commit d89a13cf5f83e4f2b6fe98b52530bdab4b773c5c Author: Greg Kroah-Hartman Date: Tue May 6 07:52:14 2014 -0700 Linux 3.4.89 commit 1361b5386da290994fcbf5399d87e4417bec213d Author: Aaron Sanders Date: Mon Mar 31 15:54:21 2014 +0200 USB: pl2303: add ids for Hewlett-Packard HP POS pole displays commit b16c02fbfb963fa2941b7517ebf1f8a21946775e upstream. Add device ids to pl2303 for the Hewlett-Packard HP POS pole displays: LD960: 03f0:0B39 LCM220: 03f0:3139 LCM960: 03f0:3239 [ Johan: fix indentation and sort PIDs numerically ] Signed-off-by: Aaron Sanders Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6b2b2314fe03f5dc66d4c9370dfa263e19fda392 Author: Theodore Ts'o Date: Sat Apr 12 12:45:25 2014 -0400 ext4: use i_size_read in ext4_unaligned_aio() commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream. We haven't taken i_mutex yet, so we need to use i_size_read(). Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 982daeb44e46bd2c1d84106f90381184bf2c0ed2 Author: alex chen Date: Thu Apr 3 14:47:05 2014 -0700 ocfs2: do not put bh when buffer_uptodate failed commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream. Do not put bh when buffer_uptodate failed in ocfs2_write_block and ocfs2_write_super_or_backup, because it will put bh in b_end_io. Otherwise it will hit a warning "VFS: brelse: Trying to free free buffer". Signed-off-by: Alex Chen Reviewed-by: Joseph Qi Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Acked-by: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8917a40da468d4ffb7accf5eea6e381a123058b1 Author: Junxiao Bi Date: Thu Apr 3 14:46:51 2014 -0700 ocfs2: dlm: fix recovery hung commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream. There is a race window in dlm_do_recovery() between dlm_remaster_locks() and dlm_reset_recovery() when the recovery master nearly finish the recovery process for a dead node. After the master sends FINALIZE_RECO message in dlm_remaster_locks(), another node may become the recovery master for another dead node, and then send the BEGIN_RECO message to all the nodes included the old master, in the handler of this message dlm_begin_reco_handler() of old master, dlm->reco.dead_node and dlm->reco.new_master will be set to the second dead node and the new master, then in dlm_reset_recovery(), these two variables will be reset to default value. This will cause new recovery master can not finish the recovery process and hung, at last the whole cluster will hung for recovery. old recovery master: new recovery master: dlm_remaster_locks() become recovery master for another dead node. dlm_send_begin_reco_message() dlm_begin_reco_handler() { if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) { return -EAGAIN; } dlm_set_reco_master(dlm, br->node_idx); dlm_set_reco_dead_node(dlm, br->dead_node); } dlm_reset_recovery() { dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM); dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM); } will hang in dlm_remaster_locks() for request dlm locks info Before send FINALIZE_RECO message, recovery master should set DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done, this can break the race windows as the BEGIN_RECO messages will not be handled before DLM_RECO_STATE_FINALIZE flag is cleared. A similar race may happen between new recovery master and normal node which is in dlm_finalize_reco_handler(), also fix it. Signed-off-by: Junxiao Bi Reviewed-by: Srinivas Eeda Reviewed-by: Wengang Wang Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 09400fe4ff8794b823889c4634afa0c740d29b1c Author: Junxiao Bi Date: Thu Apr 3 14:46:49 2014 -0700 ocfs2: dlm: fix lock migration crash commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream. This issue was introduced by commit 800deef3f6f8 ("ocfs2: use list_for_each_entry where benefical") in 2007 where it replaced list_for_each with list_for_each_entry. The variable "lock" will point to invalid data if "tmpq" list is empty and a panic will be triggered due to this. Sunil advised reverting it back, but the old version was also not right. At the end of the outer for loop, that list_for_each_entry will also set "lock" to an invalid data, then in the next loop, if the "tmpq" list is empty, "lock" will be an stale invalid data and cause the panic. So reverting the list_for_each back and reset "lock" to NULL to fix this issue. Another concern is that this seemes can not happen because the "tmpq" list should not be empty. Let me describe how. old lock resource owner(node 1): migratation target(node 2): image there's lockres with a EX lock from node 2 in granted list, a NR lock from node x with convert_type EX in converting list. dlm_empty_lockres() { dlm_pick_migration_target() { pick node 2 as target as its lock is the first one in granted list. } dlm_migrate_lockres() { dlm_mark_lockres_migrating() { res->state |= DLM_LOCK_RES_BLOCK_DIRTY; wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res)); //after the above code, we can not dirty lockres any more, // so dlm_thread shuffle list will not run downconvert lock from EX to NR upconvert lock from NR to EX <<< migration may schedule out here, then <<< node 2 send down convert request to convert type from EX to <<< NR, then send up convert request to convert type from NR to <<< EX, at this time, lockres granted list is empty, and two locks <<< in the converting list, node x up convert lock followed by <<< node 2 up convert lock. // will set lockres RES_MIGRATING flag, the following // lock/unlock can not run dlm_lockres_release_ast(dlm, res); } dlm_send_one_lockres() dlm_process_recovery_data() for (i=0; inum_locks; i++) if (ml->node == dlm->node_num) for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) { list_for_each_entry(lock, tmpq, list) if (lock) break; <<< lock is invalid as grant list is empty. } if (lock->ml.node != ml->node) BUG() >>> crash here } I see the above locks status from a vmcore of our internal bug. Signed-off-by: Junxiao Bi Reviewed-by: Wengang Wang Cc: Sunil Mushran Reviewed-by: Srinivas Eeda Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 96f6aea2715b25edfc9b982f9e372bd87db6c04e Author: Liu Hua Date: Mon Apr 7 15:38:57 2014 -0700 hung_task: check the value of "sysctl_hung_task_timeout_sec" commit 80df28476505ed4e6701c3448c63c9229a50c655 upstream. As sysctl_hung_task_timeout_sec is unsigned long, when this value is larger then LONG_MAX/HZ, the function schedule_timeout_interruptible in watchdog will return immediately without sleep and with print : schedule_timeout: wrong timeout value ffffffffffffff83 and then the funtion watchdog will call schedule_timeout_interruptible again and again. The screen will be filled with "schedule_timeout: wrong timeout value ffffffffffffff83" This patch does some check and correction in sysctl, to let the function schedule_timeout_interruptible allways get the valid parameter. Signed-off-by: Liu Hua Tested-by: Satoru Takeuchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit af4acfaf3ca2f1da6e48d67e50f27f5e22fa3308 Author: Mizuma, Masayoshi Date: Mon Apr 7 15:37:54 2014 -0700 mm: hugetlb: fix softlockup when a large number of hugepages are freed. commit 55f67141a8927b2be3e51840da37b8a2320143ed upstream. When I decrease the value of nr_hugepage in procfs a lot, softlockup happens. It is because there is no chance of context switch during this process. On the other hand, when I allocate a large number of hugepages, there is some chance of context switch. Hence softlockup doesn't happen during this process. So it's necessary to add the context switch in the freeing process as same as allocating process to avoid softlockup. When I freed 12 TB hugapages with kernel-2.6.32-358.el6, the freeing process occupied a CPU over 150 seconds and following softlockup message appeared twice or more. $ echo 6000000 > /proc/sys/vm/nr_hugepages $ cat /proc/sys/vm/nr_hugepages 6000000 $ grep ^Huge /proc/meminfo HugePages_Total: 6000000 HugePages_Free: 6000000 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB $ echo 0 > /proc/sys/vm/nr_hugepages BUG: soft lockup - CPU#16 stuck for 67s! [sh:12883] ... Pid: 12883, comm: sh Not tainted 2.6.32-358.el6.x86_64 #1 Call Trace: free_pool_huge_page+0xb8/0xd0 set_max_huge_pages+0x128/0x190 hugetlb_sysctl_handler_common+0x113/0x140 hugetlb_sysctl_handler+0x1e/0x20 proc_sys_call_handler+0x97/0xd0 proc_sys_write+0x14/0x20 vfs_write+0xb8/0x1a0 sys_write+0x51/0x90 __audit_syscall_exit+0x265/0x290 system_call_fastpath+0x16/0x1b I have not confirmed this problem with upstream kernels because I am not able to prepare the machine equipped with 12TB memory now. However I confirmed that the amount of decreasing hugepages was directly proportional to the amount of required time. I measured required times on a smaller machine. It showed 130-145 hugepages decreased in a millisecond. Amount of decreasing Required time Decreasing rate hugepages (msec) (pages/msec) ------------------------------------------------------------ 10,000 pages == 20GB 70 - 74 135-142 30,000 pages == 60GB 208 - 229 131-144 It means decrement of 6TB hugepages will trigger softlockup with the default threshold 20sec, in this decreasing rate. Signed-off-by: Masayoshi Mizuma Cc: Joonsoo Kim Cc: Michal Hocko Cc: Wanpeng Li Cc: Aneesh Kumar Cc: KOSAKI Motohiro Cc: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5650bff7fdf4f586d05dad9315d4786eba694149 Author: Matt Fleming Date: Thu Apr 3 14:46:20 2014 -0700 sh: fix format string bug in stack tracer commit a0c32761e73c9999cbf592b702f284221fea8040 upstream. Kees reported the following error: arch/sh/kernel/dumpstack.c: In function 'print_trace_address': arch/sh/kernel/dumpstack.c:118:2: error: format not a string literal and no format arguments [-Werror=format-security] Use the "%s" format so that it's impossible to interpret 'data' as a format string. Signed-off-by: Matt Fleming Reported-by: Kees Cook Acked-by: Kees Cook Cc: Paul Mundt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d6f6fc7a2bc99124058b7c4850a9997530589a33 Author: Alan Stern Date: Wed Mar 12 11:30:38 2014 -0400 USB: unbind all interfaces before rebinding any commit 6aec044cc2f5670cf3b143c151c8be846499bd15 upstream. When a driver doesn't have pre_reset, post_reset, or reset_resume methods, the USB core unbinds that driver when its device undergoes a reset or a reset-resume, and then rebinds it afterward. The existing straightforward implementation can lead to problems, because each interface gets unbound and rebound before the next interface is handled. If a driver claims additional interfaces, the claim may fail because the old binding instance may still own the additional interface when the new instance tries to claim it. This patch fixes the problem by first unbinding all the interfaces that are marked (i.e., their needs_binding flag is set) and then rebinding all of them. The patch also makes the helper functions in driver.c a little more uniform and adjusts some out-of-date comments. Signed-off-by: Alan Stern Reported-and-tested-by: "Poulain, Loic" Signed-off-by: Greg Kroah-Hartman commit 216583b5033215cd64468b865c0ee96d265cf546 Author: Paul Gortmaker Date: Tue Jan 14 16:03:37 2014 -0500 hvc: ensure hvc_init is only ever called once in hvc_console.c commit f76a1cbed18c86e2d192455f0daebb48458965f3 upstream. Commit 3e6c6f630a5282df8f3393a59f10eb9c56536d23 ("Delay creation of khcvd thread") moved the call of hvc_init from being a device_initcall into hvc_alloc, and used a non-null hvc_driver as indication of whether hvc_init had already been called. The problem with this is that hvc_driver is only assigned a value at the bottom of hvc_init, and so there is a window where multiple hvc_alloc calls can be in progress at the same time and hence try and call hvc_init multiple times. Previously the use of device_init guaranteed that hvc_init was only called once. This manifests itself as sporadic instances of two hvc_init calls racing each other, and with the loser of the race getting -EBUSY from tty_register_driver() and hence that virtual console fails: Couldn't register hvc console driver virtio-ports vport0p1: error -16 allocating hvc for port Here we add an atomic_t to guarantee we'll never run hvc_init twice. Cc: Rusty Russell Cc: Greg Kroah-Hartman Fixes: 3e6c6f630a52 ("Delay creation of khcvd thread") Reported-by: Jim Somerville Tested-by: Jim Somerville Signed-off-by: Paul Gortmaker Signed-off-by: Greg Kroah-Hartman commit f53fd451ade7c197376e9337c0ff4bbadf985dde Author: Huang Rui Date: Tue Jan 7 17:45:50 2014 +0800 usb: dwc3: fix wrong bit mask in dwc3_event_devt commit 06f9b6e59661cee510b04513b13ea7927727d758 upstream. Around DWC USB3 2.30a release another bit has been added to the Device-Specific Event (DEVT) Event Information (EvtInfo) bitfield. Because of that, what used to be 8 bits long, has become 9 bits long. Per dwc3 2.30a+ spec in the Device-Specific Event (DEVT), the field of Event Information Bits(EvtInfo) uses [24:16] bits, and it has 9 bits not 8 bits. And the following reserved field uses [31:25] bits not [31:24] bits, and it has 7 bits. So in dwc3_event_devt, the bit mask should be: event_info [24:16] 9 bits reserved31_25 [31:25] 7 bits This patch makes sure that newer core releases will work fine with Linux and that we will decode the event information properly on new core releases. [ balbi@ti.com : improve commit log a bit ] Signed-off-by: Huang Rui Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit f97f28f902804f7ccc209ff0e560c20dcb32c608 Author: David Cohen Date: Fri Apr 25 19:20:16 2014 +0300 usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM commit 01bb59ebffdec314da8da66266edf29529372f9b upstream. When CONFIG_PCI and CONFIG_PM are not selected, xhci.c gets this warning: drivers/usb/host/xhci.c:409:13: warning: ‘xhci_msix_sync_irqs’ defined but not used [-Wunused-function] Instead of creating nested #ifdefs, this patch fixes it by defining the xHCI PCI stubs as inline. This warning has been in since 3.2 kernel and was caused by commit 421aa841a134f6a743111cf44d0c6d3b45e3cf8c "usb/xhci: hide MSI code behind PCI bars", but wasn't noticed until 3.13 when a configuration with these options was tried Signed-off-by: David Cohen Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 8ccd1a5521d0e870ccc5fee1d4bf7ee7ddab66ff Author: Igor Gnatenko Date: Fri Apr 25 19:20:15 2014 +0300 xhci: extend quirk for Renesas cards commit 6db249ebefc6bf5c39f35dfaacc046d8ad3ffd70 upstream. After suspend another Renesas PCI-X USB 3.0 card doesn't work. [root@fedora-20 ~]# lspci -vmnnd 1912: Device: 03:00.0 Class: USB controller [0c03] Vendor: Renesas Technology Corp. [1912] Device: uPD720202 USB 3.0 Host Controller [0015] SVendor: Renesas Technology Corp. [1912] SDevice: uPD720202 USB 3.0 Host Controller [0015] Rev: 02 ProgIf: 30 This patch should be applied to stable kernel 3.14 that contain the commit 1aa9578c1a9450fb21501c4f549f5b1edb557e6d "xhci: Fix resume issues on Renesas chips in Samsung laptops" Reported-and-tested-by: Anatoly Kharchenko Reference: http://redmine.russianfedora.pro/issues/1315 Signed-off-by: Igor Gnatenko Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 41b4a7dfd391b5826492a89c702420b97dc02334 Author: supriya karanth Date: Thu Dec 6 11:12:48 2012 +0530 usb: musb: set TXMAXP and AUTOSET for full speed bulk in device mode commit bb3a2ef2eb8cfaea335dcb3426350df7f3d48069 upstream. The TXMAXP register is not set correctly for full speed bulk case when the can_bulk_split() is used. Without this PIO transfers will not take place correctly The "mult" factor needs to be updated correctly for the can_bulk_split() case The AUTOSET bit in the TXCSR is not being set if the "mult" factor is greater than 0 for the High Bandwidth ISO case. But the "mult" factor is also greater than 0 in case of Full speed bulk transfers with the packet splitting in TXMAXP register Without the AUTOSET the DMA transfers will not progress in mode1 [ balbi@ti.com : add braces to both branches ] Signed-off-by: supriya karanth Signed-off-by: Praveena NADAHALLY Acked-by: Linus Walleij Signed-off-by: Felipe Balbi Cc: ian coolidge Signed-off-by: Greg Kroah-Hartman commit 15e5f90c0f1d3f597981ffe18112aae9421f57c0 Author: Jeff Mahoney Date: Wed Apr 2 14:40:26 2014 -0400 reiserfs: fix race in readdir commit 01d8885785a60ae8f4c37b0ed75bdc96d0fc6a44 upstream. jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) The -ENOENT is due to readdir calling dir_emit on the same entry twice. If the dir_emit callback sleeps and the tree is changed underneath us, we won't be able to trust deh_offset(deh) anymore. We need to save next_pos before we might sleep so we can find the next entry. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 86455b800f7544e239b2fa5a16962ea780a1e9d8 Author: Andy Grover Date: Fri Apr 4 16:44:37 2014 -0700 target/tcm_fc: Fix use-after-free of ft_tpg commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream. ft_del_tpg checks tpg->tport is set before unlinking the tpg from the tport when the tpg is being removed. Set this pointer in ft_tport_create, or the unlinking won't happen in ft_del_tpg and tport->tpg will reference a deleted object. This patch sets tpg->tport in ft_tport_create, because that's what ft_del_tpg checks, and is the only way to get back to the tport to clear tport->tpg. The bug was occuring when: - lport created, tport (our per-lport, per-provider context) is allocated. tport->tpg = NULL - tpg created - a PRLI is received. ft_tport_create is called, tpg is found and tport->tpg is set - tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not set, tport->tpg is not cleared and points at freed memory - Future calls to ft_tport_create return tport via first conditional, instead of searching for new tpg by calling ft_lport_find_tpg. tport->tpg is still invalid, and will access freed memory. see https://bugzilla.redhat.com/show_bug.cgi?id=1071340 Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit d72db3c871f7232448abab9e12fbbe9d80a6606c Author: Nicholas Bellinger Date: Wed Feb 19 23:32:14 2014 +0000 iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug commit d444edc679e7713412f243b792b1f964e5cff1e1 upstream. This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message() where during ERL=2 connection recovery, a bogus conn_p pointer could end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION notifying the initiator that cmd->logout_cid has failed. The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with a bogus conn_p pointer in iscsit_build_conn_drop_async_message(). Reported-by: Arshad Hussain Reported-by: santosh kulkarni Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 8ba4bc7680f75ac3294cb3222b21bc2912b24963 Author: Dan Carpenter Date: Tue Feb 11 19:06:33 2014 +0300 SCSI: arcmsr: upper 32 of dma address lost commit e2c70425f05219b142b3a8a9489a622c736db39d upstream. The original code always set the upper 32 bits to zero because it was doing a shift of the wrong variable. Fixes: 1a4f550a09f8 ('[SCSI] arcmsr: 1.20.00.15: add SATA RAID plus other fixes') Signed-off-by: Dan Carpenter Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 41d5d291583dedd9fde7dbdad524a604166266c4 Author: Mike Marciniszyn Date: Mon Apr 7 13:58:35 2014 -0400 ib_srpt: Use correct ib_sg_dma primitives commit b076808051f2c80d38e03fb2f1294f525c7a446d upstream. The code was incorrectly using sg_dma_address() and sg_dma_len() instead of ib_sg_dma_address() and ib_sg_dma_len(). This prevents srpt from functioning with the Intel HCA and indeed will corrupt memory badly. Cc: Bart Van Assche Reviewed-by: Dennis Dalessandro Tested-by: Vinod Kumar Signed-off-by: Mike Marciniszyn Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 794f9950ebd832b8712e32007e0359e5c6e60f55 Author: Yann Droneaud Date: Mon Mar 10 23:06:25 2014 +0100 IB/ehca: Returns an error on ib_copy_to_udata() failure commit 5bdb0f02add5994b0bc17494f4726925ca5d6ba1 upstream. In case of error when writing to userspace, function ehca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 53b5bc1e97df8c617d6a9e15d0ce33981ee086c9 Author: Yann Droneaud Date: Mon Mar 10 23:06:26 2014 +0100 IB/mthca: Return an error on ib_copy_to_udata() failure commit 08e74c4b00c30c232d535ff368554959403d0432 upstream. In case of error when writing to userspace, the function mthca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 64900cd67cf96f8fc40d1db1f4058cbaa2dca7ff Author: Yann Droneaud Date: Mon Mar 10 23:06:27 2014 +0100 IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream. In case of error while accessing to userspace memory, function nes_create_qp() returns NULL instead of an error code wrapped through ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it check for error with IS_ERR(). As page 0 is likely not mapped, it is going to trigger an Oops when the kernel will try to dereference NULL pointer to access to struct ib_qp's fields. In some rare cases, page 0 could be mapped by userspace, which could turn this bug to a vulnerability that could be exploited: the function pointers in struct ib_device will be under userspace total control. This was caught when using spatch (aka. coccinelle) to rewrite calls to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 066c269f39f667f486d3cb709429dc73ff2f172d Author: Dennis Dalessandro Date: Thu Feb 20 11:02:53 2014 -0500 IB/ipath: Fix potential buffer overrun in sending diag packet routine commit a2cb0eb8a64adb29a99fd864013de957028f36ae upstream. Guard against a potential buffer overrun. The size to read from the user is passed in, and due to the padding that needs to be taken into account, as well as the place holder for the ICRC it is possible to overflow the 32bit value which would cause more data to be copied from user space than is allocated in the buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Reviewed-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit d8992efff2b60c8b360ebef7daa03db6496cc131 Author: J. Bruce Fields Date: Mon Mar 10 14:17:55 2014 -0400 nfsd4: fix setclientid encode size commit 480efaee085235bb848f1063f959bf144103c342 upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 367bce496469f4a47c717c048116cdb73caefa62 Author: J. Bruce Fields Date: Mon Feb 24 14:59:47 2014 -0500 nfsd: notify_change needs elevated write count commit 9f67f189939eccaa54f3d2c9cf10788abaf2d584 upstream. Looks like this bug has been here since these write counts were introduced, not sure why it was just noticed now. Thanks also to Jan Kara for pointing out the problem. Reported-by: Matthew Rahtz Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit c2189c7fedb781f3dd14b4df162661e36a85cc02 Author: J. Bruce Fields Date: Mon Feb 3 16:31:42 2014 -0500 nfsd4: fix test_stateid error reply encoding commit a11fcce1544df08c723d950ff0edef3adac40405 upstream. If the entire operation fails then there's nothing to encode. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 9acc531f6038cccb95a7bf4d26469196764e6d53 Author: J. Bruce Fields Date: Tue Jan 28 16:05:15 2014 -0500 nfsd4: buffer-length check for SUPPATTR_EXCLCREAT commit de3997a7eeb9ea286b15879fdf8a95aae065b4f7 upstream. This was an omission from 8c18f2052e756e7d5dea712fc6e7ed70c00e8a39 "nfsd41: SUPPATTR_EXCLCREAT attribute". Cc: Benny Halevy Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit fc111bf8f73b9223fd4f8e420b7b76f4e0fed427 Author: J. Bruce Fields Date: Tue Jan 28 16:01:04 2014 -0500 nfsd4: session needs room for following op to error out commit 4c69d5855a16f7378648c5733632628fa10431db upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 5d052fbbd7b0069df1fdeaa7dd5eb16e1345a458 Author: Alan Stern Date: Mon Apr 14 13:48:47 2014 -0400 USB: fix crash during hotplug of PCI USB controller card commit a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 upstream. The code in hcd-pci.c that matches up EHCI controllers with their companion UHCI or OHCI controllers assumes that the private drvdata fields don't get set too early. However, it turns out that this field gets set by usb_create_hcd(), before hcd-pci expects it, and this can result in a crash when two controllers are probed in parallel (as can happen when a new controller card is hotplugged). The companions_rwsem lock was supposed to prevent this sort of thing, but usb_create_hcd() is called outside the scope of the rwsem. A simple solution is to check that the root-hub pointer has been initialized as well as the drvdata field. This doesn't happen until usb_add_hcd() is called; that call and the check are both protected by the rwsem. This patch should be applied to stable kernels from 3.10 onward. Signed-off-by: Alan Stern Reported-by: Stefani Seibold Tested-by: Stefani Seibold Signed-off-by: Greg Kroah-Hartman commit 632d996e9911371a3b48cec1e8451c7c2761fd69 Author: H. Peter Anvin Date: Sun Mar 16 15:31:54 2014 -0700 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels commit b3b42ac2cbae1f3cecbb6229964a4d48af31d382 upstream. The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode. Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel. Cc: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org Signed-off-by: Greg Kroah-Hartman commit 9d1a5959bc3be5b9aa5886e8736534b96098b215 Author: Larry Finger Date: Wed Apr 16 14:49:33 2014 -0500 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 commit f764cd68d9036498f08fe8834deb6a367b5c2542 upstream. Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit 725f2ba0cbb94c7e8f3499ef57dbd47d85521ef7 Author: Himangi Saraogi Date: Wed Mar 5 04:59:57 2014 +0530 staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer commit abe5d64d1a74195a44cd14624f8178b9f48b7cc7 upstream. This patch fixes the following sparse warning : drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer Signed-off-by: Himangi Saraogi Signed-off-by: Greg Kroah-Hartman commit 6733ac581418cfd8d7bef57c22fc2e0d673c4272 Author: David Fries Date: Wed Jan 15 22:29:12 2014 -0600 w1: fix w1_send_slave dropping a slave id commit 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 upstream. Previous logic, if (avail > 8) { store slave; return; } send data; clear; The logic error is, if there isn't space send the buffer and clear, but the slave wasn't added to the now empty buffer loosing that slave id. It also should have been "if (avail >= 8)" because when it is 8, there is space. Instead, if there isn't space send and clear the buffer, then there is always space for the slave id. Signed-off-by: David Fries Acked-by: Evgeniy Polyakov Signed-off-by: Greg Kroah-Hartman commit 3b015ff0243274791bb5d9357f517e43babcf705 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:34 2014 +0100 mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error commit 97dc4ed3fa377ec91bb60ba98b70d645c2099384 upstream. During probe the driver allocates dummy I2C devices for RTC, haptic and MUIC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC, haptic or MUIC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 4efaf4210b1a995cf39f29425259fbbd87194661 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:35 2014 +0100 mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error commit ed26f87b9f71693a1d1ee85f5e6209601505080f upstream. During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit b9546b807f1a47ba98760246df1c3f1cb6d05306 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:33 2014 +0100 mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error commit 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 upstream. During probe the driver allocates dummy I2C devices for RTC and ADC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC or ADC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit f4a8f6c0d3970daa2634475ce43d04310127272d Author: Takashi Iwai Date: Tue Apr 8 16:58:34 2014 +0200 ALSA: ice1712: Fix boundary checks in PCM pointer ops commit 4f8e940095536bc002a81666a4107a581c84e9b9 upstream. PCM pointer callbacks in ice1712 driver check the buffer size boundary wrongly between bytes and frames. This leads to PCM core warnings like: snd_pcm_update_hw_ptr0: 105 callbacks suppressed ALSA pcm_lib.c:352 BUG: pcmC3D0c:0, pos = 5461, buffer size = 5461, period size = 2730 This patch fixes these checks to be placed after the proper unit conversions. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b7b38eb3f20b2cd88c41f6b05aa2e3f2f1b3b878 Author: W. Trevor King Date: Sat Mar 29 17:47:24 2014 -0700 ALSA: hda - Enable beep for ASUS 1015E commit a4b7f21d7b42b33609df3f86992a8deff80abfaf upstream. The `lspci -nnvv` output contains (wrapped for line length): 00:1b.0 Audio device [0403]: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller [8086:1e20] (rev 04) Subsystem: ASUSTeK Computer Inc. Device [1043:115d] Signed-off-by: W. Trevor King Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 61d0294719523889c7ce32d33a2ab7cc73fbb814 Author: Liu Hua Date: Fri Apr 18 07:45:36 2014 +0100 ARM: 8030/1: ARM : kdump : add arch_crash_save_vmcoreinfo commit 56b700fd6f1e49149880fb1b6ffee0dca5be45fb upstream. For vmcore generated by LPAE enabled kernel, user space utility such as crash needs additional infomation to parse. So this patch add arch_crash_save_vmcoreinfo as what PAE enabled i386 linux does. Reviewed-by: Will Deacon Signed-off-by: Liu Hua Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 76ff67ac5a2585634709abc41a0a9f3f3b28c90f Author: Xiangyu Lu Date: Tue Apr 15 09:38:17 2014 +0100 ARM: 8027/1: fix do_div() bug in big-endian systems commit 80bb3ef109ff40a7593d9481c17de9bbc4d7c0e2 upstream. In big-endian systems, "%1" get the most significant part of the value, cause the instruction to get the wrong result. When viewing ftrace record in big-endian ARM systems, we found that the timestamp errors: swapper-0 [001] 1325.970000: 0:120:R ==> [001] 16:120:R events/1 events/1-16 [001] 1325.970000: 16:120:S ==> [001] 0:120:R swapper swapper-0 [000] 1325.1000000: 0:120:R + [000] 15:120:R events/0 swapper-0 [000] 1325.1000000: 0:120:R ==> [000] 15:120:R events/0 swapper-0 [000] 1326.030000: 0:120:R + [000] 1150:120:R sshd swapper-0 [000] 1326.030000: 0:120:R ==> [000] 1150:120:R sshd When viewed ftrace records, it will call the do_div(n, base) function, which achieved arch/arm/include/asm/div64.h in. When n = 10000000, base = 1000000, in do_div(n, base) will execute "umull %Q0, %R0, %1, %Q2". Reviewed-by: Dave Martin Reviewed-by: Nicolas Pitre Signed-off-by: Alex Wu Signed-off-by: Xiangyu Lu Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 375f0dfa0c993b38ca4cd6f5859cc2a35ee10157 Author: Roger Quadros Date: Thu Apr 10 10:18:17 2014 +0300 ARM: OMAP3: hwmod data: Correct clock domains for USB modules commit c6c56697ae4bf1226263c19e8353343d7083f40e upstream. OMAP3 doesn't contain "l3_init_clkdm" clock domain. Use the proper clock domains for USB Host and USB TLL modules. Gets rid of the following warnings during boot omap_hwmod: usb_host_hs: could not associate to clkdm l3_init_clkdm omap_hwmod: usb_tll_hs: could not associate to clkdm l3_init_clkdm Reported-by: Nishanth Menon Cc: Paul Walmsley Signed-off-by: Roger Quadros Fixes: de231388cb80a8ef3e779bbfa0564ba0157b7377 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3") Cc: Keshava Munegowda Cc: Partha Basak Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 05b81311eb29058600b458393cf577b4d40a0b14 Author: Stefan Sørensen Date: Thu Mar 6 16:27:15 2014 +0100 ARM: OMAP2+: INTC: Acknowledge stuck active interrupts commit 698b48532539484b012fb7c4176b959d32a17d00 upstream. When an interrupt has become active on the INTC it will stay active until it is acked, even if masked or de-asserted. The INTC_PENDING_IRQn registers are however updated and since these are used by omap_intc_handle_irq to determine which interrupt to handle, it will never see the active interrupt. This will result in a storm of useless interrupts that is only stopped when another higher priority interrupt is asserted. Fix by sending the INTC an acknowledge if we find no interrupts to handle. Signed-off-by: Stefan Sørensen Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 62f29567f2e87357413ec534d7ecde5763e83239 Author: Brian Austin Date: Tue Mar 18 13:56:21 2014 -0500 ASoC: cs42l73: Fix mask bits for SOC_VALUE_ENUM_SINGLE commit 1555b652970e541fa1cb80c61ffc696bbfb92bb7 upstream. The mask bits values were wrong for the SOC_VALUE_ENUM_SINGLE for the mono mix controls. Reported-by: Takashi Iwai Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman