link function to check the value of the parameter before deciding to use udelay or mdelay in order to be sure that the value is not too high for udelay function. Signed-off-by: Sunil K Pandey Signed-off-by: Kevin B Smith Signed-off-by: Carolyn Wyborny Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4798e3b3fb8759bd0134a77e7d5112d37edde16b Author: Ujjal Roy Date: Thu Nov 21 11:08:56 2013 -0800 mwifiex: fix memory leak issue for ibss join commit 517543fd72d577dde2ebd9505dc4abf26d589f9a upstream. For IBSS join if the requested SSID matches current SSID, it returns without freeing the allocated beacon IE buffer. Signed-off-by: Ujjal Roy Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 555214ae0d4e891eefe5caf019c2a3a6a4e2f5c2 Author: Johannes Berg Date: Fri Oct 25 13:06:06 2013 +0200 iwlwifi: mvm: check sta_id/drain values in debugfs commit 60765a47a433d54e4744c285ad127f182dcd80aa upstream. The station ID must be valid, if it's out of range then the array access may crash. Validate the station ID to the array length, and also validate the drain value even if that doesn't matter all that much. Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver") Signed-off-by: Johannes Berg Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 42beb2047176e0ccfc32afc189e8501ae38a88b8 Author: Johannes Berg Date: Wed Nov 20 11:28:27 2013 +0100 mac80211: don't attempt to reorder multicast frames commit 051a41fa4ee14f5c39668f0980973b9a195de560 upstream. Multicast frames can't be transmitted as part of an aggregation session (such a session couldn't even be set up) so don't try to reorder them. Trying to do so would cause the reorder to stop working correctly since multicast QoS frames (as transmitted by the Aruba APs this was found with) would cause sequence number confusion in the buffer. Reported-by: Blaise Gassend Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 9697f64ab623045dc189b8ac7f2509d68694ef8d Author: Bob Copeland Date: Tue Oct 29 18:11:59 2013 -0400 Revert "mac80211: allow disable power save in mesh" commit 2d3db210860f1df099a35b1dd54cca35454e0361 upstream. This reverts commit ee1f668136b2fb6640ee2d54c2a525ea41f98211. The aformentioned commit added a check to allow 'iw wlan0 set power_save off' to work for mesh interfaces. However, this is problematic because it also allows 'iw wlan0 set power_save on', which will crash in short order because all of the subsequent code manipulates sdata->u.mgd. The power-saving states for mesh interfaces can be manipulated through the mesh config, e.g: 'iw wlan0 set mesh_param mesh_power_save=active' (which, despite the name, actualy disables power saving since the setting refers to the type of sleep the interface undergoes). Fixes: ee1f668136b2 ("mac80211: allow disable power save in mesh") Signed-off-by: Bob Copeland Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 348d7867154c8d7b6f472cbe5918b1169dd13b0c Author: Paul Moore Date: Wed Dec 4 16:10:51 2013 -0500 selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream. In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai Tested-by: Janak Desai Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 216c4a776a12148e8386070da71b9f10ab854e93 Author: Paul Moore Date: Wed Dec 4 16:10:45 2013 -0500 selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() commit 47180068276a04ed31d24fe04c673138208b07a9 upstream. In selinux_ip_output() we always label packets based on the parent socket. While this approach works in almost all cases, it doesn't work in the case of TCP SYN-ACK packets when the correct label is not the label of the parent socket, but rather the label of the larval socket represented by the request_sock struct. Unfortunately, since the request_sock isn't queued on the parent socket until *after* the SYN-ACK packet is sent, we can't lookup the request_sock to determine the correct label for the packet; at this point in time the best we can do is simply pass/NF_ACCEPT the packet. It must be said that simply passing the packet without any explicit labeling action, while far from ideal, is not terrible as the SYN-ACK packet will inherit any IP option based labeling from the initial connection request so the label *should* be correct and all our access controls remain in place so we shouldn't have to worry about information leaks. Reported-by: Janak Desai Tested-by: Janak Desai Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit c588502a732451d199ea27fa5eae9045230e786b Author: Sujith Manoharan Date: Tue Nov 26 07:21:39 2013 +0530 ath9k: Fix XLNA bias strength commit a1783a7b0846fc6414483e6caf646db72023fffd upstream. The EEPROM parameter to determine whether the bias strength values for XLNA have to be applied is part of the miscConfiguration field and not featureEnable. Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 464f44b6e46f257d24a560d0103298865ca67173 Author: Sujith Manoharan Date: Tue Nov 26 07:21:08 2013 +0530 ath9k: Fix QuickDrop usage commit 93c1cfbe598f72cfa7be49e4a7d2a1d482e15119 upstream. Bit 5 in the miscConfiguration field of the base EEPROM header denotes whether QuickDrop is enabled or not. Fix the incorrect usage of BIT(1) and also make sure that this is done only for the required chips. Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a07e39486b2d0a6e15e134501f7e38b1bcfac07c Author: Ville Syrjälä Date: Thu Nov 28 22:10:38 2013 +0200 drm/i915: Fix pipe CSC post offset calculation commit 32cf0cb0294814cb1ee5d8727e9aac0e9aa80d2e upstream. We were miscalculating the pipe CSC post offset for the full->limited range conversion. The resulting post offset was double what it was supposed to be, which caused blacks to come out grey when using limited range output on HSW+. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=71769 Tested-by: Lauri Mylläri Signed-off-by: Ville Syrjälä Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 8de7e61bf3ea5eb5349c4bd1de196fa4d397caab Author: Linus Pizunski Date: Thu Dec 12 17:12:23 2013 -0800 drivers/rtc/rtc-at91rm9200.c: correct alarm over day/month wrap commit eb3c227289840eed95ddfb0516046f08d8993940 upstream. Update month and day of month to the alarm month/day instead of current day/month when setting the RTC alarm mask. Signed-off-by: Linus Pizunski Signed-off-by: Nicolas Ferre Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 21261e510cfb5d807fb827b6c01330daa7e0c330 Author: Hong H. Pham Date: Sat Dec 7 09:06:33 2013 -0500 powerpc: Fix PTE page address mismatch in pgtable ctor/dtor commit cf77ee54362a245f9a01f240adce03a06c05eb68 upstream. In pte_alloc_one(), pgtable_page_ctor() is passed an address that has not been converted by page_address() to the newly allocated PTE page. When the PTE is freed, __pte_free_tlb() calls pgtable_page_dtor() with an address to the PTE page that has been converted by page_address(). The mismatch in the PTE's page address causes pgtable_page_dtor() to access invalid memory, so resources for that PTE (such as the page lock) is not properly cleaned up. On PPC32, only SMP kernels are affected. On PPC64, only SMP kernels with 4K page size are affected. This bug was introduced by commit d614bb041209fd7cb5e4b35e11a7b2f6ee8f62b8 "powerpc: Move the pte free routines from common header". On a preempt-rt kernel, a spinlock is dynamically allocated for each PTE in pgtable_page_ctor(). When the PTE is freed, calling pgtable_page_dtor() with a mismatched page address causes a memory leak, as the pointer to the PTE's spinlock is bogus. On mainline, there isn't any immediately obvious symptoms, but the problem still exists here. Fixes: d614bb041209fd7c "powerpc: Move the pte free routes from common header" Cc: Paul Mackerras Cc: Aneesh Kumar K.V Cc: Benjamin Herrenschmidt Signed-off-by: Hong H. Pham Reviewed-by: Aneesh Kumar K.V Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit b96e6f2b02fd5e07a972242c0f2ddf1ccb9882f1 Author: Antti Palosaari Date: Wed Nov 27 17:23:00 2013 -0300 media: af9035: fix broken I2C and USB I/O commit 9323297dc0ea9141f8099e474657391bb3ad98f8 upstream. There was three small buffer len calculation bugs which caused driver non-working. These are coming from recent commit: commit 7760e148350bf6df95662bc0db3734e9d991cb03 [media] af9035: Don't use dynamic static allocation Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c3d8edeff268c5d7c6701b238a1d75389efd899c Author: Christian Engelmayer Date: Tue Nov 26 18:16:17 2013 -0800 Input: usbtouchscreen - separate report and transmit buffer size handling commit 4ef38351d770cc421f4a0c7a849fd13207fc5741 upstream. This patch supports the separate handling of the USB transfer buffer length and the length of the buffer used for multi packet support. For devices supporting multiple report or diagnostic packets, the USB transfer size is now limited to the USB endpoints wMaxPacketSize - otherwise it defaults to the configured report packet size as before. This fixes an issue where event reporting can be delayed for an arbitrary time for multi packet devices. For instance the report size for eGalax devices is defined to the 16 byte maximum diagnostic packet size as opposed to the 5 byte report packet size. In case the driver requests 16 byte from the USB interrupt endpoint, the USB host controller driver needs to split up the request into 2 accesses according to the endpoints wMaxPacketSize of 8 byte. When the first transfer is answered by the eGalax device with not less than the full 8 byte requested, the host controller has got no way of knowing whether the touch controller has got additional data queued and will issue the second transfer. If per example a liftoff event finishes at such a wMaxPacketSize boundary, the data will not be available to the usbtouch driver until a further event is triggered and transfered to the host. From user perspective the BTN_TOUCH release event in this case is stuck until the next touch down event. Signed-off-by: Christian Engelmayer Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 50721ffc366856576fdeec82bfe77f9fb98187bb Author: Fangxiaozhi (Franko) Date: Mon Dec 2 09:00:11 2013 +0000 USB: option: support new huawei devices commit 2bf308d7bc5e8cdd69672199f59532f35339133c upstream. Add new supporting declarations to option.c, to support Huawei new devices with new bInterfaceProtocol value. Signed-off-by: fangxiaozhi Signed-off-by: Greg Kroah-Hartman commit 472387193e2eecad980dab9ac3d0af16280a7700 Author: Gustavo Zacarias Date: Mon Nov 11 09:59:15 2013 -0300 USB: serial: option: blacklist interface 1 for Huawei E173s-6 commit 8f173e22abf2258ddfa73f46eadbb6a6c29f1631 upstream. Interface 1 on this device isn't for option to bind to otherwise an oops on usb_wwan with log flooding will happen when accessing the port: tty_release: ttyUSB1: read/write wait queue active! It doesn't seem to respond to QMI if it's added to qmi_wwan so don't add it there - it's likely used by the card reader. Signed-off-by: Gustavo Zacarias Signed-off-by: Greg Kroah-Hartman commit 82628480bdbe8eba0f39ede6ee9b540c3a729f72 Author: Michael Grzeschik Date: Mon Nov 11 23:43:32 2013 +0100 usb: gadget: composite: reset delayed_status on reset_config commit 2bac51a1827a18821150ed8c9f9752c02f9c2b02 upstream. The delayed_status value is used to keep track of status response packets on ep0. It needs to be reset or the set_config function would still delay the answer, if the usb device got unplugged while waiting for setup_continue to be called. Signed-off-by: Michael Grzeschik Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit e6303463eee8685f5b7d7a1b58f6f7ff1518d3af Author: Alan Stern Date: Fri Nov 1 12:05:12 2013 -0400 usb: dwc3: fix implementation of endpoint wedge commit a535d81c92615b8ffb99b7e1fd1fb01effaed1af upstream. The dwc3 UDC driver doesn't implement endpoint wedging correctly. When an endpoint is wedged, the gadget driver should be allowed to clear the wedge by calling usb_ep_clear_halt(). Only the host is prevented from resetting the endpoint. This patch fixes the implementation. Signed-off-by: Alan Stern Tested-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 9126f1f5d338fed3f492b4d49f64178231dce76d Author: Julius Werner Date: Thu Nov 7 10:59:14 2013 -0800 usb: hub: Use correct reset for wedged USB3 devices that are NOTATTACHED commit 2d51f3cd11f414c56a87dc018196b85fd50b04a4 upstream. This patch adds a check for USB_STATE_NOTATTACHED to the hub_port_warm_reset_required() workaround for ports that end up in Compliance Mode in hub_events() when trying to decide which reset function to use. Trying to call usb_reset_device() with a NOTATTACHED device will just fail and leave the port broken. Signed-off-by: Julius Werner Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit fbaa929d862503b59110081efb57a40213193a6d Author: Jeff Layton Date: Mon Dec 2 15:26:19 2013 -0500 nfsd: when reusing an existing repcache entry, unhash it first commit 781c2a5a5f75eacc04663aced0f0f1a648d4f308 upstream. The DRC code will attempt to reuse an existing, expired cache entry in preference to allocating a new one. It'll then search the cache, and if it gets a hit it'll then free the cache entry that it was going to reuse. The cache code doesn't unhash the entry that it's going to reuse however, so it's possible for it end up designating an entry for reuse and then subsequently freeing the same entry after it finds it. This leads it to a later use-after-free situation and usually some list corruption warnings or an oops. Fix this by simply unhashing the entry that we intend to reuse. That will mean that it's not findable via a search and should prevent this situation from occurring. Reported-by: Christoph Hellwig Reported-by: g. artim Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 13bb709cbe791f2d0218f29f1390a0d5e206edc3 Author: Linus Torvalds Date: Thu Dec 12 09:38:42 2013 -0800 futex: fix handling of read-only-mapped hugepages commit f12d5bfceb7e1f9051563381ec047f7f13956c3c upstream. The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()"). The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken. Found by Dave Jones and his trinity tool. Reported-and-tested-by: Dave Jones Acked-by: Thomas Gleixner Cc: Mel Gorman Cc: Darren Hart Cc: Andrea Arcangeli Cc: Oleg Nesterov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2a038881b601a81b522fa4bd3dfc8ccfafd34202 Author: Khalid Aziz Date: Wed Nov 27 15:19:25 2013 -0700 PCI: Disable Bus Master only on kexec reboot commit 4fc9bbf98fd66f879e628d8537ba7c240be2b58e upstream. Add a flag to tell the PCI subsystem that kernel is shutting down in preparation to kexec a kernel. Add code in PCI subsystem to use this flag to clear Bus Master bit on PCI devices only in case of kexec reboot. This fixes a power-off problem on Acer Aspire V5-573G and likely other machines and avoids any other issues caused by clearing Bus Master bit on PCI devices in normal shutdown path. The problem was introduced by b566a22c2332 ("PCI: disable Bus Master on PCI device shutdown"). This patch is based on discussion at http://marc.info/?l=linux-pci&m=138425645204355&w=2 Link: https://bugzilla.kernel.org/show_bug.cgi?id=63861 Reported-by: Chang Liu Signed-off-by: Khalid Aziz Signed-off-by: Bjorn Helgaas Acked-by: Konstantin Khlebnikov Signed-off-by: Greg Kroah-Hartman commit f75eb9d4085192dc58c30a9384cf4496194be851 Author: Dan Carpenter Date: Thu Oct 31 21:00:10 2013 +0300 xfs: underflow bug in xfs_attrlist_by_handle() commit 31978b5cc66b8ba8a7e8eef60b12395d41b7b890 upstream. If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference. This can only be triggered with CAP_SYS_ADMIN. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Reviewed-by: Dave Chinner Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 7e767aae0ed129f6e67f5fec09fa870be452788c Author: Dave Chinner Date: Thu Nov 21 15:41:06 2013 +1100 xfs: growfs overruns AGFL buffer on V4 filesystems commit f94c44573e7c22860e2c3dfe349c45f72ba35ad3 upstream. This loop in xfs_growfs_data_private() is incorrect for V4 superblocks filesystems: for (bucket = 0; bucket < XFS_AGFL_SIZE(mp); bucket++) agfl->agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK); For V4 filesystems, we don't have a agfl header structure, and so XFS_AGFL_SIZE() returns an entire sector's worth of entries, which we then index from an offset into the sector. Hence: buffer overrun. This problem was introduced in 3.10 by commit 77c95bba ("xfs: add CRC checks to the AGFL") which changed the AGFL structure but failed to update the growfs code to handle the different structures. Fix it by using the correct offset into the buffer for both V4 and V5 filesystems. Signed-off-by: Dave Chinner Reviewed-by: Jie Liu Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit a903818b46ee2bf0c9a0bc7d1fa80ed4b72083c2 Author: Jean Delvare Date: Thu Dec 12 08:05:32 2013 +0100 hwmon: (w83l768ng) Fix fan speed control range commit 33a7ab91d509fa33b4bcd3ce0038cc80298050da upstream. The W83L786NG stores the fan speed on 4 bits while the sysfs interface uses a 0-255 range. Thus the driver should scale the user input down to map it to the device range, and scale up the value read from the device before presenting it to the user. The reserved register nibble should be left unchanged. Signed-off-by: Jean Delvare Reviewed-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit d6eb2d04bb8bcf9c899630fee2072477096c7599 Author: Brian Carnes Date: Thu Dec 12 08:05:32 2013 +0100 hwmon: (w83l786ng) Fix fan speed control mode setting and reporting commit cf7559bc053471f32373d71d04a9aa19e0b48d59 upstream. The wrong mask is used, which causes some fan speed control modes (pwmX_enable) to be incorrectly reported, and some modes to be impossible to set. [JD: add subject and description.] Signed-off-by: Brian Carnes Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit d4fa5279d77716bdcadcefee942629433ae45554 Author: José Miguel Gonçalves Date: Wed Dec 11 11:11:13 2013 +0000 hwmon: HIH-6130: Support I2C bus drivers without I2C_FUNC_SMBUS_QUICK commit efabcc2123f0ed47870033b8d6fc73b50d76d635 upstream. Some I2C bus drivers do not allow zero-length data transfers which are required to start a measurement with the HIH6130/1 sensor. Nevertheless, we can overcome this limitation by writing a zero dummy byte. This byte is ignored by the sensor and was verified to be working with the OMAP I2C bus driver in a BeagleBone board. Signed-off-by: José Miguel Gonçalves [Guenter Roeck: Simplified complexity of write_length initialization] Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 223cc81c8c68c4c6b09cf8c024b1881084f29e5d Author: Dan Carpenter Date: Thu Dec 12 08:05:33 2013 +0100 hwmon: Prevent some divide by zeros in FAN_TO_REG() commit 3806b45ba4655147a011df03242cc197ab986c43 upstream. The "rpm * div" operations can overflow here, so this patch adds an upper limit to rpm to prevent that. Jean Delvare helped me with this patch. Signed-off-by: Dan Carpenter Acked-by: Roger Lucas Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit e77a822f213aaa903e1aa9e5a5e4003b141d915c Author: Gleb Natapov Date: Thu Dec 12 21:20:08 2013 +0100 KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 upstream. A guest can cause a BUG_ON() leading to a host kernel crash. When the guest writes to the ICR to request an IPI, while in x2apic mode the following things happen, the destination is read from ICR2, which is a register that the guest can control. kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the cluster id. A BUG_ON is triggered, which is a protection against accessing map->logical_map with an out-of-bounds access and manages to avoid that anything really unsafe occurs. The logic in the code is correct from real HW point of view. The problem is that KVM supports only one cluster with ID 0 in clustered mode, but the code that has the bug does not take this into account. Reported-by: Lars Bull Signed-off-by: Gleb Natapov Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0e03b79fc2eb224e09fde9f5f3495b5b15dac1ed Author: Andy Honig Date: Wed Nov 20 10:23:22 2013 -0800 KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) commit fda4e2e85589191b123d31cdc21fd33ee70f50fd upstream. In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the potential to corrupt kernel memory if userspace provides an address that is at the end of a page. This patches concerts those functions to use kvm_write_guest_cached and kvm_read_guest_cached. It also checks the vapic_address specified by userspace during ioctl processing and returns an error to userspace if the address is not a valid GPA. This is generally not guest triggerable, because the required write is done by firmware that runs before the guest. Also, it only affects AMD processors and oldish Intel that do not have the FlexPriority feature (unless you disable FlexPriority, of course; then newer processors are also affected). Fixes: b93463aa59d6 ('KVM: Accelerated apic support') Reported-by: Andrew Honig Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9913f77411d04f56f600d900a6533c9518e6ee68 Author: Andy Honig Date: Tue Nov 19 14:12:18 2013 -0800 KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream. Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash. - Set the mode to periodic - Set the TMICT to 0 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) - Set the TMICT to non-zero. Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. Reported-by: Andrew Honig Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit f4d838225e0cbdc8099c2eb8d55dd9406def1f33 Author: Andy Honig Date: Mon Nov 18 16:09:22 2013 -0800 KVM: Improve create VCPU parameter (CVE-2013-4587) commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream. In multiple functions the vcpu_id is used as an offset into a bitfield. Ag malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate priveges in the kernel. This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked. Reported-by: Andrew Honig Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit a5633d4871bae973f39945b2ba0f86f6bbd45ab4 Author: Konstantin Khlebnikov Date: Thu Dec 5 14:23:48 2013 +0100 ARM: 7913/1: fix framepointer check in unwind_frame commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream. This patch fixes corner case when (fp + 4) overflows unsigned long, for example: fp = 0xFFFFFFFF -> fp + 4 == 3. Signed-off-by: Konstantin Khlebnikov Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 7768a84a3e65465c0fc96ec3d447453ea79dbaed Author: Konstantin Khlebnikov Date: Thu Dec 5 14:21:36 2013 +0100 ARM: 7912/1: check stack pointer in get_wchan commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream. get_wchan() is lockless. Task may wakeup at any time and change its own stack, thus each next stack frame may be overwritten and filled with random stuff. /proc/$pid/stack interface had been disabled for non-current tasks, see [1] But 'wchan' still allows to trigger stack frame unwinding on volatile stack. This patch fixes oops in unwind_frame() by adding stack pointer validation on each step (as x86 code do), unwind_frame() already checks frame pointer. Also I've found another report of this oops on stackoverflow (irony). Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1] Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error Signed-off-by: Konstantin Khlebnikov Acked-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 58a6ea8d32e9d23c8cc531a800aabc2c8f2f95aa Author: Roger Quadros Date: Sun Dec 8 18:39:02 2013 -0700 ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream. Unlike what the comment states, errata i660 does not state that we can't RESET the USB host module. Instead it states that RESET is the only way to recover from a deadlock situation. RESET ensures that the module is in a known good state irrespective of what bootloader does with the module, so it must be done at boot. Signed-off-by: Roger Quadros Tested-by: Tomi Valkeinen # Panda, BeagleXM Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3") Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit ff1dbcb8f938b2344b0d4c37c83ee75d360157cf Author: Sergei Ianovich Date: Tue Dec 10 08:39:15 2013 +0400 ARM: pxa: prevent PXA270 occasional reboot freezes commit ff88b4724fde18056a4c539f7327389aec0f4c2d upstream. Erratum 71 of PXA270M Processor Family Specification Update (April 19, 2010) explains that watchdog reset time is just 8us insead of 10ms in EMTS. If SDRAM is not reset, it causes memory bus congestion and the device hangs. We put SDRAM in selfresh mode before watchdog reset, removing potential freezes. Without this patch PXA270-based ICP DAS LP-8x4x hangs after up to 40 reboots. With this patch it has successfully rebooted 500 times. Signed-off-by: Sergei Ianovich Tested-by: Marek Vasut Signed-off-by: Haojian Zhuang Signed-off-by: Olof Johansson Signed-off-by: Greg Kroah-Hartman commit 886a5c50e528c5190f88d6e9fa88d612257dad18 Author: Dmitry Eremin-Solenikov Date: Sat Nov 16 16:47:50 2013 +0400 ARM: pxa: tosa: fix keys mapping commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream. When converting from tosa-keyboard driver to matrix keyboard, tosa keys received extra 1 column shift. Replace that with correct values to make keyboard work again. Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver') Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: Haojian Zhuang Signed-off-by: Olof Johansson Signed-off-by: Greg Kroah-Hartman commit 6492e3defff1af5c2cbc0c4c9b9bd3c954b6e59e Author: Anssi Hannula Date: Tue Dec 10 22:46:34 2013 +0200 ALSA: hda - hdmi: Fix IEC958 ctl indexes for some simple HDMI devices commit c9a6338aecdb92f9d015ecc26d203e54250bebbb upstream. In case a single HDA card has both HDMI and S/PDIF outputs, the S/PDIF outputs will have their IEC958 controls created starting from index 16 and the HDMI controls will be created starting from index 0. However, HDMI simple_playback_build_controls() as used by old VIA and NVIDIA codecs incorrectly requests the IEC958 controls to be created with an S/PDIF type instead of HDMI. In case the card has other codecs that have HDMI outputs, the controls will be created with wrong index=16, causing them to e.g. be unreachable by the ALSA "hdmi" alias. Fix that by making simple_playback_build_controls() request controls with HDMI indexes. Not many cards have an affected configuration, but e.g. ASUS M3N78-VM contains an integrated NVIDIA HDA "card" with: - a VIA codec that has, among others, an S/PDIF pin incorrectly labelled as an HDMI pin, and - an NVIDIA MCP7x HDMI codec. Reported-by: MysterX on #openelec Tested-by: MysterX on #openelec Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3d0ed796879a3d63593eee271e3acafb3cffb7d6 Author: Takashi Iwai Date: Tue Dec 10 17:33:49 2013 +0100 ALSA: hda - Mute all aamix inputs as default commit ebb93c057dda376414fbc499ad6ace9b527dff5a upstream. Not all channels have been initialized, so far, especially when aamix NID itself doesn't have amps but its leaves have. This patch fixes these holes. Otherwise you might get unexpected loopback inputs, e.g. from surround channels. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2a9f683edd34578a3d1e789781f4499af4990d63 Author: Takashi Iwai Date: Tue Dec 10 17:29:26 2013 +0100 ALSA: hda - Add static DAC/pin mapping for AD1986A codec commit 3690739b013504d33fe9348dd45f6b126aa370fb upstream. AD1986A codec is a pretty old codec and has really many hidden restrictions. One of such is that each DAC is dedicated to certain pin although there are possible connections. Currently, the generic parser tries to assign individual DACs as much as possible, and this lead to two bad situations: connections where the sound actually doesn't work, and connections conflicting other channels. We may fix this by trying to find the best connections more harder, but as of now, it's easier to give some hints for paired DAC/pin connections and honor them if available, since such a hint is needed only for specific codecs (right now only AD1986A, and there will be unlikely any others in future). Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=64971 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66621 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 44b8b7a7f2e76dd1aea131bcf79417252a1f3f11 Author: Stefano Panella Date: Tue Dec 10 14:20:28 2013 +0000 ALSA: memalloc.h - fix wrong truncation of dma_addr_t commit 932e9dec380c67ec15ac3eb073bb55797d8b4801 upstream. When running a 32bit kernel the hda_intel driver is still reporting a 64bit dma_mask if the HW supports it. From sound/pci/hda/hda_intel.c: /* allow 64bit DMA address if supported by H/W */ if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64))) pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64)); else { pci_set_dma_mask(pci, DMA_BIT_MASK(32)); pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32)); } which means when there is a call to dma_alloc_coherent from snd_malloc_dev_pages a machine address bigger than 32bit can be returned. This can be true in particular if running the 32bit kernel as a pv dom0 under the Xen Hypervisor or PAE on bare metal. The problem is that when calling setup_bdle to program the BLE the dma_addr_t returned from the dma_alloc_coherent is wrongly truncated from snd_sgbuf_get_addr if running a 32bit kernel: static inline dma_addr_t snd_sgbuf_get_addr(struct snd_dma_buffer *dmab, size_t offset) { struct snd_sg_buf *sgbuf = dmab->private_data; dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr; addr &= PAGE_MASK; return addr + offset % PAGE_SIZE; } where PAGE_MASK in a 32bit kernel is zeroing the upper 32bit af addr. Without this patch the HW will fetch the 32bit truncated address, which is not the one obtained from dma_alloc_coherent and will result to a non working audio but can corrupt host memory at a random location. The current patch apply to v3.13-rc3-74-g6c843f5 Signed-off-by: Stefano Panella Reviewed-by: Frediano Ziglio Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f4b017da47d8aa1a1ab0fd4ec04b9f7044a096e8 Author: Takashi Iwai Date: Tue Dec 10 12:15:52 2013 +0100 ALSA: compress: Fix 64bit ABI incompatibility commit 6733cf572a9e20db2b7580a5dd39d5782d571eec upstream. snd_pcm_uframes_t is defined as unsigned long so it would take different sizes depending on 32 or 64bit architectures. As we don't want this ABI incompatibility, and there is no real 64bit user yet, let's make it the fixed size with __u32. Also bump the protocol version number to 0.1.2. Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 17430858ee6bbf5e5f15a998ce5447f05d90b850 Author: Mag Date: Mon Aug 26 00:22:01 2013 -0700 Input: xpad - add signature for Razer Onza Classic Edition commit ed06349fe8d12dcb718984862b6e839fc8606c34 upstream. Signed-off-by: Nol "Mag" Archinova Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit f8d29bed8aecf9b0cfe56c5740855b31c2ea0390 Author: Jim Quinlan Date: Tue Aug 27 16:57:51 2013 -0400 MIPS: DMA: For BMIPS5000 cores flush region just like non-coherent R10000 commit f86f55d3ad21b21b736bdeb29bee0f0937b77138 upstream. The BMIPS5000 (Zephyr) processor utilizes instruction speculation. A stale misprediction address in either the JTB or the CRS may trigger a prefetch inside a region that is currently being used by a DMA engine, which is not IO-coherent. This prefetch will fetch a line into the scache, and that line will soon become stale (ie wrong) during/after the DMA. Mayhem ensues. In dma-default.c, the r10000 is handled as a special case in the same way that we want to handle Zephyr. So we generalize the exception cases into a function, and include Zephyr as one of the processors that needs this special care. Signed-off-by: Jim Quinlan Cc: linux-mips@linux-mips.org Cc: cernekee@gmail.com Patchwork: https://patchwork.linux-mips.org/patch/5776/ Signed-off-by: Ralf Baechle Cc: John Ulvr Signed-off-by: Greg Kroah-Hartman