commit 94f578e6aba14bb2aeb00db2e7f6e5f704fee937
Author: Greg Kroah-Hartman
Date:   Wed Jan 8 09:42:33 2014 -0800

    Linux 3.4.76

commit b7a9e22f44afe81e1252ad0aeb6b145af93103e0
Author: Jean Delvare
Date:   Thu Dec 12 08:05:32 2013 +0100

    hwmon: (w83l768ng) Fix fan speed control range

    commit 33a7ab91d509fa33b4bcd3ce0038cc80298050da upstream.

    The W83L786NG stores the fan speed on 4 bits while the sysfs interface
    uses a 0-255 range. Thus the driver should scale the user input down
    to map it to the device range, and scale up the value read from the
    device before presenting it to the user. The reserved register nibble
    should be left unchanged.

    Signed-off-by: Jean Delvare
    Reviewed-by: Guenter Roeck
    Signed-off-by: Greg Kroah-Hartman

commit 420cc6d77fd83ab28ebed7ab1dc9018ab351ec12
Author: Paul Moore
Date:   Tue Dec 10 14:58:01 2013 -0500

    selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()

    commit c0828e50485932b7e019df377a6b0a8d1ebd3080 upstream.

    Due to difficulty in arriving at the proper security label for TCP
    SYN-ACK packets in selinux_ip_postroute(), we need to check packets
    while/before they are undergoing XFRM transforms instead of waiting
    until afterwards so that we can determine the correct security label.

    Reported-by: Janak Desai
    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 73ec955cd6954d69540c7a761182ee84d2bad189
Author: Paul Moore
Date:   Tue Dec 10 14:57:54 2013 -0500

    selinux: look for IPsec labels on both inbound and outbound packets

    commit 817eff718dca4e54d5721211ddde0914428fbb7c upstream.

    Previously selinux_skb_peerlbl_sid() would only check for labeled
    IPsec security labels on inbound packets, this patch enables it to
    check both inbound and outbound traffic for labeled IPsec security
    labels.

    Reported-by: Janak Desai
    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 7a12bcd95b59dcf1a715827846baa7c81d1946f9
Author: Geert Uytterhoeven
Date:   Wed Dec 18 17:08:48 2013 -0800

    sh: always link in helper functions extracted from libgcc

    commit 84ed8a99058e61567f495cc43118344261641c5f upstream.

    E.g. landisk_defconfig, which has CONFIG_NTFS_FS=m:

      ERROR: "__ashrdi3" [fs/ntfs/ntfs.ko] undefined!

    For "lib-y", if no symbols in a compilation unit are referenced by
    other units, the compilation unit will not be included in vmlinux.
    This breaks modules that do reference those symbols.

    Use "obj-y" instead to fix this.

      http://kisskb.ellerman.id.au/kisskb/buildresult/8838077/

    This doesn't fix all cases. There are others, e.g. udivsi3. This is
    also not limited to sh, many architectures handle this in the same way.

    A simple solution is to unconditionally include all helper functions.
    A more complex solution is to make the choice of "lib-y" or "obj-y"
    depend on CONFIG_MODULES:

      obj-$(CONFIG_MODULES) += ...
      lib-y($CONFIG_MODULES) += ...

    Signed-off-by: Geert Uytterhoeven
    Cc: Paul Mundt
    Tested-by: Nobuhiro Iwamatsu
    Reviewed-by: Nobuhiro Iwamatsu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit dfb473b35096a0ffae221c7eeb49c34882ea6f9c
Author: Ben Segall
Date:   Wed Oct 16 11:16:32 2013 -0700

    sched: Avoid throttle_cfs_rq() racing with period_timer stopping

    commit f9f9ffc237dd924f048204e8799da74f9ecf40cf upstream.

    throttle_cfs_rq() doesn't check to make sure that period_timer is
    running, and while update_curr/assign_cfs_runtime does, a concurrently
    running period_timer on another cpu could cancel itself between this
    cpu's update_curr and throttle_cfs_rq(). If there are no other cfs_rqs
    running in the tg to restart the timer, this causes the cfs_rq to be
    stranded forever.

    Fix this by calling __start_cfs_bandwidth() in throttle if the timer is
    inactive.

    (Also add some sched_debug lines for cfs_bandwidth.)

    Tested: make a run/sleep task in a cgroup, loop switching the cgroup
    between 1ms/100ms quota and unlimited, checking for timer_active=0 and
    throttled=1 as a failure. With the throttle_cfs_rq() change commented
    out this fails, with the full patch it passes.

    Signed-off-by: Ben Segall
    Signed-off-by: Peter Zijlstra
    Cc: pjt@google.com
    Link: http://lkml.kernel.org/r/20131016181632.22647.84174.stgit@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Chris J Arges
    Signed-off-by: Greg Kroah-Hartman

commit 05bbcdd32afbfd520c71ae8104a8bf531aed9163
Author: Stephen Boyd
Date:   Tue Dec 10 15:19:03 2013 -0800

    gpio: msm: Fix irq mask/unmask by writing bits instead of numbers

    commit 4cc629b7a20945ce35628179180329b6bc9e552b upstream.

    We should be writing bits here but instead we're writing the
    numbers that correspond to the bits we want to write. Fix it by
    wrapping the numbers in the BIT() macro. This fixes gpios acting
    as interrupts.

    Signed-off-by: Stephen Boyd
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit db7d85d7f0137628d24dfb3415716e96a1c11833
Author: Theodore Ts'o
Date:   Sun Dec 8 21:12:59 2013 -0500

    jbd2: don't BUG but return ENOSPC if a handle runs out of space

    commit f6c07cad081ba222d63623d913aafba5586c1d2c upstream.

    If a handle runs out of space, we currently stop the kernel with a BUG
    in jbd2_journal_dirty_metadata(). This makes it hard to figure out
    what might be going on. So return an error of ENOSPC, so we can let
    the file system layer figure out what is going on, to make it more
    likely we can get useful debugging information. This should make it
    easier to debug problems such as the one which was reported by:

        https://bugzilla.kernel.org/show_bug.cgi?id=44731

    The only two callers of this function are ext4_handle_dirty_metadata()
    and ocfs2_journal_dirty(). The ocfs2 function will trigger a
    BUG_ON(), which means there will be no change in behavior.
    The ext4 function will call ext4_error_inode() which will print the
    useful debugging information and then handle the situation using
    ext4's error handling mechanisms (i.e., which might mean halting the
    kernel or remounting the file system read-only).

    Also, since both file systems already call WARN_ON(), drop the WARN_ON
    from jbd2_journal_dirty_metadata() to avoid two stack traces from
    being displayed.

    Signed-off-by: "Theodore Ts'o"
    Cc: ocfs2-devel@oss.oracle.com
    Acked-by: Joel Becker
    Signed-off-by: Greg Kroah-Hartman

commit d23a87af40a35e7bedb349d071c4a1c5dcf050e2
Author: Steven Whitehouse
Date:   Wed Dec 18 14:14:52 2013 +0000

    GFS2: Fix incorrect invalidation for DIO/buffered I/O

    commit dfd11184d894cd0a92397b25cac18831a1a6a5bc upstream.

    In patch 209806aba9d540dde3db0a5ce72307f85f33468f we allowed
    local deferred locks to be granted against a cached exclusive
    lock. That opened up a corner case which this patch now
    fixes.

    The solution to the problem is to check whether we have cached
    pages each time we do direct I/O and if so to unmap, flush
    and invalidate those pages. Since the glock state machine
    normally does that for us, mostly the code will be a no-op.

    Signed-off-by: Steven Whitehouse
    Signed-off-by: Greg Kroah-Hartman

commit af7cf2107d3a05709799e441a55c2a646e7b5a45
Author: Steven Whitehouse
Date:   Fri Dec 6 11:52:34 2013 +0000

    GFS2: don't hold s_umount over blkdev_put

    commit dfe5b9ad83a63180f358b27d1018649a27b394a9 upstream.

    This is a GFS2 version of Tejun's patch:
    4f331f01b9c43bf001d3ffee578a97a1e0633eac
    vfs: don't hold s_umount over close_bdev_exclusive() call

    In this case it's blkdev_put itself that is the issue and this
    patch uses the same solution of dropping and retaking s_umount.

    Reported-by: Tejun Heo
    Reported-by: Al Viro
    Signed-off-by: Steven Whitehouse
    Signed-off-by: Greg Kroah-Hartman

commit 1b01494b82bf4f46821dd4dda2bb35aa43415eeb
Author: Dmitry Torokhov
Date:   Thu Dec 26 17:44:29 2013 -0800

    Input: allocate absinfo data when setting ABS capability

    commit 28a2a2e1aedbe2d8b2301e6e0e4e63f6e4177aca upstream.

    We need to make sure we allocate absinfo data when we are setting one of
    EV_ABS/ABS_XXX capabilities, otherwise we may bomb when we try to emit
    this event.

    Rested-by: Paul Cercueil
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 2efb73fb4f0f5081ba6450e789b52f70247c80d9
Author: Jianguo Wu
Date:   Wed Dec 18 17:08:59 2013 -0800

    mm/hugetlb: check for pte NULL pointer in __page_check_address()

    commit 98398c32f6687ee1e1f3ae084effb4b75adb0747 upstream.

    In __page_check_address(), if address's pud is not present,
    huge_pte_offset() will return NULL, we should check the return value.

    Signed-off-by: Jianguo Wu
    Cc: Naoya Horiguchi
    Cc: Mel Gorman
    Cc: qiuxishi
    Cc: Hanjun Guo
    Acked-by: Kirill A. Shutemov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1005954e40d50fbbbf48bd3c7fe4942f42f26f75
Author: Larry Finger
Date:   Wed Dec 11 17:13:10 2013 -0600

    rtlwifi: pci: Fix oops on driver unload

    commit 9278db6279e28d4d433bc8a848e10b4ece8793ed upstream.

    On Fedora systems, unloading rtl8192ce causes an oops. This patch fixes
    the problem reported at https://bugzilla.redhat.com/show_bug.cgi?id=852761.

    Signed-off-by: Larry Finger
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit a86f1d64f44d5e443eb0f5eb9498583f364e9f33
Author: Johannes Berg
Date:   Mon Dec 16 12:04:36 2013 +0100

    radiotap: fix bitmap-end-finding buffer overrun

    commit bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 upstream.

    Evan Huus found (by fuzzing in wireshark) that the radiotap
    iterator code can access beyond the length of the buffer if
    the first bitmap claims an extension but then there's no
    data at all.
    Fix this.

    Reported-by: Evan Huus
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit c89c4dc7c370102ed0b5c0d90d892364d4980e37
Author: Michele Baldessari
Date:   Mon Nov 25 19:00:14 2013 +0000

    libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8

    commit 87809942d3fa60bafb7a58d0bdb1c79e90a6821d upstream.

    We've received multiple reports in Fedora via (BZ 907193)
    that the Seagate Momentus SpinPoint M8 errors out when enabling AA:

    [ 2.555905] ata2.00: failed to enable AA (error_mask=0x1)
    [ 2.568482] ata2.00: failed to enable AA (error_mask=0x1)

    Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk.

    Reported-by: Nicholas
    Signed-off-by: Michele Baldessari
    Tested-by: Nicholas
    Acked-by: Alan Cox
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit 40fe79abb0828a085dc99827fa8588b8970788b9
Author: Josh Boyer
Date:   Fri Oct 11 08:45:51 2013 -0400

    cpupower: Fix segfault due to incorrect getopt_long arugments

    commit f447ef4a56dee4b68a91460bcdfe06b5011085f2 upstream.

    If a user calls 'cpupower set --perf-bias 15', the process will end with
    a SIGSEGV in libc because cpupower-set passes a NULL optarg to the atoi
    call. This is because the getopt_long structure currently has all of
    the options as having an optional_argument when they really have a
    required argument. We change the structure to use required_argument to
    match the short options and it resolves the issue.

    This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1000439

    Signed-off-by: Josh Boyer
    Cc: Dominik Brodowski
    Cc: Thomas Renninger
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 70a9450d1b854b02a0e7d19c6b18f48ed9d7b4db
Author: Anton Blanchard
Date:   Mon Dec 23 12:19:51 2013 +1100

    powerpc: Align p_end

    commit 286e4f90a72c0b0621dde0294af6ed4b0baddabb upstream.

    p_end is an 8 byte value embedded in the text section. This means it
    is only 4 byte aligned when it should be 8 byte aligned. Fix this
    by adding an explicit alignment.

    This fixes an issue where POWER7 little endian builds with
    CONFIG_RELOCATABLE=y fail to boot.

    Signed-off-by: Anton Blanchard
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 4e6cc83041aacf32013022d922c34230ee6e6e90
Author: Michael Neuling
Date:   Mon Dec 16 15:12:43 2013 +1100

    powerpc: Fix bad stack check in exception entry

    commit 90ff5d688e61f49f23545ffab6228bd7e87e6dc7 upstream.

    In EXCEPTION_PROLOG_COMMON() we check to see if the stack pointer (r1)
    is valid when coming from the kernel. If it's not valid, we die but
    with a nice oops message.

    Currently we allocate a stack frame (subtract INT_FRAME_SIZE) before we
    check to see if the stack pointer is negative. Unfortunately, this
    won't detect a bad stack where r1 is less than INT_FRAME_SIZE.

    This patch fixes the check to compare the modified r1 with
    -INT_FRAME_SIZE. With this, bad kernel stack pointers (including NULL
    pointers) are correctly detected again.

    Kudos to Paulus for finding this.

    Signed-off-by: Michael Neuling
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 7110adb76087508116e4ce1496b8ca7a57e2d85d
Author: Mathy Vanhoef
Date:   Thu Nov 28 12:21:45 2013 +0100

    ath9k_htc: properly set MAC address and BSSID mask

    commit 657eb17d87852c42b55c4b06d5425baa08b2ddb3 upstream.

    Pick the MAC address of the first virtual interface as the new hardware
    MAC address. Set BSSID mask according to this MAC address. This fixes
    CVE-2013-4579.

    Signed-off-by: Mathy Vanhoef
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 07632d5ce9517f0b75e4b0dbd56040072fe8bf06
Author: Sujith Manoharan
Date:   Mon Dec 16 07:04:59 2013 +0530

    ath9k: Fix interrupt handling for the AR9002 family

    commit 73f0b56a1ff64e7fb6c3a62088804bab93bcedc2 upstream.

    This patch adds a driver workaround for a HW issue.

    A race condition in the HW results in missing interrupts,
    which can be avoided by a read/write with the ISR register.
    All chips in the AR9002 series are affected by this bug - AR9003
    and above do not have this problem.

    Cc: Felix Fietkau
    Signed-off-by: Sujith Manoharan
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit b5e9100f23e189fb01c186ca2d830ac994bdb678
Author: Peter Korsgaard
Date:   Mon Dec 16 11:35:35 2013 +0100

    dm9601: work around tx fifo sync issue on dm962x

    commit 4263c86dca5198da6bd3ad826d0b2304fbe25776 upstream.

    Certain dm962x revisions contain a bug, where if a USB bulk transfer
    retry (E.G. if bulk crc mismatch) happens right after a transfer with
    odd or maxpacket length, the internal tx hardware fifo gets out of sync
    causing the interface to stop working.

    Work around it by adding up to 3 bytes of padding to ensure this
    situation cannot trigger.

    This workaround also means we never pass multiple-of-maxpacket size
    skb's to usbnet, so the length adjustment to handle usbnet's padding of
    those can be removed.

    Reported-by: Joseph Chang
    Signed-off-by: Peter Korsgaard
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit aa0a506a5b3d8fe3d63469bc9a43b50601f751bc
Author: Peter Korsgaard
Date:   Mon Dec 16 11:35:33 2013 +0100

    dm9601: fix reception of full size ethernet frames on dm9620/dm9621a

    commit 407900cfb54bdb2cfa228010b6697305f66b2948 upstream.

    dm9620/dm9621a require room for 4 byte padding even in dm9601 (3 byte
    header) mode.

    Signed-off-by: Peter Korsgaard
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e0050ac1e4b0a9340e9fc3d9d918799613b72f9a
Author: Li Wang
Date:   Wed Nov 13 15:22:14 2013 +0800

    ceph: Avoid data inconsistency due to d-cache aliasing in readpage()

    commit 56f91aad69444d650237295f68c195b74d888d95 upstream.

    If the length of data to be read in readpage() is exactly
    PAGE_CACHE_SIZE, the original code does not flush d-cache
    for data consistency after finishing reading. This patch fixes
    this.

    Signed-off-by: Li Wang
    Signed-off-by: Sage Weil
    Signed-off-by: Greg Kroah-Hartman

commit be541ecb66d285c4135c3820113af22ff57d4a0c
Author: Alex Deucher
Date:   Mon Dec 23 09:31:58 2013 -0500

    drm/radeon: 0x9649 is SUMO2 not SUMO

    commit d00adcc8ae9e22eca9d8af5f66c59ad9a74c90ec upstream.

    Fixes rendering corruption due to incorrect
    gfx configuration.

    bug:
    https://bugs.freedesktop.org/show_bug.cgi?id=63599

    Signed-off-by: Alex Deucher
    Signed-off-by: Greg Kroah-Hartman

commit 93fb68c0c53ce4660686cf276320e64fe68578a1
Author: Alex Deucher
Date:   Thu Dec 19 19:41:46 2013 -0500

    drm/radeon: fix asic gfx values for scrapper asics

    commit e2f6c88fb903e123edfd1106b0b8310d5117f774 upstream.

    Fixes gfx corruption on certain TN/RL parts.

    bug:
    https://bugs.freedesktop.org/show_bug.cgi?id=60389

    Signed-off-by: Alex Deucher
    Signed-off-by: Greg Kroah-Hartman

commit 628706b739d6fdf0942030c75e301234f0c72d52
Author: Dan Williams
Date:   Tue Dec 17 10:09:32 2013 -0800

    net_dma: mark broken

    commit 77873803363c9e831fc1d1e6895c084279090c22 upstream.

    net_dma can cause data to be copied to a stale mapping if a
    copy-on-write fault occurs during dma. The application sees missing
    data.

    The following trace is triggered by modifying the kernel to WARN if it
    ever triggers copy-on-write on a page that is undergoing dma:

     WARNING: CPU: 24 PID: 2529 at lib/dma-debug.c:485 debug_dma_assert_idle+0xd2/0x120()
     ioatdma 0000:00:04.0: DMA-API: cpu touching an active dma mapped page [pfn=0x16bcd9]
     Modules linked in: iTCO_wdt iTCO_vendor_support ioatdma lpc_ich pcspkr dca
     CPU: 24 PID: 2529 Comm: linbug Tainted: G W 3.13.0-rc1+ #353
      00000000000001e5 ffff88016f45f688 ffffffff81751041 ffff88017ab0ef70
      ffff88016f45f6d8 ffff88016f45f6c8 ffffffff8104ed9c ffffffff810f3646
      ffff8801768f4840 0000000000000282 ffff88016f6cca10 00007fa2bb699349
     Call Trace:
      [] dump_stack+0x46/0x58
      [] warn_slowpath_common+0x8c/0xc0
      [] ? ftrace_pid_func+0x26/0x30
      [] warn_slowpath_fmt+0x46/0x50
      [] debug_dma_assert_idle+0xd2/0x120
      [] do_wp_page+0xd0/0x790
      [] handle_mm_fault+0x51c/0xde0
      [] ? copy_user_enhanced_fast_string+0x9/0x20
      [] __do_page_fault+0x19c/0x530
      [] ? _raw_spin_lock_bh+0x16/0x40
      [] ? trace_clock_local+0x9/0x10
      [] ? rb_reserve_next_event+0x64/0x310
      [] ? ioat2_dma_prep_memcpy_lock+0x60/0x130 [ioatdma]
      [] do_page_fault+0xe/0x10
      [] page_fault+0x22/0x30
      [] ? __kfree_skb+0x51/0xd0
      [] ? copy_user_enhanced_fast_string+0x9/0x20
      [] ? memcpy_toiovec+0x52/0xa0
      [] skb_copy_datagram_iovec+0x5f/0x2a0
      [] tcp_rcv_established+0x674/0x7f0
      [] tcp_v4_do_rcv+0x2e5/0x4a0
     [..]
     ---[ end trace e30e3b01191b7617 ]---
     Mapped at:
      [] debug_dma_map_page+0xb9/0x160
      [] dma_async_memcpy_pg_to_pg+0x127/0x210
      [] dma_memcpy_pg_to_iovec+0x119/0x1f0
      [] dma_skb_copy_datagram_iovec+0x11c/0x2b0
      [] tcp_rcv_established+0x74a/0x7f0:

    ...the problem is that the receive path falls back to cpu-copy in
    several locations and this trace is just one of the areas. A few
    options were considered to fix this:

    1/ sync all dma whenever a cpu copy branch is taken

    2/ modify the page fault handler to hold off while dma is in-flight

    Option 1 adds yet more cpu overhead to an "offload" that struggles to
    compete with cpu-copy. Option 2 adds checks for behavior that is
    already documented as broken when using get_user_pages(). At a
    minimum a debug mode is warranted to catch and flag these violations
    of the dma-api vs get_user_pages().

    Thanks to David for his reproducer.

    Cc: Dave Jiang
    Cc: Vinod Koul
    Cc: Alexander Duyck
    Reported-by: David Whipple
    Acked-by: David S. Miller
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit b266405d3fb1b41af54c762247da92cf9083d98e
Author: Rafał Miłecki
Date:   Sat Dec 7 13:22:42 2013 +0100

    drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook

    commit 49d45a31b71d7d9da74485922bdb63faf3dc9684 upstream.

    This bug in EDID was exposed by:

    commit eccea7920cfb009c2fa40e9ecdce8c36f61cab66
    Author: Alex Deucher
    Date:   Mon Mar 26 15:12:54 2012 -0400

        drm/radeon/kms: improve bpc handling (v2)

    Which resulted in kind of regression in 3.5. This fixes
    https://bugs.freedesktop.org/show_bug.cgi?id=70934

    Signed-off-by: Rafał Miłecki
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 3f8878956c833443d6c6e498e9ed6a18ee30e0f5
Author: Kirill Tkhai
Date:   Wed Nov 27 19:59:13 2013 +0400

    sched/rt: Fix rq's cpupri leak while enqueue/dequeue child RT entities

    commit 757dfcaa41844595964f1220f1d33182dae49976 upstream.

    This patch touches the RT group scheduling case.

    Functions inc_rt_prio_smp() and dec_rt_prio_smp() change (global) rq's
    priority, while rt_rq passed to them may be not the top-level rt_rq.
    This is wrong, because changing of priority on a child level does not
    guarantee that the priority is the highest all over the rq. So, this
    leak makes RT balancing unusable.

    The short example: the task having the highest priority among all rq's
    RT tasks (no one other task has the same priority) are waking on a
    throttle rt_rq. The rq's cpupri is set to the task's priority
    equivalent, but real rq->rt.highest_prio.curr is less.

    The patch below fixes the problem.

    Signed-off-by: Kirill Tkhai
    Signed-off-by: Peter Zijlstra
    CC: Steven Rostedt
    Link: http://lkml.kernel.org/r/49231385567953@web4m.yandex.ru
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit a1192c0e5d037def6763f3873d3340615c241fe7
Author: Eryu Guan
Date:   Tue Dec 3 21:22:21 2013 -0500

    ext4: check for overlapping extents in ext4_valid_extent_entries()

    commit 5946d089379a35dda0e531710b48fca05446a196 upstream.

    A corrupted ext4 may have out of order leaf extents, i.e.

    extent: lblk 0--1023, len 1024, pblk 9217, flags: LEAF UNINIT
    extent: lblk 1000--2047, len 1024, pblk 10241, flags: LEAF UNINIT
                 ^^^^ overlap with previous extent

    Reading such extent could hit BUG_ON() in ext4_es_cache_extent().

        BUG_ON(end < lblk);

    The problem is that __read_extent_tree_block() tries to cache holes as
    well but assumes 'lblk' is greater than 'prev' and passes underflowed
    length to ext4_es_cache_extent(). Fix it by checking for overlapping
    extents in ext4_valid_extent_entries().

    I hit this when fuzz testing ext4, and am able to reproduce it by
    modifying the on-disk extent by hand.

    Also add the check for (ee_block + len - 1) in ext4_valid_extent() to
    make sure the value is not overflow.

    Ran xfstests on patched ext4 and no regression.

    Cc: Lukáš Czerner
    Signed-off-by: Eryu Guan
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 510e024d1e74bb0f574d14ee19436a56ed4fc476
Author: Junho Ryu
Date:   Tue Dec 3 18:10:28 2013 -0500

    ext4: fix use-after-free in ext4_mb_new_blocks

    commit 4e8d2139802ce4f41936a687f06c560b12115247 upstream.

    ext4_mb_put_pa should hold pa->pa_lock before accessing pa->pa_count.
    While ext4_mb_use_preallocated checks pa->pa_deleted first and then
    increments pa->count later, ext4_mb_put_pa decrements pa->pa_count
    before holding pa->pa_lock and then sets pa->pa_deleted.

    * Free sequence
    ext4_mb_put_pa (1): atomic_dec_and_test pa->pa_count
    ext4_mb_put_pa (2): lock pa->pa_lock
    ext4_mb_put_pa (3): check pa->pa_deleted
    ext4_mb_put_pa (4): set pa->pa_deleted=1
    ext4_mb_put_pa (5): unlock pa->pa_lock
    ext4_mb_put_pa (6): remove pa from a list
    ext4_mb_pa_callback: free pa

    * Use sequence
    ext4_mb_use_preallocated (1): iterate over preallocation
    ext4_mb_use_preallocated (2): lock pa->pa_lock
    ext4_mb_use_preallocated (3): check pa->pa_deleted
    ext4_mb_use_preallocated (4): increase pa->pa_count
    ext4_mb_use_preallocated (5): unlock pa->pa_lock
    ext4_mb_release_context: access pa

    * Use-after-free sequence
    [initial status] pa_deleted = 0, pa_count = 1>
    ext4_mb_use_preallocated (1): iterate over preallocation
    ext4_mb_use_preallocated (2): lock pa->pa_lock
    ext4_mb_use_preallocated (3): check pa->pa_deleted
    ext4_mb_put_pa (1): atomic_dec_and_test pa->pa_count
    [pa_count decremented] pa_deleted = 0, pa_count = 0>
    ext4_mb_use_preallocated (4): increase pa->pa_count
    [pa_count incremented] pa_deleted = 0, pa_count = 1>
    ext4_mb_use_preallocated (5): unlock pa->pa_lock
    ext4_mb_put_pa (2): lock pa->pa_lock
    ext4_mb_put_pa (3): check pa->pa_deleted
    ext4_mb_put_pa (4): set pa->pa_deleted=1
    [race condition!] pa_deleted = 1, pa_count = 1>
    ext4_mb_put_pa (5): unlock pa->pa_lock
    ext4_mb_put_pa (6): remove pa from a list
    ext4_mb_pa_callback: free pa
    ext4_mb_release_context: access pa

    AddressSanitizer has detected use-after-free in ext4_mb_new_blocks
    Bug report: http://goo.gl/rG1On3

    Signed-off-by: Junho Ryu
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 3be19dd5258a26cfe1d90a22132784c2ba836039
Author: Len Brown
Date:   Wed Sep 26 22:28:21 2012 -0400

    intel_idle: enable IVB Xeon support

    commit 23795e580cad5d6b73d47d51b9074ce3e58bf334 upstream.

    IVB Xeon currently shares the same parameters IVB client.

    Signed-off-by: Len Brown
    Cc: Vinson Lee
    Signed-off-by: Greg Kroah-Hartman

commit 5806153a870c8b6557423e495f6d79ac9ec87197
Author: Len Brown
Date:   Fri Jun 1 19:45:32 2012 -0400

    intel_idle: initial IVB support

    commit 6edab08c24f9141d69cfa4683a0a027d86ab303e upstream.

    From an OS point of view, IVB looks like SNB, but quicker.

    Signed-off-by: Len Brown
    Cc: Vinson Lee
    Signed-off-by: Greg Kroah-Hartman

commit 09951c9b33f8cfdc0e8c4e03fe83bc66c9d908dc
Author: Miao Xie
Date:   Mon Dec 16 15:20:01 2013 +0800

    ftrace: Initialize the ftrace profiler for each possible cpu

    commit c4602c1c818bd6626178d6d3fcc152d9f2f48ac0 upstream.

    Ftrace currently initializes only the online CPUs. This implementation
    has two problems:
    - If we online a CPU after we enable the function profile, and then run
      the test, we will lose the trace information on that CPU.
      Steps to reproduce:
      # echo 0 > /sys/devices/system/cpu/cpu1/online
      # cd /tracing/
      # echo >> set_ftrace_filter
      # echo 1 > function_profile_enabled
      # echo 1 > /sys/devices/system/cpu/cpu1/online
      # run test
    - If we offline a CPU before we enable the function profile, we will not
      clear the trace information when we enable the function profile. It
      will trouble the users.
      Steps to reproduce:
      # cd /tracing/
      # echo >> set_ftrace_filter
      # echo 1 > function_profile_enabled
      # run test
      # cat trace_stat/function*
      # echo 0 > /sys/devices/system/cpu/cpu1/online
      # echo 0 > function_profile_enabled
      # echo 1 > function_profile_enabled
      # cat trace_stat/function*
      # run test
      # cat trace_stat/function*

    So it is better that we initialize the ftrace profiler for each possible
    cpu every time we enable the function profile instead of just the
    online ones.

    Link: http://lkml.kernel.org/r/1387178401-10619-1-git-send-email-miaox@cn.fujitsu.com
    Signed-off-by: Miao Xie
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

commit 58c2314ac41e8f24a2a594bd866915e38de9648e
Author: Oleg Nesterov
Date:   Mon Dec 23 17:45:01 2013 -0500

    selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()

    commit c0c1439541f5305b57a83d599af32b74182933fe upstream.

    selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
    but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
    this looks confusing and triggers the "suspicious RCU usage"
    warning because ptrace_parent() does rcu_dereference_check().

    And in theory this is wrong, spin_lock()->preempt_disable()
    doesn't necessarily imply rcu_read_lock() we need to access
    the ->parent.

    Reported-by: Evan McNabb
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 351381d8cea3036cfe021eb29994584d0e5c0e73
Author: Chad Hanson
Date:   Mon Dec 23 17:45:01 2013 -0500

    selinux: fix broken peer recv check

    commit 46d01d63221c3508421dd72ff9c879f61053cffc upstream.

    Fix a broken networking check. Return an error if peer recv fails. If
    secmark is active and the packet recv succeeds the peer recv error is
    ignored.

    Signed-off-by: Chad Hanson
    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit bc8a3912facbd66e2b88d10922aae74548b86606
Author: Bjørn Mork
Date:   Fri Nov 29 20:17:45 2013 +0100

    usb: cdc-wdm: manage_power should always set needs_remote_wakeup

    commit 4144bc861ed7934d56f16d2acd808d44af0fcc90 upstream.

    Reported-by: Oliver Neukum
    Signed-off-by: Bjørn Mork
    Acked-by: Oliver Neukum
    Signed-off-by: Greg Kroah-Hartman

commit b86d86822526d0be85d41cca71242fba6ac3c2c7
Author: JongHo Kim
Date:   Tue Dec 17 23:02:24 2013 +0900

    ALSA: Add SNDRV_PCM_STATE_PAUSED case in wait_for_avail function

    commit ed697e1aaf7237b1a62af39f64463b05c262808d upstream.

    When the process is sleeping at the SNDRV_PCM_STATE_PAUSED
    state from the wait_for_avail function, the sleep process will be woken by
    timeout(10 seconds).
    Even if the sleep process wake up by timeout, by this patch, the process will
    continue with sleep and wait for the other state.

    Signed-off-by: JongHo Kim
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit a183811472052b849d74d4fb2674265c6f874610
Author: Bo Shen
Date:   Wed Dec 18 11:26:23 2013 +0800

    ASoC: wm8904: fix DSP mode B configuration

    commit f0199bc5e3a3ec13f9bc938556517ec430b36437 upstream.

    When wm8904 work in DSP mode B, we still need to configure it to
    work in DSP mode. Or else, it will work in Right Justified mode.

    Signed-off-by: Bo Shen
    Acked-by: Charles Keepax
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 34ee0e8ad09ec1e58858bd3c8756a31a2b3c46bf
Author: Geert Uytterhoeven
Date:   Fri Nov 22 16:47:26 2013 +0100

    TTY: pmac_zilog, check existence of ports in pmz_console_init()

    commit dc1dc2f8a5dd863bf2e79f338fc3ae29e99c683a upstream.

    When booting a multi-platform m68k kernel on a non-Mac with "console=ttyS0"
    on the kernel command line, it crashes with:

    Unable to handle kernel NULL pointer dereference at virtual address (null)
    Oops: 00000000
    PC: [<0013ad28>] __pmz_startup+0x32/0x2a0
    ...
    Call Trace: [<002c5d3e>] pmz_console_setup+0x64/0xe4

    The normal tty driver doesn't crash, because init_pmz() checks
    pmz_ports_count again after calling pmz_probe().

    In the serial console initialization path, pmz_console_init() doesn't do
    this, causing the driver to crash later.

    Add a check for pmz_ports_count to fix this.

    Signed-off-by: Geert Uytterhoeven
    Cc: Finn Thain
    Cc: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 7898047084bed6716bbc2c08b969ddf364ca36fd
Author: pingfan liu
Date:   Fri Nov 15 16:35:00 2013 +0800

    powerpc: kvm: fix rare but potential deadlock scene

    commit 91648ec09c1ef69c4d840ab6dab391bfb452d554 upstream.

    Since kvmppc_hv_find_lock_hpte() is called from both virtmode and
    realmode, so it can trigger the deadlock.

    Suppose the following scene:

    Two physical cpuM, cpuN, two VM instances A, B, each VM has a group of
    vcpus.

    If on cpuM, vcpu_A_1 holds bitlock X (HPTE_V_HVLOCK), then is switched
    out, and on cpuN, vcpu_A_2 try to lock X in realmode, then cpuN will be
    caught in realmode for a long time.

    What makes things even worse if the following happens,
      On cpuM, bitlockX is hold, on cpuN, Y is hold.
      vcpu_B_2 try to lock Y on cpuM in realmode
      vcpu_A_2 try to lock X on cpuN in realmode

    Oops! deadlock happens

    Signed-off-by: Liu Ping Fan
    Reviewed-by: Paul Mackerras
    Signed-off-by: Alexander Graf
    Signed-off-by: Greg Kroah-Hartman

commit bb4e90afb0b16996ff921762ab4212db0f40535f
Author: Yan, Zheng
Date:   Thu Oct 31 09:10:47 2013 +0800

    ceph: wake up 'safe' waiters when unregistering request

    commit fc55d2c9448b34218ca58733a6f51fbede09575b upstream.

    We also need to wake up 'safe' waiters if error occurs or request
    aborted. Otherwise sync(2)/fsync(2) may hang forever.

    Signed-off-by: Yan, Zheng
    Signed-off-by: Sage Weil
    Signed-off-by: Greg Kroah-Hartman

commit 1461d4c794c2f98ebdd9d60f47a08c09dc4ce453
Author: Yan, Zheng
Date:   Thu Sep 26 14:25:36 2013 +0800

    ceph: cleanup aborted requests when re-sending requests.

    commit eb1b8af33c2e42a9a57fc0a7588f4a7b255d2e79 upstream.

    Aborted requests usually get cleared when the reply is received.
    If MDS crashes, no reply will be received. So we need to cleanup
    aborted requests when re-sending requests.

    Signed-off-by: Yan, Zheng
    Reviewed-by: Greg Farnum
    Signed-off-by: Sage Weil
    Signed-off-by: Greg Kroah-Hartman

commit bc845e5405b033fadd398c5ca2884a568313c875
Author: Johan Hovold
Date:   Sat Nov 9 12:38:09 2013 +0100

    USB: serial: fix race in generic write

    commit 6f6485463aada1ec6a0f3db6a03eb8e393d6bb55 upstream.

    Fix race in generic write implementation, which could lead to
    temporarily degraded throughput.

    The current generic write implementation introduced by commit
    27c7acf22047 ("USB: serial: reimplement generic fifo-based writes") has
    always had this bug, although it's fairly hard to trigger and the
    consequences are not likely to be noticed.

    Specifically, a write() on one CPU while the completion handler is
    running on another could result in only one of the two write urbs being
    utilised to empty the remainder of the write fifo (unless there is a
    second write() that doesn't race during that time).

    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman